ORX Data security
- 14 March 2022
Keeping your data safe is our highest priority. With data for more than half a million events in our system, it’s essential we use a platform that provides an extra level of security and anonymity for our members
How do we keep your data secure, confidential and anonymous?
Access to the Insight system is role-based and restricted to authorised members and ORX staff only. The ‘Member Access Approvers’ approve all new and removed users to the system for their organisation. Every user has their own login credentials limiting access to the parts of the system corresponding to their role.
access is only granted after successful authentication using a two-factor authentication provided by SecureEnvoy.
we conduct an entitlement review on a quarterly basis. Each quarter, the Members Authorised Access Approver is asked to confirm the users they want to have access and their roles. This ensures that the users set up on the system are valid at all times.
we ensure that member names are not stored with the data and obfuscate sensitive data. Member institution names, individual user names and email addresses are all allocated unique random alpha numeric codes.
Segregation of duties
Insight is based on a sophisticated user permission concept. Access to all data elements is strictly controlled by role so that ORX users of Insight cannot link the data they see to a specific member.
Data moves through three staging areas. The first area is only accessible to members and is where they load and maintain their data. All data is encrypted with a member specific key and no one else can access it. Following member approval, the data is anonymised and passed into the second staging area. The second area is only accessible by ORX analysts and is where the quality assurance process takes place that ensures the database contains high quality, accurate data. How do we keep your data secure, confidential and anonymous? The third area is accessible by all users who have read access and is where the reports can be run on the anonymised published data. It is not possible to determine which member losses come from in the published data set.
We apply data encryption to provide a layered approach to securing the data. The data is protected against casual browsers and against technical administrators who host and support the system.
The Insight application is hosted by Swisscom in their Bern data centres. The quality of the physical protection is comparable to well-designed computing centres of Swiss banks. These data centres are ISAE3402 (formerly SAS70) compliant.
How do we ensure that Insight and the data remains secure?
ORX conducts an independent IT security audit of the Insight system on a regular basis and whenever any major changes are made to the application.
If you would like more information on data security please contact Tim Phillips [email protected]