Procaryote implements appropriate security measures to protect the personal data it processes from unauthorized access, modification, or destruction. Data security, confidentiality, and patient privacy comply with applicable laws, including the European General Data Protection Regulation (GDPR). Procaryote follows the strictest procedures to ensure the best information security, including the information we collect about you, as described in this policy. This means that Procaryote has a world-class information security management system, ensuring rigorous protection of the data processed.
These Technical and Organizational Security Measures (Security Measures) explain how Procaryote ensures the security of the personal data it processes. They describe the set of measures, procedures, and processes that Procaryote has implemented to ensure the availability, integrity, and confidentiality of all forms of information, to ensure information continuity and supply, including the underlying IT infrastructure, and to limit the possible consequences of security incidents to an acceptable and predetermined level.
If you have an agreement with Procaryote as a healthcare professional, as a patient, or as a registered user, these Security Measures are part of that agreement.
Technical measures refer to the measures and controls that Procaryote implements for its systems and any technological aspect of the organization, including devices, networks, and hardware.
All personal data and information processed by Procaryote are stored in the cloud and not on a site owned or operated by Procaryote. Procaryote’s cloud service provider(s) are responsible for the security of their data centers. Procaryote regularly, and at least once a year, conducts due diligence on its cloud service provider(s), including obtaining and reviewing security compliance certifications.
Our infrastructure is configured to offer high availability. Procaryote’s databases and servers are deployed in multiple data centers. If one of the data centers encounters a problem, our services remain available. Our applications are also hosted behind a Content Delivery Network (CDN).
The Content Delivery Network is essential for improving the speed, reliability, and security of internet services, delivering content effectively and reliably to end-users worldwide. The main benefits are:
Latency reduction: The CDN places servers at the closest geographic locations to end-users. This reduces the time it takes for data to travel between the server and the user, improving the loading speed of web pages and other content.
Traffic distribution: A CDN distributes traffic load across multiple servers, preventing a single server from being overloaded, which can lead to outages or slowdowns.
Performance improvement: By caching copies of content at different locations around the world, a CDN can provide faster access to data and improve overall website or application performance.
Enhanced security: The CDN helps mitigate Distributed Denial of Service (DDoS) attacks by spreading malicious traffic across multiple servers, preventing a single target from being overwhelmed.
High availability and redundancy: In the event of a server failure, the CDN can redirect traffic to another operational server, ensuring continuous service availability.
Bandwidth optimization: By using compression and caching techniques, the CDN can reduce the amount of bandwidth used and associated costs for content providers.
Procaryote ensures a strict separation between production and non-production environments to reduce the risk of unauthorized access or modifications to the operational environment. The production environment is isolated in a dedicated network. Procaryote’s non-production environments are used for development, testing, and staging of releases before they are deployed to production. There is no testing with production data.
Procaryote has implemented detection, prevention, and recovery controls to protect its systems and data against malware (such as viruses, spyware, and ransomware). Procaryote’s internet connection and internal network are secured with a powerful firewall. The WiFi network is password protected, and guests use a separate WiFi network. To prevent the modification or misuse of Procaryote’s assets, conflicting tasks or responsibilities are performed by different people. When this is impossible due to Procaryote’s limited size, other measures (such as monitoring or supervision) are taken.
Procaryote uses encryption to protect confidential and sensitive information at rest and in transit.
Procaryote has implemented physical security controls appropriate to the risk level posed by the information held and the nature of operations in Procaryote’s offices. Procaryote’s offices are located in a building with access restricted to holders of access credentials issued after a formal approval process. Procaryote’s offices and meeting rooms are reserved for staff who need access to these areas to perform their functions. Staff access credentials are revoked when they are no longer needed, including within one business day following a role change or departure of the relevant staff. Paper copies of records are stored in a locked cabinet. Visitors are escorted in all non-public areas and are never left unattended. Fire alarms and extinguishers are checked at regular intervals, and access to them is kept clear.
Procaryote ensures that documents and devices containing or potentially containing personal data or other sensitive information are securely destroyed so that personal data or sensitive information cannot be retrieved by an unauthorized person. All paper copies, credit cards, and CD/DVD-ROMs that are no longer needed are shredded in the office. Hardware devices are securely wiped and stored in a secure location before being collected by a nationally recognized hardware destruction company for recycling or destruction.
Procaryote requires internal and external staff, systems, and services (cloud) holding confidential or sensitive information to set strong passwords and, where possible, enable multi-factor authentication. Two-factor authentication is required for systems holding sensitive and confidential information. Passwords are stored in an encrypted/hashed manner and separated from other data, and login information is transmitted in an encrypted manner.
Access to databases containing personal data and documents containing sensitive data is granted on a need-to-know/use basis only. All staff with access to these databases or sensitive documents are bound by confidentiality and security obligations. Logical access lists are reviewed regularly, based on information classification. User access rights are reviewed quarterly. Access to Procaryote’s systems is revoked within one business day after the departure of an employee or contractor. Procaryote maintains a log of all connections to its databases.
Organizational measures refer to the policies, standard procedures, and audits that Procaryote implements to ensure consistency in the protection of personal data throughout the processing lifecycle.
Procaryote’s Information Security Management System (ISMS) is a set of policies and procedures intended to protect personal and sensitive data. It covers all people, systems, and processes of Procaryote, including employees, customers, suppliers, and third parties. Its goal is to ensure information security and continuity and to limit the impact of security incidents.
The ISMS is managed by a dedicated security team under the direction of the security officer. Procaryote monitors and updates the ISMS annually to reflect organizational, technological, and legislative changes. A formal security policy, approved by senior management, ensures compliance and the effectiveness of security controls.
Procaryote maintains a documented Business Continuity and Disaster Recovery Policy. Our policy and plans include:
Clearly defined roles and responsibilities;
Recovery Point Objectives (RPOs);
Recovery Time Objectives (RTOs); and
A backup policy.
Procaryote reviews and updates its Business Continuity and Disaster Recovery Policy and Plans at least once a year. Backups are tested monthly.
Procaryote has developed and maintains an Incident Management Process to be used in the event of an actual or suspected data breach or other security incident. It defines clear roles and responsibilities, reporting mechanisms, and procedures for classifying, containing, and recovering from the incident. It also includes procedures for required notifications to relevant authorities and affected individuals and mechanisms designed to prevent similar incidents in the future.
Procaryote’s Software Development Process includes principles and rules regarding source code storage, source code review, and the rules and principles applied to the design and engineering of systems, networks, and infrastructures. Network/system architecture and designs are always peer-reviewed, and any changes to Procaryote’s architecture/system are first tested and released in Procaryote’s staging environment before being applied to the production environment. Security is designed to allow for the regular adoption of new technologies, including a secure and logical technology upgrade process.
Procaryote undergoes regular audits by internal and external security teams. Internally, Procaryote regularly conducts risk assessments under the responsibility of the Risk Manager. Procaryote also conducts unannounced audits and phishing exercises targeting its staff. At least once every three years or after a major change in Procaryote’s architecture/infrastructure, Procaryote is also subject to external penetration tests by a nationally recognized security company.
Procaryote has a Data Protection Officer (DPO) who reports directly to the management team. This DPO has combined experience in law, technology, and the healthcare sector. The DPO’s responsibilities at Procaryote include:
Informing and advising Procaryote and its employees about their legal data protection obligations.
Collaborating with the internal Privacy Officer on privacy matters.
Monitoring Procaryote’s compliance with all data protection legislation, including through audits, awareness activities, and training for staff involved in data processing.
Providing advice when carrying out Data Protection Impact Assessments and monitoring their implementation.
Acting as a point of contact for individuals regarding the processing of their personal data and exercising their rights.
Cooperating with Data Protection Authorities (DPAs) and serving as a contact point for these authorities on matters related to data processing.
This framework ensures that Procaryote maintains the highest standards in data protection and respects individuals’ rights.
All Procaryote employees and, where applicable, contractors receive appropriate training and awareness updates on organizational policies and procedures based on their roles. In addition to these mandatory training sessions, Procaryote offers its staff additional training resources, including extra security readings and hackathons.
Procaryote conducts due diligence checks on all new hires and third-party contractors who have access to the company’s systems and information. All employees and contractors are bound by confidentiality obligations, which remain in effect even after their employment or engagement ends. Procaryote enforces a strict disciplinary procedure for any violations by staff of their security and confidentiality obligations.
Procaryote has established various policies and procedures to ensure effective protection of its information and assets. These include:
Information Classification Policy: Defines information sensitivity levels and appropriate protection measures.
Information Retention Policy: Specifies data retention periods and secure destruction procedures.
Access Control Policy: Regulates access to systems and information based on roles and responsibilities.
Cryptography Policy: Governs the use of encryption techniques to protect sensitive data.
Password Policy: Details the requirements for creating and managing passwords to ensure their robustness.
Mobile Device Policy: Regulates the use of mobile devices to access company information.
Code of Conduct: Covers additional security aspects such as remote working, use of personal devices, email, and file sharing.
Each policy is reviewed at least once a year to ensure it remains up-to-date and effective against new threats and regulatory requirements.
This document is the latest version according to the version list below. We regularly review this document to ensure it is up-to-date, and we may modify it over time to reflect changes in our services and data processing activities. If we do so, we will publish the updated security measures on this web page. Please check these Security Measures for any changes, as any revised version of the security measures will apply to all personal data processed by Procaryote.
V1.0 - April 10, 2021: First version.
To communicate with Procaryote about these security measures, please send an email to security@procaryote.com.