All Collections
Help Articles
Access and Permissions
Penelope | Privacy and Security Information
Penelope | Privacy and Security Information

A run-down on Penelope's security and privacy policies and risk management framework

Updated over a week ago

Table of Contents


Penelope case management software is a secure, cloud-based solution used by tens of thousands of people at social service organizations worldwide.

Our software and cloud services are trusted by governments, universities, and military organizations, along with large organizations in the fields of family services, home visiting, disability support, counselling, criminal justice, and hundreds of multi-service agencies who offer programs in their communities.

Penelope by Bonterra is ISO certified, meaning that our business opera<ons have been independently assessed and approved to meet the rigorous ISO/IEC 27001:2013 standards and guidelines for information security management systems.

Bonterra customers around the globe store confidential client information in Penelope that is protected by data privacy and security legislation. Data may be protected by the HIPAA/HITECH ACT in the United States (where Penelope is a Business Associate for the majority of its clients), the Privacy Act 1988 in Australia, PIPEDA in Canada, the E.U. General Data Protection Regulation, and/or other statutes.

This document summarizes Bonterra’s risk management framework and describes the administrative, technical, and physical safeguards used to ensure the confidentiality, integrity, and availability of data stored in Bonterra case management software.

Included are both the safeguards Bonterra has put in place as a trusted partner of your organization and also the ways in which Bonterra can support your organization’s efforts to implement secure policies and procedures, and meet your legislative requirements.

NOTE: It is up to each organization to ensure that they meet their own legislative requirements, and that they are satisfied that the provisions described herein are reasonable and appropriate for their organization.

Risk Management Framework

Penelope uses a comprehensive risk management framework modelled after NIST SP 800-37 rev2 and NIST SP 800-39. A formal risk management team, with representatives from Corporate Systems, Security, Technology, and Executive areas, evaluates ongoing audits and incidents, conducts an annual multi-faceted risk assessment, and implements the resulting risk response plan.

The risk assessment approaches used include threats-based analyses (as per NIST SP800-30 rev2), business process and information system analyses, and penetration testing for our hosting facilities. Risk owners are also identified within each business unit for monitoring and escalation, impact analysis, and reporting to the risk management team.

Bonterra has also developed a comprehensive set of policies and procedures with accompanying staff training programs that govern all activities relating to the protection of confidential data, including Personally Identifiable Information (PII) and Protected Health Information (PHI). Additionally, third-party security audits in the form of penetration testing is conducted at least once a year, and vulnerability scans are performed at least three times per week and prior to all significant releases.

Bonterra is continuously improving our practices and security provisions within our products, cloud hosting platform, and our business operations, in part to respond to a continuously changing threat environment.

As such, Penelope's policies and practices are subject to change at Bonterra's discretion. Penelope's policy changes will never result in a material reduction in the level of security specified herein. The level of security described herein also assumes that current clients are running up-to-date versions of Penelope and is not claimed for older versions of the software.

Data Security

Bonterra, in our capacity as a trusted partner, Business Associate, and software provider, can assist your organization in using administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of your sensitive client data.

With Penelope cloud hosting, your organization will benefit from the safeguards afforded by our hosting environment, as well as Penelope’s built-in security features. What follows is an overview of the many data security measures taken by Bonterra to ensure that the privacy of your clients is protected.

Administrative Safeguards | Security Management Process

Penelope is ISO/IEC 27001:2013 certified, and has adopted and implemented information security policies and procedures in relation to:

• Information asset ownership and classification

• Management responsibility for security

• Physical and logical access security

• Network, media and O/S security management and control

• Transmission and authentication

• Audit and monitoring

• Inventory, configuration management, and change control

• Risk assessment, mitigation, and remediation

• Vulnerability management

• Incident reporting and incident management

• Compliance reporting

• Workforce security training and sanctions

Assigned Security Responsibility

Bonterra's risk management framework identifies staff members responsible for the development and implementation of policies and procedures within each business unit as well as those responsible for approval processes, compliance monitoring, and application of sanctions for non-compliance.

Workforce Security

Bonterra has implemented highly restrictive access policies and procedures based on the principle of least privilege in our provision of services. Least privilege access rights and secure access procedures are used in the maintenance of instances and application of database upgrades, including controlled use of administrative privileges, encrypted sessions, secure authentication, auditing/monitoring, and risk review.

Using the principle of least privilege means that Penelope limits our exposure to PII/PHI to the minimum necessary to accomplish the intended purpose, and in the majority of instances it is not necessary for us to view or acquire PII/PHI at all while completing diagnostic investigations or authorized service requests.

Information Access Management

Bonterra has implemented policies and procedures for authorizing access to PII/PHI and the databases and servers that store PII/PHI based on need to know and least privilege. Bonterra authorizes our staff to perform specific types of service requests based on expertise and security training.

Penelope collects and stores the names of individuals within our client organizations who are authorized to make security-related requests, such as service requests involving use or disclosure of PII/PHI, as well as the individual authorized to make technical security-related requests such as Penelope update requests and ODBC access requests. Bonterra uses a formal authorization and logging process for all services that involve the creation, viewing, deletion, and transmission of PII/PHI, as well as any requested services that require access to your database (see also Security Incident Tracking below).

Security Awareness and Training

Bonterra has implemented a security awareness and training program for all members of its workforce (including management). General awareness and customized role-based training is provided to staff as appropriate. Periodic re-training is implemented in response to environmental or operational changes that affect the handling or security of PII/PHI. In addition, periodic security reminders are sent to staff to facilitate the implementation of policies and procedures, notify staff of any updates to them, and implement training/re-training programs. Staff training includes topics covering staff roles in protecting against malicious software, secure password management, and monitoring of log-in attempts.

Additional one-on-one review is available as desired, and a process is in place to collect feedback and provide clarification. All Bonterra employees sign a statement of understanding following training and review of relevant policies and procedures, ensuring that they not only received training but confirming they understand expectations and have read and understood our policies and procedures. Security awareness training is reviewed and updated as per technology changes.

Security Incident Procedures

Bonterra has implemented security incident policies and procedures that include detailed logging of all actual and suspected incidents with breach risk assessment and compliance reporting. Bonterra security incident tracking includes (but is not limited to) logging of all uses and disclosures of PII/PHI to or by Bonterra, whether authorized or not.

Customer Policies and Procedures

Bonterra can assist your organization with implementing your policies and procedures to ensure that members of your workforce have appropriate access to electronic PII/ PHI and to prevent those workforce members who do not have access from obtaining access.

Authenticated and configurable user accounts mean that all staff requiring any level of access to Penelope have a named user account configured based on need-to-know access. Penelope’s user model ensures that even occasional users can have their own authenticated user account for the system (see technical safeguards below). Role-based user groups in Bonterra and detailed security classes allow organizations to create and enforce strict access controls both across and within client records.

Altering authorized access or terminating access is easily maintained by workforce members with appropriate privileges.

Optional ODBC access is also authenticated by user and must be restricted to IP addresses fully controlled by the customer.

Provisions Applicable for Customer Staff Training and Awareness Program

Part of your staff training and awareness program will include providing best security practice information about creating and protecting secure passwords, avoiding malware, workstation security, and login monitoring, among other topics.

In addition to the information provided elsewhere in this document, users should be made aware that Bonterra monitors all login and logout activity and tracks unsuccessful login attempts.

Users are locked out after five unsuccessful attempts and accounts must be unlocked by a system administrator. All login attempts are logged in the general and authentication log files.

Contingency planning

Bonterra has developed emergency response and disaster recovery (ER/DR) policies and procedures for both non-adversarial (e.g. natural disaster) and adversarial (e.g. vandalism) threats to PII/PHI stored in databases at our hosting facilities.

These policies and procedures include ER/DR exercises with test databases to ensure team readiness in the face of an emergency resulting from a variety of scenarios, and an emergency mode operation plan to ensure business continuity in the face of disruption or disaster.

Daily backups of all databases and attachment directories are stored at a secure colocation. Penelope's ER/DR plan is reviewed annually as part of our annual risk assessment and also on an ongoing basis in response to any applicable system changes.

Each organization is responsible for developing policies and procedures around creating or accessing attachments in Penelope (which can be downloaded locally to a workstation), pivot tables and other data queries/export files, and information printed from Penelope.

NOTE: user account passwords are encoded and are therefore irretrievable by anyone, even Bonterra, irrespective of access rights.

Periodic technical and non-technical evaluation

Bonterra's risk management framework identifies security officials within each business unit responsible for ongoing monitoring of compliance, impact, and effectiveness of privacy and security policies and procedures that are developed by the risk management team. Periodic feedback is provided to the risk management team and incorporated into the annual risk assessment unless more immediate action is deemed appropriate by the team. In addition, all technical changes made by Bonterra through component upgrades, server environment changes, network configuration, and Penelope enhancements are evaluated for their impact on the security of PII/PHI.

Business Associate Contracts

Bonterra provides all U.S. clients that are covered entities under HIPAA with a Business Associate Agreement (BAA) updated as per the requirements of the HIPAA omnibus rule. Organizations can also provide their own BAA for Bonterra to review. It is the responsibility of each organization that is a Covered Entity under HIPAA to ensure that there is a BAA in place with Bonterra where required.


Penelope includes certain optional functionality that may interface with third-party software or services. Some optional/value-added integrations may involve products that are hosted outside our facilities and for these, Bonterra has a BAA or other applicable security agreements in place.

Data Security - Physical Safeguards

Workstation Use

Bonterra has implemented policies and procedures to ensure the physical security of workstations used to maintain the servers, to perform services that may involve PII/PHI, and/or to store access information to Penelope databases.

The specific functions, authorized roles, procedures for performing and documenting those functions, and the physical environment of the workstations are defined.

Workstation Security

Bonterra's policies and procedures ensure that workstations used to maintain the servers containing PII/PHI, perform services that may involve the viewing or acquisition of PII/ PHI, or to store access information to Bonterra databases are accessed only by authorized staff using authenticated accounts both for the workstation itself and for the PII/PHI or server.

Workstations are in locked and alarmed premises only accessible to Bonterra staff and sensitive data is stored in encrypted drives.

Device and Media Controls

Bonterra has implemented policies and procedures to address the final disposition of PII/PHI and/or the hardware on which it is stored. Unsolicited PII/PHI sent via email is immediately deleted from the staff workstation and removed from the ‘trash.’

Electronic PII/PHI that is transmitted to us to complete an authorized service request (e.g. data migration) is deleted and permanently removed from the workstation upon service completion.

All copies of a Penelope database (including backups and attachments) are deleted from our servers and the disk is scrubbed following termination and acknowledgement that data has been received and can be accessed by the former licensee.

All services and other incidents involving deletion of PII/PHI are documented in detail as per our security incident tracking protocol. If you transmit PII/PHI to Bonterra via electronic media, we will delete all PII/ PHI from the media prior to disposal. Bonterra maintains records of the movements of all hardware and electronic media.

A retrievable exact backup copy of Penelope databases containing PII/PHI is created before any maintenance, upgrades, or movement of equipment is performed.

Data Security - Technical Safeguards

Access Controls

Bonterra's access control and authentication policies and procedures ensure that access to Penelope servers at any of our data facilities is restricted to authorized staff via multilayered, two-factor authenticated accounts.

ODBC access to Penelope hosted databases to perform a service in response to a written authorized request from your organization is authenticated by name/password and IP.

Access to a client database through the user interface (i.e. via a Penelope login account) is provided by, and is therefore the responsibility of, your organization.

However, Bonterra does require minimum secure standards for server access and a secure user account configured based on need-to-know access with secure login credentials for UI access. All access is documented in detail.

All SSH access by Bonterra staff to Penelope servers at our hosting facilities is

automatically terminated after a period of inactivity if not manually terminated. User login sessions to Penelope also terminate after a period of inactivity determined by your organization.

All access to PII/PHI stored on servers hosted by Penelope is encrypted in transit as per Bonterra's transmission policies and procedures.

Access to your hosted database must use SSL encryption - the minimum level of encryption used is SHA-256 with a minimum supported cipher of TLSv1.2.

Any data that is transported on physical media from Penelope to your organization is encrypted using a minimum of 256-bit AES encryption and requires a lengthy passkey composed of a random mix of alphanumeric, upper and lower case letters, and special characters.

Provisions within Penelope that assist your organization with implementing technical policies and procedures to allow access only to those persons that have been granted access rights to systems containing PII/PHI include:

Unique User Identification

  • Penelope login accounts uniquely identify users via a system-generated unique ID number as well as by their login name and password. Organizations can determine the login name for each user. Password management practices are modelled after NIST SP 800-63b. Users are provided with visual cues when setting passwords to ensure they meet minimum strength and complexity requirements.

  • Strength and complexity are calculated algorithmically, and include factors such as variety and type of characters (numbers, letters, non-alphanumeric), and minimum length. Organizations can also implement a password reset schedule. As password advice from NIST or other similar security bodies is introduced, we will change the approaches in our products to match over time.


  • Passwords are encoded (i.e. not stored in clear text and cannot be unencrypted) and are therefore not accessible to anyone irrespective of access. Within Penelope, many screens contain a user login name and time stamp for record creation and modification.

  • Data stored in Penelope databases on Bonterra's servers are securely encrypted in transit using industry best practice standards. Any data transferred to a Bonterra client outside of Bonterra is encrypted.

Tracking of User Actions

  • All user activities within the system are tracked in a comprehensive general log file and, for certain types of activities, in a secondary selective log file (like authentication actions).

Access Control

  • Access to information within Bonterra is hierarchical based on need-to-know principles, and alterations to access can easily be made by users with the appropriate authorization. As such, access to client records in an emergency, for example, can be accomplished via escalation or alterations in account permissions.

  • Penelope user sessions are automatically terminated after a period of inactivity set by the organization through a combination of system and server configuration settings.

Audit Controls

  • Bonterra has implemented audit controls on our servers that record and examine the activity in information systems that contain PII/PHI.

  • Multiple controls have been implemented to track both authorized and unauthorized or suspicious activities. Audit logs track back-end access via postgres user accounts and front-end access via activity logs.

  • Detailed records of incidents involving access to PII/PHI, databases storing PII/PHI, and servers housing information systems with PII/PHI, are also kept.

Data Integrity (Penelope)

Bonterra has implemented policies and procedures to protect PII/PHI from improper alteration or destruction and to verify that a person or entity seeking access to PII/PHI is the one claimed.

Bonterra has implemented policies and procedures that require staff to obtain written authorization from an organization’s documented or designated security official via the organizational email account on file. This is to verify that a person seeking access to Penelope is the one claimed, in the event that a request is made of Penelope to reset a password for a system administrator account where no staff have access to create accounts or login as a system administrator, for example. Penelope also requires that all ODBC accounts are authorized by the documented or designated security official on file and that all accounts are named, password protected, and restricted to the external IP of the site requiring access.

Your Data Integrity

Provisions within Penelope that assist your organization in ensuring that PII/PHI is not improperly altered or destroyed and that the person seeking access to PII/PHI is the one claimed include:

• Penelope authenticates users via password-protected user accounts and provides an audit trail for all activities within the system.

• Onscreen user and date/time stamps are available in many areas of the program.

• In addition, for notes, documents, letters, surveys, assessments and other clinical documentation, information can be locked with the name of the user(s) that created and locked the information displayed on the screen with a date/time stamp.

• Digital signature functionality is available for documentation that corroborates the user who completed the form and, if desired, a manager or supervisor that reviewed the information.

• Deletion passwords can be set for key components of health records.

• Penelope has been designed with robust referential integrity that assists in protecting against inadvertent or malicious deletion of data.

• Within Penelope, user access is authenticated by login and passwords, and optional additional second-factor (SMS or email) means.

• Penelope enforces the usage of strong complex passwords or pass phrases. Strength and complexity requirements are in line with NIST SP 800-63b. Organizations are encouraged to educate their users on industry best practices on password/pass phrase management, including any requirements consistent with their own policies and procedures.

Data Security - Transmission Security

Bonterra has implemented technical security measures to guard against unauthorized access to PII/PHI being transmitted over an electronic communications network

Data integrity controls are in place that ensure electronically transmitted PII/PHI is not improperly modified without detection.

A security certificate from a valid signing authority verifies the connection to the appropriate server. All data is encrypted in transit using a minimum of SHA-256 with a minimum supported cipher of TLSv1.2.

Bonterra's policies and procedures ensure that any data temporarily on Penelope client machines remains within Bonterra's secure network and is stored in an encrypted drive.

Data Security - Cloud Hosting

Our SaaS offerings allow you to focus on your core business, while reducing risk and saving money by outsourcing your data hosting, application management, data protection, and much of your disaster recovery needs to a trusted provider. Learn more about the security provided by our data centre providers around the world:


Where is data hosted






CSA Cloud Security Alliance

Controls, ISO 9001, PCI DSS Level 1,

SOC 1, SOC 2, SOC 3, ISO 27001,

ISO 27017, ISO 27018, NIST, HIPAA




See above, plus PIPEDA.




See above, plus IRAP.




See above, plus G-Cloud, EU/US

Privacy Shield, Cyber Essentials Plus, CISPE

New Zealand



See Australia above.

Rest of World



See Canada above.

For a complete list of AWS certifications in your region, visit heps:// compliance/programs/.

Why AWS?

By partnering with AWS, Penelope is able to provide our customers with industry-leading cloud hosting services trusted by governments, banks, and large enterprises worldwide.

AWS meets the very highest standards of reliability, availability, redundancy, and data security, and has achieved third-party validation for thousands of global compliance standards. Visit heps:// for more information.

Privacy of PII, PHI, and Other Confidential Information

Penelope software is highly committed to ensuring that information remains confidential, is not viewed, acquired, or otherwise accessed by any Bonterra employee except in response to a specific authorized request from your organization or otherwise as required by law.

Penelope software’s Business Associate Agreement defines permitted and non-permitted uses and disclosures of protected health information based on the principle of least privilege.

These terms form our standard practices irrespective of jurisdiction. As such, data is not used or disclosed by Bonterra staff except as authorized by your organization to perform specific service requests or as required by law.

Furthermore, all incidents that involve either a use or disclosure of PII/PHI to or by

Bonterra staff, as well as all activities involving access to information systems that store PII/PHI, are tracked by Bonterra as per security incident tracking and breach assessment procedures, allowing for timely, accurate, and compliant accounting of disclosures of PII/ PHI for all clients, irrespective of jurisdiction.

It is up to each organization to ensure that their staff comply with organizational policies and procedures in their interactions with Bonterra software.

However, Penelope supports your efforts by logging any incidental or otherwise unauthorized uses and disclosures to Penelope by staff or third parties associated with your organization in our security incident tracking tool.

Data Privacy - Client Data Rights

Bonterra helps you respond to client requests relating to data rights as defined in the General Data Protection Regulation (GDPR). Specifically, we have developed Penelope use cases to help our customers, irrespective of jurisdiction, respond to data-related requests from their clients.

Right to information - A client can ask for information about what personal data of theirs is being processed and why.

Right to access - A client can access or request copies of their own personal data.

Right to rectification - A client can ask for modifications to their personal data if they believe it is not up to date or accurate.

Right to withdraw consent - A client can withdraw previously given consent for processing of their personal data.

Right to object - A client may object to or suspend the processing of their personal data.

Right to object to automated processing - A client can object to a decision based on automated processing.

Right to be forgotten (right to erasure) - A client may ask for the deletion of their data (depends on your retention policies and applicable laws).

Right for data portability - A client may ask for transfer of their personal data (provided back to them or transferred to another organization).


Please contact us with any questions or concerns you may have about Penelope's security and privacy standards. We are pleased to provide additional information as appropriate.

Did this answer your question?