Security Statement

Security at Castor is compliant with the most recent standards in order to protect your data in the best possible way, which means our priority is storing your data as securely as possible. We try to be as transparent as possible because we do not believe in ‘security through obscurity’.


Security in Castor EDC 

  • Each user has their own individual account; sharing of passwords is not permitted and we enforce strong password choices when creating or changing passwords.
  • User login takes place over SSL/TLS 1.2.
  • To reduce the possibility of unauthorised access to data by other researchers or institutes, the authorisation to access data is determined per person per institute and is always maintained by the study administrator.
  • The application code has been written in such a way that the risk of SQL injection and related attacks is minimised.
  • Continuous Penetration Tests ensure that our application and infrastructure security is always state-of-the-art.


Security of the servers

  • Our servers are hosted globally at three ISPs: 
  • All hosting platforms are certified for or compliant with relevant certifications (ISO27001, ISO9001) and/or national or international standards like HIPAA.
  • Unauthorised access to the data centers is not possible.
  • The data centers are protected by digital surveillance equipment.
  • All backups are stored at a separate geographical location to ensure maximum security and continuity, in line with the General Data Protection Regulation (GDPR).


Castor Availability 

  • Castor EDC runs on fully managed virtual private servers. All servers are continually and proactively monitored - in the event of any emerging problems or loss of availability, action is immediately taken according to our standard operating procedures.
  • Backups are made four times a day and are moved to another geographical location on a daily basis.


Network Security

  • We utilise a number of tools to continuously check for errors and prevent intruders from accessing the system.
  • The application runs on a protected server with only strictly necessary services and ports open to external access.
  • A hardware firewall ensures that no unwanted connections can be made to any of our servers.
  • In order to prevent unauthorised access by third parties, the database server is not accessible from the Internet.



  • The application uses a stack including PHP 7.0 and MySQL 5.5, and is hosted on recently updated Ubuntu Linux servers.
  • Our servers are regularly updated, and zero-day exploits are patched as quickly as possible to prevent vulnerabilities.



Incident Response

While we do everything in our power to protect your data, we acknowledge that absolute security does not exist on the Internet. We cannot guarantee that Castor will never become the target of data theft. However, we can guarantee that we will take all measures available to us to prevent this. In the event of a breach, we will do everything we can to minimise damage and to provide details and timely updates regarding the incident to our users.

User responsibilities

You can contribute to the security of your data. We advise our users not to store patient-identifiable information within Castor - which includes surnames, Social Security numbers, zip/post codes and dates of birth. The safest solution is to use the Castor record ID and to connect your computer to the patient data within your own network. This will ensure that patient information can never be traced back to a patient.

Continuity Solution & Source Code Escrow

If anything unexpected should happen to our company, we want to minimise the impact this has on our clients. Therefore we provide coverage in the short and long term:

  • Short term continuity solution: we have deposited funds in a legal entity separate from the company to facilitate the current hosting arrangements for a minimum of 3 months. All studies in Castor EDC automatically benefit from this arrangement.
  • Long term coverage via Source Code Escrow: clients have the option to become a beneficiary of the application source code in case of bankruptcy or product discontinuation. The code can be deployed in a client owned environment, or our hosting provider can continue the existing services. Please contact us if you are interested in participating.

We also recommend that you keep your login details safe and secure - it is advised never to write them down. It is also advised to ensure that your computers are protected with antivirus and anti-malware software. Always check that you are accessing one of the secure Castor website addresses and be aware that phishing attempts can closely imitate a familiar website. A Castor employee will never ask for your password.


Questions? If you have any questions about the security of Castor, you can send us an email at

  1. Castor Support Team