COMPLIANCE WHITE PAPER

Table of contents

Introduction

I. PRIVACY AND SECURITY ON THE SEVEN BRIDGES PLATFORM

II. A HIPAA COMPLIANT PLATFORM FOR ALL CLIENTS

III. ISO/IEC 27001:2013 compliance

ISO/IEC 27001:2013 is part of the ISO/IEC 27000 family of international information security standards, backed up by third-party audits and certification by an accredited certification body. The standard mandates a rigorous, risk-based approach to information security while offering organizations flexibility to tailor their controls to their operating environment and risk profile. While ISO certification is not required by law or regulation, it provide clients assurance that our information security management system has been evaluated by a trusted third party and found to meet the highest industry-agnostic certifiable information security standard in the world.

An ISO 27001 certificate (and the audit process it is based on) is limited to a defined scope, setting out what information systems are covered. As you’ll see on our ISO certificate, we defined our scope broadly to ensure our clients’ information is protected:

The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting cloud-based environments and related information systems owned or operated by Seven Bridges for the management of its own information assets and those of its clients and business partners, in accordance with the statement of applicability version 1.2, dated July 14, 2017.

On this basis, our information security team conducts regular risk assessments and maintains a risk register identifying a wide range of risks to in-scope information systems and mapping out technical and organizational controls mitigating those risks. The controls are largely selected from Annex A to the ISO 27001 standard, which lists out 114 controls broken out into 35 control categories, covering everything from cryptography and secure development to employment practices and vendor management. The overall risk profile is subject to review by executive management and the entire system is subject to regular internal audits as well as annual external audits by a third-party accredited certification body.

Our ISO certificate is publicly available on the website of our third-party accredited certification body at https://www.schellman.com/certificate-directory?certificateNumber=1361153-3 .

The EU data protection regime

While the United States prefers to protect privacy rights through industry-specific rules such as HIPAA, jurisdictions such as the European Union have taken a more comprehensive approach to the protection of personal data. Seven Bridges stands ready to ensure our  clients can use our platform in full compliance with local data protection laws. Below we outline our compliance with European data protection laws, as the EU has developed a data protection regime that provides an optimal framework for key privacy and security considerations .

The foundation of the European data protection regime is the General Data Protection Regulation (GDPR),  which lays out a detailed set of obligations  intended to unify the data protection laws of European countries and reinforce commitments to European data subject privacy by strengthening the rights of citizens with regards to their personal data.

Key roles under the GDPR

There are four key actors that one should consider when thinking about GDPR compliance: data subjects, data controllers, data processors, and supervisory authorities. Data subjects are those persons from which personal data is collected. Personal data is defined in Article 4(1) of the regulation as “any information relating to an identified or identifiable natural person.” This broad definition means that personal data can be anything from genetic information to a government-issued unique identifier.

Most obligations outlined in the GDPR are directed at data controllers and data processors. The data controller determines the purpose of the processing of the personal data, with “processing” being broadly defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.” Data processors, on the other hand, process the personal data at the direction of the data controller and do not make any decisions whatsoever about the purpose of processing.

The supervisory authorities defined in the GDPR are represented in the form of each member state’s Data Protection Authority (DPA). DPAs have a broad set of responsibilities that allow them to monitor and correct the activities of data controllers and data processors. They are also the primary points of contact when a Data Subject wants to escalate a grievance against a data controller or data processor.

Seven Bridges operates as both a Data Processor and a Data Controller.

As Data Processor:

• We process genomic data at the direction of our clients – the Data Controllers

for the genomic data.

As Data Controller, we collect the following types of information:

• Platform registration information (e.g. login, email address, phone number)
• Platform user activity
• Datasets we make available to our users

Compliance as Data Processor

Seven Bridges works with all of its clients to determine if the service provider agreements it enters into with its clients necessitate key contractual provisions mandated by the GDPR. Specifically, where Seven Bridges (data processor) or the client (data controller) believe Seven Bridges is processing EU citizen data on behalf of the client, the following provisions are included in our service provider agreements:

• Description of processing
• Documented instructions for the data processor
• Confidentiality guarantees from the data processors
• Guarantee from the data processor to implement appropriate technical and organizational measures for security
• An authorization to use subprocessors/subcontractors where necessary
• A guarantee to flowdown any obligations of data processor to subprocessors
• A subcontracting liability clause
• A commitment to assist the data controller with any requests from Data Subjects
• A commitment to assist the data controller with responding to data breaches
• A commitment to assist the data controller with Data Protection Impact Assessments as necessary
• Outlines of policies for data deletion and data returns
• Data controller audit rights
• A commitment to only initiate international transfers outside of the European Economic Area at the request of the data controller

The technical security measures we mention in this white paper (and our Security White Paper), written data access protocols, and standard operating procedures for responding to compromised systems all allow us to comply with the contractual provisions listed above. All of our subprocessors undergo thorough reviews by our legal, privacy, and security teams to ensure they employ practices and systems that meet the same standards that Seven Bridges uses to fulfill our obligations to clients for which we are a data processor.

Seven Bridges’ GDPR Sub-processors

Just like researchers use the Seven Bridges platform to discover more from genomic and clinical data, Seven Bridges in turn makes use of third-party services to operate our platform. This page provides important information about the identity, location and role of each sub-processor we use, in compliance with our obligations under Article 28 of the European Union’s General Data Protection Regulation (“GDPR”).

In the course of our service delivery, Seven Bridges may process some of your personal data using one of these sub-processors.

Seven Bridges has an established vendor management program in place which means that before engaging with these vendors, due diligence is performed to analyze their privacy, security and compliance practices to ensure that it meets Seven Bridges standards, as well as the requirements of applicable regulations including GDPR .

Below is the list of the third-party sub-processors that Seven Bridges uses:

Compliance as Data Controller

For Platform user data, Seven Bridges uses the Privacy Policy available on our website to inform users about a) the types of personal data we may collect from them, b) what we do with that data (type of processing), and c) the legal basis for processing of the data. Because Seven Bridges determines the purpose of platform user data, we are the data controller for such data. Similarly, we issue privacy notices to our employees in the European Economic Area to let them know the types of data we may need to collect from them and process in order to carry out the terms of their employment contracts.

As data controllers, we employ the same security and organizational measures that we employee in the services of our clients; however, we also take some additional steps to ensure we are complying with any additional obligations the GDPR places on data controllers. For example, we conduct internal Data Protection Impact Assessments of our own on any data in our data inventory for which we believe we are the data controller. We also are refining our procedures for communicating directly with Data Protection Authorities or other supervisory entities should we need to respond to an inquiry as data controller.

International Transfers

Transfers of European citizen data outside of the European Economic Area (EEA) require a legal mechanism accepted and approved by the European Commission. Under the General Data Protection Regulation’s predecessor, the European Directive 95/46/EC, the European Commission was granted the right to approve what have become known as the EU Model Clauses as one such mechanism. Seven Bridges includes the EU Model Clauses in contracts governing its processing of data that it transfers outside of the EEA. We have also self-validated as a requirement of the EU-U.S. Privacy Shield since 2016 for data transfers from the EEA to the United States.

The EU Model Clauses

Article 26 of the Data Protection Directive empowers the European Commission to approve model contract clauses which are deemed to provide adequate protection for transferred data by imposing requirements on all parties ensuring compliance with the key requirements of the Directive. The EU’s Information Commissioner has promulgated two sets of model clauses pursuant to this authority, one covering transfers between data controllers and one covering transfers from a data controller to a data processor which will process that data on behalf of the controller.

The clauses include requirements identical to those Seven Bridges puts into its service provider agreements with those clients for which it is processing EU citizen data. Importantly, the clauses also allow individual data subjects to enforce those clauses which are intended to protect their data, a right of enforcement that extends to the data exporter, the data importer, and any subprocessor. The data importer is also required to inform the exporter of any disclosure of data which may be compelled by law as well as any laws applicable to it which may have a substantial adverse effect on its ability to carry out its obligations under the model clauses.

Seven Bridges stands ready to include the model contract clauses in any agreement with EU-based clients in order to help them meet their data protection obligations. We have already agreed to data processing addendums with our subprocessors–including our cloud infrastructure providers–which include the model clauses and allow us to ensure subprocessor compliance where international transfers are necessary.

The EU-U.S. Privacy Shield

While U.S. law in and of itself is not deemed to provide “adequate” protection in the case of international transfers, there are other mechanisms by which adequate protection for transferred data may nonetheless be achieved. The most robust and commonly accepted of these is the EU-U.S. Privacy Shield framework, of which Seven Bridges is a member. Privacy Shield replaced the Safe Harbor framework, which the European Court of Justice invalidated in 2015 over concerns of U.S. government access to corporate data.

As participants in Privacy Shield, we are required to clearly describe how we collect and process data in our Privacy Policy as well as adhere to the Privacy Shield Principles, which echo the requirements of the General Data Protection Regulation.Any EU data subject can file a complaint directly with our Data Protection Office, which must respond within 45 days. They may also pursue the matter through their national Data Protection Authority, or through Seven Bridges’ identified independent recourse mechanism, the Better Business Bureau. Binding arbitration may also be available. Companies who fail to honor their obligations under Privacy Shield may incur a range of penalties under law.

Seven Bridges’ participation in Privacy Shield is overseen by the International Trade Administration of the United States Department of Commerce. To verify our Privacy Shield participation and learn more about our privacy practices, please see our public Privacy Shield registration page.

The Privacy Shield Principles and Seven Bridges

At Seven Bridges, we believe the Privacy Shield Principles represent a common sense approach to the stewardship of personal data and we take our commitment to abide by them quite seriously. We comply with each of the Principles in the following ways:

• Notice: The Notice principle requires notice of what personal data we collect and how we use it. We provide notice to our users via a Privacy Policy, available at https://www.sbgenomics.com/privacy-policy/.

• Choice: The Choice principle requires us to allow data subjects to opt out of use or transfer of their data that is inconsistent with the purpose for which it was collected. We comply with this Principle by providing users with fine-grained controls on how their data is shared with other users and by only using user information to provide and improve our service.

• Onward Transfer: The Onward Transfer principle requires us to abide by the Notice and Choice principles when transferring data to third parties, and to ensure that these parties themselves have adequate privacy protections. We comply with this principle by only providing data to third parties for the purpose of providing and improving our service, by noting in our Privacy Policy when data may be provided to third parties, and by vetting third parties’ privacy and security protections before entrusting them with data.

• Security: The Security principle requires us to implement procedures and technical protections to ensure data is kept secure. We comply with this principle through the measures described in this white paper and the Seven Bridges Security White Paper.

• Data Integrity: The Data Integrity principle requires us to ensure that the data we keep is relevant, accurate, current, and generally adequate for the purposes for which it was collected. We comply with this principle by keeping the data we collect on users to the minimum necessary to provide and improve our service.

• Access: The Access principle requires us to provide data subjects with reasonable access to the data we have collected. In our Privacy Policy, we describe how users can access the data they have submitted to us. Access requests for other data we may have collected (for instance, via the sales process) or requests for access by non-user data subjects may be directed to dpo@sbgenomics.com.

• Enforcement: While the Privacy Shield Framework encourages data subjects to resolve disputes directly with participating companies, it recognizes that sometimes a third party needs to step in. This principle requires us to arrange for such a third party to provide an independent dispute resolution mechanism for privacy complaints. To meet this requirement, we have turned to the Better Business Bureau’s Privacy Shield Dispute Resolution Program, which you can learn more about at http://www.bbb.org/EU-privacy-shield/.

Our Data Protection Office

Further questions about our privacy and data protection practices should be directed to our Data Protection Officer at dpo@sbgenomics.com. Our team, which holds CIPM and CIPP/E certifications from the International Association of Privacy Professionals is trained to assist you with a range of topics.

What dbGaP Security Best Practices are and who they apply to

The dbGaP Security Best Practices are a set of requirements that must be met by researchers who use the “controlled-access” tier of datasets included in the database of Genotypes and Phenotypes (dbGaP).

Researchers wishing to analyze controlled-access human genomic and phenotypic data in NIH-designated repositories governed by the NIH Genomic Data Sharing Policy (such as TCGA) are required to enter into Data Use Certification (DUC) Agreements with the NIH setting out the conditions under which they are allowed to access, store, and use the data in these databases. These conditions include adhering to a security plan that meets the requirements of the Security Best Practices, which set out general requirements for securely working with sensitive genetic data. The latest update to the Security Best Practices, published in March 2015, also specifically addresses security concerns particular to working in the cloud.

The dbGaP Security Best Practices are available at https://osp.od.nih.gov/wp-content/uploads/NIH_Best_Practices_for_Controlled-Access_Data_Subject_to_the_NIH_GDS_Policy.pdf.

Before using the Seven Bridges Platform to store or analyze controlled-access data, researchers should update their Data Access Request to specifically indicate the use of the Seven Bridges Platform as a cloud computing service. While the institution retains ultimate responsibility for information security in cloud environments, features of the Seven Bridges Platform can facilitate compliance with security requirements. The following information is meant to provide guidance for how the Seven Bridges Platform can facilitate secure and compliant use of controlled-access data in the cloud.

dbGaP security compliance at a glance

Implementing dbGaP Security Best Practices using the Seven Bridges Platform

The Seven Bridges Platform allows for easy compliance with all relevant dbGaP standards.

The Best Practices document provides guidance for individuals in the following roles: scientific staff making use of the data, and IT staff setting up the necessary computing infrastructure. Each section also contains a subsection on using cloud computing resources like the Seven Bridges Platform. The Seven Bridges Platform meets or exceeds all the standards for working with controlled data in cloud-based environments.

Best practices for scientific staff

The section of Best Practices directed at scientific staff emphasizes the importance of establishing a formal security plan to control access to and use of data. While the Best Practices rightly emphasize that setting up a security plan is the responsibility of researchers and their institutions, the Seven Bridges Platform has a number of features which actively guide users toward creating a compliant security plan.

The Best Practices emphasize that security should be “on by default”, and be built on a strong foundation of access controls and accountability. On the Seven Bridges Platform, both are the case.

A user’s data is private by default, and fine-grained access controls allow users to grant their collaborators the minimum permissions necessary for their roles. Individual users are required to set up their own strong passwords and all activities are logged, allowing for accountability. Storing your data on the Seven Bridges Platform also makes it easy to avoid the use of portable media, which the Best Practices discourage, and delete all the data as required at the end of your project.

Best practices for IT staff

The section of the Best Practices directed at IT staff contains more detailed recommendations for technical security controls. The Seven Bridges Platform supports all of the recommended controls.

While most are Platform defaults — IT staff get them “automatically” — the rest are easily enabled on an as-needed basis.

The first set of recommendations for IT staff consist of general guidelines. The Best Practices require that data not be posted publicly or available on the web, that external access to cloud instances and storage be restricted, and that software patches be up to date, all of which is handled automatically by the Seven Bridges Platform. Seven Bridges also makes it easy to set strong passwords.

The next set of recommendations deal with physical security and controls for servers, and again, Seven Bridges meets them all. On the Platform, your data is stored and processed in cloud provider data centers with state-of-the-art physical security protections. The required server controls are implemented by Seven Bridges, including enforcement of the principle of Least Privilege on the process level, use of VPN for remote access to the production environment, and retention of data access controls throughout processing. Fine-grained access controls on the Seven Bridges Platform allow researchers to implement the principle of Least Privilege on the individual user level, restrict downloading of data and provide “view only” access as needed.

The final sets of recommendations deal with logging and destruction of data. The Seven Bridges Platform automatically logs all user activity, making it easy to keep track of copies of data and what is done with it. All logs are stored for a minimum of six (6) years. It also makes it easy to delete data, with all data automatically purged from all systems and backup copies destroyed within a week.

Cloud computing

As the advantage of of cloud computing for bioinformatics is now clear, the March 2015 version of the Best Practices for the first time included requirements and recommendations specific to users of cloud computing environments.

As with the general requirements, on the Seven Bridges Platform everything needed for complete compliance is already implemented for you, or ready to be enabled. All data transfer to and from the Platform is conducted over HTTPS exclusively. Inbound access to computational instances is restricted using Virtual Private Clouds, the security profile of these instances is configured to allow access only to the minimum set of ports required to provide necessary functionality for your services, administrative access is restricted to the minimum set of ports and source IP address ranges necessary, and the image specific security requirements are all met.

The user-and-project-specific access control features and extensive logging performed by the Seven Bridges Platform also make it easy to review Access Control Lists and logs of individual user activity. While the Seven Bridges Platform allows researchers to readily comply with dbGaP security policies, users retain ultimate control and responsibility for access to their projects and data.

Laboratory testing performed on specimens from humans for the purpose of diagnosis, prevention, or treatment of disease or assessment of health is governed by regulations issued by the Centers for Medicare & Medicaid Services under the authority of the Clinical Laboratory Improvement Amendments of 1988, as amended (“CLIA Regulations”).

The CLIA regulations establish quality standards for all laboratory testing to ensure the accuracy, reliability and timeliness of patient test results regardless of where the test was performed. They include quality standards for proficiency testing (PT), patient test management, quality control, personnel qualifications and quality assurance.

But while CLIA regulations set the baseline standard for clinical labs, many clinical labs instead choose to have their practices evaluated under more rigorous standards set by the College of American Pathologists (“CAP”), considered the gold standard for clinical laboratory practices. From a regulatory perspective, because CAP standards have been recognized as going above and beyond what is required by CLIA regulations, accreditation by CAP is formally “deemed” by CMS to certify compliance with CLIA regulations as well.

At Seven Bridges we have experience working with clients to ensure compliance with CAP and CLIA standards and are happy to assist labs in setting up compliant policies and procedures.

VII. FDA

Some of our clients may find that their use of the Platform is subject to U.S. Food and Drug Administration (FDA) regulations. In some cases this may be because data produced using the Platform will ultimately be submitted to the FDA, e.g. to support a new drug application, and so is subject to the FDA’s regulation regarding electronic records, 21 CFR Part 11. In other cases, the Platform may be used as part of processes subject to FDA quality systems regulations, bringing it within the scope of the FDA’s guidance on software quality and validation. For clients in these situations, the Platform is designed to allow clients to meet their compliance obligations.

21 CFR Part 11

The Platform has all the features necessary for clients to comply with the record-keeping requirements of 21 CFR Part 11:

• Development and Validation: The Platform is developed by trained software engineers under the guidance of expert bioinformaticians (§11.10(i)) in accordance with documented quality assurance procedures to ensure validation of system functionality (§11.10(a)).
• Pipeline Specification and Reproducibility: The Platform uses the Common Workflow Language to fully document all components and parameters of data analysis pipelines, allowing for verifiable validation of client pipelines, automatic enforcement of operational checks to ensure proper pipeline execution, and reproducibility of all data generated (§11.10(a), §11.10(b), and §11.10(f)).
• Data Storage: All client data is stored and transmitted in encrypted form, backed up regularly, and retained by default for a minimum of 6 years. Checksums are used to ensure integrity of data (§11.10(b), §11.10(c), and §11.30).
• Access Control: The Platform’s permissions system allows clients to limit access to the Platform to authorized and trained personnel, as well as exercise more fine-grained control over user permissions (such as allowing some users to access data but not alter it), further protecting data integrity (§11.10(d) and §11.10(i)).
• Authentication: User authentication can be accomplished using the Platform’s built-in authentication features or through integration with a client’s SSO solution using SAML2 (§11.10(g)).
• Auditability: Seven Bridges maintains audit trails that are available upon request (§11.10(e)). Finally, Platform documentation is available to all users online and version-controlled by Seven Bridges (§11.10(k)).

While the Platform currently does not support electronic signatures (§11.50-§11.300), in most cases records maintained on the Platform need not be signed under the predicate rules, and in any case signature requirements can be met through integration with other information systems or via a “hybrid” approach.

Quality System Regulation and Software Validation

Certain provisions of the Quality System regulation apply to the validation of:

• Software used as a component of a medical device;
• Software that is itself a medical device;
• Software used in the production of a device; and
• Software used in implementation of the device manufacturer’s quality system.

The FDA defines software validation as “confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled.” Seven Bridges has established software validation practices in line with recommendations referenced in the FDA’s General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0 (http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm085281.htm).

The FDA sees a documented user requirements specification defining a software’s “intended use” as one of the key elements of software validation. Seven Bridges’ Software Development Lifecycle (SDLC) documentation requires that all product and feature design documents include functional specifications describing how the proposed solution will meet user requirements (e.g. performance requirements, safety requirements, requirements dictated by the intended operating environments). Design specifications documents also include risk assessments.