Our Security Commitment
At RAN BIOLINKS CANADA LTD, the developers of MAESTRO IMS, security is the foundation of our platform. We understand that healthcare inventory data — including supply chain records, audit trails, quality control data, and operational information — requires the highest level of protection. Our platform is built with security as a core principle, implementing industry-leading safeguards at every layer of the technology stack.
Compliance Alignment
MAESTRO IMS operates within infrastructure aligned to the following security and compliance frameworks:
- SOC 2 Type II Aligned: Our infrastructure and operational controls align with SOC 2 Type II requirements covering security, availability, processing integrity, confidentiality, and privacy
- ISO 27001 Framework: Information security management practices following the ISO 27001 control framework
- PIPEDA: Compliance with Canada's Personal Information Protection and Electronic Documents Act
- PIPA & FIPPA: Alignment with British Columbia's privacy legislation for both private and public sector organizations
- 21 CFR Part 11 Ready: Electronic records and electronic signatures capabilities designed to meet FDA requirements where applicable
Data Encryption
MAESTRO IMS employs comprehensive encryption strategies to protect your data:
- Data at Rest: All data stored in our systems is encrypted using AES-256 encryption via AWS Key Management Service (KMS), ensuring that information remains secure even if physical storage is compromised
- Data in Transit: All data transmitted to and from our platform is protected with TLS 1.3 encryption with HSTS enforcement, preventing interception during transfer
- Password Security: User passwords are hashed using Argon2 with configurable work factors — the most secure password hashing algorithm currently available
- Key Management: We employ AWS KMS for centralized key management with strict access controls, automated key rotation, and full audit logging of key usage
Infrastructure Security
Our infrastructure is designed for maximum security and reliability:
- Canadian Data Residency: All customer data is stored in the AWS ca-central-1 (Montreal) region, ensuring data remains within Canadian borders. See our Data Residency page for details
- Virtual Private Cloud: MAESTRO IMS operates within isolated VPC environments with private subnets, network ACLs, and security groups restricting traffic to authorized sources only
- Web Application Firewall: AWS WAF provides protection against common web exploits, SQL injection, cross-site scripting, and other OWASP Top 10 threats
- DDoS Protection: AWS Shield provides automatic DDoS mitigation at the network and transport layers
- Network Segmentation: Application, database, and caching layers are isolated in separate security zones with strictly controlled inter-zone communication
Application Security
We implement comprehensive security measures throughout the MAESTRO IMS application:
- Secure Development: We follow secure coding practices aligned with the OWASP Top 10, with automated security scanning integrated into our CI/CD pipeline
- Input Validation: All user inputs are validated and sanitized server-side to prevent injection attacks and other security vulnerabilities
- CSRF Protection: Anti-CSRF tokens protect against cross-site request forgery attacks on all state-changing operations
- XSS Prevention: Strict content security policies and output encoding prevent cross-site scripting attacks
- HSTS Enforcement: HTTP Strict Transport Security headers ensure all connections use HTTPS
- Dependency Scanning: Automated scanning of third-party dependencies for known vulnerabilities with rapid remediation processes
Access Controls
MAESTRO IMS implements robust access control mechanisms designed for healthcare environments:
- Role-Based Access Control (RBAC): Granular role definitions (Admin, Manager, Staff, Viewer, Auditor) with location-scoped permissions. Users can only access inventory data for their assigned facilities
- Multi-Factor Authentication (MFA): TOTP-based two-factor authentication supported and encouraged for all user accounts, with organizational policies to enforce MFA
- Single Sign-On (SSO): Integration with Azure Active Directory for centralized authentication management, user provisioning, and deprovisioning
- Separation of Duties: Critical operations (e.g., approving stock adjustments above threshold values) require authorization from multiple users to prevent fraud
- Session Management: Configurable session timeouts, secure session storage, and automatic logout after periods of inactivity
- API Authentication: RESTful APIs are secured with token-based authentication, with configurable throttling and rate limiting
Audit and Monitoring
Comprehensive monitoring ensures complete visibility and rapid detection of potential security issues:
- Immutable Audit Logs: Every inventory transaction, user action, and system event is recorded in immutable, append-only audit logs. Records include who, what, when, where, and contextual metadata
- 7-Year Retention: Audit logs are retained for a minimum of 7 years to meet healthcare regulatory requirements, with tamper-evident storage
- PHI Tracking: Special audit categories for operations involving Protected Health Information, with compliance tags for regulatory reporting
- Real-time Monitoring: AWS CloudWatch and CloudTrail provide continuous monitoring of infrastructure and application events
- Automated Alerts: Configurable alerts for security events, anomalous access patterns, and critical system events
Data Backup and Disaster Recovery
We ensure data availability and resilience:
- Automated Backups: PostgreSQL databases are backed up automatically with point-in-time recovery capability for up to 35 days
- Read Replicas: Database read replicas provide both performance scaling and additional redundancy
- Cross-Region Backup: Encrypted backups are replicated to a secondary AWS region within Canada for disaster recovery
- Recovery Testing: Backup restoration processes are regularly tested to verify data integrity and recovery procedures
- High Availability: Auto-scaling application servers behind load balancers ensure the platform remains available even during component failures, targeting 99.9% uptime
Vendor Security Management
We ensure our supply chain is secure:
- Vendor Assessment: All third-party vendors and integration partners undergo security assessments before integration
- Contractual Requirements: Security and data protection requirements are explicitly included in vendor contracts and data processing agreements
- Minimal Data Sharing: We limit the data shared with vendors to only what is necessary for their services, following the principle of data minimization
Incident Response
In the unlikely event of a security incident:
- Incident Response Plan: We maintain a documented incident response plan with defined escalation procedures and response timelines
- Customer Notification: We commit to promptly notifying affected customers in the event of a security incident, in accordance with PIPEDA breach notification requirements and contractual obligations
- Post-incident Analysis: After any security incident, we conduct thorough root cause analysis and implement measures to prevent similar incidents in the future
- Regulatory Reporting: We comply with all mandatory breach reporting requirements under applicable Canadian and international privacy laws
Employee Security
Our security practices extend to our team:
- Background Checks: All employees undergo background checks before hiring
- Security Training: Employees receive regular security awareness training and updates on emerging threats
- Principle of Least Privilege: Employees are granted access only to the systems and data necessary for their roles
- Secure Remote Work: Secure VPN and endpoint protection ensure security for remote workers
Healthcare Inventory Data Security
Given the sensitive nature of healthcare inventory operations, we implement additional security measures:
- GS1 Data Integrity: Barcode scanning data (GTIN, lot/batch, expiry, serial numbers) is validated at point of capture and stored with full chain-of-custody tracking
- Quality Control Records: QC inspection results and non-conformance event (NCE) records are protected with role-based access and immutable audit trails
- Stock Adjustment Controls: Separation of duties for stock adjustments above configurable thresholds, with mandatory justification recording
- Transfer Chain of Custody: Multi-site transfers maintain complete chain-of-custody records from origin to destination
- Data Classification: All data is classified according to sensitivity, with appropriate security controls applied based on classification level
Security FAQs
Q: How does MAESTRO IMS ensure data segregation between customers?
A: MAESTRO IMS employs a multi-tenant architecture with strict logical separation of customer data at the organization level. Each organization's data is isolated using application-level access controls enforced on every database query. Additionally, all access is mediated through our RBAC system, which prevents cross-organization data access.
Q: Does MAESTRO IMS conduct regular security assessments?
A: Yes. We conduct regular vulnerability scanning, dependency audits, and code reviews. Our infrastructure undergoes periodic third-party security assessments. Results drive continuous improvements to our security posture.
Q: Where is MAESTRO IMS data stored?
A: All customer data is stored in AWS ca-central-1 (Montreal, Canada) by default, ensuring Canadian data residency. See our Data Residency page for comprehensive details about our data sovereignty commitments.
Q: Can customers conduct their own security assessments?
A: Yes. Customers can request to conduct their own security assessments or receive our most recent assessment reports. Please contact your account representative to arrange this.
Contact Our Security Team
If you have any questions about our security practices or need to report a security concern, please contact us at [email protected].
For responsible disclosure of security vulnerabilities, please email [email protected] with details of the vulnerability. We commit to acknowledging your report within 24 hours and will work with you to address the issue promptly.