Mission Bio Client Data Security & Retention Statement
Last updated: Jul 7, 2023
This document describes certain of Mission Bio's internal data security and document retention policies relating to the handling of third-party (client) data on Amazon Web Services (AWS). This document is subject to change without prior notice.
Mission Bio does not accept personal or financial data which may be subject to protection. By sending data to Mission Bio, client represents and warrants that any transmitted data does not contain Protected Health Information (PHI) or any information that would be subject to consumer privacy data protection.
Mission Bio creates, receives, and manages data on behalf of our customers who use Mission Bio technical services and/or Mission Bio-managed AWS cloud resources for processing and analysis of sample data prepared using the Tapestri™ platform. The security of client information is addressed by both AWS's standard security practices and Mission Bio's internal IT security policies.
In combination, this offers industry-standard data protection and privacy.
AWS Security summary
Amazon Web Services is recognized as compliant with current clinical and enterprise computing security best practices (reference: https://aws.amazon.com/compliance/soc-faqs/).
Mission Bio’s AWS security policies
Mission Bio provides an AWS-based platform for client use following best practices in the following areas:
- Identity (client specific):
  - Short-term credentials used with SSO.
  - IAM roles attached to EC2 instances.
- Organization: each workload (development, staging, production, …) runs in a different account.
- Virtual Private Clouds (VPC): network traffic is isolated by using separate VPCs.
- EC2 instances:
  - Launched in private subnets with controlled access to the internet using a NAT gateway.
  - Users connecting to instances use AWS Systems Manager to tunnel traffic.
- S3 public access is blocked at the account level where possible.
- Default VPCs have been removed in most accounts.
- AWS CloudTrail and AWS CloudFront logs are stored in a separate account, allowing for Mission Bio access and security reviews without entering customer accounts.
- Data is encrypted in transit using HTTPS and at rest using encryption with the KMS service in each storage service (RDS, S3).
- Customer-specific S3 buckets for uploaded data and results are encrypted at rest using different keys.
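Three of the controls above (account-level S3 Block Public Access, removal of default VPCs, and per-customer SSE-KMS encryption on the upload/result buckets) can be verified from the corresponding AWS API responses. The script below is an added example written for this page, not Mission Bio's own tooling: each check is a pure function over a dict shaped like the matching boto3 response (`s3control.get_public_access_block`, `ec2.describe_vpcs`, `s3.get_bucket_encryption`), so it runs offline on the constructed sample responses embedded here. Bucket names, VPC IDs and the KMS key ARN are placeholders, and the "expected customer key" check is an assumption about how the per-customer-key control would be evaluated.

```python
"""Offline checks for three AWS controls: S3 Block Public Access at the
account level, absence of default VPCs, and per-customer SSE-KMS on buckets.

Each function takes a dict in the shape of the relevant boto3 response, so
the same logic works on real responses or on the constructed samples below.
"""
from __future__ import annotations

from typing import Any

# The four account-level S3 Block Public Access settings; all must be on.
PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def check_account_public_access(resp: dict[str, Any]) -> list[str]:
    """Findings for an s3control.get_public_access_block response."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return [
        f"S3 Block Public Access: {flag} is not enabled at the account level"
        for flag in PUBLIC_ACCESS_FLAGS
        if not cfg.get(flag, False)
    ]


def check_default_vpcs(resp: dict[str, Any]) -> list[str]:
    """Findings for an ec2.describe_vpcs response: any default VPC left."""
    return [
        f"Default VPC still present: {vpc['VpcId']}"
        for vpc in resp.get("Vpcs", [])
        if vpc.get("IsDefault")
    ]


def check_bucket_kms_encryption(
    bucket: str, resp: dict[str, Any], expected_key_arn: str | None = None
) -> list[str]:
    """Findings for an s3.get_bucket_encryption response.

    The default rule must use SSE-KMS; when expected_key_arn is given the
    bucket must also use that customer-specific key (assumption: one key per
    customer, as the control above describes). An aws:kms rule with no
    KMSMasterKeyID means the AWS-managed key, which fails that stricter check.
    """
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"{bucket}: no default encryption configured"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        key = default.get("KMSMasterKeyID")
        if algo != "aws:kms":
            findings.append(f"{bucket}: default encryption is {algo or 'none'}, not SSE-KMS")
        elif expected_key_arn and key != expected_key_arn:
            findings.append(f"{bucket}: encrypted with {key}, expected customer key {expected_key_arn}")
    return findings


def run_audit(public_access, vpcs, buckets, expected_key_arn):
    """Run every check and return the combined list of findings."""
    findings = check_account_public_access(public_access)
    findings += check_default_vpcs(vpcs)
    for name, resp in buckets.items():
        findings += check_bucket_kms_encryption(name, resp, expected_key_arn)
    return findings


# Constructed sample responses (not real account data); IDs/ARNs are placeholders.
SAMPLE_PUBLIC_ACCESS = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": False,  # weak: a bucket policy could still grant public access
        "RestrictPublicBuckets": True,
    }
}
SAMPLE_VPCS = {
    "Vpcs": [
        {"VpcId": "vpc-0example1", "IsDefault": False},
        {"VpcId": "vpc-0example2", "IsDefault": True},  # default VPC not yet removed
    ]
}
CUSTOMER_KEY = "arn:aws:kms:us-east-1:000000000000:key/example-customer-a"
SAMPLE_BUCKETS = {
    "customer-a-uploads": {  # compliant: SSE-KMS with the customer's key
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CUSTOMER_KEY}}]
        }
    },
    "customer-a-results": {  # weak: SSE-S3 instead of the customer's KMS key
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        }
    },
}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_PUBLIC_ACCESS, SAMPLE_VPCS, SAMPLE_BUCKETS, CUSTOMER_KEY):
        print("FINDING:", finding)
```

On a live account the same functions take the raw responses of `boto3.client("s3control").get_public_access_block(AccountId=...)`, `boto3.client("ec2").describe_vpcs()` and `boto3.client("s3").get_bucket_encryption(Bucket=...)`; the sample data yields three findings, one per weakened control.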
Mission Bio makes use of the following tools to monitor security of data stored or processed in the AWS environment:
- Shared resources identification: AWS IAM Access Analyzer
- Cloud security posture management: AWS Security Hub
- Threat detection: Amazon GuardDuty
All access to AWS resources by Mission Bio employees is on an as-needed basis and managed through Okta SSO with two-factor authentication and tiered permissions to limit access to any client information. Mission Bio maintains a corporate IT Security Policy that addresses the following areas:
- Managing Customer/Client Information:
  - Mission Bio frequently creates, receives, and manages data on behalf of our customers. Each business unit develops, implements, and maintains an appropriate process and procedures to manage customer data intake and protection (if no business unit-specific procedures exist, then the rules dictated in the corporate IT Security Policy and outlined in this statement are in effect).
  - Business unit-specific customer data intake and protection processes may vary but must include, at minimum:
    - A means for identifying customer data and any pertinent requirements prior to data intake or creation.
    - Maintaining an inventory of customer data created or received (file listing with dates).
    - Ensuring Mission Bio implements and maintains appropriate information security measures, including proper data and media disposal when Mission Bio no longer has a business need to retain the customer data (or is no longer permitted to do so by time limit, customer agreement, or written request).
- Data Intake Requirements:
  - Business unit-specific customer data intake processes and procedures must provide for secure data transfer. All customer-provided PHI is protected as such. To minimize risks for customers, Mission Bio may engage customers in an ongoing dialogue to determine whether business objectives can be met without transferring PHI to Mission Bio.
- Customer/Client Data Protection:
  - Protect all customer data Mission Bio creates or receives in accordance with internal policies and the data's information classification level (Confidential, Highly Confidential, or PHI), in addition to any specific client-identified requirements. Customer data is recognized to be the property of the customer and will not be utilized for any Mission Bio business purposes without written consent from the client. Excluded is any metadata surrounding execution or processing of the data on Mission Bio-owned resources, such as execution time, data sizes, or other anonymized data that may be collected to ensure quality of operations. Such metadata should not include customer confidential information, including any personally identifiable information or personal health information, or other information that could be used to identify the customer or its projects.
- Customer/Client Data and Media Disposal:
  - Ensure that any customer data or media containing customer data is securely disposed of when it is no longer required for Mission Bio business purposes and exceeds any specified data retention periods, or as required by the customer.
Backups and Disaster Recovery
Disaster Recovery and Backups: client data is stored on AWS storage systems, which are inherently redundant and resistant to data loss. No additional procedures are required to maintain data integrity and DR protection. No critical or client data is stored on Mission Bio on-premises or individually assigned physical systems (servers, laptops, removable media). Clients are responsible for maintaining backups of any source data uploaded to Mission Bio (MB) AWS locations and of final result files available for download.
Data Retention Summary
MB AWS resources are provided to allow transient processing of client Tapestri data in an easy-to-use and efficient manner. To maintain the highest level of data security, files may be subject to deletion without notice as governed by the following guidelines (unless directed otherwise by business or subscription agreements):
- Input files (client uploaded) – subject to deletion >30 days from upload
- Output files (<1G) – subject to deletion >1 year from creation*
- Output files (>1G) – subject to deletion >30 days from creation
* Not applicable if the client maintains an active paid subscription.
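The retention guidelines above combine three conditions (file class, size threshold, and the subscription exception), so a dry-run sweep is a useful way for a client to see which files are already subject to deletion and when the rest become eligible. The script below is an added example written for this page, not Mission Bio's own retention tooling. Its assumptions are labelled in the code: "1G" is read as 10^9 bytes with files of exactly 1G treated as large, "1 year" as 365 days, ">N days" as strictly more than N days, and the file listing is constructed sample data.

```python
"""Dry-run retention sweep implementing the three guidelines above.

Assumptions (not stated on the page): 1G = 10^9 bytes, exactly 1G counts as
large, 1 year = 365 days, and ">N days" means strictly more than N days.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

ONE_GIGABYTE = 1_000_000_000            # assumption: "1G" as 10^9 bytes
INPUT_RETENTION = timedelta(days=30)    # client uploads: >30 days from upload
LARGE_OUTPUT_RETENTION = timedelta(days=30)   # outputs >1G: >30 days from creation
SMALL_OUTPUT_RETENTION = timedelta(days=365)  # outputs <1G: >1 year (assumed 365 d)


@dataclass(frozen=True)
class StoredFile:
    key: str
    kind: str          # "input" (client upload) or "output" (result file)
    size_bytes: int
    stored_on: date    # upload date for inputs, creation date for outputs


def retention_period(f: StoredFile, active_subscription: bool) -> timedelta | None:
    """Retention window for the file, or None if it is retained indefinitely
    (small outputs while a paid subscription is active)."""
    if f.kind == "input":
        return INPUT_RETENTION
    if f.kind != "output":
        raise ValueError(f"unknown file kind {f.kind!r}")
    if f.size_bytes >= ONE_GIGABYTE:   # assumption: exactly 1G treated as large
        return LARGE_OUTPUT_RETENTION
    return None if active_subscription else SMALL_OUTPUT_RETENTION


def eligible_from(f: StoredFile, active_subscription: bool) -> date | None:
    """First calendar day on which the file becomes subject to deletion."""
    period = retention_period(f, active_subscription)
    if period is None:
        return None
    # ">N days" is strict, so eligibility starts the day after N days have passed.
    return f.stored_on + period + timedelta(days=1)


def deletion_reason(f: StoredFile, today: date, active_subscription: bool) -> str | None:
    """Why the file is subject to deletion today, or None if it is retained."""
    start = eligible_from(f, active_subscription)
    if start is None or today < start:
        return None
    age = (today - f.stored_on).days
    if f.kind == "input":
        return f"input older than 30 days ({age} d)"
    if f.size_bytes >= ONE_GIGABYTE:
        return f"large output older than 30 days ({age} d)"
    return f"small output older than 1 year ({age} d)"


def sweep(files, today: date, active_subscription: bool):
    """Return [(key, reason)] for every file that is subject to deletion today."""
    out = []
    for f in files:
        reason = deletion_reason(f, today, active_subscription)
        if reason:
            out.append((f.key, reason))
    return out


# Constructed sample listing (not real client data); dated against the page's
# "last updated" date so the ages are easy to read.
TODAY = date(2023, 7, 7)
SAMPLE_FILES = [
    StoredFile("uploads/run1.fastq.gz", "input", 12_000_000_000, TODAY - timedelta(days=31)),
    StoredFile("uploads/run2.fastq.gz", "input", 9_000_000_000, TODAY - timedelta(days=30)),
    StoredFile("results/run1.bam", "output", 4_000_000_000, TODAY - timedelta(days=45)),
    StoredFile("results/run1.h5", "output", 300_000_000, TODAY - timedelta(days=400)),
    StoredFile("results/run1.html", "output", 2_000_000, TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for subscribed in (False, True):
        print(f"active subscription = {subscribed}")
        for key, reason in sweep(SAMPLE_FILES, TODAY, subscribed):
            print(f"  subject to deletion: {key} ({reason})")
```

With the sample listing, the 31-day-old upload, the 45-day-old 4G BAM and the 400-day-old small HDF5 file are flagged without a subscription; with an active subscription the small HDF5 file is retained and only the first two remain, while the upload at exactly 30 days is not yet eligible under the strict ">30 days" reading.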