SaaS vs. COTS

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Unlike COTS solutions, SIMCO's CERDAAC is software that is offered as a service (SaaS). This offers several advantages. It does not require on-site software or IT support, as the complete system is managed by SIMCO and can be accessed from any Internet-connected computer with a standard web browser. No up-front capital purchase of hardware or software is required; SIMCO customers simply pay a monthly fee as they use the system. SIMCO software and customer data are maintained at two secure facilities and backed up daily to ensure continuity of service. Life science customers have the added benefit of a system that is already validated and compliant with FDA 21 CFR Parts 11 and 820. COTS solutions, by contrast, typically require on-site hardware, software, installation, system validation, backups, maintenance and periodic upgrades, resulting in increased program costs and a serious distraction from the customer's core business.

Security

Explain the level of data encryption used for protecting CERDAAC transactions, as well as any additional security precautions.

SIMCO's security procedures and policies are continually audited by thousands of customers and are fully compliant with the most stringent regulatory requirements, including life science and nuclear industry requirements. The following security provisions are a few among the many SIMCO employs:

Application Security
- Configurable password policies and security questions
- Session timeout settings
- User activity audit log recording authorized access and break-in attempts
- Team-based data sharing policies
- IP address range blocking
- Single sign-on and LDAP access control
- Field-level data encryption
Physical Security
- Data center access limited to data center technicians
- Biometric scanning for controlled data center access
- Security camera monitoring at all data center locations
- 24x7 on-site staff providing additional protection against unauthorized entry
- Unmarked facilities to help maintain a low profile
- Physical security audited by an independent firm
- Uninterruptible power supply and generator backup

System Security
- System installation using a hardened, patched OS
- Ongoing system patching to provide continued protection
- Dedicated firewall and VPN providing port-level security
- Managed backup solution
- Dedicated intrusion detection devices providing an additional layer of protection against unauthorized system access
- Distributed Denial of Service (DDoS) mitigation

Privacy

What is SIMCO's privacy policy?

Because we gather important information from our customers, SIMCO has established a privacy policy as a means to communicate our commitment to ensuring the privacy of customer data. We do not share, distribute, or reference any specific customer data to any third party except as may be required by law, and then not without prior written notice, in order to give the customer adequate time to object to such disclosure or seek a protective order. SIMCO may use and access customer data for purposes including, but not limited to: resolving or diagnosing technical problems or support issues, administering or managing the service, improving the service, training employees, and ensuring or checking compliance with the terms and conditions of our privacy policy and applicable law. SIMCO reserves the right to modify its privacy statement from time to time, with prior written notice of any such modifications.
Authentication and Virus Protection

Describe CERDAAC's authentication and virus protection methods.

SIMCO uses both server authentication and data encryption to protect customer data and restrict access. Our servers use Secure Sockets Layer (SSL) authentication with Triple Data Encryption Standard (3DES) encryption, which this document describes as 128-bit. Note for practitioners: 3DES uses a 168-bit key with about 112 bits of effective strength, so the "128-bit" figure does not describe 3DES itself; SSL (RFC 7568) and 3DES (NIST SP 800-131A) have both since been deprecated, and customers should confirm the TLS versions and cipher suites currently in use with SIMCO. Our security infrastructure also includes an advanced security method based on dynamic data and encoded session identifiers. Employee laptops and workstations are often the most vulnerable point in an enterprise network. Data stored on an employee laptop or desktop computer is less likely to be backed up and more likely to be corrupted, lost or stolen. With SIMCO's solution, all customer data is maintained on secure SIMCO servers and backed up on a daily basis. SIMCO provides each user with a unique username and password that must be entered each time they log in. The password policy is configurable to each customer's needs. Each user's ability to view and edit data can be restricted based on their role in the organization. SIMCO does not require any software to be installed on the customer's servers or PCs. There are no executable programs to be downloaded; therefore virus detection is not required as part of SIMCO's offering. We do recommend, however, that users keep their browsers patched and have an updated anti-virus solution running on their machines at all times.

Backup and Continuity Plan

What are SIMCO's backup procedures and business continuity plans?

Backup

All customer data is backed up to a Network Attached Storage (NAS) device on SIMCO servers in two secure data centers. Backups occur daily. These backups are retained on a rotating schedule so that 7 daily, 4 weekly, 12 monthly, and up to 10 yearly backups are available in case a restore is required.
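The retention schedule above (7 daily, 4 weekly, 12 monthly, 10 yearly) is a grandfather-father-son rotation. The following Python is an added illustration of how such a schedule selects which daily backups survive; it is not SIMCO's code, and its conventions (the weekly backup is the newest one in each ISO week, the monthly the newest in each calendar month, and so on) are assumptions that a real implementation would set to its own policy.

```python
"""Grandfather-father-son (GFS) backup retention, as an added example.

Not SIMCO's code. Given one backup per day, keep the newest `daily`
backups, plus the newest backup in each of the newest `weekly` ISO
weeks, `monthly` calendar months and `yearly` calendar years; everything
else is eligible for deletion. The bucket conventions are assumptions.
"""
from datetime import date, timedelta

# Retention counts from the document: 7 daily, 4 weekly, 12 monthly, 10 yearly.
DAILY, WEEKLY, MONTHLY, YEARLY = 7, 4, 12, 10


def select_retained(backups, today, daily=DAILY, weekly=WEEKLY,
                    monthly=MONTHLY, yearly=YEARLY):
    """Return the set of backup dates that the schedule keeps.

    backups: iterable of date objects (one per successful daily backup).
    today:   reference date; backups dated after it are ignored.
    """
    dates = sorted({d for d in backups if d <= today}, reverse=True)
    keep = set(dates[:daily])                      # newest N daily backups

    def newest_per_bucket(key, limit):
        # Walk newest-first, so the first date seen in a bucket is its newest.
        seen = {}
        for d in dates:
            k = key(d)
            if k not in seen:
                seen[k] = d
            if len(seen) > limit:                 # enough buckets collected
                break
        return list(seen.values())[:limit]         # insertion order = newest first

    keep.update(newest_per_bucket(lambda d: d.isocalendar()[:2], weekly))
    keep.update(newest_per_bucket(lambda d: (d.year, d.month), monthly))
    keep.update(newest_per_bucket(lambda d: d.year, yearly))
    return keep


def prune_plan(backups, today):
    """Split backups into (keep, delete), each sorted oldest-first."""
    backups = {d for d in backups if d <= today}
    keep = select_retained(backups, today)
    return sorted(keep), sorted(backups - keep)


def sample_backups(today=date(2024, 3, 15), days=400):
    """Constructed sample input: one backup per day for `days` days ending today."""
    return [today - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    today = date(2024, 3, 15)
    keep, delete = prune_plan(sample_backups(today), today)
    print(f"keep {len(keep)} of {len(keep) + len(delete)} backups")
    for d in keep:
        print(d.isoformat())
```

With 400 consecutive daily backups ending 2024-03-15 the plan keeps 20: the seven days 2024-03-09 to 2024-03-15, the week-end backups 2024-03-03 and 2024-02-25, and the month-end backups from 2023-04-30 through 2024-02-29; the yearly slots (2024-03-15 and 2023-12-31) are already covered. Changing the bucket keys is the only thing needed to move from ISO weeks to, say, weeks ending on a fixed weekday.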
Disaster Recovery

SIMCO has a documented and validated disaster recovery process. The process anticipates multiple types of system failure and recovery at the application, database, network and facility levels. To ensure continuity of service, SIMCO maintains two separate, secure and mirrored systems. In the worst case of a complete facility disaster, SIMCO's SaaS solution will fail over to the second system (located at a different data center). We expect the associated Domain Name System (DNS) change to take 30-60 minutes to propagate throughout the Internet; in practice this interval is bounded by the record's time-to-live (TTL) plus any caching by intermediate resolvers. The fail-over system is set to read-only so that customers can access their data while avoiding the synchronization and write-back conflicts that would otherwise occur when the primary system is restored.

Upgrades and Downtime

What is SIMCO's approach and policy regarding upgrades? How is system downtime handled?

SIMCO regularly updates CERDAAC with new capabilities. These updates are managed entirely by SIMCO without burdening the customer's IT organization. SIMCO customers do not need to cling to outdated software or plan for expensive system upgrades. They can also expect superior customer support because every customer is running the same version of the software, located in SIMCO's secure facilities; there is never a need for SIMCO to duplicate the customer's environment before diagnosing and resolving customer issues. SIMCO also offers a validated version of CERDAAC for life science customers. This version is compliant with the most stringent FDA guidelines (21 CFR Parts 11 and 820). All software updates go through multiple stages of testing and validation prior to being introduced to customers. Updates are performed outside of normal business hours (in the continental U.S.). Once an update is made available, it is immediately available to all SIMCO customers, which accelerates the discovery and resolution of any remaining bugs.
Integration

Is the current solution able to integrate with existing software? If so, please specify.

CERDAAC provides a full Representational State Transfer (REST) and Web Services based Application Programming Interface (API) for programmatic integration with other systems. SIMCO's software also exposes Java and JavaScript class access, making the data model appropriately available to third-party integration. By leveraging these well-established industry standards, SIMCO has successfully integrated with numerous client applications and databases.

Data Ownership

Does SIMCO own my data?

SIMCO Electronics does not own your data; you do. SIMCO ensures that your data is safe, secure and available. You have the ability to export your data from SIMCO's servers at your convenience.

Disclaimer: The information in this document applies to CERDAAC 4.0 and later. Parts of this document do not apply to earlier versions of CERDAAC or to SIMCO Electronics' internal software systems.