SECURITY QUESTIONS

1bIs the system FDA Validated?

No

Does the system comply with 21CFR Part 11 audit and logging requirements?

Yes

Is The System FDA Validated?

No

Is the system FDA Validated?

No

Please Describe how changes to data are logged and recorded?

Changes are not permitted of the data

Does the system maintain an verifiably accurate Network Time Protocol (NTP) time source?

Please Elaborate.Yes, everything is recorded in UTC.

Does the system provide a timestamp for all logged events based on the above NTP?

Yes

Is the system capable of logging all changes to data hosted in the system?

Changes are not permitted of the data

Can these logs include who made the change?

Changes are not permitted of the data

Can these logs include what data was change?

Changes are not permitted of the data

Can these logs include a approval audit trail?

Changes are not permitted of the data

Do these logs make reference or preserve the "prior state" data?

Changes are not permitted of the data

Please describe the controls in place to prevent audit logs from being tampered with.The logs are stored as csv files which cannot be altered after creation.

Database records cannot be modified.

Are you Safe harbor compliant?

Yes

Do you provide accurate and timely notification to your users regarding what information will be collected?

Yes

Do you give users an "opt-out" for information sharing?

There is no option to share information.

Do you provide users notification regarding who you share information with, and provide an opportunity to "opt-out" of information sharing with your partners?

There is no option to share information.

Do you provide users access to the information you hold about them, and do you provide the opportunity to correct or change this data as appropriate?

Yes

Do you perform a periodic security assessment to ensure the security of collected information?

Yes

What controls are in place to ensure the integrity of the information, to ensure that it is complete and accurate for the purposes that it is being used for?

All customer systems are fully automated, and as such, customer information is not directly accessible by anyone but the CTO and CEO.

Please describe your complaint and resolution process with regard to the information that you collect.

All complaints can be directed to support@palette-software.com. Any issues that cannot be immediately resolved will be pushed to the CEO for resolution.

Do you have a 3rd party attestation of Controls or Certification such as an SSAE-16, ISO 2700X or a penetration test? Please provide any additional details that would demonstrate System controls.

No

Please describe the available layers of security within this system that provide "defense in depth" in order to secure the system and the data stored in or downstream from this system.

Customer's data is stored in a 'single tenant' AWS account. As such, only the customer and Palette Software have access using Amazon's industry approved access control systems.

Please describe this system's Role Based Access Control capabilities, please include any Directory or SSO integration points and options.

It does not provide role based or any SSO integration.

TECHNICAL QUESTIONS

Please describe the process for maintaining Segregation of Duties at your facilities supporting this service.

We use AWS IAM user provisioning, which provides fine grain access controls. For example, Support staff do not have access to modify system settings.

Please describe this system's capabilities to support Segregation of Duties and supporting access control.

We use AWS IAM user provisioning, which provides industry-leading fine grain access controls.

Please Describer your system authentication method and how user access is added and revoked.

We use AWS IAM user provisioning, which can easily add or revoke access.

What additional controls are available which may enhance user account controls?

None

Please list and explain all configurable or non-configurable password management controls including but not limited to: ( password complexity requirements, password expiration, password cycling, password recovery, system availability windows, password encryption, hashing and obfuscation, account lockout).

Password complexity is extremely high. Passwords are 40 to 50 characters long, expiring evert 90 days, passwords cannot be renewed, passwords cannot be recovered, all passwords are hashed when retained using md5.

Please describe the systems Enterprise Single Sign-On (SSO) and Federated Identity capabilities. Please include Supported Technologies (i.e. SAML V2, OAUTH, etc.) as well as specific vendor integration partnerships and capabilities. Please not any know instances where your product DOES NOT integrative with SSO or Federated Identity Technologies or vendors.

No SSO integration.

Please describe your system's native muti-factor authentication capabilities, please not any integration partners which are able to non-natively provide this capability.

We can support AWS multi-factor authentication, both hardware and software tokens.

Please describe your system's provisioning and deprovisioning process. Please include any key technology employed and key integration partners which may be required.

Users can be provisioned by Palette Technical Support. Roadmap in next 6 months provides for user provisioning using Palette UI.

What is the standard SLA to have a user provision or deprovisioned in your system?

Same or next business day.

What encryption technologies are employed by your system, and where are they employed?

md5 and SSL. All data is encrypted into files and then transmitted over SSL.

Please describe the capabilities to encrypt data at rest and in transit.

md5 for at rest and SSL for transit.

Please Describe your system's capability to detect, report, and prevent network based intrusion events.

We use Alert Logic Threat Manager which is an industry recognized expert solution for detecting and preventing network intrusions.

Do you have a 3rd party attestation of Controls or Certification such as an SSAE-16, ISO 2700X or a penetration test? Please provide any additional details that would demonstrate System controls.

Not yet.

Please describe the process for importing an exporting of data in to and out of this system. What data portability standards and practices are native to this system.

Data is stored in two places. One place is in md5 hashed files that can be decrypted using the Palette Software license key string. A second place is in a Greenplum SQL database, which can export data using standard SQL commands with standard PostgreSQL drivers.

Please describe the data validation controls that are in place to that ensure the correct type, the completeness and the accuracy of data stored within this system.

We have data validation tests to quality assess the results.

Please describe the Standard system messages warnings, error messages if process fails, automatic alert if interface job fails, with explanatory text to assist users. Please describe the configurability of this user feedback to provide more or less information depending on the security context.

If the system should stop processing or transmitting data, the system will alert the admin by email of the issue.

Please describe the process for reporting and distributing data, please include available controls for managing distribution and availability of reports based on access control needs within the organization.

Data is available by connecting to the Greenplum SQL database. Palette provides a Tableau workbook that users can modify or publish to a Tableau Server. In addition, any reporting tool can connect to the Greenplum SQL database for custom output.

Please describe the system capabilities for reporting of system and data health and data reconciliation.

All components of Palette have logging outputs to a log watch endpoint.

Is the data provided real-time, or via periodic updates, and what frequencies are available?

Data is processed continuously and in real time.

Please describe the data retention configuration options and availability.

Data retention is customer definable depending upon business requirements and cost considerations.

Please describe the process for detecting and preventing the unauthorized modification, update, or deletion of records within the system.

The master password to write or delete data in the Greenplum SQL database is not available to any human user. Read-Only passwords are given to users. The master password can only be used by the application per the rules of application and therefore nothing unauthorized can be executed by human users.

Describe your process for detecting, marking inactive, archiving, and deleting inactive records. Please include any authorization or workflow options.

Records are marked for deletion dependent upon customers retention business requirements.

Describe your process for detecting and deduplicating duplicate records. Please include any authorization or workflow options.

We have a model for record uniqueness which prevents any duplicate records from being accidentally duplicated into the reporting systems.

What is the logical maximum capacity of data or records assuming there is no hardware constraint?

10 TB

Does your system provide for export of customer data?

Absolutely.

Is this export provided in a human readable, industry standard format? Please list available formats for export.

Industry standard SQL.

Upon termination, does this service provide a period past the termination date for information retrieval? Is so how long is this period?

Yes, and we pass all systems directly and immediately to customer, so customer has full access and control of data after possible termination event.

Please describe the system's ability to ensure the completeness and accuracy of data handled by the system, including but not logging, error detection, auditing etc.

We log every data collection and transmission event, which provides end-to-end audit-ability. We are alerted if any event fails.

Please describe your system's ability to produce audit trails and error reporting/logging for all transactions and functions within the system.

Every aspect of the software has full operational logging.

Please describe any minimum system requirements for this system.

Red Hat Enterprise Linux, 32 GB RAM, 10GB SSD + 1TB SSD, 8 vCPU.

Please provide a system compatibility matrix for this system to determine compatibility with ISI standard architecture.

We only support the following specification: Red Hat Enterprise Linux, 32 GB RAM, 10GB SSD + 1TB SSD, 8 vCPU.

Please describe what standard automation and workflow process are provided standard without customization, as well extensibility through APIs.

Data is processed automatically. No customization is required to get CPU/log reporting of Tableau User sesssions and user filter selections. Charge back values require support team configuration.

Please describe the system's capabilities for data import and export capabilities.

Full export capabilities using standard SQL commands with a PostgreSQL drivers.

What objective measure and standards are used to determine this system's performance? Based on these standards, what is the system performance of this system relative to it's competitors?

System consumes less than 2% of CPU resources on each Tableau Server node (Primary or Worker).

What standard functional and performance warranties or SLAs are offered?

Palette is provided with understanding that uptime will be 99% on a monthly basis for issues that under control of Palette.

Please describe your Backup and recovery process. Attach or reference additional documents as necessary. Please include standard recovery time SLAs.

We use standard PostgreSQL database synchronization methods to provide backup and recovery. These methods are considered to be extremely reliable and efficient.

Please provide an overview of your disaster recovery plan (DRP)including measures such as offsite backup storage, recovery SLAs, warm/hot site availability.. Etc.

At customer's discretion, we can provide disaster recovery for a fee equivalent to the running costs of a maintaining a backup replica. Customer's business requirements determine the SLA, and Palette will provide a quote for delivering this additional capability.

How often is DRP tested?

At customer's discretion.