Pennsieve Platform Security Overview
Introduction
The Pennsieve platform is a secure cloud-based environment designed to enable research teams, labs, consortiums, and inter-institutional projects to manage, share, and curate scientific data. This document outlines the security measures implemented by Pennsieve to protect your valuable data and ensure compliance with industry standards.
Please feel free to reach out to the Pennsieve team if you have additional questions.
Infrastructure Security
Pennsieve is built on Amazon Web Services (AWS), one of the world's most advanced and secure cloud infrastructure providers. AWS offers a foundation of security that meets the requirements of the most security-sensitive organizations globally.
AWS Security Benefits
- Global Infrastructure Security: Leveraging AWS's secure data centers and network architecture.
- Physical and Environmental Safeguards: AWS's state-of-the-art facilities with 24/7 security.
- Continuous Monitoring: Real-time infrastructure monitoring and automated security assessments.
Data Protection
Encryption in Transit
All data transmitted to and from the Pennsieve platform is protected using industry-standard encryption protocols:
- TLS/SSL Encryption: Pennsieve requires secure HTTPS connections for all web traffic.
- Encrypted API Connections: All API calls and data transfers utilize secure, encrypted connections.
- Secure File Transfers: Data uploads and downloads are protected with strong encryption, leveraging AWS services.
Encryption at Rest
Your data stored within Pennsieve is encrypted to prevent unauthorized access:
- Server-Side Encryption: Data is automatically encrypted when stored. Pennsieve leverages AWS S3 to store data, which is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year.
- Encrypted Storage Buckets: All data repositories employ encryption technology. Encryption keys can be set individually for each workspace on the Pennsieve platform.
- Encrypted SQL Databases: Data and metadata are stored in AWS RDS, DynamoDB, or GrapheneDB and are encrypted at rest using AWS KMS.
Access Control
User Authentication
Pennsieve leverages AWS Cognito for identity management, which provides:
- Secure Login System: Pennsieve enforces strong password policies and offers multi-factor authentication options.
- Single Sign-On (SSO) Support: Pennsieve integrates with ORCID for Single Sign-On.
- Session Management: Automatic timeouts and secure session handling.
Authorization Framework
Data access authorization is managed through the Pennsieve Authorization Service.
- Role-Based Access Control (RBAC): Granular permission system for different user roles.
- Dataset-Level Permissions: Control who can view, edit, or manage specific datasets.
- Team and Organization Management: Hierarchical access structure for research teams.
Secure Development Practices
Compliance and Certifications
Pennsieve currently does not claim HIPAA or NIST 800-171 compliance. We are working with the University of Pennsylvania towards attestation in Q4 2025.
Monitoring and Incident Response
- Incident Response Plan: Pennsieve leverages DataDog and PagerDuty to monitor platform health and incidents. A Pennsieve software engineer is always on call to respond to incidents, and procedures are in place for addressing security incidents.
- Activity Logging: Pennsieve logs activity within datasets and gives users insight into that activity. In addition, it records all activity in comprehensive audit logs.
Data Isolation
- Tenant Isolation: Pennsieve provides strong separation between different organizations' data. Each workspace can have individual encryption for files, and each organization's metadata is stored in its own schema in the Pennsieve databases.
- Secure Multi-Tenancy: The Pennsieve architecture is designed to prevent cross-tenant data access through its comprehensive authorization mechanisms.
Backup and Recovery
- Automated Backups: Pennsieve data is backed up daily, and backups are persisted for 7 days.
- Disaster Recovery: Pennsieve has established procedures to rapidly recover data following an incident. Files on the platform can be recovered by the user for up to 1 month after accidental deletion.
- Data Integrity Checks: Pennsieve leverages both MD5 and SHA-256 hashing algorithms to verify the integrity of files in transit.
The Pennsieve Agent
The Pennsieve Agent is a lightweight, non-privileged terminal application running a gRPC service on localhost port 9000 for local communication. It connects to the Pennsieve platform using user-generated API keys and secrets, which can be revoked by the user at any time.
The agent requires only outbound HTTPS access to api.pennsieve.io and api2.pennsieve.io, ensuring all data transmission is encrypted. It interacts exclusively with files explicitly added to a user-defined manifest for upload, avoiding unnecessary access to other files or directories.
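The two guarantees described above, manifest-scoped file access and the MD5 plus SHA-256 integrity digests, as an added example that is not Pennsieve's code (the Agent's actual implementation is not shown on this page); the function names, directory layout and manifest entries are assumptions constructed for the demonstration:

```python
# Added example, not Pennsieve code: manifest-scoped access + MD5/SHA-256 digests.
import hashlib, hmac, os, tempfile
from pathlib import Path

def digests(path: Path) -> dict:
    """Hex MD5 and SHA-256 of one file, both fed from the same read pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB reads
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def scope_manifest(root: Path, entries: list) -> tuple:
    """Accept only entries that resolve (after '..' and symlinks) to regular
    files under root; return (accepted Paths, [(entry, reason), ...])."""
    root = root.resolve()
    accepted, rejected = [], []
    for entry in entries:
        target = (root / entry).resolve()
        if root not in target.parents:
            rejected.append((entry, "resolves outside manifest root"))
        elif not target.is_file():
            rejected.append((entry, "not a regular file"))
        else:
            accepted.append(target)
    return accepted, rejected

def verify(path: Path, recorded: dict) -> bool:
    """Recompute both digests; constant-time compare against recorded values."""
    got = digests(path)
    return all(hmac.compare_digest(got[k], recorded[k]) for k in ("md5", "sha256"))

def demo() -> dict:
    """Constructed layout: real files, a '..' entry, an escaping symlink, a missing file."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base, "upload")
        root.mkdir()
        (root / "data.csv").write_bytes(b"subject,value\n1,42\n")
        (root / "empty.bin").write_bytes(b"")
        Path(base, "secret.txt").write_text("not for upload")
        os.symlink(Path(base, "secret.txt"), root / "link")
        manifest = ["data.csv", "empty.bin", "../secret.txt", "link", "missing.csv"]
        accepted, rejected = scope_manifest(root, manifest)
        recorded = digests(root / "data.csv")
        return {"accepted": sorted(p.name for p in accepted),
                "rejected": sorted(e for e, _ in rejected),
                "empty": digests(root / "empty.bin"),
                "intact": verify(root / "data.csv", recorded),
                "tampered": verify(root / "data.csv", dict(recorded, sha256="0" * 64))}
```

Both the `..` entry and the symlink are rejected for the same reason because the check runs on the resolved path, not the manifest string.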
The agent is actively maintained by the Pennsieve team, which regularly releases updates for stability, security, and new features.