Security Statement

We’ve provided an overview of the measures we take to secure your data.

Integrity and honesty are the key attributes of everything we do at Mahalo. We are committed to protecting our customers’ data above all else.

Mahalo is secured according to the most recent standards in order to protect your data in the best possible way. Mahalo is certified for ISO 27001 (Standards for Information Security Assurance), the standard that describes how Information Security should be organized in a process-based manner in the context of the general business risks for the organization. Inspect our certificates if you’d like to learn more.

General application security principles
  • Application code uses modern techniques to minimize the risk of SQL injection, cross site scripting (XSS) and other common attacks.
  • Immutable audit logs provide a fine-grained overview of data access and modifications.
  • Data is encrypted at rest and in transit.
  • Continuous Penetration Tests ensure our application and infrastructure security is always up to date.
Security of Mahalo
  • Users have individual accounts and strong passwords are required. Users are locked out of their account after 10 failed login attempts.
  • Sessions automatically time out after 20 minutes of inactivity.
  • Institute administrators can enforce additional security policies, such as mandatory two-factor authentication or regular password rotation.
  • Fine-grained access control is managed by the study administrator and authorizations are granted on a per person per institute basis. All access is denied by default, preventing unauthorized access to data by other researchers or institutes.
  • Study access can be limited based on IP-range in addition to requiring mandatory two-factor authentication.
  • In addition to our default encryption of data at rest and in transit, an extra application-level encryption layer can be enabled for sensitive data. This uses encryption keys managed off-site by a trusted third-party key management system. Within the application, fine-grained encryption and decryption authorizations can then be granted per study and institute.
Security of Mahalo eConsent
  • Users have individual accounts and strong passwords are required. Rate-limiting is used to prevent brute-forcing of passwords.
  • Sessions automatically time out after 20 minutes of inactivity.
  • Access to data is determined by the study and/or organization admin. This is done by assigning roles to users on an organization, study or site level.
  • In addition to our default encryption of data at rest and in transit, an extra application-level encryption layer is used for personally identifiable information.
Security of Mahalo SMS
  • Sessions automatically time out after 60 minutes of inactivity.
  • Access to data is determined by the study and/or organization admin. This is done by assigning roles to users on an organization, study or site level.
  • In addition to our default encryption of data at rest and in transit, an extra application-level encryption layer is used for personally identifiable information.
Security of Mahalo SMS
  • Users have individual accounts and strong passwords are required. Users are locked out of their account after 10 failed login attempts.
  • Sessions automatically time out after 60 minutes of inactivity.
  • Access to data is determined by system administrators, who manage user roles on a system wide level.
  • Newly registered users are required to go through a manual approval process before receiving any level of privileged access.
Security of the servers

Mahalo applications run on fully managed Google Cloud Platform, in the following regions: United States

  • Singapore
  • UK
  • Netherlands
  • Australia

All hosting platforms are certified for or compliant with relevant certifications (ISO27001) and/or national or international standards (HIPAA, GDPR).

Our servers are patched with security updates on a daily or weekly basis depending on the environment. Critical updates are applied regularly to mitigate potential vulnerabilities.

Backups are made twice daily and stored encrypted within a different physical location to ensure maximum security and continuity.

Security of the network
  • All of Mahalo’s applications run on security-hardened servers with only necessary services and ports open to the outside world.
  • Web traffic is only permitted using modern, industry standard encryption (>TLS 1.2 and newer), and all uses of cryptography are regularly reviewed.
  • Network security groups and firewalls ensure that no unauthorized connections can be made to any of our servers.
  • Database servers and other data stores are never directly accessible from the public Internet in order to prevent external attacks.
Organizational and Personnel security
  • Access to the office is restricted via personal, digital key tags. Visitors have to be accompanied at all times.
  • All laptops, phones and other devices used by employees and contractors are fully encrypted.
  • Laptops are protected with endpoint security, including anti-virus and anti-malware.
  • Passwords and other digital credentials are securely stored within a corporate password manager and access to critical systems requires Multi-Factor Authentication (MFA, also known as 2FA).
  • All employees and contractors attend a security training at least twice a year.
Other
In the event of a data breach

At Mahalo, we do everything in our power to protect your data. If a security breach should occur, we will act quickly to mitigate the damage and keep you informed of the possible implications.

Development

Our Secure Development Policy describes the entire software development lifecycle and all the measures we take to ensure the best possible security. This includes our release cycles, feature and bugfix procedures, code review requirements and QA processes.

Continuity

If anything unexpected should happen to our company we want to minimize the impact this has for our clients. Therefore we provide coverage on the short and long term:

  • Short term coverage through a continuity solution: we have deposited funds in a separate legal entity to ensure hosting continues for at least 3 months. All studies in Mahalo automatically profit from this arrangement.
  • Long term coverage through a Source Code Escrow: clients have the option to become a beneficiary of the application source code in case of bankruptcy or product discontinuation. The code can be deployed in an own environment, or our hosting provider can continue the services. Please contact us if this option is of interest.
User responsibilities

You can contribute to the security of your data. We advise everyone not to store patient-identifiable information (surnames, social security numbers, postal codes, date of birth, etc.) within Mahalo.

We also recommend that you follow these best practices when it comes to securing your account and workstation:

Accessing the system
  • Use a strong password. A good password should be easy to remember but difficult to guess.
  • Don’t use a password you’re already using somewhere else. A lot of data breaches happen because identical passwords are used across different services. Password managers can help you use highly secure, unique passwords for different services without having to type or remember them - check your institute policies about what you’re allowed to use.
  • Keep your password private. Don’t share it with anyone and never write it down. Mahalo personnel will never ask for your password.
  • Avoid using general email addresses such as info@example.com that multiple people have access to. All actions in a study are tracked in the audit trail. Using general email addresses makes it harder to track who accessed the system and made changes to a study.
  • Lock your screen if your device is unattended and log out of the application if you no longer need to access the system. A session in Mahalo automatically expires after 20 minutes of inactivity.
  • Secure your computers with antivirus and anti-malware software.
  • Always check that you are on the right domain and not on a fake website (phishing). Be especially vigilant when following links from email messages.
Working with data
  • Avoid adding personally identifiable information (PII) unless the encryption module is used. Avoid storing surnames, Social Security numbers or postal codes and preferably not even dates of birth, unless you are encrypting your data.
  • If you want to share your Mahalo data export, the safest method is to add the person to your Mahalo study so they can export the data themselves. If you prefer to share the file instead, encrypt the data file with a password and share the password via a different communication channel than the one you use to share the data file.
©2024  Mahalo Digital Ventures, Inc.