Privacy, Data Protection & GDPR: Frequently Asked Questions

This section outlines our answers to the most frequently asked questions from our clients and users about data privacy issues, and GDPR in particular. If you cannot locate any answer to your question, please do not hesitate to contact us at privacy@inofab.health.

Is Inofab GDPR Compliant?

Inofab complies with all laws that apply to its business, including the European General Data Protection Regulation, or GDPR, which has been in effect since May 25, 2018. Inofab is fully committed to compliance with the GDPR as part of its commitment to achieving the highest level of data protection and privacy.

We, as Inofab, understand the significance of incorporating the standards and codes of conduct laid down by the GDPR into our data processing activities, and we ensure that our customers feel secure and confident in continuing to use Inofab products and services.

Our core engineering value is privacy by design. We have invested in various privacy enhancing technologies (PETs); we have further developed new features to increase the resilience of our privacy practices, and we have taken various technical and administrative measures to ensure the continuity of our legal and technical compliance. We document all our data-related activities in line with the accountability principle.

Considering that the GDPR is a new and general privacy framework, we monitor all legal developments. We particularly follow the technical guidance provided by the European Union Agency for Cybersecurity (ENISA). Through our good-faith efforts, we believe we are in compliance, both now and as future developments come along.

Where is Data Stored and Processed?

All data is stored and processed with Amazon Web Services (AWS). As part of our commitment to GDPR compliance, we only use AWS servers within the jurisdiction of the EU.

Certifications for Accountability

Inofab takes the security of your information, and compliance with the applicable legislation on information security and data protection, very seriously. In this context, Inofab takes care to conduct its operations within a framework compatible with national and international standards. To this effect, Inofab has obtained the following certifications to ensure compliance and to prevent any breaches or violations that could negatively affect users.

We are proud to state that Inofab, as a medical device producer, is certified to “ISO 13485:2016 - Quality management systems”. ISO 13485:2016 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities.

ISO 13485 certification also creates advantages for ensuring long-term normality, security, and credibility of processes and business activities. ISO 13485 mandates adoption of a risk-based approach, and the organization is required to determine which risks may affect the ability of processes or resources to achieve the planned results.

ISO 13485 contributes to the maintenance of data security and creates a framework for ensuring the integrity of data, the security of databases, and secure communication between integrated systems. ISO 13485 mandates the identification of precautions and provisions regarding the operation of the software, and requires the retention of records and documentation of conformity to applicable regulatory requirements. For example, it requires the measures necessary for the security and confidentiality of patient information, and it stipulates specific performance qualification criteria, such as confirmation that the functions the software is designed to perform remain effective over the long run.

Inofab, under the strict requirements of ISO 13485, has created specific business continuity and information security policies and implements these policies with due diligence. Most of the requirements of ISO 13485 overlap with certain requirements of the GDPR.

As is known, no widely recognized GDPR certification scheme is available yet. Inofab is tracking all developments in this field and gives priority to following ISO standards until GDPR-specific schemes enter into force.

Inofab is in the process of acquiring certification against the following ISO standards:

  • ISO/IEC 27001 - Information Security Management System (ISMS)
  • ISO/IEC 27017 - Security Controls for the Provision and Use of Cloud Services
  • ISO/IEC 27018 - Protection of Personally Identifiable Information (PII)

Security Is Our Core Value

Security is the core value of Inofab. As is known, Article 32 of the GDPR requires organizations to implement appropriate technical and organizational measures to secure personal data.

Inofab adheres to all industry standards of cyber security, in particular the frameworks and guides provided by ENISA. Inofab has improved its security level by using techniques such as pseudonymization of personal data and encryption of personal data at rest and in transit.

Inofab has invested in its infrastructure in order to enhance its ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Inofab has a detailed information policy, an incident management plan and a data breach notification procedure to ensure the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.

Inofab has adopted various application security measures and implements data encryption, both in transit and at rest. All network traffic is encrypted via SSL, and application traffic over SSL/TLS. Our infrastructure is protected by multilayer access control with granular content permissions, and all user credentials are stored as one-way salted hashes. Data backups on our servers are also encrypted with AES-256 and signed with RSA using a 2048-bit key.

Inofab works with certified information security service providers to regularly test, assess and evaluate the effectiveness of its technical and organizational measures for ensuring the security of processing.

Relationship with Third Parties

Inofab oversees its vendor contracts with due diligence and requires all third parties to comply with Inofab’s data protection and privacy policy. We continually monitor and review our security measures.

Our Privacy Compliance in a Nutshell

  • Inofab has an in-house Data Protection Officer (DPO).
  • Privacy policies are continually updated pursuant to changing data processing requirements and new risks.
  • Throughout Inofab services, data is stored and transferred only in encrypted form.
  • Secure servers hosted by AWS are used by Inofab.
  • Personal data is stored by Inofab only on servers that are appropriate as per GDPR.
  • Inofab acts in full collaboration with the competent data protection authorities, notifies regulators of breaches and reports breaches to customers and users immediately.
  • Inofab mandates strict confidentiality requirements for its employees.
  • Inofab mandates that all business partners respect the same data management, security, and privacy practices we adhere to.