Skip to content

Information Governance

Last Reviewed: 2025-01-07

Oxford Nanopore Technologies plc provides sequencing devices, and bioinformatics resources to researchers worldwide both directly and through a network of distributors and partners. These offerings comprise data analysis solutions under the EPI2ME brand. EPI2ME products include:

  • Bioinformatics workflows authored in Nextflow,
  • Bespoke analysis tools written in C, Python, Node.js, and TypeScript (amongst others),
  • A cloud compute platform, The EPI2ME Cloud Platform (“EPI2ME Platform”), and
  • Bioinformatics analysis support and advice to researchers and clinical practitioners.

Data Security

Personally Identifiable Information (PII)

To enable certain features of the analysis platform, Oxford Nanopore Technologies may collect from users:

  • An email address
  • Cryptographic tokens such as JSON Web Tokens (JWTs), similar to web browser cookies

This information is covered by the Oxford Nanopore Technologies Privacy Policy. No other personally identifiable information is processed during the analysis or storage of data in the EPI2ME Platform, and the terms of use (see Terms, Conditions and Policies page) do not permit users to use free-text annotation fields for such data.

Data in Transit

All data in transit are encrypted using HTTPS and best-practice ciphers, automatically tested and reviewed periodically; any data transferred are not in human readable form.

Data at Rest

All data stored, both temporarily for analysis and longer-term storage, are encrypted at rest with AES-256 using server-side encrypted customer managed keys with automated key rotation; any data stored are not in human readable form. Data from individual end users is stored in separate logical partitions and encrypted with distinct keys. All data stored in the metadata database and its replicas, snapshots and backups are encrypted at rest. All database traffic in transit is encrypted using TLS.

Data Residency

The data centres currently in use are located in Ireland. We are actively working on expanding worldwide local data residency and analysis. End user data resides on segregated storage and is operated on by isolated compute infrastructure at the cloud host virtualisation layer.

Data Retention

Uploaded raw data are retained for 14 days from the date of upload. Analyses are automatically stopped after 24 hours if they have not completed automatically. There is no long-term storage of data, and any outputs of an analysis are deleted 14 days after they are generated. Users requiring copies of their generated reports or analysis outputs must download them within 14 days.

Data Ownership

Raw data remain owned by the user. Metadata remains owned by Oxford Nanopore Technologies and may be used for purposes including but not limited to:

  • Platform performance measurement and analysis
  • System performance measurement and analysis
  • Quality control
  • User support
  • User-facing analysis reporting

Systems

Networking

All systems in the EPI2ME platform use best-practice, customised and monitored security group (firewall) ingress and egress rules. Ephemeral data processing machines are started without a root Secure Shell Protocol (SSH) key, so cannot be accessed through SSH by any means. The machines are configured to operate independently, and in an automated fashion only. Security groups forbid any inbound networking connection of any kind to services other than the service front end. Communication to other cloud servers such as persistent storage occur through private gateways within the local network.

Communication with the EPI2ME Platform occurs only through the application server located within a private subnet and accessible only through an application load balancer via an internet gateway. The load balancer mitigates denial of service attacks, filters malicious traffic, and offers centralized monitoring as part of a multi-layered defence strategy.

Change Controls

Changes are requested, prioritised and tracked in an internal ticket tracking system. Changes to software and systems are managed in an internal revision control system and automatic policies mandate code reviews as part of that change process. Deployment of changes to production environments is handled automatically by "continuous delivery" systems and are gated by both technical and product management teams.

Access Controls

All administrative and control systems in the EPI2ME platform use automatically monitored, change-controlled, role-based service access rights. Interactive user access to the EPI2ME Platform is by username and password with authentication managed using the Oxford Nanopore Technologies Single Sign On (SSO) system.

Programmatic access to the platform is managed through OAuth2 using the Oxford Nanopore Technologies SSO.

Managed, role-based access controls permit use of various aspects of the system including but not limited to:

  • End user visibility and availability of applications/workflows
  • End user prerelease of applications/workflows
  • Administrative access to an organisational cloud hosting account
  • Administrative application access by Oxford Nanopore Technologies representatives via temporary, time-based, strict access controls, (“break glass access”) with additional logging and monitoring.

Application of roles to individual users is gated by a multistep approval process. End users have no access to the system other than to the front-end application server granted through OAuth2 controlled programmatic access, notably the EPI2ME Desktop application.

Monitoring

Oxford Nanopore Technologies deploys multiple solutions to maintain a secure cloud environment, including both proactive and reactive measures. These measures are deployed on the cloud host organisation level so cannot be inadvertently disabled by account administrators or subverted by an attacker who has compromised the account level security.

Cloud Security Posture Management is provided through a suite of cloud host and third-party contractor tools incorporating Security Information and Event Management and providing 24/7 managed Security Operations Centre.

Oxford Nanopore Technologies performs an annual, rolling programme of penetration testing by accredited service providers together with appropriate remediation of any discoveries.

Incident Management

Through defined Information Security Management Systems, Oxford Nanopore Technologies maintains procedures to handle cybersecurity and other disruptive incidents, with defined Recovery Time Objectives and Recovery Point Objectives where appropriate.

Certifications

Oxford Nanopore Technologies PLC is accredited to ISO/IEC 27001 and ISO 9001. Related information may be found on the Terms, Conditions and Policies page.