Initial Certification: 04/2016

Brainlab AG provides the cloud-based service Quentry, which facilitates the collaboration of medical professionals. Quentry enables medical professionals to share medical images, to display medical images in a web-based viewer and to add comments such as medical opinionsCustomers of Brainlab are provided with meaninful information on how to make use of the service in compliance with EU data protection law. Particularly, they are advised that the legitimate use of the service requires the collection of patients' consent and release from medical confidentiality and that they must verify the identity of other customers prior to sharing medical information with them. Quentry comes with a functionality which allows the de-identification of meta data about patients prior to data being uploaded to the service. Customers who adhere to Brainlab's privacy advice can be sure that processing of sensitive health data by means of Quentry is in line with the high requirements of EU data protection law.

https://www.quentry.com

Press Release Image 

Image

European Privacy Seal for Brainlab AG

Product/Version

Bild

Quentry® service as provided to EU customers

Function as provided in March 2016

Qualification: IT-based service

View the Quentry Certificate 

Cert. No.

EP-S-QCYQ9S

Validity

06/04/2016 - 30/04/2018

Monitoring

12/2016 (O.K.) 

08/2017 (O.K.)

Public report

Quentry Short Public Report Image   

Manufacturer/Provider

Brainlab AG

Olof-Palme-Straße 9
81829 München
Germany

BEST

Brainlab AG implemented a sophisticated multi-layered encryption solution which provides a high level of confidentiality regarding sensitive patient data that is processed within Quentry. Brainlab went to great lengths to implement a solution that approximates the level of a true end-to-end encryption to the greatest extent possible. Note: End-to-end encryption is impossible in the Quentry context since the service involves processing of patient data in the cloud.

In detail, confidentiality of personal data within Quentry is secured by means of an interplay of the following encryption methods:

  • All communication between the user (client) and the Quentry-server is secured over TLS.
  • User data and patient data are encrypted during transmission to the Quentry-server by TLS communication.
  • User login process (External Authentication Service) is encrypted and secured by TLS-Webserver-Authentication and TLS-Web-Client-Authentication.
  • During processing, patient data is encrypted in the CPU/RAM of the Quentry-server through a multi-layered encryption process.
  • Only after the patient data is encrypted, the data is stored in a secured environment.  

ATTENTION

Regarding the processing of patient data, it must be highlighted that users of Quentry qualify as controllers whereas Brainlab acts as processor on behalf of the customers. Brainlab provides customers with meaningful information on how to make use of the service in compliance with EU data protection law. Particularly, customers are advised that the legitimate use of the service requires the collection of patients' consent and release from medical confidentiality. The customer must verify the identity of other customers prior to sharing medical information with them. More detailed information on this topic is available under"Details" as well as in the Short Public Report.

Brainlab uses Salesforce as a cloud service provider for the authentication of users (customers). For the time being, Brainlab relies on standard contractual clauses (SCC) for the transfer of minimum authentication data to the U.S. In this context, it must be stressed that Brainlab will adhere to future guidance of the Article 29 Working Party regarding the impact of the so-called "Schrems judgment" of the European Court of Justice on the eligibility of SCC to legitimize international data transfers and make changes to the authentication solution (if necessary).

SUMMARY

Brainlab provides the cloud-based service Quentry that can be accessed via https://www.quentry.com. Quentry enables medical professionals to share medical images, to display medical images in a web-based viewer and to add comments such as medical opinionsThe service relies on Amazon Web Services as cloud provider (sub-processor). Since medical data is processed in the cloud, Quentry is not able to provide for true end-to-end encryption. However, Brainlab implemented a sophisticated multi-layered encryption solution which provides a high level of protection against unauthorized access to patient data. More details on this topic are available under "BEST" above and in the Short Public Report

In respect to the processing of medical data relating to patients, customers of Quentry such as hospitals qualify as controllers whereas Brainlab acts as a processor on behalf of these controllers. Customers are provided with meaningful information on how to make use of the service in compliance with EU data protection law. Particularly, they are advised that the legitimate use of the service requires the collection of patients' consent and release from medical confidentiality. Customers must verify the identity of other customers prior to sharing medical information with them. Quentry comes with a functionality which allows the de-identification of patient meta-data prior to data being uploaded to the service.

When it comes to the processing of customer data when providing the Quentry service, Brainlab qualifies as controller. Salesforce provides cloud-based services for the authentication of customers on Brainlab's behalf.

DETAILS

The user ("controller") is responsible for the collection of consent and release from medical confidentiality from the patient. However, Brainlab advises and requires the customer (user) within the upload process to confirm that the user obtained consent and release from medical confidentiality from the patient. This holds true even if only de-identified patient data is processed, because images themselves may qualify as personal data.

When obtaining patients’ consent, users must inform data subjects (patients) about the following in particular:

  • Patient data is processed in the cloud.
  • Brainlab processes patient data as a processor on behalf of the user. Customers must conclude a controller–processor agreement with Brainlab prior to uploading any patient data to the cloud.
  • Brainlab relies on Amazon Web Services as cloud provider (sub-processor). Encrypted patient data is stored exclusively in a data center in Ireland for customers who are located in Europe. Sub-processors responsible for maintenance may be located in third countries outside of the European Economic Area (EEA). Standard contractual clauses between Brainlab and Amazon Web Services are in place.
  • End-to-end encryption is impossible in the Quentry context since the service involves processing of patient data in the cloud. However the encryption approximates the level of a true end-to-end encryption to the greatest extent possible.  
  • Brainlab is capable of decrypting encrypted patient data, but safeguards are in place that this is only performed in exceptional cases such as major database maintenance or system restoration. A secure process ensures the coordinated decryption and re-encryption of the database. Individual employees of Brainlab are not able to decrypt patient data on their own.
  • If applicable: That the user shares patient data with hospitals / doctors in countries outside of the EEA which do not provide an adequate level of data protection.

Prior to establishing a connection with other Quentry users, customers must confirm that they verified the identity of the other user by means of an appropriate channel (e.g., via phone).  

Technical Evaluator

Dr. Michael Foth
IBS Schreiber GmbH
Zirkusweg 1
20359 Hamburg
Germany

Legal Evaluator

Johanna Laas
intersoft consulting services AG
Beim Strohhause 17
20097 Hamburg
Germany

Image

Disclaimer:

This register is kept with the utmost care. However, EuroPriSe does NOT guarantee the accuracy of information found on the Site. Your reliance on information found on the Site is at your own risk.

© 2008 - 2019 | EuroPriSe GmbH - European Privacy Seal | Handelsregister-Nr. (Commercial Register No.): Bonn HRB 20387

No responsibility for the accuracy of the information. Contact | Privacy Notice | Imprint

Product/Version

REISSWOLF f.i.t.

v1.5; service function as provided in 05/2018

Qualification: IT product and IT-based service (processor service)

View the REISSWOLF f.i.t. certificate

Version of Certification Criteria

11/2011

Cert. No.

EP-S-X5TSCN

Validity

24/05/2018 - 31/05/2020

Monitoring

01/2019

09/2019

Public Report

f.i.t. Short Public Report Image Image 

Manufacturer/Provider

REISSWOLF Systems GmbH

Im Heegen 13
22113 Oststeinbek
Germany

BEST

Access policies can be used to restrict system usage to specific times of the day and/or IP addresses to reduce the attack vector for third-party access. A user session is controlled by means of a cross-tab synchronised session countdown.

ATTENTION

Regarding the processing of personal data on third persons by means of f.i.t., it must be highlighted that the (usually) corporate users of the service qualify as controllers whereas REISSWOLF Systems GmbH acts as a processor on behalf of the users. Customers are advised that the legitimate use of the service may require the collection of the data subject's consent and/or declaration of release from confidentiality.

SUMMARY

REISSWOLF f. i. t. is a web-based archiving system for data storage and access. It serves the purpose of uploading, storing, managing and exchanging data in the sense of a document management system. f.i.t. is a web application that can be used with common internet browsers. 

DETAILS

REISSWOLF f. i. t. is primarily designed for commercial use. It is distributed by REISSWOLF Systems GmbH and operated as Software as a Service (SaaS) in a data center in Germany.

The ToE includes

  • The web-based service REISSWOLF f.i.t. (for details, please cf. the short public report)

It does not include

  • REISSWOLF f.i.t. mobile app
  • REISSWOLF f.i.t. hotfolder
  • Office module
  • Teamviewer
  • Other alternative interfaces to clients

Technical + Legal Evaluator

Ann-Karina Wrede
Innungsstraße 7
21244 Buchholz
Germany

Initial Certification: 05/2018

REISSWOLF f.i.t. provides a web-based service that enables companies to upload, store, manage and exchange data in the sense of a document management system. Users of the service are controllers in respect of personal data on third persons that is processed by means of f.i.t.. The service is designed in a way that facilitates the users' compliance with EU data protection law.

Image

Disclaimer:

This register is kept with the utmost care. However, EuroPriSe does NOT guarantee the accuracy of information found on the Site. Your reliance on information found on the Site is at your own risk.

Image

European Privacy Seal for REISSWOLF f.i.t.