Customer Security Requirements
Cirro Bio implements security controls to protect your data and ensure the confidentiality, integrity, and availability of the Cirro platform. However, as a Cirro customer, you are responsible for securing your data and ensuring that your use of Cirro complies with your organization's security policies and procedures. This document outlines the security requirements that you are responsible for when using Cirro.
Account Management
Cirro supports a SAML 2.0-compliant identity provider for Single Sign-On (SSO).
It is your responsibility to manage user accounts and credentials through your identity provider. This includes, but is not limited to:
- Enable multi-factor authentication (MFA) for all users.
- Manage user roles and permissions.
- Suspend inactive accounts and offboard users promptly.
- Monitor and log sign-in activity.
Endpoint Security
Users may access Cirro from any location with an internet connection. It is your responsibility to ensure the security of devices used to access Cirro.
Recommended security practices include, but are not limited to:
- Enable automatic screen lock after 15 minutes of inactivity.
- Install and regularly update antivirus or endpoint protection software.
- Keep software up to date to patch vulnerabilities.
- Enable full disk encryption and remote wipe capability.
- Verify device compliance before granting access to Cirro.
- Prevent write-access to removable storage devices.
Data Management
Encryption
Cirro uses TLS 1.2 (or higher) to protect data in transit. It is your responsibility to ensure that data remains properly encrypted when transferred to and from Cirro: client tools and scripts that upload or download data should use TLS and validate server certificates rather than disabling verification.
For data at rest, Cirro employs AWS-managed encryption by default.
If you have specific encryption needs, Cirro supports Bring Your Own Key (BYOK) through AWS Key Management Service (KMS). In this case, it is your responsibility to securely manage your encryption keys, including the key policy, rotation, and access logging. Note that KMS-encrypted data becomes unreadable if the key is disabled or scheduled for deletion, so treat those actions as irreversible data-loss events.
Backup
While Cirro utilizes S3 for data storage, which is designed for high durability and availability, it is your responsibility to ensure that data is properly backed up and protected.
The United States Cybersecurity and Infrastructure Security Agency (CISA) recommends following the 3-2-1 backup rule: keep three copies of your data, on two different storage media, with one copy stored off-site. For more details, refer to the Data Backup Options document.
Recommended backup strategies include:
- S3 Cross-Region Replication or AWS Backup.
- Third-party backup solutions.
- Regularly backing up data to an on-premises location.
Classification
It is your responsibility to classify data stored in Cirro and ensure that it is handled in accordance with your organization's data classification procedures and applicable regulations.
Session Expiration
Cirro provides optional session timeout settings for users. It is your responsibility to inform Cirro Support of any specific session timeout requirements.
Additional AWS Responsibilities
Customers are responsible for securing their AWS accounts by following best practices. For more information, refer to the AWS Startup Security Baseline page. This includes, but is not limited to:
- Logging and Monitoring: Use AWS CloudTrail to log and monitor AWS API calls. S3 object-level activity (GetObject, PutObject, DeleteObject) is not recorded by default; enable CloudTrail data events for the relevant buckets.
- Resource Management: Use AWS Config to track and manage AWS resources and configurations.
- Threat Detection: Leverage Amazon GuardDuty to detect and respond to security threats.
- Security Posture Management: Use AWS Security Hub or a third-party security posture management system to centrally manage security alerts and compliance checks.
- Access Management: Use AWS IAM Identity Center (or AWS IAM) to control and manage user access to AWS resources.
- Vulnerability Scanning: Use Amazon Inspector or third-party tools to regularly scan AWS resources for vulnerabilities.
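As an added illustration of the logging and monitoring item above (this is example code, not Cirro Bio's or AWS's own tooling), the script below triages CloudTrail S3 data-event records for the kinds of activity a customer would want to see: object access from an account outside an allowlist, destructive object or bucket calls, and repeated AccessDenied responses from one principal. The records, the trusted account ID 111122223333, and the bucket name are constructed samples in the CloudTrail log-file shape; the thresholds are assumptions to tune for your own volume.

```python
"""Triage CloudTrail records for S3 object-level activity.

Added example, not Cirro Bio's code. CloudTrail only records S3 object-level
calls (GetObject, PutObject, DeleteObject, ...) when data events are enabled
for the bucket; management events alone will not show them.
"""
import json
from collections import defaultdict

# Constructed sample records in the CloudTrail log-file shape ({"Records": [...]}),
# trimmed to the fields this triage uses. 111122223333 is the hypothetical
# customer account; 999999999999 is an unexpected external account.
SAMPLE_TRAIL = """{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                   "arn": "arn:aws:sts::111122223333:assumed-role/analyst/alice"},
  "sourceIPAddress": "203.0.113.10",
  "requestParameters": {"bucketName": "acme-genomics", "key": "runs/r1/sample.fastq.gz"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                   "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.11",
  "requestParameters": {"bucketName": "acme-genomics", "key": "runs/r1/sample.fastq.gz"}},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "accountId": "999999999999",
                   "arn": "arn:aws:sts::999999999999:assumed-role/unknown/x"},
  "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"bucketName": "acme-genomics", "key": "runs/r2/sample.fastq.gz"}},
 {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                   "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.11", "errorCode": "AccessDenied",
  "requestParameters": {"bucketName": "acme-genomics", "key": "runs/r3/secret.vcf"}},
 {"eventTime": "2024-05-01T10:09:30Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                   "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.11", "errorCode": "AccessDenied",
  "requestParameters": {"bucketName": "acme-genomics", "key": "runs/r3/secret.tbi"}},
 {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                   "arn": "arn:aws:iam::111122223333:user/bob"},
  "sourceIPAddress": "203.0.113.11", "requestParameters": {}}
]}"""

TRUSTED_ACCOUNTS = {"111122223333"}  # hypothetical: your own AWS account ID(s)
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "PutObjectAcl", "PutBucketAcl", "PutBucketPolicy"}
ACCESS_DENIED_THRESHOLD = 2  # assumed per-principal threshold for the window reviewed


def s3_object_events(trail_json):
    """Yield only S3 data-plane (object-level) records; management events are dropped."""
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") == "s3.amazonaws.com" and "key" in rec.get("requestParameters", {}):
            yield rec


def triage(trail_json, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return a list of (severity, reason, principal_arn, bucket/key) findings."""
    findings = []
    denied = defaultdict(int)
    for rec in s3_object_events(trail_json):
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "<unknown>")
        params = rec["requestParameters"]
        obj = f'{params.get("bucketName")}/{params.get("key")}'
        name = rec["eventName"]
        # Any object access from an account you do not own is worth a look.
        if ident.get("accountId") not in trusted_accounts:
            findings.append(("high", f"{name} from untrusted account", arn, obj))
        # Deletes and ACL/policy changes are rare in normal analysis workflows.
        if name in DESTRUCTIVE:
            findings.append(("medium", f"destructive call {name}", arn, obj))
        # Repeated AccessDenied from one principal often means probing or a broken integration.
        if rec.get("errorCode") == "AccessDenied":
            denied[arn] += 1
    for arn, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append(("low", f"{n} AccessDenied object request(s)", arn, "-"))
    return findings


if __name__ == "__main__":
    for severity, reason, arn, obj in triage(SAMPLE_TRAIL):
        print(f"[{severity}] {reason}: {arn} -> {obj}")
```

In practice you would run this over CloudTrail log files delivered to S3 (or a CloudTrail Lake query) rather than an inline string, and feed the findings into Security Hub or your SIEM; the filtering on eventSource plus a key in requestParameters is what separates object-level data events from management events.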
Other Key Responsibilities
- Notify Cirro Bio of any changes made to technical or administrative contact information.
- Develop and maintain disaster recovery and business continuity plans that address the inability to access or utilize Cirro Bio services.
- Notify Cirro Bio of any security incidents or breaches in a timely manner, in compliance with applicable laws and regulations.
- Ensure supervision, management, and control of the use of Cirro Bio services by your employees, agents, and contractors.
- Ensure compliance with industry-specific regulations and standards, such as HIPAA, GDPR, as applicable.
- Ensure all API integrations with Cirro are secure and comply with security best practices: store API credentials in a secrets manager rather than in source code, grant each integration only the permissions it needs, rotate credentials regularly, and revoke them when an integration is retired.