HUNT Cloud - Security and Compliance

We are committed to international excellence in privacy and information security

We believe that trust from data donors is the single most valuable asset in biomedical research. We are therefore proud to be the first academic research cloud in Norway with third-party certified management systems for both quality and information security. We are also proud to work with data controllers that expect such strict independent verification, both to ensure their commitment to research participants' privacy and to ensure their compliance with laws and regulations.

Data ownership

You retain ownership of data that are uploaded to and generated in HUNT Cloud. This is regulated in Data Processor Agreements (databehandleravtaler) between the organization that controls the data and HUNT Cloud. This includes access to system documentation and risk evaluations, as well as the right (and expectation) to conduct regular audits to confirm compliance with system expectations.

Regulatory compliance

HUNT Cloud enables data controllers and researchers to become compliant with acts and regulations that govern privacy and information security, such as The Personal Data Act (Personopplysningsloven), The Health Research Act (Helseforskningsloven), The Health Registry Act (Helseregisterloven), The Health Personnel Act (Helsepersonelloven), and The Data Protection Directive from the EU (GDPR).

Independent third-party certifications

We undergo two independent third-party audits on a regular basis, for our information security and quality management systems (ISO 27001 and ISO 9001 respectively). For each one, an independent auditor examines our data center, infrastructure, services and operations. This helps data controllers and regulators confirm that our services meet strict security and compliance needs.

ISO 9001. Our compliance with the international standard in quality management «ISO 9001» is certified by Kiwa, Norway.

Click here to see our «ISO 9001:2015» certificate and scoping document

ISO 27001. «ISO 27001» is one of the most widely recognized and accepted independent security standards. Our compliance is certified by Nemko, Norway. The international standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system. This standard helps you, your data controllers, and regulators confirm that our operations meet strict security and compliance requirements.

Click here to see our «ISO 27001:2013» certificate and scope document

Self assessments

We maintain self-assessed statements of applicability for «ISO 27017», which covers cloud security, and «ISO 27018», which covers personally identifiable information in public clouds. We also maintain self-assessed statements of applicability for the Norwegian «Norm for informasjonssikkerhet» and Subpart C of «HIPAA».

Audits

We welcome audits from data controllers and research leaders to ensure compliance with your expectations.

Design Principle

We strive to provide elegant and easy-to-use security controls for optimal user compliance. Our role model is «safe drinking water», which you may enjoy with instant access without thinking too much about the purification process. We therefore allow for an initial installation of «water pipes», as long as you may enjoy subsequent instant access without thinking too much about the security controls.

Key security controls

HUNT Cloud ensures that research information is protected by an extensive list of 121 information security controls that are applicable to us. This list includes important controls such as:

Encrypted communication: Access from the outside is only allowed through encrypted tunnels (VPN), to provide confidentiality of information.

Restricted communication: Firewalls restrict access to the communication that has been agreed by data controllers and lab owners.

Unique users: Each user has unique credentials to ensure one person per login.

Two-step verification: Users are required to enter a verification code in addition to their user name and password to log in.

Private networks: Research projects are logically isolated from each other's network communication.

Private storage: Research projects are logically isolated from each other's data, even when the data are stored on the same physical server.

Data residency: All data is located in Norway.

Information

Please contact us for further information on our security and compliance.

Emergencies: Report data breach or data loss to soc@ntnu.no.

Contact: Feel free to send us an email at cloud@hunt.ntnu.no.