Security & Privacy are a key priority for any responsible researcher.

Secure Access:
EmPower’s software security features include assigning unique user names and passwords to specific users as well as CAPTCHA access keys and can include RSA (a security fob). The software requires “Strong Passwords” to reduce the risk of unauthorized access via password guessing.
 
Time-Out:
The software will lock out a user after 15 minutes of being idle. To regain access to the system, the user must log back in using their username and password. Upon notification of a suspected or confirmed stolen password or unauthorized access, EmPower can disable a user in under 1 minute.

Permissions/Roles:
EmPower’s software operates on permissions meaning that there are different roles defined within the system that grant access to different forms within the database. The researcher is responsible for identifying all research personnel that will have access to the database and is responsible for defining their role. EmPower will ensure that the software reflects these roles through permissions. For example, the role of a research assistant may be defined as having access to all information (including personal identifiers) for study participants at their site but having no access to any information at any other site. Permissions would ensure that upon logging in, this research assistant would not have the ability to access any data from any other site. A second example, the role of the study coordinator, may be defined as having access to all data at all sites with the exception of personal identifiers (i.e. participants are referred to by their unique study number only). Finally, EmPower employees do not have permission to access to personal information and instead communicate to researchers using subject unique identifying numbers.

Audit Log:
EmPower’s software uses an auditing system when any user tries to change data that has been previously saved in the database, the system logs the username of the person making the change along with the date and the time that the change was made. The software requires that a reason for the change be provided before saving the change. All data, whether original or updated is stored and can be retrieved by the administrator at EmPower.

Encryption:
Data is collected via Secure Socket Layer (SSL), a protocol that transmits communications over the Internet in an encrypted form (256-bit encrypted in transit). SSL ensures that the information is sent, unchanged, only to the server specified in the SSL certificate.

Compliance:
EmPower’s software is compliant with US and Canadian electronic data transfer regulations including the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), reducing the risk to unauthorized access to personal information. EmPower’s SmartManager software has undergone a formal 21 CFR Part 11 assessment and is FDA compliant (certificate available upon request).

Professional Hosting:
EStruxture houses EmPower’s servers and is located at 800 Square Victoria in Montreal, Quebec, Canada. This building has 24/7/365 uniformed security patrol security, CCTV cameras installed to monitor perimeter and common areas of the building, card readers in elevator cabs in operation 24 hours, building telecommunication risers & MMR facilities electronically monitored 24 hours, optical entrance turnstiles enable controlled access. Tenants also deploy their own proprietary security systems. Access to all high-security areas, such as the Meet-Me Room and Riser Systems, require a supervisor to monitor all personnel. More complete information on EStruxture, their security and practices can be found at https://www.estruxture.com/