HUNT Cloud - Security and Compliance
We are committed to international excellence in privacy and information security
We believe that trust from data donors is the single most valuable asset in biomedical research. We are therefore proud to be the first academic research cloud in Norway with third-party certified management systems for both quality and information security. We are also proud to work with data controllers that expect such strict independent verification, both to ensure their commitment to research participants' privacy and to ensure their compliance with laws and regulations.
You retain ownership of data that are uploaded to and generated in HUNT Cloud. This is regulated in Data Processor Agreements (databehandleravtaler) between the organization that controls the data and HUNT Cloud. These agreements include access to system documentation and risk evaluations, as well as the right (and expectation) to conduct regular audits to confirm compliance with system expectations.
HUNT Cloud enables data controllers and researchers to comply with acts and regulations that govern privacy and information security, such as The Personal Data Act (Personopplysningsloven), The Health Research Act (Helseforskningsloven), The Health Registry Act (Helseregisterloven), The Health Personnel Act (Helsepersonelloven), and the EU General Data Protection Regulation (GDPR).
Independent third-party certifications
We undergo two independent third-party audits on a regular basis, for our information security management system (ISO 27001) and our quality management system (ISO 9001). For each one, an independent auditor examines our data center, infrastructure, services and operations. This helps data controllers and regulators confirm that our services meet strict security and compliance needs.
ISO 9001. Our compliance with the international standard in quality management «ISO 9001» is certified by Kiwa, Norway.
ISO 27001. «ISO 27001» is one of the most widely recognized and accepted independent security standards. Our compliance is certified by Nemko, Norway. The international standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system. This standard helps you, your data controllers, and regulators confirm that our operations meet strict security and compliance requirements.
We also maintain self-assessed statements of applicability for «ISO 27017», which covers cloud security, and «ISO 27018», which covers personally identifiable information in public clouds. We likewise maintain self-assessed statements of applicability for the Norwegian «Norm for informasjonssikkerhet» and Subpart C of «HIPAA».
We welcome audits from data controllers and research leaders to ensure compliance with your expectations.
We strive to provide elegant and easy-to-use security controls for optimal user compliance. Our role model is «safe drinking water», which you may enjoy with instant access without thinking too much about the purification process. We therefore allow for an initial installation of «water pipes» as long as you may enjoy subsequent instant access without thinking too much about the security controls.
Key security controls
HUNT Cloud ensures that research information is protected by an extensive list of 121 information security controls that apply to us. This list includes important controls such as:
Encrypted communication: Access from the outside is only allowed through encrypted tunnels (VPN) to provide confidentiality of information.
Restricted communication: Access is restricted, using firewalls, to the communication agreed upon by data controllers and lab owners.
Unique users: Each user has unique credentials to ensure one person per login.
Two-step verification: Users are required to enter a verification code in addition to their user name and password to log in.
Private networks: Research projects are logically isolated from each other's network communication.
Private storage: Research projects are logically isolated from each other's data, even when it is stored on the same physical server.
Data residency: All data is located in Norway.
Please contact us for further information on our security and compliance.