Security Practices for Cloud Products

Last Updated: November 26, 2020

The security of your data is a top priority for Cytiva. We implement various security procedures that are designed to prevent unauthorized access to or disclosure of your Customer Data (defined below). This information is designed to help our customers understand what measures we have in place. If you have questions regarding how Cytiva treats the information Cytiva collects from you, your authorized users, or network and other systems ("Personal Data"), please visit the Cytiva Privacy Policy.

Although Cytiva has put in place a number of measures to ensure security and business continuity, this is a shared responsibility between us and you. Our Terms of Service for Cloud Products contains an outline of your responsibilities.

Customer Data

Cytiva defines customer data as data, text, audio, video, or images that you or your users create, upload and use in the Cytiva cloud services (the “Services”) in connection with your customer account (“Customer Data”).

Access

We have strict controls over our employees’ access to the Customer Data you and your users create, upload and use on the Services. The operation of the Services sometimes requires that some employees have access to the systems that store and process Customer Data. One example of this is that in order to diagnose a problem you may have, we may need to access your Customer Data. The employees that can access Customer Data are prohibited from using these permissions to view Customer Data except as necessary to provide the features and services of the product and assist with customer issues.

We have access controls and audit policies in place to ensure that any access to Customer Data by a Cytiva employee or Authorized Users is logged.

Personnel Practices

Cytiva performs background checks on all employees before employment. All employees involved in the design and operation of our cloud products receive privacy and security training during onboarding as well as on an ongoing basis. All employees that work with our cloud services are required to read and acknowledge that they have understood our information security procedures.

Deletion of Customer Data Upon Termination

Cytiva will delete all Customer Data following termination of the Agreement unless otherwise agreed between Cytiva and the customer.

Product Security Practices

All our cloud products adhere to strict development procedures to ensure high standards for information security. New features and other design changes go through a security review process that is governed by Cytiva’s Information Security team. All source code undergoes automatic software-based screening for vulnerabilities and is further audited through testing and manual peer review. Prior to release, all Services undergo independent ethical hacking attempts (penetration tests) by a third party, and security vulnerabilities identified are addressed before the Service is released for customer use.

Security Features in our Cloud Products

The paid versions of our various cloud products comprise features and tools that allow you as a customer to protect your Customer Data. Every Service has a Product Privacy and Security Manual that describes the privacy and security considerations for the Service. This manual is accessible for all users from within the Service, and describes the intended use of the Service, the privacy and security capabilities included with the Service, and how they are configured and used appropriately.

Data Encryption in Transit and At Rest

All Cytiva cloud products support secure communication protocols such as HTTPS and Transport Layer Security to encrypt all traffic to and from the Service in transit. Customer Data is encrypted at rest.

We monitor the information security technology landscape closely and strive to promptly upgrade the Services to respond to new vulnerabilities as they are discovered and implement best security practices as they evolve.

Business Continuity

We acknowledge that you are relying on Cytiva cloud products in your work. We are committed to keeping our Services at a high availability so that you can rely on them for business-critical activities.

Our services are operated by operations teams that are staffed to quickly respond to and resolve unexpected incidents.

We have adopted facilities and systems to address a variety of disruptions, some of which are short term (measured in minutes and hours) and others lasting for a day or longer.

Infrastructure

Our systems are hosted on high-availability, fault-tolerant infrastructure. The physical access to computing infrastructure is rigorously controlled by our infrastructure provider.

Processes for secure operations

Once in production, our cloud products are continuously monitored by our operations teams. We continuously implement software corrections and infrastructure improvements to address security concerns that are discovered. This allows us to detect and manage threats and protect the Services.

Data backups

Customer Data is always stored in a redundant manner with two or more copies available. Every Service has well-tested backup and restore procedures that allow recovery from a major disaster. Customer Data is backed up automatically and continuously with a maximum data loss of one hour of work.

Disaster Recovery

Our operations teams test our disaster-recovery measures regularly, at a minimum on a yearly basis, to ensure that our tools and processes work as expected, and that recovery can be completed within the time allotted in the operational procedures for restoration.

Incident Management & Response

In the event of an interruption of service or a security breach, we will promptly notify you. We have incident management procedures in place to handle such events.

External Security Audits

We contract reputable external security firms to audit our information security practices for cloud products. Cytiva also welcomes customers who wish to audit our information security practices.