Google Cloud Infrastructure:
CRIO operates in a way that minimizes reliance on local assets, including office space, servers, hard drives, printers or filing cabinets. The CRIO application itself is hosted within the Google Cloud Platform infrastructure and follows industry-standard protocols to ensure availability and uptime.
Google’s extensive portfolio of security certifications offers significant benefits in terms of data security, regulatory compliance, and customer trust. Google Cloud is certified under a wide range of industry standards, ensuring that its infrastructure meets rigorous requirements for data privacy, security, and operational controls. These certifications provide reassurance that data hosted on Google Cloud adheres to industry best practices for protecting sensitive information and aligns with compliance standards across different regions and industries.
Google Cloud as the Industry Standard
Google regularly undergoes independent third-party audits that verify its security, privacy, and compliance controls against industry standards. Some of the key international standards that Google is audited against are:
- ISO 27001 (Information Security Management)
- ISO 27017 (Cloud Security)
- ISO 27018 (Cloud Privacy)
- ISO/IEC 27701 (Privacy – Data Processor)
- SOC 2 and SOC 3 reports
- NIST 800-53
- PCI DSS
- CSA STAR
- GxP
Google also participates in sector- and country-specific frameworks, such as FedRAMP (US government), BSI C5 (Germany), MTCS (Singapore), HIPAA (US government), IRAP (Australia), MeitY (India) and many others. Google also provides resource documents and mappings to frameworks and laws where formal certifications or attestations may not be required or applied.
For heavily regulated sectors such as healthcare and clinical research, these certifications are especially valuable. Google Cloud’s adherence to SOC and ISO standards simplifies compliance with frameworks like HIPAA, GDPR, and FedRAMP, which require strict data protection measures.
By using Google’s certified infrastructure, CRIO can focus on building and scaling its applications without needing to invest as heavily in duplicating compliance efforts at the infrastructure level. Instead, CRIO leverages Google’s controls to fulfill many compliance requirements.
In addition to the certifications Google maintains, CRIO has implemented robust internal controls to further strengthen our security posture. These additional controls include rigorous access management, regular internal audits, and ongoing monitoring processes to ensure that CRIO’s security standards meet or exceed those of its cloud provider.
Together, Google Cloud’s certified infrastructure and CRIO’s internal controls create a layered approach to security and compliance, giving customers confidence that their data is well-protected across both infrastructure and application layers.
Data Backup:
Our data is safeguarded through Google’s point-in-time recovery system. Restoration targets within the last 7 days can be specified to the second; targets older than 7 days can be restored at 12-hour intervals, and targets older than 90 days at 24-hour intervals. All data is backed up in the region where it was collected.
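As an added illustration (not CRIO’s or Google’s code), the following Python models the restore-point tiers described above and computes, for a chosen restore target, the latest available restore point and the window of data a restore to that point would not include. The inclusive 7-day and 90-day boundaries and the alignment of the 12-hour and 24-hour points to 00:00/12:00 UTC are assumptions, not statements from this page.

```python
from datetime import datetime, timedelta, timezone

# Restore-point granularity by age of the target, as described on the page.
# Inclusive boundaries (age <= 7 days, age <= 90 days) are an assumption.
TIERS = [
    (timedelta(days=7), timedelta(seconds=1)),    # last 7 days: to the second
    (timedelta(days=90), timedelta(hours=12)),    # older than 7 days: 12-hour points
    (None, timedelta(hours=24)),                  # older than 90 days: 24-hour points
]


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Build a timezone-aware UTC datetime (helper for constructed inputs)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def restore_granularity(target: datetime, now: datetime) -> timedelta:
    """Spacing of the restore points available for `target`, judged at `now`."""
    age = now - target
    if age < timedelta(0):
        raise ValueError("restore target lies in the future")
    for max_age, step in TIERS:
        if max_age is None or age <= max_age:
            return step
    raise RuntimeError("unreachable: last tier has no upper bound")


def nearest_restore_point(target: datetime, now: datetime) -> datetime:
    """Latest restore point at or before `target`.

    Assumption: 12-hour and 24-hour points are aligned to the UTC epoch,
    i.e. they fall on 00:00 and 12:00 UTC.
    """
    step = int(restore_granularity(target, now).total_seconds())
    ts = int(target.timestamp())
    return datetime.fromtimestamp(ts - ts % step, tz=timezone.utc)


def worst_case_loss(target: datetime, now: datetime) -> timedelta:
    """Data written between the nearest restore point and `target` that a
    restore to that point would not include."""
    return target - nearest_restore_point(target, now)


if __name__ == "__main__":
    now = utc(2024, 6, 1)  # constructed reference time
    for target in (utc(2024, 5, 29, 23, 59, 43), utc(2024, 5, 2, 15, 37), utc(2024, 2, 22, 9, 15)):
        print(target, "->", nearest_restore_point(target, now), "loss:", worst_case_loss(target, now))
```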
CRIO’s data backup mechanism strengthens the reliability, resiliency, and availability of the data maintained within the Google Cloud infrastructure. CRIO’s procedure describing the Backup and Restore process is SOP-IT-002 Backup and Restore.
Strengthening of our Infrastructure:
In addition to the backup strategy outlined above, CRIO utilizes a set of vulnerability management and monitoring tools. Monitoring controls include security and compliance reviews within the Google Cloud Security Command Center, Google Cloud log review, patch installation and verification, application code scans, network scans, multi-factor authentication review and enforcement, and Google Admin Console log reviews.
Continuous performance monitoring and review are performed through numerous software products, including DataDog and other application monitoring tools that are part of the Google Cloud infrastructure. Each of CRIO’s application domains is probed with an HTTPS request every minute, and CRIO is alerted if a request does not return an OK response. This enables rapid response to any issue that could be affecting the application.
Independent Audits and Third-Party Attestations
As part of our clients’ vendor management processes, CRIO is frequently audited by current as well as prospective clients. With a diverse client base – from large pharma to CROs, site networks and single sites – CRIO has enjoyed the scrutiny of quality assurance auditors and has passed muster with each audit.
Additionally, CRIO clients have undergone many regulatory audits for studies in which the CRIO application was used. To date, no regulatory inspection has resulted in observations for CRIO.
For additional information, please contact:
Marc Wartenberger
Sr. Director, Security, Corporate QA & Compliance