The Galen information system is part of the Microsoft Azure cloud environment, and it brings FONS Galen users multiple advantages. One of the most important advantages is the very high level of security and major emphasis on personal data protection.
The most important questions
asked to providers of cloud services if FONS Galen services are used:
Who is the owner of the data stored in the FONS Galen application? Will the data be used to create advertising products?
The user of the FONS Galen services is the owner of the data, and only the user is authorised to handle it in accordance with valid legislation. The data is used only for providing FONS Galen services in the subscribed scope. The service provider does not use any user e-mails or documents or other data for advertising.
Personal data protection is set by default for all users, and we enable the user to switch off or on the function affecting personal data protection based on the user’s needs. The provider hereby commits to fulfil the requirements related to personal data protection and security in the Data Processing Agreement (DPA).
FONS Galen application customer data is stored physically in one of the most modern data centres in Dublin, Ireland.
How is security resolved, and what kinds of security functions do you offer for the protection of the FONS Galen service from external attacks?
Security is one of the most important principles of the design and functioning of the Microsoft Cloud. It focuses on security for hardware, software, the physical security of Microsoft data centres, fundamental control elements and verification by independent auditors.
As far as the security function is concerned, there are generally two categories:
- Integrated security, which consists of all measures that Microsoft implements on behalf of all of its customers for the protection of customer information and the operation of a highly accessible service.
- Customer control elements
You will remain the owner of the data stored in FONS Galen, and you will retain all rights, entitlements and authorised interests. At any time and for any reason and without any involvement of STAPRO s.r.o., you can download a copy of all of your data.
Will you inform us when something in your service changes, and will you let us know if our data is jeopardised?
We will certainly inform you if there are any important changes to the service in relation to security, personal data protection and legislative compliance. If unauthorised access to your data occurs, we will inform you promptly.
Personal data protection and handling in accordance with the valid legislation of the Czech Republic and the EU is ensured by the contractual relationship.
During the design and operations we use certified approaches, such as redundancy, error prevention, distributed services, monitoring and more.
Personal data protection and security in FONS Galen
- The data repository used for providing FONS Galen services is physically secured against unauthorised access by outside persons (biometric readers, motion sensors, uninterrupted secured access, camera supervision, alarm systems, etc.)
- Data transferred in the network between the data centre and the user are encrypted using the SSL protocol, converted to binary code and compressed.
- Data stored in the data repository is also encrypted. Data storage is done automatically in two separated data fields. After receiving a system confirmation of their storage, a third independent backup is automatically obtained.
- The data is not used for advertising purposes.
- The data is used only for providing the services stemming from a concluded contract and the valid legislation of the Czech Republic and the EU.
- All data is regularly backed up.
- Following contract termination, the data is not removed from the data repository until a confirmation is received confirming that a 100% local backup has been created at the user’s location.
- Requiring difficult passwords will increase the security of your data.
- All personal data protection and security rules are fulfilled, and their fulfilment is checked by the company.
Personal Data Protection
- In 2014, representatives of regulatory offices assigned to check personal data in all EU member states published the results of an investigation, in which they confirmed that the Microsoft Cloud solution fulfils high European standards for data and privacy protection. Microsoft is the first and currently only company that has received such a confirmation.
- Excepts from an article published at www.businessit.cz Link to the original Microsoft document (English).
- Personal data protection and handling in accordance with the valid legislation of the Czech Republic and the EU is ensured by the contractual relationship between Tersinida CZ a.s. (the operator of FONS Galen) and the administrator (the FONS Galen user). Public cloud – Basic comments
Security within the Microsoft Azure service
Our clients’ data is absolutely secure.
All Windows Azure services have a very high level of data security in Microsoft data centres. These services are physically operated in the Czech Republic in one of the most modern data centres in Dublin, Ireland, for which there is a wide spectrum of security certification available. There is also a specialised team, which is responsible for continuous pro-active testing and improvement of data security based on the method using the Microsoft Security Development Lifecycle 5.0.
taken from TechNet blog
FONS Galen uses the Microsoft Azure application and database environment. Access to the FONS Galen application is also secured by an access password, a licence key and other security features.
Security certification for data centres using Microsoft Azure
|ISO 27001||An international certificate proving that the company systematically analyses the potential security risks, implements tools for their elimination and adapts its processes in order to ensure continuous protection from new security risks.|
|SAS 70 Type II||A certificate from the American Institute of Certified Public Accounting (AICPA), particularly for providers of outsourcing services declaring provision of fair accounting based on actually received services for end customers.|
|Payment Card Industry Data Security Standard||PCI DSS is a global standard created by payment card system operators, and it contains a set of regulations and recommendations for reducing card abuse. This standard must be fulfilled by all organisations that possess, process or exchange information about payment cards.|
|HIPAA/HITECH||A certificate proving compliance with U.S. legislation and restrictions for the safe handling of inhabitants’ medical records.|
|FISMA||A certificate proving compliance with the U.S. Information Security Act.|
|95/46/EC (and other national and local certification)||Other certificates proving fulfilment of all measures required by national or local legislation, including European Commission Directive No. 95/46/EC, on personal data protection.|