Security Overview

PhysioQ strives to meet the highest standards for data security, and ensure that your data collection and storage is set up to comply with all relevant laws, regulations, and best practices such as ICH-GCP, HIPAA, FDA 21 CFR Part 11, GDPR, ISO 27001, and ISO 9001. This document clarifies which measures have been taken in design and production of PhysioQ - in relation to data collection, storage, backup, security, and regulations that must be complied with when handling sensitive health-related data.
Security of the System/Application
- As a hosted solution, we regularly improve our system and update security patches. Non-critical system updates will be installed at predetermined times, while critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before implementing.

- All PhysioQ users are informed of new PhysioQ version rollouts, with information on changes and potential feature updates.
Vulnerability and Security Testing
- PhysioQ performs regular Vulnerability Assessments once a month. Additional internal security testing is performed on the testing environment before the code is merged into a master repository.
User Login and Session Security
- Two-step verification provides an extra layer of security designed to ensure that user accounts can only be accessed by those given explicit access.

- With our trusted device management, accounts are protected with extra steps when being accessed by a new device.
Application Password Management
- PhysioQ requires user passwords to conform with high-level password security to limit the possibility of brute-force attacks. Passwords cannot be recovered, as PhysioQ doesn’t store the original password (only an undecryptable version). Users are therefore required to create a new password if theirs is lost.

- PhysioQ’s password policy requires each user to create a password that must consist of at least 8 characters with at least one number, one capital letter, and one lower case letter.
User Permission and Roles
- PhysioQ utilizes various account permission settings to allow secure collaboration with other PhysioQ users on a project. Administrators can customize user rights and responsibilities, from principal investigators to research assistants, ensuring projects and data can only be accessed by those given explicit access.
Encrypted Data Transfer
- All data sent between PhysioQ users and the system is encrypted using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technologies. This keeps data secure while in transit and ensures it can only be interpreted by the intended parties.
How we limit PHI (Personal Health Information)
- Research participants have entrusted researchers with their data, and we believe in upholding that trust. We actively help researchers protect the confidentiality of participants, ensuring that all their data is anonymized before entering our system. Furthermore, no participant data is allowed to be collected without first having the researchers’ and participants’ consent.

- PhysioQ does not save the participants’ personal details. Instead, we create identification codes for your participants, which can be defined by the researcher. These IDs are anonymous and unalterable. They can also be automatically generated when a new participant is included. It is the researcher’s responsibility to keep a record of the participant IDs linked to personal data.  

- We advise all researchers not to store participant-identifiable information within PhysioQ, such as surnames, Social Security numbers, DOBs, and so on. The safest solution is to use the PhysioQ participant ID and to connect their computer to the participant data within their own network. This will ensure that participant information can never be traced back to a participant.
Data Center & Hardware (server security)
- AWS data centers are certified with a broad set of international and industry-specific standards such as ISO 9001 (Global Quality Standards), ISO 27001 (Security Management Controls), ISO 27017 (Cloud-Specific Controls), ISO 27018 (Personal Data Protection).

- All PhysioQ application and database servers are physically managed by Amazon Web Services (AWS) in highly secure data centers within the United States.
View all compliance certifications here

- All AWS data center facilities have 24/7 physical security and Network Operations Center monitoring.
Learn more about Amazon data center security here
Physical Security
- Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
Data Access and Server Management Security
- No third party has access to any data on AWS hosting services.

- Amazon does not access any of the data collected and stored on PhysioQ servers. As stated directly by AWS: “As a customer, you maintain ownership of your content, and you select which AWS services can process, store, and host your content. We do not access or use your content for any purpose without your consent. We never use customer content or derive information from it for marketing or advertising.”

- PhysioQ ensures strong encryption for your data while in transit and at rest.
View AWS Data Privacy policies

- Only select PhysioQ employees are able to access the server network.
Infrastructure and Environmental Safeguards
- All AWS data centers are equipped with components like back-up power equipment, HVAC systems, and fire suppression equipment. They are built to mitigate environmental risks, such as flooding, extreme weather, and seismic activity.
Data Storage & Backups
- PhysioQ primarily uses AWS data centers in both N. Virginia. All data is continuously replicated and backed up across multiple AWS locations across the US. All data is de-identified and encrypted while in transit and at rest.

- For long-term storage of data, PhysioQ uses AWS S3 Glacier, a secure and durable cloud storage service for data archiving and long-term backup. It is designed to deliver 99.999999999% durability and provides comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements.

- GCP prescribes that all medical data are stored for at least two years unless a longer period is required because of local regulations. PhysioQ stores all data for at least 3 years after your study finishes and allows you to easily export it at any time. If your local laws require longer storage, let us know and we will make sure your study complies with them.
System Availability
- PhysioQ runs on fully managed virtual private servers. All servers are continually and pro-actively monitored, and in the event of any emerging problems or downtime, action is immediately taken according to our standard operating procedures.
Continuity & Source Code Escrow
If anything unexpected should happen to PhysioQ, we want to minimize the impact on all users. We therefore provide coverage in both the short and the long term:

- Short term coverage through a continuity solution: Funds have been put aside to ensure hosting continues for at least 3 months for all users.

- Long term coverage through a Source Code Escrow: users have the option to become a beneficiary of the application source code in case of product discontinuation. The code can be deployed in your own environment, or our hosting provider can continue the services.
In the Event of an Incident
Disaster Recovery
- PhysioQ maintains real-time data stores mirrored across multiple geographic availability zones in AWS within the United States. In a disaster situation, the full PhysioQ platform will be recreated and available in a different availability zone within a day of the disaster declaration.
Incident Response
- PhysioQ incorporates the newest technologies for secure computing and data storage. However, data transmission over the internet and data storage can never be guaranteed 100% secure. As such, if a security breach should occur, we will do everything to inform you as soon as possible and minimize damage. A formal notice will contain the type of security breach the system was subject to and what measures have been taken to ensure minimal data breach. In addition, PhysioQ will inform all users of which actions to take to minimize any risk of inconvenience.