Can we choose which AWS region our data is stored in?

Not at the moment. The data is stored in EU - Ireland.

What access does Labstep have to our data?

Labstep follows the principle of least privilege, so only relevant Labstep employees can have access to data stored on our AWS account. Labstep employees are trained on this matter and would only ever access data for debugging purposes. All interactions with data are logged and audited at regular intervals.

How is access to our data monitored, logged and controlled?

We issue temporary access tokens only to relevant employees needing data access. All requests to read data are logged. This allows us to monitor who requested data, when and the data type.

What security is in place, including the website, databases and backups?

Labstep encrypts data at rest and in transit. Labstep keeps daily backups of the database and files uploaded. At the infrastructure level, we have in place the following:

• Private VPC;

• Network firewall;

• Intrusion detection;

Labstep performs an external penetration test annually to ensure OWASP top 10 and other standards are followed.

Do we have visibility of successful/attempted logins to our instance?

At the application level, Labstep provides a security audit log to each customer. This gives the account admin a detailed report of all account security-related activity. You can see when users have last logged in and out of your organisation account, from which device, their IP address for the session, and more.

Note: this is only available in the Enterprise tier.

At the infrastructure level (AWS), Labstep maintains a complete audit trail of all activity (including logins etc.). We constantly monitor this activity and have automated alerts for suspicious activity. Information about this activity can only be shared on request and with a valid reason (e.g. suspected rogue activity from a Labstep employee).

Are the backups for different organisations separate? Or is it one backup for all instances?

One backup for all organisations.

Is Labstep GDPR compliant?

Yes. Read more about how here.

What disaster recovery do you have in place?

Labstep has a plan to spin up a new environment on AWS (in a different geographic region if the main geographic region goes out of service) with a copy of the latest Database and Files backup. This will be done within 24 hours. This is tested twice a year.

If the AWS fails or Labstep closes down, what access do we have to our live data or the backups? E.g. Do you have some sort of escrow agreement or contingency with another cloud vendor?

For the duration of the recovery, data won’t be accessible. Within 24 hours, the service will resume, and data will be accessible. It is worth noting that Labstep ensures high availability by running multiple instances in different availability zones, so it is highly unlikely the service will completely stop.

Labstep keeps backups both in AWS and Google Cloud Platform (GCP) for redundancy.

Are the backups useful for recovering data outside of the Labstep system? i.e. is there value in us having access to the backups, or are they only really useful to restore within the Labstep system?

Backups are only useful inside the Labstep infrastructure for security reasons. Backups are encrypted using keys that are managed and live inside the data centre (neither Labstep nor the cloud provider can read directly or export these keys). So they can only be decrypted and read within the data centre.

Is there a way for us to restore to a point in time due to human error on our part? i.e. authorised user deletes notebook entries

Data in Labstep is archived and not hard deleted. So at any given time, you can restore a deleted entry.

Furthermore, all data changes at the application level are logged and presented within the app (e.g. change of experiment name or notebook entry) as an activity log. In the case of notebook entries, the user can restore the entry to a previous point in time using our Time Machine feature.

How can we extract all of our data to migrate in human and/or computer-readable form to migrate to a different ELN solution or have an offline copy of everything?

There are various ways to extract data in Labstep. You can do it within the app, using our Export Client, API, or contacting your customer success manager, who can assist you with extracting all of your data in one go.

Data can be extracted in PDF or JSON format.

What is your backup policy?

The backup policy of Labstep involves backing up all critical data stored within the platform to ensure that it can be quickly recovered in the event of any data loss or corruption. This backup process is performed daily, and backups are stored in two different data centres (Ireland and Paris).

Labstep regularly performs comprehensive tests of its backup and recovery processes to ensure their continued efficacy.

To ensure the highest level of data security, all backup data is encrypted using industry-standard encryption algorithms.

Is there a formal commitment to maintaining your current compliance with ISO27001 and FIPS 200?

Yes, Labstep is committed to maintaining compliance with the above standards.