Security & Privacy are a key priority for any responsible researcher.
Secure Access:
EmPower’s software security features include assigning a unique user name and password to each user, CAPTCHA access keys, and optionally an RSA security fob (hardware token). The software requires “Strong Passwords” to reduce the risk of unauthorized access through password guessing.
Time-Out:
The software locks a user out after 15 minutes of inactivity. To regain access to the system, the user must log back in with their username and password. Upon notification of a suspected or confirmed stolen password or unauthorized access, EmPower can disable a user account in under 1 minute.
Permissions/Roles:
EmPower’s software is permission-based: different roles are defined within the system, and each role grants access to different forms within the database. The researcher is responsible for identifying all research personnel who will have access to the database and for defining each person's role; EmPower then ensures that the software reflects these roles through permissions. For example, the role of a research assistant may be defined as having access to all information (including personal identifiers) for study participants at their own site but no access to any information at any other site. Permissions ensure that, upon logging in, this research assistant cannot access any data from another site. As a second example, the role of the study coordinator may be defined as having access to all data at all sites with the exception of personal identifiers (i.e. participants are referred to by their unique study number only). Finally, EmPower employees do not have permission to access personal information and instead communicate with researchers using participants' unique study numbers.
Audit Log:
EmPower’s software uses an auditing system: whenever a user changes data that has previously been saved in the database, the system logs the username of the person making the change along with the date and time of the change. The software requires that a reason for the change be provided before the change can be saved. All data, whether original or updated, is retained and can be retrieved by the administrator at EmPower.
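The following is an added example, not EmPower's code, that models the two mechanisms described under Permissions/Roles and Audit Log: a research assistant sees full records only at their own site, a study coordinator sees every site but never the personal identifiers, and any change to a saved value is refused unless the user may see that field and supplies a reason, with the original and every later value kept for retrieval. All role names, site names, field names and participants are constructed for illustration; treating EmPower employees ("vendor") the same way as a coordinator is an assumption based on the statement that they only work with study numbers.

```python
"""Added example (not EmPower's code): site-scoped role permissions plus a
reason-required audit trail. Every name and record here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Fields that count as personal identifiers; the study number never is one.
IDENTIFIER_FIELDS = {"name", "date_of_birth", "phone"}


@dataclass
class User:
    username: str
    role: str             # "research_assistant", "study_coordinator" or "vendor"
    site: Optional[str]   # only meaningful for research assistants


@dataclass
class Participant:
    study_id: str
    site: str
    data: Dict[str, Any]


@dataclass
class AuditEntry:
    username: str
    timestamp: str        # UTC ISO-8601, recorded when the change is saved
    study_id: str
    field_name: str
    old_value: Any
    new_value: Any
    reason: str


class StudyDatabase:
    def __init__(self, participants: List[Participant]):
        self.participants = {p.study_id: p for p in participants}
        self.audit_log: List[AuditEntry] = []

    def _allowed_fields(self, user: User, p: Participant) -> set:
        """Fields this user may see for this participant; empty set = no access."""
        if user.role == "research_assistant":
            if p.site != user.site:
                return set()                     # other sites are invisible
            return set(p.data)                   # full record at own site
        if user.role in ("study_coordinator", "vendor"):
            return set(p.data) - IDENTIFIER_FIELDS   # all sites, no identifiers
        return set()                             # unknown role: deny

    def view(self, user: User, study_id: str) -> Dict[str, Any]:
        p = self.participants[study_id]
        allowed = self._allowed_fields(user, p)
        if not allowed:
            raise PermissionError(f"{user.username} may not access {study_id}")
        return {k: v for k, v in p.data.items() if k in allowed}

    def update(self, user: User, study_id: str, field_name: str,
               new_value: Any, reason: str) -> AuditEntry:
        """Change one saved value; refused without permission or a reason."""
        p = self.participants[study_id]
        if field_name not in self._allowed_fields(user, p):
            raise PermissionError(f"{user.username} may not change {field_name}")
        if not reason or not reason.strip():
            raise ValueError("a reason for the change is required")
        entry = AuditEntry(user.username, datetime.now(timezone.utc).isoformat(),
                           study_id, field_name, p.data.get(field_name),
                           new_value, reason.strip())
        self.audit_log.append(entry)             # log before overwriting
        p.data[field_name] = new_value
        return entry

    def history(self, study_id: str, field_name: str) -> List[Any]:
        """Original value followed by every update, oldest first."""
        entries = [e for e in self.audit_log
                   if e.study_id == study_id and e.field_name == field_name]
        if not entries:
            return [self.participants[study_id].data.get(field_name)]
        return [entries[0].old_value] + [e.new_value for e in entries]


def build_sample_db() -> StudyDatabase:
    """Two constructed participants at two constructed sites."""
    return StudyDatabase([
        Participant("S-001", "SiteA", {"name": "Alice Example",
                                       "date_of_birth": "1980-01-01",
                                       "visit_count": 1}),
        Participant("S-002", "SiteB", {"name": "Bob Example",
                                       "date_of_birth": "1975-06-30",
                                       "visit_count": 4}),
    ])


if __name__ == "__main__":
    db = build_sample_db()
    ra = User("ra_sitea", "research_assistant", "SiteA")
    coord = User("coordinator", "study_coordinator", None)
    print(db.view(ra, "S-001"))        # full record, identifiers included
    print(db.view(coord, "S-002"))     # study number and visit_count only
    db.update(ra, "S-001", "visit_count", 2, "second visit completed")
    print(db.history("S-001", "visit_count"))
```

The permission check and the audit write live in the same `update` method on purpose: a change can only be recorded by code that has already confirmed the user may see the field, and the log entry is appended before the value is overwritten so a failure between the two steps never loses the old value.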
Encryption:
Data is collected via Secure Sockets Layer (SSL), a protocol that transmits communications over the Internet in encrypted form (256-bit encryption in transit). SSL ensures that the information is sent, unchanged, only to the server identified in the SSL certificate.
Compliance:
EmPower’s software is compliant with US and Canadian electronic data transfer regulations, including the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), reducing the risk of unauthorized access to personal information. EmPower’s SmartManager software has undergone a formal 21 CFR Part 11 assessment and is FDA compliant (certificate available upon request).
Professional Hosting:
Akamai (Linode) houses EmPower's servers in their Toronto, Canada data center (ca-central region). The facility employs multiple layers of physical and biometric security including perimeter fencing, multi-factor access control with PIN and biometric scanners, man-traps, and trained security personnel. Akamai controls the physical infrastructure up to the hypervisor level, providing enterprise-grade physical and environmental security with redundant power systems and 24/7 infrastructure monitoring.
Akamai's data centers maintain industry-leading compliance certifications including ISO 27001, ISO 27017, ISO 27018, SOC 1 Type 2, and SOC 2 Type 2. The Toronto facility satisfies Canadian data residency requirements under PIPEDA (Personal Information Protection and Electronic Documents Act) and supports HIPAA-compliant and GDPR-compliant environments through Akamai's shared responsibility security model. More information on Akamai's security practices can be found at https://www.linode.com/legal/security/.