Overview
ClinicalDataS is built on a foundation of "Privacy by Design" and "Security by Default." We are committed to protecting the privacy, integrity, and confidentiality of all clinical data and personally identifiable information (PII) processed on our platform.
This policy outlines how ClinicalDataS collects, processes, secures, and manages data in strict adherence to global regulatory frameworks and industry best practices.
Compliance Frameworks
ClinicalDataS is designed to support our clients in meeting the stringent requirements of major global data protection and clinical research regulations, including:
| Framework | Applicability & Focus |
|---|---|
| GDPR (General Data Protection Regulation) | Data minimization, lawful processing, data subject rights, and cross-border transfer mechanisms (e.g., SCCs). |
| HIPAA (Health Insurance Portability and Accountability Act) | Protection of Protected Health Information (PHI) through robust administrative, physical, and technical safeguards (Privacy & Security Rules). |
| Decree 13/2023/NĐ-CP (Vietnam PDPD) | Consent management, cross-border data transfer assessments (DPIA), and strict handling of sensitive personal data. |
| ISO/IEC 27001:2022 | Comprehensive Information Security Management System (ISMS) covering access control, cryptography, and incident management. |
| ICH-GCP | Ensuring data integrity, traceability, and accountability in clinical trial conduct. |
Data Roles and Responsibilities
In the context of clinical trials, ClinicalDataS operates strictly as a Data Processor (under GDPR/Decree 13) and a Business Associate (under HIPAA).
- Data Controller / Covered Entity: The Study Sponsor, Contract Research Organization (CRO), or Investigational Site determines the purposes and means of processing subject data.
- Data Processor / Business Associate: ClinicalDataS processes this data solely on documented instructions from the Controller, governed by a formal Data Processing Agreement (DPA) or Business Associate Agreement (BAA).
Technical & Organizational Safeguards
ClinicalDataS implements enterprise-grade security controls, directly mapped to our platform features, to ensure data protection:
1. Access Control & Authentication (ISO 27001 A.5.15, HIPAA §164.312)
- Granular RBAC: Role-Based Access Control restricts system access in line with the "Minimum Necessary" principle. Permissions are enforced at the study, site, and module levels.
- Multi-Factor Authentication (MFA/2FA): Mandatory or optional Two-Factor Authentication (via Google Authenticator) is available for all user accounts.
- Session Management: Strict password policies, automatic session timeouts, and controls for multi-device logins.
2. Data Minimization & PHI Protection (GDPR Art. 5, HIPAA Privacy Rule)
- PHI Masking: Administrators can configure dynamic masking rules to hide or obfuscate sensitive Protected Health Information (PHI) based on the user's role, ensuring data is only visible to authorized personnel.
- Form Builder Controls: Study designers can explicitly flag fields as "PHI Data" during the CRF design phase, triggering automatic protection protocols.
3. Immutable Auditability & Traceability (ICH-GCP, ISO 27001 A.8.15)
- Comprehensive Audit Trails: Every data creation, modification, Source Data Verification (SDV), or deletion is logged with a timestamp, user identity, IP address, and before/after values. These logs are immutable and exportable.
- Email & System Logs: Centralized logging of all automated system notifications and authentication attempts for security monitoring.
4. Encryption & Infrastructure Security (ISO 27001 A.8.24)
- Data in Transit: All communications between the client browser and our servers are encrypted using TLS 1.2 or higher.
- Data at Rest: Clinical data and uploaded documents (e.g., eConsent forms, monitoring reports) are stored in secure, encrypted cloud storage (e.g., AWS S3 with AES- is applied to all file uploads and attachments.
5. Secure AI Integration (2026 Feature)
- Controlled AI Processing: The integrated AI Chat Assistant processes data through secure, isolated workflows. CRF data is converted into standardized, anonymized formats before being sent to the AI engine, ensuring no raw, unmasked PHI is stored or used for model training.
Data Subject Rights
ClinicalDataS provides tools to help Data Controllers fulfill the rights of clinical trial participants (Data Subjects):
- Right to Access & Portability: Authorized users can extract normalized datasets (e.g., CDISC ODM, CSV) for specific subjects or studies.
- Right to Rectification: Data corrections are permitted through a controlled Query and Discrepancy Note workflow, maintaining a full audit trail of the change (no destructive overwriting).
- Right to Withdraw Consent: The eConsent Module allows participants to digitally withdraw consent at any time. Upon withdrawal, the system can automatically lock further data collection for that subject while preserving the integrity of previously collected data for regulatory purposes.
Data Retention & Secure Disposal
- Retention Period: Data is retained for the duration of the clinical trial and for the period mandated by the study protocol and applicable local regulations (typically 15–25 years post-trial).
- Secure Deletion: Upon expiration of the retention period or upon formal request from the Data Controller, data is either permanently anonymized or securely wiped using industry-standard methods (e.g., NIST SP 800-88), accompanied by a Certificate of Destruction.
Cross-Border Data Transfers
Recognizing the global nature of clinical research, ClinicalDataS supports compliant international data flows:
- Data Residency: We offer configurable data residency options to ensure data remains within specific geographic boundaries if required by local law.
- Transfer Mechanisms: For transfers outside the EEA or other restricted regions, we support Standard Contractual Clauses (SCCs) and assist Controllers in conducting Transfer Impact Assessments (TIAs) or Data Protection Impact Assessments (DPIAs) as required by Decree 13.
Legal Disclaimer: This document serves as a general overview of ClinicalDataS's privacy and security commitments. It does not constitute legal advice. Specific legal obligations are governed by the executed Data Processing Agreement (DPA) or Business Associate Agreement (BAA) between ClinicalDataS and the client.