Security Assurance Plan
The Security Assurance Plan defines the framework of requirements that CURE51 imposes on itself and flows down to its critical service providers, notably its host, Amazon Web Services (AWS). To ensure a constant level of protection, an annual review is conducted to confirm full alignment between contractual commitments and observed operational security measures.
1. STANDARDS AND CERTIFICATIONS
To guarantee the highest security standards regarding data management, CURE51 is committed to complying with the strictest data protection standards:
Hébergeurs de données de santé (HDS), v2.0, April 2024.
2. CURE51 SCOPE
Managed services provider. CURE51 provides a complete managed hosting service. CURE51's Information Security Management System (ISMS) encompasses all resources (human, technical, and organizational) dedicated to the design, development, operation, and support of applications.
HDS certification scope. CURE51’s hosting system is based on an architecture structured around the 5 layers defined by the French Agence du numérique en santé (ANS) framework.
Physical infrastructure (subcontracted to AWS). CURE51 relies on AWS expertise, which ensures compliance for the first two infrastructure layers. AWS HDS certification is available upon request.
Activity 1: provision and maintenance of physical sites used to host the hardware infrastructure of the IS used for processing Personal Health Data (PHD);
Activity 2: provision and maintenance of the hardware infrastructure of the IS used for processing PHD.
Services and operations (managed by CURE51). CURE51 directly manages layers 3 to 5, guaranteeing the security and availability of the Information System (IS) dedicated to PHD:
Activity 3: provision and maintenance of the virtual infrastructure of the IS used for processing PHD;
Activity 4: provision and maintenance of the IS application hosting platform;
Activity 5: administration and operation of the IS containing PHD.
3. COMPLEMENTARY SECURITY MEASURES
CURE51 maintains and manages the protection of PHD within its applications at all stages of their lifecycle.
3.1 Secure Development
Agile organization, code review, and testing. Development is organized using Agile methods (Scrum, Kanban, etc.). Developers perform unit, functional integration, and end-to-end tests. Code is peer-reviewed before deployment.
Vulnerability management. Automated vulnerability scanning of libraries runs during integration. Deployment is blocked if any high-severity vulnerability (CVSS score ≥ 7) is detected.
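The deployment gate described above, as an added example rather than CURE51's own tooling: a small check that reads a scanner report and refuses deployment when any finding scores CVSS 7.0 or higher. The JSON report layout and the finding identifiers are constructed for this example and do not follow any particular scanner's schema; treating an unscored finding as blocking is this example's own fail-closed choice.

```python
"""Deployment gate for dependency vulnerability scans.

Added example (not CURE51's own tooling). It assumes a scanner that emits a
JSON report with one entry per finding, each carrying a CVSS base score; the
report format below is constructed for this example and is not any real
scanner's schema.
"""
import json
import sys

BLOCK_THRESHOLD = 7.0  # CVSS >= 7.0 is high or critical; such findings block deployment

# Constructed sample report: three findings, one high-severity, one unscored.
SAMPLE_REPORT = json.dumps({
    "artifact": "example-service:1.4.2",
    "findings": [
        {"id": "VULN-EXAMPLE-1", "package": "libfoo", "version": "1.0.3", "cvss": 5.3},
        {"id": "VULN-EXAMPLE-2", "package": "libbar", "version": "2.1.0", "cvss": 8.1},
        {"id": "VULN-EXAMPLE-3", "package": "libbaz", "version": "0.9.9", "cvss": None},
    ],
})


def blocking_findings(report_json, threshold=BLOCK_THRESHOLD):
    """Return the findings that should block deployment.

    A finding with no CVSS score is treated as blocking (this example's own
    choice): an unscored vulnerability cannot be shown to be below the
    threshold, so the gate fails closed rather than letting it through.
    """
    report = json.loads(report_json)
    blocking = []
    for finding in report.get("findings", []):
        score = finding.get("cvss")
        if score is None or float(score) >= threshold:
            blocking.append(finding)
    return blocking


def gate_decision(report_json, threshold=BLOCK_THRESHOLD):
    """Return (allowed, summary_lines) for the CI job to act on."""
    blocking = blocking_findings(report_json, threshold)
    lines = []
    for f in blocking:
        score = "unscored" if f.get("cvss") is None else f"CVSS {f['cvss']}"
        lines.append(f"BLOCK {f['id']} in {f['package']} {f['version']} ({score})")
    return (len(blocking) == 0, lines)


if __name__ == "__main__":
    # Exit status 1 makes the CI pipeline stop the deployment step.
    allowed, lines = gate_decision(SAMPLE_REPORT)
    print("\n".join(lines) or "no blocking findings")
    sys.exit(0 if allowed else 1)
```

In a pipeline the report would be read from the scanner's output file instead of `SAMPLE_REPORT`; the non-zero exit status is what actually blocks the deployment job.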
Software Quality Assurance. QA tests all applications before production (manual and automated tests).
Environment separation. Development and test environments are logically separated from production. No PHD is used in development or test environments.
Automated code testing. Code is automatically tested against predefined scenarios to ensure changes do not degrade security levels.
Third-Party penetration testing. Beyond permanent vulnerability management, CURE51 regularly mandates independent cybersecurity experts to conduct penetration tests for an objective assessment of infrastructure robustness.
3.2 Authentication security
Password policy. CURE51 enforces a rigorous password policy aligned with international robustness standards (complexity and length) to protect against brute-force attacks. A secure password manager is used.
Multi-Factor Authentication (MFA). Access to applications processing PHD is strictly conditioned on MFA.
Role-Based Access Control (RBAC). Access is limited to authorized profiles based on the principle of least privilege.
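The MFA condition and the least-privilege access control of this section, as an added example that is not CURE51's code: an authorization function that denies by default, requires a verified MFA factor before any access to resources holding PHD, and only then consults the caller's roles. The roles, permissions, resource types and sample users are constructed for illustration; modelling the MFA requirement per resource type is this example's assumption.

```python
"""Access decision combining MFA and role-based least privilege.

Added example, not CURE51's code. Roles, permissions and the sample
principals below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Role -> set of (action, resource type) permissions. Anything not listed is
# denied: least privilege means deny by default.
ROLE_PERMISSIONS = {
    "clinician": {("read", "patient_record"), ("write", "patient_record")},
    "analyst": {("read", "aggregate_report")},
    "sysadmin": {("read", "system_log"), ("restart", "service")},
}

# Resource types that hold personal health data (constructed for the example).
PHD_RESOURCE_TYPES = {"patient_record"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset
    mfa_verified: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def effective_permissions(principal):
    """Union of the permissions granted by all of the principal's roles."""
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(principal, action, resource_type):
    """Return a Decision for principal performing action on resource_type.

    Order of checks: MFA gate first for PHD resources, then role permissions.
    Every denial carries a reason so the event log explains why access failed.
    """
    decision = Decision(allowed=False)
    if resource_type in PHD_RESOURCE_TYPES and not principal.mfa_verified:
        decision.reasons.append("mfa_required")
        return decision
    if (action, resource_type) not in effective_permissions(principal):
        decision.reasons.append(f"no_role_grants:{action}:{resource_type}")
        return decision
    decision.allowed = True
    decision.reasons.append("granted_by_role")
    return decision
```

Note that a system administrator in this model can restart services but cannot read a patient record: administrative rights on the platform do not imply rights to the data it hosts.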
3.3 Securing data in transit
All traffic transiting public networks is protected by encryption protocols compliant with the most recent industry standards. CURE51 mandates the use of the HTTPS/TLS protocol with a minimum version of TLS 1.2, thereby prohibiting the use of obsolete or vulnerable cryptographic suites.
3.4 Change Management
CURE51 follows a change management procedure including:
Description of the modification;
Risk analysis related to security or PHD protection;
Impact on Business Continuity/Disaster Recovery Plans (BCP/DRP);
Planning and implementation;
Post-implementation review.
3.5 Security
Physical facilities. CURE51 uses servers provided by AWS in data centres located in Europe. No PHD is transferred or stored outside the European Economic Area (EEA). To ensure continuous operation (24/7) and constant availability of services, AWS data centres are equipped with redundant power systems and are subject to environmental controls. AWS is HDS and ISO/IEC 27001:2022 certified.
Protective measures. CURE51 deploys a multi-layered defence strategy based on state-of-the-art security solutions. The network is protected by a set of complementary technical measures:
Flow control: network segmentation, firewalls and strict access control lists;
Integrity of exchanges: systematic encryption of flows via the TLS protocol;
Host security: deployment of anti-malware solutions and use of bastions for secure administration.
Security architecture and high availability. The network architecture is designed according to the principle of defence in depth, structured in several layers of watertight security:
Redundancy and resilience: each application and security layer is replicated across multiple availability zones (AZs) to ensure service continuity;
Service isolation: exposure on the public network is limited and controlled, with each layer of the architecture protected by dedicated firewalls.
Logical access management and traceability. Access control to sensitive environments is based on a policy of maximum restriction:
Administrative privileges: access to the production infrastructure is reserved exclusively for duly authorised system administrators, in accordance with the principle of least privilege;
Auditability of PHD: any consultation or manipulation of PHD is subject to rigorous control and systematic logging. These event logs are stored in secure environments and protected against any alteration.
3.6 Backups
CURE51 has implemented a backup policy for all production systems and environments. This policy covers both application data (databases, S3 buckets) and technical configurations, via Git repositories. In accordance with security requirements, these backups are encrypted before being transferred to secure storage areas and are made immutable to prevent any malicious alteration or deletion. Restoration tests are performed periodically according to the criticality level of the resources concerned. Access to backups is strictly limited to duly authorised system administrators, thus ensuring maximum protection against unauthorised access.
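The periodic restoration test mentioned above, as an added example and not CURE51's backup tooling: a manifest of SHA-256 digests is recorded when the backup is taken, and the restore test recomputes the digests of the restored tree and reports every file that is missing, altered or unexpected. The sample files are constructed in a temporary directory; encryption of the backup and immutability of the storage area are outside this snippet.

```python
"""Restore verification for backup artefacts.

Added example, not CURE51's backup tooling. A manifest of SHA-256 digests is
written when the backup is taken; a restore test recomputes the digests and
reports any file that is missing or altered. The sample files are constructed
in a temporary directory.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB chunks so large dumps do not load into memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the digest of every file under backup_dir (paths are relative)."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return json.dumps({"files": entries}, sort_keys=True)


def verify_restore(restore_dir, manifest_json):
    """Compare a restored tree against the manifest.

    Returns a dict with 'missing' (in manifest, absent after restore),
    'altered' (present but digest differs) and 'extra' (present but not in
    the manifest). A restore test passes only when all three lists are empty.
    """
    expected = json.loads(manifest_json)["files"]
    missing, altered = [], []
    for rel, digest in sorted(expected.items()):
        full = os.path.join(restore_dir, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            altered.append(rel)
    present = set()
    for root, _, files in os.walk(restore_dir):
        for name in files:
            present.add(os.path.relpath(os.path.join(root, name), restore_dir))
    extra = sorted(present - set(expected))
    return {"missing": missing, "altered": altered, "extra": extra}


def demo():
    """Constructed scenario: one file altered and one missing after restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "dump.sql"), "wb") as f:
            f.write(b"-- constructed dump\n")
        with open(os.path.join(src, "config.yaml"), "wb") as f:
            f.write(b"key: value\n")
        manifest = write_manifest(src)

        dst = os.path.join(tmp, "restore")
        os.makedirs(os.path.join(dst, "db"))
        with open(os.path.join(dst, "db", "dump.sql"), "wb") as f:
            f.write(b"-- tampered dump\n")  # digest will not match
        # config.yaml is deliberately not restored
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be stored with the same protection as the backup itself (encrypted, immutable), otherwise an attacker who can alter a backup can alter the digests that would reveal it.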
3.7 Event logs
CURE51 has implemented an event logging policy with system administration logs. Activities across all CURE51 applications are also logged.
3.8 Security incident management
A continuous alert system allows for constant monitoring of security incidents and their resolution by system administrators as quickly as possible. Collaborators are trained in security incident response processes, including communication channel management and escalation paths.
3.9 Encryption
Encryption of stored data. CURE51 uses low-level disk encryption. The encryption has a strength of at least AES-256 or equivalent. Encryption keys are managed via a dedicated key management service (KMS), with strict segregation of administrative rights. The key lifecycle (generation, rotation, revocation) is documented.
Communication encryption. On public networks, all communications with CURE51 user interfaces and APIs are encrypted using the HTTPS/TLS standard (TLS 1.2 or higher). This ensures that all traffic between CURE51 and users and partners is secure during transit.
Backups. All backups are encrypted before being transmitted to a remote storage area.
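The transport policy stated in 3.3 and in the communication-encryption paragraph above (TLS 1.2 minimum, no obsolete or vulnerable cipher suites), as an added example and not CURE51's configuration: a server-side `SSLContext` built with the standard library's `ssl` module, together with an audit function that inspects a context and lists policy violations. The OpenSSL cipher string and the list of tokens treated as obsolete are this example's own choices.

```python
"""Server-side TLS policy: TLS 1.2 minimum, no obsolete cipher suites.

Added example, not CURE51's configuration. Uses only the standard library's
ssl module; the cipher string and the forbidden-token list are this
example's own choice of what "obsolete or vulnerable" means.
"""
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher string: ECDHE key exchange with AEAD ciphers only, plus an
# explicit exclusion of anonymous, NULL, legacy-hash, RC4, 3DES and PSK suites.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK"
# Substrings that mark a suite as obsolete for the purposes of this policy.
FORBIDDEN_TOKENS = ("RC4", "NULL", "MD5", "DES", "EXPORT", "PSK", "anon")


def build_server_context():
    """Create a server SSLContext that enforces the policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION  # rejects TLS 1.0/1.1 handshakes
    ctx.set_ciphers(CIPHER_STRING)     # restricts the TLS 1.2 suite list
    return ctx


def forbidden_ciphers(names):
    """Return the cipher-suite names (from a list) that violate the policy."""
    return [n for n in names if any(tok in n for tok in FORBIDDEN_TOKENS)]


def check_tls_policy(ctx):
    """Return a list of policy violations for ctx (empty means compliant).

    This is the kind of check a configuration audit runs against the
    context an application actually uses, rather than trusting the intent.
    """
    violations = []
    if ctx.minimum_version < MIN_VERSION:
        violations.append(
            f"minimum_version is {ctx.minimum_version.name}, need TLSv1_2 or higher"
        )
    # get_ciphers() lists every suite the context can negotiate, including the
    # fixed TLS 1.3 suites, which set_ciphers() does not affect.
    names = [c["name"] for c in ctx.get_ciphers()]
    for bad in forbidden_ciphers(names):
        violations.append(f"obsolete cipher suite enabled: {bad}")
    return violations


if __name__ == "__main__":
    problems = check_tls_policy(build_server_context())
    print("compliant" if not problems else "\n".join(problems))
```

The same two controls apply to a reverse proxy or load balancer in front of the application: the check is worth running against whichever component actually terminates TLS, because an application context that is never reached by client traffic enforces nothing.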
3.10 Availability and Continuity Plan
Redundancy. All infrastructure is redundant in order to minimise the risk of downtime and data loss. Databases are configured with near-instantaneous replication to ensure that, under normal operating conditions, the complete loss of the main node receiving writes does not result in more than a few seconds of data loss.
Service Level Agreement. CURE51 guarantees a monthly availability rate of ninety-nine per cent (99%), excluding scheduled maintenance. Compliance with these commitments (SLA) is subject to a monthly audit based on AWS health reports, which are systematically sent to the customer. In addition to technical availability, the monthly review includes an analysis of compliance with contractual clauses, the responsiveness of AWS support, and an analysis of third-party security reports.
Recovery Point Objective. CURE51's IT backup policy commits to daily backups of production databases.
Disaster Recovery Plan. The disaster recovery plan ensures that the production platform can be completely recreated in the event of a total failure of the production environment. All code and configuration are stored in secure locations that are independent of the production environment.
3.11 Organisational security
CISO. A Chief Information Security Officer (CISO) is appointed. The CISO assists in the management of the ISMS, manages security incidents and reports directly to senior management.
Training. Staff who process PHD are subject to regular checks and ongoing training on how to reduce the risks associated with the processing of PHD.
Background and skills checks. CURE51 checks the background of all new collaborators. These checks are also carried out for service providers. Background checks may include verification of technical and general skills and previous employment.
Confidentiality agreement. All collaborators must sign non-disclosure and confidentiality agreements. This confidentiality agreement remains valid after the end of the employment contract.
Definition of roles and responsibilities. CURE51 is committed to ensuring that all roles and responsibilities are clearly defined and understood by the persons to whom they are assigned.
Disciplinary procedure. CURE51 has put in place disciplinary procedures in the event of misconduct, as set out in the internal regulations.
Security awareness.
All collaborators undergo security awareness training as part of the hiring process, which is reviewed annually thereafter. Basic rules and best practices are also regularly reinforced at CURE51's premises;
All developers are made aware of best development practices;
The security team also provides additional updates on security awareness via email, articles and presentations at internal events.
Audits.
CURE51 is committed to a cycle of continuous improvement and to regularly auditing its systems:
Internal audit plan: all processes are audited by internal audit teams or external service providers;
Management review: management reviews ensure that management systematically reviews the ISMS, evaluates opportunities for improvement, and decides on the measures necessary to ensure the relevance, adequacy, and effectiveness of the ISMS;
Technical audits: in addition to vulnerability management, including analysis and testing, CURE51 employs third-party security experts to perform detailed penetration testing. External technical audits are incorporated into CURE51's annual audit plan;
Compliance certification audit: CURE51 has engaged in a certification process with an accredited body to ensure that its ISMS complies with internationally recognised industry standards.
3.12 Reversibility and end of service
At the end of the contract, CURE51 will return all of the Client's PHD within ninety (90) working days, while guaranteeing continuity of access during this transition. In accordance with HDS standards and the General Data Protection Regulation (GDPR), this portability is achieved via open and structured formats (JSON, CSV, XML) and interoperability standards such as HL7 FHIR in order to preserve the semantic integrity of the information. Security, including encryption and logging, is rigorously maintained until the final transfer. Once the return has been validated, CURE51 irreversibly erases the data from all its infrastructures and provides the Client with a formal certificate of destruction, certifying that no copies are retained by its services or subcontractors.