At ARC we strive to deliver innovative and secure technologies to UBC researchers. This is why we have ensured that The ARC REDCap platform was configured and is being maintained with security and privacy in mind. This page will briefly present some of the key security and privacy features of The ARC REDCap platform.
Before you read this page
Before you read this page, it is important to know that:
- Any Eligible UBC Researcher intending to use The ARC REDCap platform for a research project is responsible for ensuring that all use remains in compliance with all applicable policies, regulations, laws, ethics requirements, and agreements. For more information see the UBC The ARC REDCap platform Terms of Service.
- In cases where a research project collects, stores, or processes sensitive information, a Security Threat Risk Assessment (“STRA”) that examines the entire project workflow and toolchain used to protect this information during academic research may be recommended. This page is intended to provide relevant security and privacy information about The ARC REDCap platform and cannot replace an STRA. For more information about STRAs, visit our Security and Privacy section.
UBC Information Security Requirements
The ARC REDCap platform is configured to meet the requirements set by UBC Information Systems Policy (SC14) and associated standards.
Information Classification
The current security controls of The ARC REDCap platform allow UBC researchers to collect and temporarily store UBC information of all classifications.
Ethics
At UBC, research projects may be subject to review by a Research Ethics Board (REB), which approves the project and sets requirements around data collection, use and disclosure. Before completing your REB application, visit our information page on REB applications for the ARC REDCap platform.
Architecture Security
The ARC REDCap platform is designed with a multi-layer architecture to ensure data is not directly exposed outside its environment. Secure architecture hardening controls including network protection, endpoint detection and response, vulnerability scanning, and patch management are in place to prevent unauthorized access and actions on the platform. Expand the sub-sections below to learn more about the current controls in place:
Architecture Diagram
Access Control
The ARC REDCap platform access controls are implemented following the Principle of Least Privilege. For end users, access to the platform is integrated with UBC’s Campus Wide Login (CWL) system as described in the ARC System Access Control standard (ARCS-22). Privileged accounts used to administer the platform are further limited to specific members of the UBC ARC team and to a dedicated internal network. Passwords and passphrases must follow the requirements of UBC Information Security Standard U2 (ISS-U2), and access to The ARC REDCap platform requires Multi-Factor Authentication.
Furthermore, a Project Owner can define different roles and access configurations for users of the platform. To learn more about the ARC REDCap platform access management, consult our ARC REDCap Access Management and Security Guideline.
Network
The platform is accessible via a supported web browser and only authenticated users with a valid CWL can access the application server. The following network controls are in place:
- All connections require the use of a secure network protocol, with signed certificates using a SHA-2 family hash algorithm (SHA-256 minimum).
- Production web servers reside on a DMZ network protected by a next-generation firewall. External access is only available over TLS-encrypted connections (version 1.2 minimum) using cipher suites that provide forward secrecy, with HSTS enabled.
- Production database servers reside on a separate network segment and are not accessible to the external network. Connections between the web application servers and database servers are TLS encrypted.
- Pre-Production web and database servers are only accessible from the internal administrative network for testing purposes. Their configuration is otherwise identical to the production systems.
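As an added illustration (not part of the ARC page or the platform's own tooling), the following Python audit function evaluates one observed HTTPS connection against the four network controls listed above: protocol at least TLS 1.2, forward-secrecy cipher suites, HSTS enabled, and a certificate signature hash of at least SHA-256. The Observation fields and both sample connections are constructed assumptions, not captured data.

```python
from dataclasses import dataclass
MIN_TLS = (1, 2)                                # page: TLS 1.2 minimum
FS_KX_PREFIXES = ("ECDHE", "DHE")               # ephemeral key exchange => forward secrecy
OK_SIG_HASHES = ("sha256", "sha384", "sha512")  # page: SHA-256 minimum for signatures

@dataclass
class Observation:
    tls_version: str   # as returned by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str        # OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    cert_sig_alg: str  # certificate signatureAlgorithm, e.g. "sha256WithRSAEncryption"
    headers: dict      # HTTP response headers

def parse_tls_version(name: str) -> tuple:
    """'TLSv1.2' -> (1, 2); the bare 'TLSv1' reported for TLS 1.0 -> (1, 0)."""
    parts = (name[4:] if name.startswith("TLSv") else name).split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)

def has_forward_secrecy(tls_version: str, cipher: str) -> bool:
    """TLS 1.3 suites always use ephemeral key exchange; for 1.2 check the KX prefix."""
    if parse_tls_version(tls_version) >= (1, 3):
        return True
    return cipher.upper().startswith(FS_KX_PREFIXES)

def parse_hsts(value: str) -> dict:
    """'max-age=31536000; includeSubDomains' -> {'max-age': 31536000, 'includesubdomains': True}."""
    out = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key:
            out[key.lower()] = int(val) if key.lower() == "max-age" else True
    return out

def audit(obs: Observation) -> list:
    """Return the controls the connection fails; an empty list means compliant."""
    findings = []
    if parse_tls_version(obs.tls_version) < MIN_TLS:
        findings.append(f"protocol {obs.tls_version} is below TLS 1.2")
    if not has_forward_secrecy(obs.tls_version, obs.cipher):
        findings.append(f"cipher suite {obs.cipher} lacks forward secrecy")
    if not any(h in obs.cert_sig_alg.lower() for h in OK_SIG_HASHES):
        findings.append(f"certificate signed with {obs.cert_sig_alg}, weaker than SHA-256")
    headers = {k.lower(): v for k, v in obs.headers.items()}  # header names are case-insensitive
    if parse_hsts(headers.get("strict-transport-security", "")).get("max-age", 0) <= 0:
        findings.append("HSTS header missing or max-age not positive")
    return findings

# Constructed samples: one matching the controls above, one legacy configuration that fails all four.
COMPLIANT = Observation("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "sha256WithRSAEncryption",
                        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
LEGACY = Observation("TLSv1", "AES128-SHA", "sha1WithRSAEncryption", {"Server": "Apache"})
```

In practice the Observation would be filled from `ssl.SSLSocket.version()`, `ssl.SSLSocket.cipher()`, the parsed certificate and the HTTP response of a live connection.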
Physical Security
The ARC REDCap platform is located in British Columbia, Canada. The majority of the platform physically resides within the UBC University Data Centre at the Point Grey campus, a modern secure data centre with security features such as pass-card restricted and logged entry, generator-backed, UPS-protected power, and video surveillance.
Endpoint Protection
To ensure optimal protection, operation and performance, The ARC REDCap platform runs supported versions of its underlying infrastructure, including operating systems. All the ARC REDCap platform servers are equipped with Endpoint Detection and Response to prevent unauthorized access and the movement of potentially malicious elements.
Vulnerability Management
The ARC REDCap platform is regularly scanned using a variety of recognized scanning tools. Reports are reviewed and inform the maintenance and patching priorities to ensure compliance with the ARC System Maintenance standard (ARCS-21) and UBC Information Security Standard M5 (ISS-M5). Additionally, ARC has dedicated cybersecurity, system and platform administrators to keep track of the latest vulnerabilities potentially affecting the platform and to ensure they are addressed in a timely fashion.
Maintenance and Patching
The ARC REDCap platform maintenance and patching is defined in the ARC System Maintenance Standard (ARCS-21).
To facilitate required upgrades and patches, The ARC REDCap platform has pre-set maintenance windows, and maintenance includes the following:
- Security patching based on priority (as defined in UBC ISS-M5);
- Underlying infrastructure regular maintenance;
- Regular software updates and upgrades to ensure efficient and secure operation;
- Testing prior to releasing a new update or patch, as well as post-release verification to ensure the implementation was successful;
- Documented update and user communication procedures;
- Change Management procedures;
- Contingency planning.
Code Validation
The ARC REDCap platform software provided by the projectREDCap.org developers is installed “AS-IS”. UBC ARC does not conduct any additional review of the software code provided. Release notes and change logs posted as part of the regular releases at projectREDCap.org are monitored, and any urgent fixes and/or security patches identified are prioritized for application to the version running on the UBC ARC instances. For additional detail concerning the REDCap application in general, please refer to the REDCap Technical Overview documentation.
Logging and Monitoring
The ARC REDCap platform logs are compiled in a central logging system. Logs are generally intended to be used for maintenance and troubleshooting, as well as detecting and investigating information security events. Access for other purposes must be approved using one of the following methods:
- Internally, within UBC, in accordance with UBC Information Security Standards;
- Externally to law enforcement via Campus Security;
- Externally to other entities via authorization from the Office of the University Counsel.
Information Security
The ARC REDCap platform is configured with multiple security and information protection controls to ensure research information is protected while stored on the platform. Expand the sub-sections below to learn more about the current controls in place:
Encryption
The ARC REDCap platform electronic information is encrypted in transit using HTTPS connections with TLS 1.2 or higher.
Backup
A complete database extract is performed nightly; this extract is encrypted and maintained per the database retention schedule. In addition to this extract, the entire ARC REDCap platform application server is also captured via a system snapshot, which is retained following UBC retention schedules. For further detail refer to the ARC REDCap Backup standard (ARCS-15).
Information Retention and Destruction
The ARC REDCap platform storage is intended for information that is being actively processed on the system. Information is subject to deletion as defined in the UBC ARC REDCap Terms of Service.
All information stored on the platform is managed in accordance with the ARC Data Retention and Destruction standard (ARCS-05).
No facility exists to request the deletion of information stored in backups of the REDCap platform. Information stored on backup systems will be deleted automatically based on the retention schedule defined in section 5.2 and as mandated by the ARC REDCap Backup standard (ARCS-15).
Privacy
The ARC REDCap platform is designed to facilitate information capture, primarily for High or Very High risk information. It is a self-service web application for the collection of simple tabular data such as intake forms, information collection instruments, and surveys. Expand the sub-sections below to learn more about the platform's privacy:
Privacy Model
UBC ARC REDCap operates under a shared responsibility model. UBC ARC is responsible for the underlying platform and for ensuring the operation of the software; the Project Owner is responsible for the data collected, its use, and disclosure. The REDCap software itself is developed and supported by the REDCap consortium as a collaborative software development project.
Collection
UBC ARC does not collect any personal information as part of the operation of the REDCap platform. UBC ARC only collects the necessary business information required for the provision of the service.
Use and Disclosure
UBC ARC does not use or disclose any of the information collected by projects within the REDCap platform except where required by law or as directed by the Project Owner. The Project Owner is responsible for the data collected, its use, and disclosure.
Training and Awareness
Training is available for users of The ARC REDCap platform to ensure research is conducted following UBC requirements and cybersecurity best practices.
UBC privacy and information security training
Privacy & Information Security – Fundamentals training is a mandatory requirement for faculty, staff, researchers, student employees and contractors who use UBC Electronic Information and Systems. Visit privacymatters.ubc.ca for more information.
ARC information security awareness training
In addition to UBC Privacy and Information Security training, ARC staff must complete the mandatory ARC Information Security Awareness curriculum which is specifically oriented to professionals providing support to UBC researchers and managing ARC systems and platforms.
The ARC REDCap platform users
Tutorials, and live training events are available for new and existing ARC REDCap platform users. See our Training and Events section for more information.
Management
Research Data Management
Research data management is the responsibility of the Project Owner, but ARC offers support to UBC researchers if required. Visit our rdm.ubc.ca section for more information.
User Management
The ARC REDCap platform user management is the responsibility of the Project Owner. It should be done following the requirements of UBC Information Security Standard M2 (ISS-M2) and it should include:
- Review and approval of user accounts prior to access provisioning;
- Documented Onboarding and Off-boarding procedures;
- Periodic access reviews.
Security Incident Response
UBC ARC has a Security Incident process in place to ensure potential and confirmed incidents are properly handled and documented. This process is in place to supplement UBC Security Incident Response procedures and includes:
- Defined security incident response based on criticality;
- Defined roles and responsibilities;
- Defined security incident reporting and activation protocols;
- Documented procedures including information breach management, communication, reporting and sharing, as well as forensic analysis;
- Documentation, logging and evidence management requirements;
- Escalation protocols;
- Post incident reviews.
Additional Resources
To learn more about the ARC REDCap platform, visit:
To learn more about security and privacy for research visit:
Can’t find what you are looking for?
Send us an email at arc.support@ubc.ca to talk to one of our subject matter experts.