Guiding Principles and Business Ethics
Data Privacy and Cybersecurity
We actively protect our tangible and intangible assets while we evaluate and mitigate risks across our operations and our products.
Data protection and information security at Twist
Protecting customer and partner data is a critical responsibility and top priority at Twist. Our customers and partners trust us with confidential information that could become the basis of their intellectual property. For Twist, protecting critical customer data involves implementing robust security measures to safeguard sensitive and confidential information from unauthorized access, breaches and cyber threats as well as using encryption, secure storage systems, and strict access controls. We have established clear data handling policies, regularly train employees on security best practices, and stay compliant with, and even ahead of, relevant national and international data protection regulations. Regular security audits and updates to systems are essential to address emerging vulnerabilities.
Twist’s Information Security program, like our Quality, Privacy and Biosecurity programs, is built upon the foundation of international standards and is overseen by experts in the field and rigorously and continuously scrutinized.
Twist is ISO 27001-certified to the most up-to-date 2022 revision of the standard. An accredited, independent certification body audits Twist each year to make sure that all working parts of our Information Security program — our People, our Processes, and our Technology — comply with or exceed the standard. Our Board of Directors oversees all efforts at the highest level of the company.
People
- All company employees are trained in our Cybersecurity Awareness program, which includes phishing and social engineering. The program includes yearly training, quarterly testing, and weekly informational campaigns to keep digital safety high in our team’s consciousness.
- We perform employee background checks, clearly delineate roles and responsibilities, apply a strict philosophy of least privilege governing access control, and we build segregation of duties into our policies and operations.
- We partner with compliance experts, penetration testers, security operation center teams, law firms specializing in cybersecurity, and national and global agencies including the Center for Internet Security (CIS), MITRE, the United States Computer Emergency Readiness Team (US-CERT), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).
- Our Executive Leadership Team (ELT), Audit Committee (AC), and Product Approval Committee (PAC) are all regularly briefed on the company’s cybersecurity posture and provide guidance on strategy and priorities.
- The Board is briefed on our cybersecurity landscape, roadmap, and maturity on a semi-annual basis.
Process
- Annual audits and re-certification for ISO 27001 to ensure data protection practices comply with applicable laws and cybersecurity best practices.
- Annual risk assessment run by the Information Security team and sponsored by the CIO.
- Annual penetration testing performed by an accredited, third-party agency.
- Continuous vulnerability scanning and mitigation both in our code and in our services.
- Quarterly access control reviews for all significant Applications.
- Incident Response, Business Continuity, and Disaster Recovery policies and procedures to deal with cybersecurity incidents or natural disasters.
- Supply chain management with vendor selection security assessments and vendor assessments.
- Company privacy policy and privacy practices that are in line with applicable personal data protection laws and regulations.
Technology
- Production infrastructure housed in AWS SOC-audited data centers.
- AI-driven endpoint protection and gateway security.
- Identity lifecycle management.
- Single Sign-On, Multi-factor Authentication, and VPN.
- Secrets and privileged access management.
- At-rest and in-transit encryption with KMS.
- Next-gen firewall technology, segmented networks, and certificate-based authentication.
Biosecurity at Twist Bioscience
Twist Bioscience invests considerable resources into building, operating, and evolving a comprehensive biosecurity program that includes participating in national initiatives to improve the algorithms, metadata, and tooling that researchers use to assess the potential biological risk of DNA and protein sequences.
Twist Bioscience is a leading provider of synthetic DNA on a global scale and is committed to promoting responsible use of its products. To that end, the company has invested significant resources in developing and continuously improving a comprehensive biosecurity program. This program includes participation in national and international initiatives to enhance algorithms, metadata, and tools used by researchers to assess potential biological risks posed by specific DNA and protein sequences.
Twist understands the importance of advancing biosecurity as a core technology provider and strives to contribute to a safe biotechnology environment. The company has engaged and collaborated with governments, academic institutions, international non-governmental organizations and other DNA synthesis providers to develop a set of consistent biosecurity best practices. As the field of biotechnology and synthetic biology continues to evolve, Twist remains active in writing the biosecurity playbook to ensure that appropriate safeguards are in place.
National and international regulations
To comply with all U.S. government guidance and regulations, Twist Bioscience implements strict biosecurity and export control screening measures to ensure that all orders are fulfilled appropriately. These measures include adhering to the Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids published in 2023 by the U.S. government and the Harmonized Screening Protocol established by the International Gene Synthesis Consortium. The U.S. Federal Select Agent Program (FSAP) is the primary regulatory framework governing the control of certain synthetic DNA sequences within the United States. In addition, as Twist Bioscience manufactures all products in the U.S. (Wilsonville, OR, and South San Francisco, CA), the sale of synthetic DNA is subject to compliance with the Export Administration Regulations (EAR) administered by the U.S. Department of Commerce, which dictates that certain nucleic acid sequences may require a license prior to export.
By adhering to these regulatory frameworks, Twist Bioscience ensures that DNA sequences that pose a significant risk if misused are not synthesized or shipped to organizations that may not use them responsibly.
Screening of sequences and customers
In order to avoid synthesis of potentially dangerous sequences, Twist Bioscience has implemented a comprehensive screening program.
All double-stranded DNA sequences ordered are screened to identify whether they originate from an organism or toxin that is domestically or internationally controlled for possession. These controlled organisms or toxins include variola (which causes smallpox), dangerous strains of avian influenza, and other pathogens that pose a significant threat to animal, plant, or human health. Controlled organisms and toxins are highly regulated, and possession is restricted.
If a controlled sequence (or a portion thereof) is detected during screening, Twist Bioscience contacts the customer to verify the customer's identity, their intended use for the sequences, and their past publication record on similar research, and to ensure any required licenses are issued before shipment.
Moreover, Twist Bioscience uses various government lists, such as the U.S. Treasury Specially Designated Nationals list, the U.S. State Department Denied Parties List, and the Department of Commerce Entity List to screen each customer, ensuring that synthetic DNA is not sold to potentially dangerous individuals or organizations. Additionally, Twist confirms the validity of each organization to which they sell and requires customers to agree not to resell synthetic DNA produced by Twist Bioscience unless they have been licensed to do so under a specific contract. Twist Bioscience only ships synthetic DNA to valid commercial addresses and will not ship to a residential address or a P.O. Box.
Staffing
Twist Bioscience assigns human resources to ensure that its employees adhere to all the policies and procedures that are part of its biosecurity program and to address any concerns that may emerge. This team includes a Trade Compliance Manager, a Screening Manager, and a Biosecurity Response Team.
Reporting
Twist Bioscience collaborates with various governing and industry organizations to address biosecurity concerns. These organizations include the Federal Bureau of Investigation (FBI), the Centers for Disease Control and Prevention (CDC), the U.S. Commerce Department Bureau of Industry and Security, and the U.S. Department of Agriculture’s Animal and Plant Health Inspection Service. Additionally, Twist is a member of, and currently chairs, the International Gene Synthesis Consortium (IGSC), an industry trade group consisting of more than 25 of the world’s largest synthetic DNA manufacturers. IGSC members may use an existing mechanism to notify each other of suspicious orders received to prevent the ordering of dangerous DNA sequences from other vendors.
Record keeping
At Twist Bioscience, we have implemented internal policies that meet or exceed recommendations set out in the 2023 U.S. Department of Health & Human Services Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids with regard to retention of documentation for each biosecurity screening of a DNA sequence that has been ordered. Twist maintains this documentation for a period of at least eight years.
Red teaming
Twist Bioscience has challenged the effectiveness of its biosecurity program by engaging skilled consultants to attempt to breach its security measures, a practice commonly known as red teaming in cybersecurity. The consultants place real orders that are intended to deceive the screening process. Despite these attempts, none of the experts’ obfuscation methods have succeeded, indicating that the biosecurity program implemented by Twist Bioscience is highly robust.
We recognize that biosecurity is an ever-evolving field, and we strive to keep up with best practices and adapt to emerging concerns. We believe that life sciences research has the potential to improve public health and emergency preparedness, and we encourage flexible governance to address new information and changing dynamics.
To ensure that our screening protocols meet or exceed best practices, we actively engage with leading experts, participate in programs such as the Intelligence Advanced Research Projects Activity Functional Genomic and Computational Assessment of Threats program, and support the International Biosecurity & Biosafety Initiative for Science (IBBIS).
While implementing these policies and procedures requires investment in both time and resources, we remain committed to advancing scientific research to benefit society. Synthetic biology has the potential to improve human health and the environment, and we are proud to provide high-quality synthetic DNA while maintaining disciplined biosecurity screening to ensure public safety.
Biosecurity and the best practices required to maintain safe access to synthetic DNA will evolve continually as our understanding of biology increases. We engage in active dialogue with leading experts to help ensure Twist Bioscience biosecurity screening meets or exceeds best practices to help maintain public safety.