Atlantia Trust Centre

Updated on 26/02/2026

Introduction

 

In today's digital world, protecting data, especially personal data, is more important than ever. Under the General Data Protection Regulation (GDPR), businesses and organisations are required to implement Technical and Organisational Measures (TOMs) to ensure the confidentiality, integrity, and availability of personal data. These measures help prevent unauthorized access and data breaches, and ensure compliance with legal obligations.

 

At Atlantia, we take data protection seriously. Our Security Measures cover key areas such as access control, encryption, data retention policies, incident response planning, and employee training, ensuring data is handled securely and responsibly.

 

Explore our approach to Security and Data Protection, and how we safeguard personal information through robust security practices and proactive risk management.

 

Technical Measures  
Access Control
  • Atlantia implements measures to ensure that access to Personal Data is controlled in line with business requirements and data minimisation principles.
  • Access Controls to IT Assets and Systems are implemented on the basis of Least Privilege.
  • User access is restricted to authorised persons during the active phase of studies.
  • Access reviews are conducted periodically to ensure that access is restricted appropriately. Required changes are tracked to completion.
  • Privileged access to databases, firewalls, operating systems, and production networks is restricted to authorised users with a business need.
  • Production systems can only be remotely accessed by authorised employees via an approved encrypted connection.
Authentication Policy
  • Atlantia implements Authentication standards to ensure effective user identity management. This is done as follows:
    - Unique account authentication to systems and applications is enforced.
    - All passwords must be configured according to the documented standard.
    - MFA is used for all systems which process study data.
Backup & Recovery
  • Atlantia manages Information Backup and Recovery to ensure the ongoing availability of personal data in the event of an incident.
  • Information Backup and Recovery procedures are managed, and recovery is tested.
Configuration Management
  • Configuration Management standards are implemented to control the initial and on-going configuration of software, hardware, services, hosted and network assets which process Personal Data.
Secure Storage & Transfer of Data (Data Handling)
  • Atlantia ensures the secure handling of all Personal Data during storage and transfer.
  • Secure data transmission protocols are used to encrypt confidential and sensitive data when transmitted over public networks.
  • IT Assets and System Backups are encrypted.
  • All Production Systems can only be remotely accessed by authorized employees via an approved encrypted connection.
  • Encryption keys are managed using a secure identity and access management service.
  • An Endpoint Protection, Detection and Response tool is used to protect endpoints, and endpoints are encrypted.
Device Management
  • Atlantia implements measures to ensure the security of Devices which process Personal Data.
  • New devices are configured in accordance with the documented device standard and issued accordingly.
Logging & Monitoring
  • Atlantia implements measures to ensure that Logging and Monitoring is in place across all systems.
  • Trial Management Systems have audit logging.
  • Delegation Log records of access to all studies are audited.
  • An infrastructure monitoring tool is utilized to monitor systems, infrastructure, devices and performance, and generates alerts when specific predefined thresholds are met.
  • Logs are stored for all device and network monitoring. Dashboards are used to review them and take action as needed.
Network & Infrastructure Security
  • Atlantia implements measures to provide appropriate standards of Network and Infrastructure security in line with the levels of risk to the Personal Data.
  • An intrusion detection system is used to provide continuous monitoring of the company's network and early detection of potential security breaches.
  • Firewalls are configured to prevent unauthorized access. Firewall rule sets are reviewed at least annually. Required changes are tracked to completion.
  • Network segmentation is implemented to prevent unauthorized access to customer data.
  • Anti-malware technology is utilized against malicious attacks and is configured to be updated routinely, logged, and installed on all relevant systems.
Threat & Vulnerability Management
  • Atlantia implements Threat and Vulnerability Management measures to identify, manage, mitigate, and remediate security threats.
  • Penetration testing is performed at least annually.
  • An RMM tool is used for patch management.

 

 

Organisational Security  
Acceptable Usage
  • The organisation implements a set of rules that ensure the acceptable usage of all assets where personal data is processed.
  • Staff receive appropriate training on the policy and supporting processes.
  • Acceptable Usage of IT Assets is implemented and monitored.
IT Asset Management
  • Atlantia implements measures to ensure the secure management of all IT Assets which process Personal Data.
  • IT Assets are managed securely, with processes in place for managing assets in line with best practice.
Asset Inventory Management
  • Atlantia implements Asset Inventory Management standards to record, manage and report on Information Systems Assets (Hardware and Software) used for processing or storing personal data across the organisation.
  • IT Assets are managed securely, with processes in place for managing assets in line with best practice.
IT Change Management
  • Atlantia manages IT Change Management appropriately with effective oversight and approval procedures to protect the on-going confidentiality, integrity, and availability of the systems which process Personal Data.
  • All changes to software and infrastructure components of the service are authorized, formally documented, tested, reviewed, and approved prior to being implemented in production environments.
  • Risk assessments are performed on all changes, addressing security and data protection risks. Issues are identified and the risks are formally assessed.
IT Security Audit
  • Atlantia conducts regular IT Security Audits to ensure adequate security standards for personal data processing are implemented and maintained.
  • Access and event logging continuously monitors and reports on device and network activity.
  • Penetration testing is performed at least annually.
Management of Technical Measures
  • Information security policies and procedures are documented and reviewed at least annually.
  • Other policies and procedures are reviewed bi-annually or if changes occur.
Physical Security
  • Atlantia implements appropriate Physical Security measures in areas where Personal Data is processed.
  • Areas which process Customer and Participant Data have restricted access for authorized personnel only.
  • Data processing locations within company buildings are secured.
  • A visitor management system is implemented at all company locations which tracks all visitors and communicates any required terms and conditions.
Remote Working
  • Atlantia ensures that Remote Working standards are in place to provide appropriate protection of Personal Data while being processed by staff and contractors working remotely.
  • Remote Working standards are in place to provide appropriate protection of Customer and Participant Personal Data processed.
Security Incident Response Plan
  • Atlantia ensures that an Incident Response Plan is documented to provide an appropriate response in the event of an incident affecting the systems which process Customer and Participant Data.
  • Appropriate Business Continuity and Disaster Recovery Plans are documented and tested to maintain information security continuity in the event of the unavailability of key personnel or infrastructure.
Staff Training & Awareness
  • All staff involved in processing personal data receive appropriate Data Protection and Data Security Training at least annually.
  • Staff complete GDPR Awareness Training as part of the on-boarding process.
  • Staff receive IT security training as part of the on-boarding process.

 

 

Data Protection  
Data Retention and Deletion
  • Atlantia ensures that Personal Data Deletion is performed in line with Data Retention, Equipment Management, Device Management and Application Development Policies.
  • Study data is retained in line with Sponsor requirements and is deleted at the end of the Retention Period, in accordance with the Data Processing Agreement.
  • Hard copy study data is destroyed securely.
Data Protection Governance
  • A comprehensive Data Protection programme is implemented and overseen by the DPO and Management Team.
Data Protection Program
  • A Data Protection Policy is fully documented and implemented with all staff required to review and acknowledge.
Data Protection Risk Management
  • A comprehensive Risk Management program is implemented, with Data Protection Impact Assessments completed where necessary.
Data Protection Statements and Notices
  • Customers' Data Protection Statements are displayed by Atlantia to Trial Participants.
Data Subject Rights
  • Atlantia assists Customers to ensure that they can effectively manage any Data Subject Rights requests from Trial Participants.
Data Breach Management
  • Breach Management Procedures are implemented to ensure that Atlantia informs the Customers of any suspected Security Event or Data Breach.
Atlantia Supplier Due Diligence
  • Appropriate due diligence is undertaken with suppliers/third parties, in line with contractual obligations.
  • Adequate safeguards are put in place to protect personal data transferred outside the EU/EEA.