Security & Compliance
Data protection, HIPAA, GDPR, GxP, SOC 2, and IT security guidance for BCILattice.
Security Overview
BCILattice is built on a local-first, data-sovereignty model. The most sensitive asset, raw brain signal recordings, never leaves the researcher's machine unless they explicitly choose to upload it. This architecture minimises the attack surface and simplifies compliance with HIPAA, GDPR, and institutional data governance policies.
| Security Property | Detail |
|---|---|
| Compute | All signal processing and ML training runs locally on the researcher's machine |
| Raw data | Never automatically uploaded; opt-in only, per file |
| Cloud sync | Session metadata and pipeline configs only (opt-in) |
| Data in transit | TLS 1.3 for all cloud communication |
| Data at rest (cloud) | AES-256 server-side encryption |
| Local database | Database bound to loopback only, not reachable from other machines |
| No external ports opened | BCILattice does not accept inbound network connections |
Local Data Protection
BCILattice stores all session data, preprocessed datasets, and trained models on your local file system. The data directory is configurable (default: user home directory). BCILattice does not apply its own encryption to local files; local data security is governed by your OS and disk encryption policy (e.g., BitLocker, FileVault, LUKS).
- The local database is password-protected and bound to loopback only, not reachable from the network
- The local backend is bound to loopback only, not reachable from other machines
- Raw data files are never modified in place; BCILattice creates derived copies in a separate data directory
- Application logs do not contain patient identifiers or raw signal data
Cloud Security
Encryption
| Scope | Method |
|---|---|
| Data in transit (client ↔ BCINexus API) | TLS 1.3 (minimum TLS 1.2) |
| Data in transit (BCINexus internal) | TLS 1.3 (service-to-service) |
| Data at rest (cloud storage / S3) | AES-256 (SSE-S3 or SSE-KMS) |
| Data at rest (RDS PostgreSQL) | AES-256 (AWS RDS encryption) |
| Backups | AES-256 (same key policy as primary store) |
| Passwords (BCINexus accounts) | bcrypt (cost factor 12), passwords never stored in plaintext |
Authentication & Access
- JWT tokens: BCILattice authenticates to BCINexus using short-lived JWT tokens (15-minute access token, 30-day refresh token stored in the OS keychain)
- SAML 2.0 / SSO: Institution and Enterprise plans can authenticate via your LDAP / Active Directory / SAML 2.0 IdP (Okta, Azure AD, Google Workspace, ADFS)
- Multi-factor authentication (MFA): TOTP-based MFA is available for all BCINexus accounts; enforceable via organisation policy on Enterprise plans
- Role-based access control: Lab plan workspaces have Owner / Admin / Member / Viewer roles; Enterprise plans can define custom role policies
- API keys: machine-to-machine access uses scoped API keys with expiry. Keys are hashed at rest (SHA-256 + salt).
Audit Logging
Institution and Enterprise plans include tamper-evident audit logs covering:
- User authentication events (sign-in, sign-out, failed attempts, MFA events)
- Dataset uploads, downloads, and deletions
- Pipeline creation, modification, and sharing
- Team workspace membership changes
- Settings changes (billing, roles, integrations)
- API key creation and revocation
Audit logs are stored with cryptographic integrity guarantees and can be exported to SIEM systems (Splunk, Datadog, ELK) via webhook or log streaming.
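The page states that audit logs carry cryptographic integrity guarantees without describing the mechanism. The following added example (not BCINexus code) shows one standard construction, a SHA-256 hash chain over JSON entries, and how a reviewer of an exported log would verify it; the event records are constructed samples mirroring the categories listed above.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # link value for the first record


def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous link plus the canonical JSON of this entry."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain: List[dict], entry: dict) -> None:
    """Append an event, linking it to the hash of the record before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "hash": entry_hash(prev, entry)})


def first_broken_index(chain: List[dict]) -> Optional[int]:
    """Index of the first record whose link or hash fails to verify; None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    return None


def build_sample_chain() -> List[dict]:
    """Constructed sample events (sign-in, upload, API key creation)."""
    chain: List[dict] = []
    append_entry(chain, {"ts": "2024-01-01T09:00:00Z", "user": "alice", "event": "sign_in", "mfa": True})
    append_entry(chain, {"ts": "2024-01-01T09:05:00Z", "user": "alice", "event": "dataset_upload", "id": "ds-001"})
    append_entry(chain, {"ts": "2024-01-01T09:10:00Z", "user": "bob", "event": "api_key_create", "id": "key-7"})
    return chain


def demo_tamper() -> Optional[int]:
    """Edit a stored record after the fact; the chain breaks at that record."""
    chain = build_sample_chain()
    chain[1]["entry"]["user"] = "carol"
    return first_broken_index(chain)
```

A chain alone does not detect truncation of the newest records, which is one reason to stream the log to an external SIEM as the page describes.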
HIPAA Compliance
BCILattice supports HIPAA-compliant use on Institution and Enterprise plans with a signed Business Associate Agreement (BAA).
How BCILattice supports HIPAA
| HIPAA Requirement | BCILattice Approach |
|---|---|
| PHI stays local | All compute runs locally; patient recordings are never uploaded without explicit action |
| Access controls | OS-level authentication; role-based team access (Lab/Enterprise); MFA enforcement |
| Audit controls | Full audit trail for cloud-stored data (Institution/Enterprise) |
| Transmission security | TLS 1.3 for all cloud communication |
| Data at rest | AES-256 for cloud storage; local encryption via OS (BitLocker/FileVault) |
| Business Associate Agreement | Available for Institution/Enterprise plans; contact legal@bcinexus.io |
| Breach notification | BCINexus commits to notifying covered entities within 24 hours of a confirmed breach |
To obtain a BAA, email legal@bcinexus.io with your organisation name and the subject line "BAA Request".
GDPR Compliance
BCILattice is GDPR-compliant for organisations in the European Union and EEA. BCINexus acts as a Data Processor when handling any personal data you upload.
| GDPR Article | BCILattice Provision |
|---|---|
| Art. 28, Data Processing Agreement | DPA available for Institution/Enterprise plans; standard SCCs included |
| Art. 17, Right to Erasure | Account data deletion available via account settings; full erasure within 30 days |
| Art. 20, Data Portability | Export all session and pipeline data in open formats (JSON, CSV, EDF) |
| Art. 32, Security measures | TLS 1.3, AES-256, access controls, audit logs |
| Art. 33, Breach notification | Notification within 72 hours of a confirmed breach (GDPR Art. 33 requires notification to the supervisory authority within 72 h) |
| Data residency | EU data residency available (AWS eu-west-1, Ireland). Request at account setup or via support. |
BCINexus is registered under the GDPR as a data processor. Our Privacy Policy and Data Processing Agreement are available at Legal Documents and on request from privacy@bcinexus.io.
GxP / 21 CFR Part 11
BCILattice supports regulated pharmaceutical and medical device research workflows under GxP (Good Practice) standards and FDA 21 CFR Part 11 (Electronic Records; Electronic Signatures).
| Requirement | BCILattice Provision |
|---|---|
| Audit trail | Timestamped, user-attributed log of all system actions |
| Access control | Unique user IDs, role-based permissions, MFA |
| Electronic signatures | Signature workflow with password confirmation for critical actions (Enterprise) |
| Data integrity | SHA-256 checksums on all stored datasets; no silent data modification |
| System validation | Validation pack (IQ/OQ/PQ templates) available for Enterprise plans |
| Change control | Software version lock and change documentation on request |
The GxP Validation Pack, available with Enterprise plans, includes Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) templates. Contact legal@bcinexus.io.
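The data integrity row above relies on SHA-256 checksums and on derived copies never being edited in place. The following added example (not BCILattice code) shows how a validation reviewer can record a checksum manifest for a derived-data directory and later detect a silent modification or a missing file; the directory layout and file contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large recordings need not fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(data_dir: Path) -> dict:
    """Map each file under data_dir (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(data_dir).as_posix(): sha256_file(p)
        for p in sorted(data_dir.rglob("*"))
        if p.is_file() and p.name != "manifest.json"
    }


def verify_manifest(data_dir: Path, manifest: dict) -> dict:
    """Return modified/missing/unexpected file lists; all empty means the data set is intact."""
    current = build_manifest(data_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: record a manifest, then alter one file and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp)
        (data_dir / "session01").mkdir()
        (data_dir / "session01" / "filtered.npy").write_bytes(b"\x00\x01\x02")
        (data_dir / "session01" / "meta.json").write_text('{"subject": "constructed"}')
        (data_dir / "manifest.json").write_text(json.dumps(build_manifest(data_dir), indent=2))
        # Same size, different content: a size/mtime check alone would miss this.
        (data_dir / "session01" / "filtered.npy").write_bytes(b"\x00\x01\x03")
        (data_dir / "session01" / "meta.json").unlink()
        return verify_manifest(data_dir, json.loads((data_dir / "manifest.json").read_text()))
```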
SOC 2 & ISO 27001
| Framework | Status | Availability |
|---|---|---|
| SOC 2 Type II | Report available | Under NDA for Institution/Enterprise customers; email enterprise@bcinexus.io |
| ISO 27001 | Aligned (certification in progress) | Security controls documentation available on request |
| ISO 27701 (Privacy) | Controls implemented | Documentation available on request |
| NIST Cybersecurity Framework | Aligned | Mapping document available for enterprise security reviews |
Vulnerability Management
- Dependency scanning: all dependencies are scanned for CVEs continuously using Dependabot and Snyk
- SAST: static analysis (Bandit for Python, ESLint security plugin for TypeScript) runs on every commit
- Penetration testing: annual third-party penetration test of the BCINexus cloud platform
- Responsible disclosure: report vulnerabilities to security@bcinexus.io. We aim to acknowledge within 24 hours and patch critical issues within 72 hours.
- CVE policy: critical CVEs in bundled dependencies are patched within 14 days; high severity within 30 days.
Incident Response
| Severity | Definition | Response SLA |
|---|---|---|
| Critical | Active breach, data exfiltration, service unavailable | Acknowledge: 1 hour. Notify affected customers: 4 hours. GDPR SA notification: 72 hours. |
| High | Exploitable vulnerability, data integrity issue | Acknowledge: 4 hours. Patch/mitigate: 72 hours. |
| Medium | Security misconfiguration, non-critical vulnerability | Acknowledge: 24 hours. Patch: 30 days. |
| Low | Best-practice deviation, low-risk finding | Triage: 7 days. Patch: next release cycle. |
IT Security Checklist
For IT administrators evaluating BCILattice:
| Item | Detail |
|---|---|
| ✓ No inbound network exposure | All local ports bound to 127.0.0.1 only |
| ✓ Outbound HTTPS only | Only port 443 to *.bcinexus.io (optional; not needed for offline use) |
| ✓ No telemetry by default | Anonymous crash reporting is opt-in (disabled by default) |
| ✓ SBOM available | Software Bill of Materials available on request for enterprise |
| ✓ Signed installer | Windows: Authenticode-signed. macOS: Developer ID signed & notarised. |
| ✓ Managed deployment | MSI/PKG installers for SCCM/Intune/Jamf deployment |
| ✓ No admin required (optional) | User-level installer available for Windows; no root on macOS/Linux |
| ✓ Local DB not exposed | Database bound to loopback, not reachable from other machines |
| ✓ MFA available | TOTP-based MFA; SAML SSO for enterprise |
| ✓ Audit logs | Available on Institution/Enterprise plans; exportable to SIEM |
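The first checklist item and the Local Data Protection section both claim that every local port is bound to 127.0.0.1 only. The following added example (not BCILattice code) is a check an administrator can run against `ss -Hltn` output on a workstation to confirm that claim; the listener lines below are a constructed sample, and the port numbers in it are not BCILattice's.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the column layout of `ss -Hltn`: state, recv-q, send-q, local, peer.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:8765 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9000 *:*
"""


def split_local_address(local: str) -> Tuple[str, int]:
    """Split an ss local-address column into (host, port); '[::1]:5432' -> ('::1', 5432)."""
    host, port = local.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; wildcards ('*', '0.0.0.0', '::') are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Extract (host, port) for every LISTEN line; ignore anything that is not a listener."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        listeners.append(split_local_address(fields[3]))
    return listeners


def exposed_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Listeners that other machines could reach, i.e. any bind that is not loopback."""
    return [(h, p) for h, p in parse_listeners(ss_output) if not is_loopback(h)]


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {host}:{port}")
```

Run it on a live system with `ss -Hltn | python3 check_listeners.py` after replacing the sample with `sys.stdin.read()`; an empty result for the BCILattice processes confirms the checklist claim.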
Security Contact
Legal / Compliance (BAA, DPA, GDPR): legal@bcinexus.io
IT Security reviews: enterprise@bcinexus.io
Privacy requests (GDPR Art. 17/20): privacy@bcinexus.io