Compliance, Security, Privacy
Customers may request access to our SOC 2 Type 2 report or ISO 27001 certificate by submitting a Service Request. Prospective customers will be provided access under NDA.
SOC 2 Type 2
Pitcher successfully completed the SOC 2 Type 2 external attestation. This confirms that Pitcher has implemented controls for the trust services criteria of security, availability, processing integrity, confidentiality, and privacy, as defined by the American Institute of Certified Public Accountants (AICPA).
Pharma and Life Science
Pitcher products can be adapted to meet stringent pharmaceutical and life science regulations (e.g., 21 CFR Part 11). Our pharma and life science customers have successfully used Pitcher solutions in highly regulated, GxP-validated environments. Reach out to our Sales team for more information.
EcoVadis
Pitcher successfully completed the corporate social responsibility and sustainability assessment of EcoVadis, a widely used provider of business sustainability ratings. Please use the EcoVadis platform to request access to Pitcher's profile.
Integrated compliance framework
We operate under an externally certified Quality Management System (QMS). The Pitcher QMS consists of policies, procedures, and standards built on industry best practices such as ISO 9001, ISO 27001, ISO 22301, COBIT, and ITIL.
A set of designed and regularly tested internal controls ensures the effectiveness and efficiency of the QMS.
Policies and procedures
Pitcher has implemented and documented multiple policies and procedures (SOPs, Standard Operating Procedures) to ensure the quality, security, and compliance of our operations. The essential policies and procedures are:
- Information Security Policy
- Acceptable Use of Electronic Assets Policy
- Personal Data Protection Policy
- Business Continuity Policy
- System Development Life Cycle SOP
- Test Management SOP
- Access Management SOP
- Incident Management SOP
- Project Management SOP
- Continuous Improvement SOP
- Vendor Risk Management SOP
A Training Program is designed and implemented to ensure that all staff members are trained on the policies and relevant SOPs annually.
Human Resources Security
All our employees and contractors operate under strict non-disclosure agreements (NDAs) and confidentiality agreements and go through external background checks before employment.
New hires receive basic security awareness training as part of orientation and onboarding. Security education and awareness training then continues throughout their career, with at least one training session per year.
A comprehensive set of policies is enforced on all staff. This includes policies for information security, access management, and incident management.
The Pitcher security team runs regular simulated phishing campaigns to raise awareness of the most common threats.
All equipment used by Pitcher staff is controlled by the company MDM (Mobile Device Management) solution; the MDM policy mandates, among other things, system updates, device encryption, and malware protection.
Offboarding of staff and revocation of user access is done in a timely manner, preventing unauthorized access to information.
Secure System Development Lifecycle (SSDLC)
Formalized SSDLC process
A well-defined Secure System Development Lifecycle procedure is in place, covering system definition, coding quality control, and controlled release into the production environment.
A dedicated Quality Assurance (Testing) team ensures that defects are detected and fixed quickly.
The four eyes principle is embedded prior to production release, with the additional review and final approval of the Quality, Risk and Compliance (QRC) Team.
Shift left approach
Security by Design and Privacy by Design principles are embedded in the Pitcher software development cycle.
The source code is peer-reviewed and scanned for vulnerabilities before deployment.
Continuous security scanning
Industry-standard tools are in place to ensure that source code meets security and quality objectives, including verification against the OWASP Top 10.
All external-facing environments are scanned daily.
All tenant data are logically separated.
All data, including passwords, is encrypted with 256-bit AES at rest and protected with TLS in transit. Device data is encrypted with the device's native encryption methods.
Pitcher uses Amazon S3 server-side encryption (SSE) for stored objects. Master keys and the keys used to protect personal and business data are stored in a Hardware Security Module (HSM).
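A practitioner verifying a "server-side encryption with HSM-backed keys" claim will usually want to see that the bucket refuses unencrypted or differently encrypted writes, not just that encryption is configured as a default. The bucket policy below is an added illustration of that check and is not Pitcher's own configuration; the bucket name `example-tenant-data`, the key ARN and the account ID are placeholders. It denies any `s3:PutObject` that does not request SSE-KMS, and any SSE-KMS write that does not name the expected KMS key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectUnlessSseKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-tenant-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectWithWrongKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-tenant-data/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
        }
      }
    }
  ]
}
```

Two caveats when using a policy like this: negated condition operators such as `StringNotEquals` match when the key is absent from the request, so a client that omits the `x-amz-server-side-encryption` header is denied even if the bucket's default encryption would have encrypted the object anyway; and the policy only governs new writes, so objects uploaded before it was attached must be checked (for example with an S3 Inventory report that includes the encryption status) or re-encrypted separately.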
On a periodic basis, Pitcher performs Information Security Risk Assessments to identify potential internal and external risks to the confidentiality, integrity, availability and privacy of Pitcher information assets.
Access to Pitcher internal systems is subject to a strict Access Management procedure. Multiple organizational controls (such as awareness training and product owner approval) and technical controls (such as 2FA and SSO) are in place to ensure information security.
Privileged access is controlled and restricted. Device VPNs are used for administrator access to the AWS Management Console and local system services. Pitcher can use a customer's SSO flow for subsystem access, or TLS-secured username/password authentication for platform access.
Periodic review of user accounts access is in place.
User activity is tracked. Audits of user activity can be shared on request.
Resilient system architecture
Hosted by AWS
Pitcher has partnered with AWS (Amazon Web Services) as its hosting provider and uses the AWS service offering to keep customer data secure. Please refer to the AWS Cloud Security Whitepaper for additional details at http://aws.amazon.com/security.
The primary data center for all Pitcher solutions is the AWS eu-west-1 region in Dublin, Ireland. Alternative locations can be agreed upon individually. For more information on the security of AWS data centers, please visit https://aws.amazon.com/compliance/data-center/controls.
Business Continuity and Disaster Recovery
Partnership with AWS allows us to ensure high availability and uptime of our solution.
The structured approach to all business continuity aspects at Pitcher is defined in a formalized Business Continuity Management System (BCMS), fully aligned with the requirements of the ISO 22301 standard.
Formal Business Impact Analysis (BIA) and Risk Assessments (RA) are executed at least once per year to maintain the adequacy of the defined approach. Defined business continuity strategies and solutions are subject to regular testing.
Customers can integrate monitoring data and streams into their own IMS (incident management systems) as required. Pitcher also offers https://status.pitcher.com/ for live monitoring of all systems, where customers can subscribe and stay updated with incidents and updates.
Pitcher has established multiple processes that continually challenge the existing level of quality and the adequacy of our data security and privacy measures. These include quarterly control testing, internal audits, and QMS documentation reviews. The outcomes of these activities are formally documented and used as input for our continuous improvement initiative.