Security

The Terra platform and the data it contains is secured according to best practices in information security, suitable for safeguarding human health data.
Security Hero

We are committed to protecting patient data

The Broad Institute, Microsoft, and Verily support the medical research community as it deals with matters of public health. Our security posture addresses the rights of the patients whose data make this work possible, as well as the needs and concerns of the researchers. We work with internal and 3rd party security experts to define the system and security needs of the system, to assess that security controls are implemented, to monitor that controls continue to be effective, and to respond appropriately to incidents or anomalies.
View the full text of our security posture

Compliance certifications and memberships

We use best practices and industry standards, mostly aligned to NIST-800-53 Rev 4 Moderate, to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our users meet their own compliance standards.
FISMA1

FISMA

The Terra system has been granted Authority to Operate as a FISMA Moderate impact system.
FedRamp2

FedRAMP

Terra is FedRAMP authorized as a Moderate Impact system with an Agency Authorization. You can find Terra listed in the FedRAMP Marketplace.

We adhere to information security best practices

Terra Authenticate1

Authenticate

All components require authentication at every step, not just the perimeter
Terra Authorize

Authorize

All data requires explicit authorization to access

Terra Audit2

Audit

All data access is logged (to a different system), with alerts for anomalous events
Terra Encrypt

Encrypt

All data-in-transit and all data-at-rest is encrypted

All systems undergo continual threat assessment and detection.

Full summary of our security approach

We implement the core data security functions of Identify, Protect, Detect, Respond, and Recover at all times, and we maintain a posture of continual assessment through a variety of security automation in the “DevSecOps” mode of operation.

Terra uses Google Cloud Platform which has extensive compliance
certifications and physical security.

Infrastructure Security

Dedicated Security Team
Our Security Team is on call 24/7 to respond to security alerts and events.

Network Protection
Our network is protected through the use of key GCP security services, regular internal assessment and external audits, threat intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture
Our network security architecture relies on GCP’s built-in logical separation. Little of our infrastructure is exposed to the Internet and utilizes GCP’s Load Balancers with CloudArmor. We use Google’s Kubernetes Engine to minimize VM and network exposure and rely on GCP’s own threat detection to keep those safe.

Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year, Terra employs third-party security experts to perform a broad penetration test.

Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.

Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Threat Intelligence Program
Terra participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.

Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in Transit
All communications with Terra UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public and private networks.

Encryption at Rest
Service Data is encrypted at rest, by default, in GCP using AES-256 key encryption. Additional options for Customer Controlled encryption might be available depending on a variety of circumstances.

Availability

Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Application Security

Secure development (SDLC)

Secure Code Training
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Terra security controls.

Framework Security Controls
Terra leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance
All code is reviewed by humans with machine assistance. All code is tested with unit and integration tests. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities based on threat models.

Separate Environments
Testing and staging environments are physically separated from the Production environment (different GCP Orgs). No Service Data is used in our development or test environments.

Vulnerability Management

Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

Static Code Analysis
The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.

Dependency Analysis
All source code dependencies are scanned for known vulnerabilities, including THEIR dependencies.

Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, Terra employs third-party security experts to perform detailed penetration tests on different applications within our family of products.