...
REDCap resides in a HIPAA-compliant (21-CFR-11) protected space within the University of Utah Center for High Performance Computing (CHPC). The production and development servers use encrypted drives for data at rest. Data access between the database and the web server is encrypted and restricted to a monitored port. All REDCap data displayed or captured by the user interface is encrypted using Secure Sockets Layer (SSL) technology. Within REDCap, all data transactions, including inserts, updates, deletions, import/export and reporting, are logged.
...
Physical hardware is secured in a locked and guarded facility at the University of Utah Data Center. Physical access to the systems is limited to data center staff and limited CHPC staff. Login access to the servers is restricted to CHPC and CCTS IT CTSI personnel and is available only after first logging into a limited VPN.
REDCap Data Backup Storage
Application Data File and database storage is backed up to disk every 3 hours and backed up to tape nightly. Dual write redundancy for electronic informed consent documents is applied to projects using REDCap econsent framework configurations. Backup retention rotates on a 14-day period.