A Trusted Partner

At Saama, we are committed to setting and maintaining a high standard of quality, compliance, and security for our vendors, partners, and customers.

Information Security and Data Safeguards

Saama recognizes that Information Security must be designed, built, and operationalized into all facets of Saama’s products, services, and processes. Our solutions involve the transmission, capture, processing, and storage of our clients’ proprietary information and of Personal Data collected from medical professionals, trial participants, our employees, and client and vendor personnel. We understand that maintaining the confidentiality, integrity, and availability of such data is critical to our success. Saama has implemented the following data safeguards to ensure the security of such data.

Artificial Intelligence and Machine Learning

Many of Saama’s Platform services and custom services leverage Machine Learning (“ML”) or AI, which empower our clients to perform quick and efficient analysis of their data. As the regulatory and legal framework around AI continues to evolve, Saama is committed to ensuring transparency and adherence to these developing requirements, including President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (2023) in the United States and upcoming laws such as Canada’s Artificial Intelligence and Data Act (“AIDA”) and the EU AI Act.

Saama is committed to setting and maintaining the highest standards of quality, compliance, and security for our vendors, partners, and customers, and invests in modern infrastructure to provide an innovative, scalable, global, predictable, and secure environment. We are committed to ensuring that our Services are available for operation and use at the times set forth in applicable service-level agreements, that they are protected against unauthorized physical and logical access with 24/7/365 onsite monitoring, and that our system Processing is complete, accurate, timely, and authorized.

For more information on Saama’s Data Privacy and Security, download our white paper.

Safeguards and Practices/Procedures
Organizational

We maintain an information security management program with defined roles, responsibilities, policies, and procedures.  Our program is aligned to:

  • ISO/IEC 27001:2013;
  • 21 CFR Part 11; and
  • ICH E6.


We review and update our security framework to reflect evolving technologies, regulations, risks, and security practices.

Security Organization and Management

We maintain a responsibility and accountability structure for security management to:

  • Identify technical and business owners for security-related tasks and activities;
  • Document representatives for incident or other security issues;
  • Monitor the effectiveness of the security framework; and
  • Maintain standards for network, compute, storage, and applications.

We have appointed an external Chief Information Security Officer to lead business managers, IT staff, Engineering, Product Management, and Compliance in satisfying Information Security requirements.
Personnel

We maintain defined roles and responsibilities for Information Security processing activities, including management (and control) of operational systems; administration and support of production networks, cloud services, and applications; and the secure software development life cycle processes. The roles and access rights of network and system administrators are separated from those of the software development and service delivery teams.

In addition, we maintain procedures to:

  • Manage information processing activities;
  • Screen employees during our hiring process; and
  • Require privacy and security awareness training for our employees. 

Physical

We ensure that our third-party cloud-hosting providers meet physical and logical security access requirements to protect our applications and services, ultimately ensuring the integrity and availability of our clients’ data.  This includes:

  • Restricting physical access to authorized personnel;
  • Ensuring the presence of security staff at our data centers; and
  • Ensuring security monitoring at the data centers (e.g., badge access, CCTV, and perimeter monitoring).

Protection from application and service disruption/outage

Our production applications and services are deployed in multiple data centers to enable rapid recovery in the event of an outage and to:

  • Protect against compromises to critical power, network, and systems infrastructure;
  • Allow for rapid recovery of our applications and services; and
  • Allow for rapid recovery of our clients’ data.

Technical

Cloud-based Infrastructure and Platform Services

Saama’s SaaS Platform and Clinical AI and Analytics Solutions and Services (CaaS) leverage AWS infrastructure and platform services. These AWS services are configured to ensure ongoing confidentiality through system security features, such as role-based access for infrastructure components/services, the application data store, and the application view layer. Role-based access can be configured based on functional roles, departments, and various other parameters.

Identity and Access Management 

Access Policy

We assign access to systems, applications, and data in accordance with our documented Access Management policies, which align to least-privilege access principles. Personnel must obtain authorization before being granted system access.

We use secure network protocols and services, including:

  • Transport Layer Security (TLS) v1.2 and v1.3; and
  • SSL/TLS-enabled FTP (FTPS).

Access Privileges

Access privilege controls are in line with good security practices, including:

  • Strong password construction requirements;
  • No display of passwords; and
  • Removal or update of system and application access authorizations when an employee is terminated or changes role.

Authentication

We use and support industry standard Identity and Access Management (“IAM”) platforms and practices to identify and authenticate user access, including:

  • Saama’s Platform features SAML, OAuth, and LDAP authentication mechanisms and provides seamless single sign-on, in accordance with the corporate security standards of our customers;
  • Internal identities and passwords are managed via our industry standard identity provider, which enforces a sign-in process that requires passwords to be changed periodically and disconnects a user after a defined number of unsuccessful login attempts;
  • We require Multi-Factor Authentication (“MFA”) to gain access to critical systems; and
  • Our portfolio of SaaS applications supports Federated Identity Management (“FIM”), which enables our clients to manage their own identities and access privileges to our applications.

Access Logs

We maintain user access logs designed to provide necessary information to support:

  • Tracking and analysis of user access patterns;
  • Systems and applications user access audit trails;
  • Diagnosis and triage of user access disruption; and
  • Analysis of periodic reviews of user login, logout and user session activities.

Security Operations Architecture

We have implemented security monitoring and management technologies to prevent, detect, and respond to incidents. This includes:

  • An inventory of our critical information systems, services, and applications;
  • Security assessments of our systems and applications whenever there is a technology change, or a business or operational practice change, that may impact privacy, confidentiality, security, integrity, or data availability;
  • Implementation and monitoring of endpoint detection and response (“EDR”) software on our corporate and cloud-based computer services to detect and block the proliferation of malware, viruses, and other malicious code;
  • Implementation of a Cloud Access Security Broker (“CASB”) to monitor all activity and enforce security policies between our corporate and cloud-based networks;
  • Implementation of a Security Information and Event Management (“SIEM”) platform to capture, analyze, and triage incidents; and
  • Implementation of Web Application Firewalls (“WAF”) to monitor our web applications and filter HTTP traffic against cross-site scripting, SQL injection, and other web vulnerabilities.

Network Communications and Systems Management

We deploy industry standard firewall technologies and have developed procedures to manage change to network access control policies.  Additionally, network and systems resources used for production environments are separated from development, test and validation environments.

Acceptable Use Policy 

Our Acceptable Use Policy is part of the overall Information Security Management System (“ISMS”) policy and is designed to guide employees (and contractors) in understanding management’s expectations in providing employees desktops, and laptops, for use in carrying out their responsibilities and to help our employees use Saama information resources properly. Proper use of a computer greatly increases the productivity of the user and provides an efficient electronic communication tool between employees and our clients.

Our IT organization monitors and maintains Internet access logs, email logs, and firewall logs, per our Acceptable Use Policy.

Denial of Service

We ensure that our cloud service provider has deployed network infrastructure and network monitoring to detect and mitigate denial of service attacks (DoS and DDoS).

Encryption/Cryptography

We use industry standard AES 256-bit encryption and cryptographic algorithms approved in the Federal Information Processing Standard (“FIPS”) 140-2 security standards publication.

  • AES 256-bit encryption is used for data at rest to store data on our critical systems and applications; and
  • AES 256-bit encryption is used for data in transit to access our critical systems and data.

Software Development Life Cycle

We maintain industry standard software development life cycle processes and controls that govern our development and testing processes, changes, and updates to our software, including software upgrades and patches.

We conduct periodic security technical and code reviews based on the security results reported as part of the threat and vulnerability management product security testing.

Threat and Vulnerability Management (TVM)

Saama recognizes that security requirements must be embedded into our secure software development life cycle process, including software requirements definition, design, development, delivery and deployment, and on-going software maintenance.

We have implemented security testing tools, and practices, to identify potential security vulnerabilities during the software development and testing phases. 

During the development and test phases, regular security testing is conducted by our product security team to identify vulnerabilities as part of:

  • Dynamic Applications Security Testing (“DAST”) process;
  • Static Applications Security Testing (“SAST”) process;
  • Infrastructure (container) vulnerability scans; and
  • Black box manual testing.


We have also developed a process to incorporate potential critical- and high-severity vulnerabilities into the product requirements and product release process.

Business Continuity and Disaster Recovery

Our SaaS solutions (Platform) are designed to avoid single points of failure in order to reduce or minimize business disruption. We maintain and test documented procedures for recovery processes in the event of a significant outage causing business disruption to our Platform systems, our Professional Services and Custom Solutions, or our corporate systems.

We continually monitor our solutions for indicators of failure or pending failure.

We take preventative steps to minimize, or prevent, unplanned outages of our systems and applications.