Security and Compliance

 

HUNT Cloud is committed to international excellence in privacy and information security!

Trust from research participants in our ability to maintain the privacy and security of their information is essential for all of our activities.

We are therefore proud to be the first academic research cloud in Norway with third-party certified management systems both for quality and information security.

We are also proud to work with data controllers that expect such strict independent verifications, both to ensure their commitment to research participants' privacy, and to ensure their compliance with acts and regulations.

Data ownership

Data controllers retain ownership over data that are uploaded and generated in HUNT Cloud. This is regulated in data processor agreements (databehandleravtaler) between the organization that controls the data and HUNT Cloud.

Regulatory compliance

HUNT Cloud enables data controllers and researchers to become compliant with acts and regulations that regulate privacy and information security, such as The Personal Data Act (Personopplysningsloven), The Personal Data Regulations (Personopplysningsforskriften), The Health Registry Act (Helseregisterloven), The Health Personnel Act (Helsepersonelloven), and The Data Protection Directive from the EU (GDPR).

Terms of use and accompanying responsibilities are regulated in data processor agreements, project agreements and user agreements. These include access to documentation and risk evaluations, as well as a right (and expectation) to conduct regular audits to confirm compliance with system expectations.

Independent third-party certifications

We undergo two independent third-party audits on a regular basis for our information security and quality management systems, ISO 27001 and ISO 9001 respectively.

For each one, an independent auditor examines our data center, infrastructure, services and operations. This helps data controllers and regulators to confirm that our services meet strict security and compliance needs.

ISO 27001 is one of the most widely recognized and accepted independent security standards. The standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system.

Our compliance with the international standard in information security management systems is certified by Nemko. Our ISO 27001 certificate and scoping document are available here.

Our compliance with the international standard in quality management is certified by Kiwa. Our ISO 9001 certificate and scoping document are available here.

Key security controls

HUNT Cloud ensures that research information is protected by an extensive list of 121 information security controls that are applicable to us. This list includes important controls such as:

Encrypted communication: Access from the outside is only allowed through encrypted tunnels (VPN) to provide confidentiality of information.

Restricted communication: Access is restricted, using firewalls, to communication that is agreed by data controllers and lab owners.

Unique users: Each user has unique credentials to ensure one person per login.

Two-step verification: Users are required to enter a verification code in addition to their user name and password to log in.

Private networks: Research projects are logically isolated from each other's network communication.

Private storage: Research projects are logically isolated from each other's data, even when it's stored on the same physical server.

Data residency: All data is located in Norway.

Information

Please contact us for further information on our security and compliance.