Safeguards of 3Shape Cloud Storage

03/06/2024

3Shape has implemented a range of best practice processes and industry-standard safeguards to protect personal data in its products and services. The security measures for 3Shape Cloud Storage are divided into two categories: organizational and technical. Detailed information on these safeguards is provided below:

Technical security measures

Access controls

3Shape implements stringent access controls across its services. For synchronizing medical data with 3Shape Cloud Storage, users must be authorized through a 3Shape Account Company and the company must agree to specific Cloud Storage Consent. Additionally, operational access to the production environment is role-based, requiring 3Shape operators to seek privilege elevation from another Active Directory (AD) operator to ensure secure and regulated access.


Data Encryption & Data Loss/Leakage Prevention (DLP) 

3Shape ensures the security of users' data with encryption measures. During data transfer, 3Shape utilizes mutual TLS to confirm the identities on both sides, creating a secure connection. For stored data, 3Shape employs Azure's standard encryption methods to safeguard information.

3Shape incorporates NIST384 encryption, which encrypts data before it leaves users' devices, enhancing overall security. The encryption mechanism for 3Shape Cloud Storage is client-side, meaning that data is encrypted on users' devices before it is sent. This setup ensures that 3Shape does not have the capability to decrypt users' data; only users can access the decryption keys through the Key Management Service. This multi-layered approach ensures comprehensive protection of users' data at all stages. 


Integrity controls

3Shape Cloud Storage uses content-addressed storage: the address at which an object is stored is derived from the content itself. If any part of the content changes or becomes corrupted, the stored address no longer matches the content, so the system cannot resolve the altered object at its original address. This keeps customers' content safe and unchanged, because any alteration is readily detectable.
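The following is an added illustration of the content-addressing property described above; it is not 3Shape's code, and it assumes SHA-256 as the address function (the page does not name the hash) and uses a constructed in-memory store and constructed sample bytes.

```python
import hashlib


class ContentAddressedStore:
    """Toy model of content-addressed storage: the key is the SHA-256 of the bytes."""

    def __init__(self):
        self._blobs = {}  # address -> bytes (stands in for the real backend)

    @staticmethod
    def address_of(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def put(self, data: bytes) -> str:
        addr = self.address_of(data)
        self._blobs[addr] = data
        return addr

    def get(self, addr: str) -> bytes:
        data = self._blobs.get(addr)
        if data is None:
            raise KeyError("no object at address " + addr)
        # Verify on read: recompute the address from the bytes the backend returned.
        if self.address_of(data) != addr:
            raise ValueError("integrity check failed: stored bytes do not match address")
        return data

    def simulate_corruption(self, addr: str, new_data: bytes) -> None:
        """Overwrite the backend object in place to model bit rot or tampering."""
        self._blobs[addr] = new_data


def demo():
    store = ContentAddressedStore()
    original = b"constructed sample: scan-0001 record v1"  # constructed input
    addr = store.put(original)
    assert store.get(addr) == original

    # An edited copy lands at a different address; the old address still names the original.
    edited_addr = store.put(original + b" (edited)")
    addresses_differ = edited_addr != addr

    # Silent corruption of the backend object is caught when the address is re-derived on read.
    store.simulate_corruption(addr, b"constructed sample: scan-0001 record v1 corrupted")
    try:
        store.get(addr)
        corruption_detected = False
    except ValueError:
        corruption_detected = True
    return addresses_differ, corruption_detected
```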


Logging and Auditing

Whenever any medical data is created, updated, or deleted in 3Shape Cloud Storage, the action is signed with a dedicated digital certificate. This certificate is issued only after authorization by a 3Shape account. The signature, which verifies who made the change, becomes an integral and inseparable part of the medical data itself and is stored with it in 3Shape Cloud Storage. This ensures that all changes to medical data are properly recorded and verifiable, enhancing security and traceability.


Secure Coding Practices

To ensure that 3Shape Cloud Storage is secure and reliable, 3Shape follows strict coding practices. Every piece of code must go through a review process and pass automatic tests before it can proceed. Additionally, 3Shape first releases updates to a test environment where they undergo thorough testing across different products. This step helps catch any issues before the software goes live. 3Shape also periodically conducts penetration testing, a kind of security check, to find and fix any potential vulnerabilities for users. 


Patch Management

3Shape regularly updates its software every two weeks to ensure you have the latest enhancements and security features. These updates are thoroughly automated to ensure consistency and reliability. The only manual step in this process is the final one, where the update is approved for release into the production environment. This careful approach helps maintain high standards of security and performance for all users. 


Backup and Recovery

3Shape ensures the safety and availability of user data with a robust backup and recovery system. Our blob storage and PostgreSQL databases are configured with Zone-Redundant Storage (ZRS), which means user data is replicated across multiple geographic locations. This setup not only protects against data loss but also enhances data recovery capabilities. The same zone redundancy is applied to the storage accounts that manage these systems, ensuring comprehensive protection for all stored user data. 


Organizational security measures

3Shape's organizational security measures 


Policies for information & personal data security 

3Shape prioritizes the security and privacy of information and personal data. We have implemented comprehensive policies (including an Information Security Policy, Data Protection Policy, Access Control Policy, Back-up Policy, Acceptable Use Policy and Retention Policy) that govern how information and personal data are handled and protected, so that they are secure and processed in compliance with the highest industry standards and regulations, especially GDPR and HIPAA.


Roles and responsibilities management

3Shape has implemented comprehensive roles and responsibilities management, which ensures that all roles related to the processing of information and personal data are clearly defined and assigned within our organization. This also includes the appointment of a Data Protection Officer (DPO) who plays a key role in ensuring that 3Shape complies with data protection laws and practices.


Risk Management

3Shape has implemented procedures that mandate regular risk assessments to identify and address any security vulnerabilities. Additionally, 3Shape assesses the risks of its activities on the privacy of data subjects when processing personal data.


Employee Training and Awareness Programs

3Shape prioritizes employee education in protecting information and personal data through mandatory regular training, together with programs and campaigns that raise information security awareness.


Confidentiality of personnel and other persons with access to customer information and personal data

3Shape ensures the confidentiality of all personnel and any other individuals who have access to customer information and personal data. Confidentiality clauses in employment contracts, separate NDA agreements, and security policies are in place to govern the handling of information and personal data.


Data Classification

3Shape categorizes and labels data based on its confidentiality and business importance. This process allows for obtaining an appropriate level of security for individual categories of data, particularly for sensitive data (such as patient health data).


Incident Response Plan (IRP)

3Shape has developed a comprehensive Incident Response Plan (IRP) to quickly and efficiently address any security incidents or data breaches. This plan outlines the steps which must be taken from the initial detection of an incident through to resolution and post-incident analysis. It ensures that 3Shape can contain threats, minimize damage, and recover operations with minimal disruption. 


Disaster Recovery & Business Continuity Plans

3Shape maintains disaster recovery and business continuity plans and processes to ensure the continuation of services and effective recovery. These plans are regularly tested to ensure their accuracy and efficiency in the event of an emergency.


Change Management Procedures

3Shape has established procedures for managing changes to systems, software, and configurations. These protocols ensure that any modifications undergo thorough planning, documentation, review, and implementation. 


Audit and Compliance Reviews

3Shape conducts regular audits and compliance reviews to ensure adherence to industry standards and regulatory requirements. These reviews involve thorough assessments of 3Shape's security measures, policies, and procedures to identify any gaps or non-compliance issues. Any findings are proactively communicated to data owners, and remedial measures are implemented promptly.


Third Party Management

3Shape manages third-party involvement by selecting and overseeing external partners and vendors who have access to our systems or handle personal data. 3Shape implements strict compliance review processes to assess third-party security practices and ensure they comply with 3Shape's standards and regulatory requirements.


If you did not find the answers to your questions on this page or need more information about the security of personal data in 3Shape's products and services, please contact us at dpo@3Shape.com.
