Security & Trust
TMRW Life Sciences, Inc. Security Policy
Effective as of December 22, 2022
TMRW Life Sciences is dedicated to the security and safety of the specimens within our care. We have created this page to answer frequently asked questions about the TMRW Security Posture. For IT professionals and quality and risk assessors, we provide high-level details about the architecture, security practices, and operating model so you can assess the fit of TMRW Services within your enterprise IT architecture. The document assumes a working understanding of SaaS and public cloud infrastructure.
The security of the TMRW infrastructure has been successfully evaluated and certified against the following control frameworks and standards:
- AICPA SOC 2 Type 2: Security, Availability, and Confidentiality Trust Criteria
- ISO 27001:2013 Information Security Management System (ISMS)
- ISO 27018:2019 Protection of personally identifiable information (PII) in public clouds acting as PII Processor
Data Center Hosting
TMRW uses the public cloud infrastructure Google Cloud Platform, Inc. (“GCP”) to host and process Customer Data submitted to the TMRW services.
Information about the security provided by GCP is available from the GCP Security website. Information about security and privacy-related audits and certifications received by GCP, including their ISO 27001 certification and SOC reports, is available from the GCP Compliance website.
TMRW services use industry-accepted encryption to protect Customer Data (1) during transmissions between a customer's network and TMRW services; and (2) when at rest.
TMRW services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.
Our current standards are:
- TLS 1.2+ to protect Customer Data between TMRW services and our customer’s network endpoints.
- AES-256 to protect Customer Data at rest on persistent storage systems managed and operated by TMRW.
TMRW Life Sciences strives to maintain the confidentiality, availability, and integrity of data and services by proactively mitigating cybersecurity risks and meeting regulatory demands.
- Risk-based Approach - TMRW focuses on the risks it faces, and maintaining focus means continually identifying and managing those risks.
- Universal participation - Everyone at TMRW is actively responsible for the security of our services.
- Least privilege - Users and systems should have the minimum access necessary to perform their defined functions.
- Defense-in-depth - Overall security cannot rely on a single defense mechanism. If one security control is defeated, other controls should compensate to resist the attack.
TMRW implements and maintains appropriate industry-standard technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to Customer’s data processed or transmitted through TMRW services. The TMRW services have several security controls, including but not limited to the following:
- Multi-Factor Authentication (MFA) - MFA is used to access any resource across our GCP environments and enterprise systems that support our products.
- Intrusion Detection - TMRW employs intrusion detection that continuously scans our network for malicious and anomalous network usage patterns.
- File Integrity Management - TMRW uses file integrity management to monitor critical files and detect unexpected changes to them.
- Endpoint Management - TMRW deploys updates and patches to operating systems and critical applications across our laptops and workstations. We have also implemented multiple endpoint protection solutions to protect against threats such as malware.
TMRW ensures that all of our staff know how to do their work securely and are empowered to act accordingly.
- Information Security Policies - All of our employees and contract personnel are bound to our policies regarding Customer Data, and we treat these issues as matters of the highest importance within our company.
- Background Checks - As permitted by local laws, background checks are performed on all new hires. Depending on the role, background checks may include criminal history checks, education verifications, and employment verifications.
- Security Awareness Training - In addition to general information security training, more targeted training is available to our entire team regardless of role.
Product engineering is required to follow security best practices. Our product and platform engineering teams incorporate the latest security best practices and automate security testing throughout the TMRW software development lifecycle.
- AppSec Training - All Product Engineering teams must complete application security training annually that includes coverage of current security risks (e.g., OWASP Top 10) and techniques for controlling those risks in our application software.
- Environment Segregation - Development, Testing, and Staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.
- Vulnerability Management - TMRW maintains controls and policies to mitigate the risk of security vulnerabilities within a measurable time frame that balances risk against business and operational requirements. TMRW uses third-party tools to conduct regular vulnerability scans of the TMRW cloud infrastructure.
- Penetration Testing - TMRW engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities detected are prioritized, triaged, and remediated promptly.
We strive to build security into all aspects of our day-to-day operational processes. We want security to be an inherent part of our work.
- Configuration Management - TMRW uses configuration management tools to manage configurations and changes to our infrastructure in our production environments.
- Change Management - TMRW follows a change management process that ensures that any change to a production environment has been assessed and de-risked by an independent review before release.
- Log Management - TMRW uses log events to track application usage, system access, and auditable system events. Security logs are collected and analyzed within a log aggregation platform and by System Administrators.
- System Monitoring - TMRW monitors the health of our service in real time. We track technical and application metrics and can alert TMRW service administrators through multiple channels when anomalies are detected.
- Incident Response - TMRW maintains established procedures for managing production support and security incidents.
Where TMRW engages any third-party suppliers (including contractors and cloud service providers), we are intent on ensuring those engagements do not jeopardize our customers or their data.
- Vendor Assessments - TMRW may use third-party vendors to provide the Services. TMRW conducts a security risk-based assessment of prospective vendors before working with them to validate that they meet TMRW’s security requirements.
- Vendor Agreements - TMRW enters into written agreements with all of its vendors, including confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
- Vendor Reviews - TMRW periodically reviews each vendor in light of TMRW’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements.