Security and Compliance
At Avicenna Research Inc., keeping our systems and data secure is a top priority. Over the years we have built a solid foundation of security practices, combining ongoing efforts with new measures to keep our systems and data well protected. Most recently, in November 2024, we made improvements to meet the ISO 27001:2022 certification requirements. Here is an overview of what we are doing to stay secure.
Brief Summary for Non-Technical Stakeholders
For those who may not be familiar with technical terms, here's a quick overview of our security measures:
- We keep our systems updated regularly to protect against vulnerabilities.
- Our monitoring systems are always on the alert for potential security issues.
- We ensure that access to our systems is secure and monitored.
- Our compliance with international standards and frameworks like ISO, HIPAA, and GDPR ensures that we follow best practices in data security and privacy.
1. Keeping Systems Updated
We update all operating systems and software monthly. This includes on-premise servers running Rocky Linux 9.x, AWS-based EC2 instances, and critical internal services like:
- Firmware
- Hypervisor (Proxmox)
- Source Code Management and CI/CD Pipelines (Gitlab)
- Chat (Mattermost)
- Ticketing System (Zammad)
- IAM (Keycloak)
- LDAP (Authentik)
- Firewalls
- Vulnerability Manager (Greenbone Vulnerability Manager - GVM)
- DAST (ZAP)
- SIEM (Wazuh)
- Databases (PostgreSQL, Elasticsearch, Cassandra)
- OS and Programming Languages' Packages and Libraries
- Reverse Proxies (OpenResty, Nginx)
- WAF (OPNSense)
2. Finding and Fixing Vulnerabilities
We run vulnerability checks monthly and after each deployment to ensure the security of our systems. Findings are remediated according to our internal timelines. The checks cover:
- Operating system vulnerabilities
- Network vulnerabilities
- Dynamic Application Security Testing (DAST)
3. Monitoring for Security Issues
Our SIEM system, powered by Wazuh, helps us monitor security problems in real time. It includes:
- Alerts for potential security threats
- Anti-malware, anti-virus, and anti-rootkit detection
- File integrity monitoring to catch unauthorized changes
- Collection and analysis of logs from various applications, including databases, reverse proxies, operating systems, and AWS, to ensure comprehensive security monitoring
4. Keeping an Eye on System Health
We use Prometheus, Grafana, and exporters to monitor how our systems are performing. This includes:
- Detailed metrics for operating systems, databases, and applications
- Application-level metrics covering our own system and its business logic
- Alerts to notify us if something goes wrong or crosses a threshold
5. Securing The Development Process
To make sure our software is safe, we have built security checks into our development pipelines:
- Static Application Security Testing (SAST): Finds vulnerabilities in our code and packages/libraries.
- Dynamic Application Security Testing (DAST): Scans our running apps to catch security issues.
- Linting and style checks: Run regularly to keep our code clean and consistent.
6. Managing Access Securely
We have integrated IAM across all systems to manage access securely. This makes it easier to control who can access what.
7. Protecting The Network
Our network is protected with:
- A unified firewall setup using OPNSense, Proxmox firewall, and Linux firewall
- Suricata for intrusion detection and prevention, which helps us monitor and block unauthorized traffic
8. Preventing Malware
All our servers are protected with anti-virus software to guard against malware.
9. Risk Management and Incident Handling
We have established processes to identify and manage potential risks:
- We regularly assess and prioritize risks to promptly address the most critical ones.
- Our incident response plan outlines clear steps for handling security incidents, including identification, containment, eradication, recovery, and lessons learned.
- We conduct regular training for our team to ensure they are prepared to respond effectively to any security incidents.
10. Meeting ISO Standards
We are proud to have achieved ISO 27001:2022 certification through UKAS. This shows that our security practices meet international standards and that we are committed to keeping things secure.
11. Meeting GDPR Standards
As a data processor, Avicenna complies with GDPR, and multiple European institutions currently have Data Controller and Data Processor agreements in place with Avicenna.
Below we explain how our privacy policy and overall system architecture are set to comply with GDPR requirements.
- GDPR does apply to Avicenna, as a data processor.
- Participant unambiguous consent
Our software requires each study to have a consent form. As explained in section 6.2. of our Privacy Policy, the consent form is required to "... specify, among other things, (1) what is the purpose of the study (2) what are the potential risks or benefits to you as the Participant (3) what type of data is being collected (each referred to as a Data Source) (4) how the data will be handled and who will have access to the data (5) how you can contact the Researcher (6) what is the withdrawal process."
This consent form will be presented to participants before joining a study, and they have to agree to this before being able to participate. The consent form is available to the participants throughout the study participation.
- Further processing beyond what is mentioned in the consent form
Avicenna does not perform any processing on the data collected for a given study.
- Participants' right to access their data
Avicenna provides each participant with an online account. The credentials of that account are the same as the ones used to sign up in the Avicenna app. Participants can log in to their online account on Avicenna's website at any time to access their data.
- Participants' right to delete their data
Avicenna allows participants to delete all or part of their data directly through their online account (as described in Section 10.6 of the Privacy Policy). If the participant does not have enough technical skills to use this option, they can contact our support for assistance.
- Data Portability
Participants in any Avicenna study can contact Avicenna's Support team and ask for a copy of their data. We will provide them with a machine-readable file containing all data collected from them.
- Data Storage and Flow
Avicenna stores all data on servers physically located in Canada. All Avicenna employees and support staff are also located in Canada, therefore the data does not flow to any country other than Canada. Canada is considered by the EU Data Protection Commission as a country that provides adequate data protection.
You can find more information in Avicenna's Privacy Policy and Terms of Use. For example, Section 6.5, "Data Sources We May Collect From the Participant, While Enrolled in a Study", describes the different data sources, the anonymization methods that can be used for each, and the potential concerns for each. Section 6.6, "Data Encryption, Upload, Storage, and Anonymization", describes how Avicenna encrypts, uploads, and stores the data. If you have any questions regarding this topic, please feel free to email us.
How to Get in Touch
If you have any security concerns or need to report an issue, you can contact us at support@avicennaresearch.com.