Data Security
The TOPMed Imputation Server, in coordination with NIH/NHLBI, protects the confidentiality, integrity, and availability of data in accordance with the NIST SP 800-53 Moderate baseline. This exceeds the NIST SP 800-171 compliance requirement of the NIH Genomic Data Sharing Policy (NOT-OD-24-157), as explained in the NIH's FAQ on this topic. As of May 2023, we have completed a rigorous security review and received a federal Authorization to Operate (ATO) from NIH/NHLBI.
All data is stored on a secure server hosted on Amazon Web Services (AWS). A wide array of security measures are in force:
- All interactions with the server are secured with HTTPS.
- Input data is deleted from our servers as soon as it is no longer needed.
- We only store the number of samples and markers analyzed; we do not access your data in any way.
- All results are encrypted with a strong one-time password, ensuring that only you can access them. We do not store the password.
- After imputation is complete, the user has 7 days to retrieve the results using an encrypted connection. The data is automatically deleted at the end of this period.
- The complete source code is available via public GitHub repositories:
Who Has Access?
To upload and download genotype data, users must register with a unique email address and a strong password. Each user can only download imputation results for samples they have uploaded themselves; other users of the Imputation Server will not have access to your data.
What Security or Firewalls Protect Access?
A wide array of security measures are in force on the imputation servers:
- All stored data is encrypted at rest using FIPS 140-2 validated cryptographic software as well as encrypted in transit.
- Access controls follow the principle of least privilege. All administrative access is secured via two-factor authentication using role-based access controls and temporary credentials.
- Network access is restricted and filtered via web application firewalls, network access control lists, and security groups. Public/private network segmentation also ensures that only the services that need to be publicly reachable are exposed to the public internet. All internal traffic and requests are logged and scanned for malicious or unusual activity.
- Advanced DDoS protection is in place to ensure consistent site availability.
- All administrative user activities, system activities, and network traffic are logged and scanned for anomalies and malicious activity. Administrative users are alerted to any findings.
What Encryption of the Data Is Used While the Data Are Present?
Imputation results are encrypted with a one-time password generated by the system. The password includes lowercase and uppercase letters, special characters, and numbers, with a maximum of three duplicate characters.
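The password rule described above can be written as a generator and a checker. This is an added example, not the Imputation Server's own code. The password length, the special-character set, and the reading of "maximum of three duplicate characters" as "no character occurs more than three times" are assumptions.

```python
import secrets
import string
from collections import Counter

# Assumptions (not stated on the page): LENGTH, SPECIALS, and interpreting
# "maximum of three duplicate characters" as a per-character occurrence cap.
LENGTH = 16
SPECIALS = "!@#$%^&*()-_=+"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
ALPHABET = "".join(CLASSES)
MAX_REPEATS = 3


def satisfies_policy(password: str) -> bool:
    """True if all four character classes appear and no character repeats too often."""
    if any(ch not in ALPHABET for ch in password):
        return False
    if not all(any(ch in cls for ch in password) for cls in CLASSES):
        return False
    return max(Counter(password).values()) <= MAX_REPEATS


def generate_one_time_password(length: int = LENGTH) -> str:
    """Draw from ALPHABET with a CSPRNG and reject draws that break the policy.

    Rejection sampling keeps the result uniform over all compliant passwords;
    repairing a failed draw (for example forcing a digit into a fixed position)
    would bias the output.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if satisfies_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_one_time_password())
```

The generator uses `secrets` rather than `random` because the password protects the encrypted results and must not be predictable from earlier outputs.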