ProofPilot uses technology to democratize research techniques that used to only be possible with massive academic and pharma budgets. We want these tools to be available to our customers without worrying about the IT infrastructure. That means ProofPilot thinks about security from the ground up.
Security by design balanced by user experience excellence
The entire ProofPilot team continually strategizes new features to improve our product. We take cues from our customers, review product use logs, and formalize ideas and strategies based on identified threats and ideas discussed during our quarterly security and ethical review process.
At ProofPilot, every new feature, bug, and request is logged in our task management feature. We prioritize tasks for completion within a strategic release process to meet the needs of our customers and participants while ensuring system uptime, security, and quality of experience.
During the requirements and assessment process for every new feature, we consider how the feature affects security, impacts a participant's privacy and confidentiality, and improves or maintains access to valuable research tools. ProofPilot will not settle for security features that create an awkward or unusable experience for the very users we want to access our systems. Every discussion carefully balances security and privacy features against access and usability for those users. We consider all these aspects within the rubric of our organizational moral compass. During this design phase, any new feature or request that doesn't meet these guidelines is redesigned or scrapped for a better approach.
During the development process, software developers work on dummy versions of the product without real data via a virtual private network. The new code is contributed to a code peer review process where other staff members check the code for quality and security and ensure it meets stated requirements. The approved code is merged into a development server with restricted access for additional testing. Periodically the development team pushes the release to a staging server, where the broader team, including CEO Amsden, does additional testing. Only after this process is completed do we update the experience for our customers and participants. Every aspect of change for each unique task is automatically logged from conception through to implementation on our production environment. We continue to review as users interact with the new features, following a continuous process improvement model.
Encryption in Transit and at Rest
ProofPilot uses industry-standard SSL encryption for all data communicated to browsers and devices and back to our servers. All data on our servers is encrypted, and personally identifiable information is double-encrypted for additional software-based security.
ProofPilot provides multiple secure ways for participants and researchers to access accounts, improving usability and increasing participation rates. All of these techniques have been reviewed both technically and operationally to maintain or improve security and privacy for our customers. The techniques have also been approved by various accredited research ethics commissions. With any of these techniques, ProofPilot requires strong passwords, locks an account after three incorrect password attempts and sends a password reset link to an e-mail address, and automatically logs participants out after 30 minutes of inactivity to reduce unauthorized viewing.
Explicit Authorization and Momentary Access to Personally Identifiable Data
By design, ProofPilot collects very sensitive personally identifiable information. However, to protect the confidentiality of our participants and increase security, that information is rarely communicated back to the participant, researchers or study professionals in a personally identifiable way. Doing so is typically unnecessary. ProofPilot only provides access to name, e-mail address, or telephone number to research staff with the explicit permission of the participant, and only then with the participant available. No access to immediately identifiable participant data (name, contact information) is ever available to a researcher without a code or password provided by the participant. Downloadable data is coded with a unique number. While the data download does not contain immediately personally identifiable information, it does have birthdate, zip code and sex, which are personally identifiable, so customers should take care with the downloaded data.
In cases where a business case exists to communicate personally identifiable information, participants must use easy-to-use functionality to give study professionals explicit approval that lasts only for the duration of a specific task.
Logging and Monitoring
ProofPilot automatically logs every customer and participant login and every data change, addition and edit. This data is encrypted and saved. The data is used in real time to identify and mitigate security, ethical, and privacy risks from an internal, customer and/or participant perspective.