Skip to content

Customer Security Requirements

Cirro Bio implements security controls to protect your data and ensure the confidentiality, integrity, and availability of the Cirro platform. However, as a Cirro customer, you are responsible for securing your data and ensuring that your use of Cirro complies with your organization's security policies and procedures. This document outlines the security requirements that you are responsible for when using Cirro. It is intended to supplement, not replace, your organization's existing security policies and procedures.

Account Management

Cirro supports a SAML 2.0-compliant identity provider for Single Sign-On (SSO).

It is your responsibility to manage user accounts and credentials through your identity provider, including but not limited to:

  • Enable multi-factor authentication (MFA) for all users.
  • Manage user roles and permissions.
  • Suspend inactive accounts and offboard users promptly.
  • Monitor and log sign-in activity.

Endpoint Security

Users may access Cirro from any location with an internet connection. It is your responsibility to ensure the security of devices used to access Cirro.

Recommended security practices include, but are not limited to:

  • Enable automatic screen lock after 15 minutes of inactivity.
  • Install and regularly update antivirus software.
  • Keep software up to date to patch vulnerabilities.
  • Enable full disk encryption and remote wipe capability.
  • Verify device compliance before granting access to Cirro.
  • Prevent write-access to removable storage devices.
  • Ensure that devices are configured to block installation of unauthorized applications.

Data Management

Encryption

Cirro uses TLS 1.2 (or higher) to protect data in transit. It is your responsibility to ensure that data remains properly encrypted when transferred to and from Cirro.

For data at rest, Cirro employs AWS-managed encryption by default, which uses AES-256 encryption.

If you have specific encryption needs, Cirro supports Bring Your Own Key (BYOK) through AWS Key Management Service (KMS). In this case, it is your responsibility to securely manage your encryption keys.

Backup

While Cirro utilizes S3 for data storage, which is designed for high durability and availability, it is your responsibility to ensure that data is properly backed up and protected.

The United States Cybersecurity and Infrastructure Security Agency (CISA), recommends following the 3-2-1 backup rule. For more details, refer to the Data Backup Options document.

Recommended backup strategies include:

  • S3 Cross-Region Replication or AWS Backup.
  • Third-party backup solutions.
  • Regularly backing up data to an on-premises location.

Classification

It is your responsibility to classify data stored in Cirro and ensure that it is handled in accordance with your organization's data classification procedures and applicable regulations.

Session Expiration

Cirro provides optional session timeout settings for users. It is your responsibility to inform Cirro Support of any specific session timeout requirements.

Additional AWS Responsibilities

Customers are responsible for securing their AWS accounts by following best practices. For more information, refer to the AWS Startup Security Baseline page. This includes, but is not limited to:

  • Logging and Monitoring: Use AWS CloudTrail to log and monitor AWS API calls and S3 object-level activity.
  • Resource Management: Use AWS Config to track and manage AWS resources and configurations.
  • Threat Detection: Leverage AWS GuardDuty to detect and respond to security threats.
  • Security Posture Management: Use AWS Security Hub or a third-party security posture management system to centrally manage security alerts and compliance checks.
  • Access Management: Use AWS IAM Identity Center (or AWS IAM) to control and manage user access to AWS resources.
  • Vulnerability Scanning: Use AWS Inspector or third-party tools to regularly scan AWS resources for vulnerabilities.

Health Insurance Portability and Accountability Act (HIPAA)

To use Cirro in a HIPAA-compliant manner, customers must ensure that they have a Business Associate Agreement (BAA) in place with Cirro Bio.

It is your responsibility to:

  • Ensure that Protected Health Information (PHI) is stored in file contents and not in metadata (such as file names or tags).
  • Label Cirro projects containing PHI with appropriate data classification labels.
  • Train employees and all users on HIPAA compliance and the handling of PHI.
  • Implement access controls to restrict access to PHI to authorized personnel only, such as implementing least privilege and regular access reviews.
  • Apply the appropriate data retention policies for PHI and audit log data.

Other Key Responsibilities

  • Notify Cirro Bio of any changes made to technical or administrative contact information.
  • Develop and maintain disaster recovery and business continuity plans that address the inability to access or utilize Cirro Bio services.
  • Notify Cirro Bio of any security incidents or breaches in a timely manner, in compliance with applicable laws and regulations.
  • Ensure supervision, management, and control of the use of Cirro Bio services by their employees, agents, and contractors.
  • Ensure compliance with industry-specific regulations and standards, such as HIPAA, GDPR, as applicable.
  • Ensure all API integrations with Cirro are secure and comply with security best practices.