Compliance, Data Storage, and Security

Overview of TrialKit's Compliance Practices and Data Security Measures

 

Regulatory Guidelines

The TrialKit platform is a product of Crucial Data Solutions, a U.S. corporation. TrialKit is used as a pharmaceutical and device data collection tool around the globe in all phases of research, post-market studies, and registries. In ongoing efforts to protect the integrity of data and maintain robust up-to-date security, Crucial Data Solutions maintains procedures and policies under the guidance of several regulatory programs, many of which it is subject to being audited under.

US Food and Drug Administration US 21 CFR:

  • Part 11 – Electronic Records; Electronic Signatures
  • Part 312 – Investigational New Drug Applications
  • Part 820 – Quality System Regulations
  • HIPAA - Health Insurance Portability and Accountability Act of 1996


European Medicine Agency:

  • EudraLex, Volume 4, cGMP Medicinal Products for Human and Veterinary Use:
  • Annex 7 – Outsourced Activities
  • Annex 9 – Self Inspection
  • Annex 11 – Computerized Systems
  • Annex 15 – Qualification and Validation

International Standards:

  • GAMP 5 – A Risk-Based Approach to Compliant GxP Computerized Systems
  • GDPR – General Data Protection Regulations – EU Directive 95/46/EC
  • ICH E6 R1 - Guideline for Good Clinical Practice – CPMP/ICH/135/95
  • ICH E6 R2 - Guideline for Good Clinical Practice - Integrated Addendum
  • ICH Q9 – Quality Risk Management
  • ICH Q10 – Pharmaceutical Quality System
  • ISO 9001:2015 – Quality Management Systems
  • ISO/IEC 27001:2013 – Information Security Management
  • SOC Type 2 – Service Organization Controls

Processing

TrialKit Cloud’s networking and data storage employs 3rd party services provided by Amazon Web Services (AWS) around the globe, for both primary hosting and data backup/recovery. AWS is a leader in global industry compliant data storage and security. It is listed and active under the following international and governmental certifications listed below, based on the region of hosting. Crucial Data Solutions will configure hosting in the region under which the data owner requires.

Global

  • CSA
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27701
  • ISO 27018
  • SOC 1
  • SOC 2
  • SOC 3
United States
  • FedRAMP - Government Data Standards
  • FISMA - Federal Information Security Management
  • HIPAA - Protected Health Information
  • HITRUST CSF - Health Information Trust Alliance Common Security Framework
  • NIST - National Institute of Standards and Technology
  • CJIS - Criminal Justice Information Services
  • DOD SRG - Department of Defense Data Processing
  • FIPS - Government Security Standards
  • FERPA - Educational Privacy Act

Europe

  • HDS - Personal Health Data Protection in France
  • C5 - Operational Security Attestation in Germany
  • G-Cloud - Government Standards in the UK
  • CISPE - Coalition of Cloud Infrastructure Services Providers in Europe

As a software company, Crucial Data Solutions maintains rigorous standards in its Quality Management and Security Measures. As part of that, TrialKit Cloud is hosted in AWS where it can inherit the built in security boundaries and controls offered through its AWS provider. CDS is routinely audited by 3rd party clients, including some of the largest organizations in the world.

The sub-services configured by CDS within the AWS VPC boundaries are:

  • RDS for PostgreSQL databases
  • Ec2 virtual servers
  • S3 for backups and logs
  • SNS for notifications

Data Privacy

Crucial Data Solutions does not access or use customer data without explicit consent on a per customer basis. Read the Privacy Policy for more information.

While TrialKit's cloud architecture is certified under a variety of global programs listed above, due to the wide variance and ever-changing nature of modern day data privacy requirements, CDS recommends using qualified legal counsel for individual projects to be certain the correct documentation and protections are in place to support the privacy of data subjects in the region that the data will be collected in. That includes documentation that may be required between you (the data owner) and the data subjects (study sites and participants), and documentation that may be required between you as a data controller and your various processors (TrialKit being one processor or sub-processor).

Some jurisdictions may even require data storage location to be local for the data subjects - which Trialkit does support through it's access to multi-regional AWS facilities. Supporting licensing agreements must be in place for unique data location and boundaries outside the US.

 

Data Storage and Hosting

TrialKit Cloud networking and data storage employ 3rd party services provided by Amazon Web Services (AWS) around the globe, for both primary hosting and data backup/recovery.

Location of data hosting location is determined at the time of study licensing and is indicated on the agreement along with any applicable contracts and addendums required by the client or regulatory authorities.

Crucial Data Solutions (CDS) is contracted with the following AWS facilities:

  • EU West - Ireland
  • EU West - Paris
  • US East - Ohio
  • US West - Oregon

Backup and Retention

Data is backed up on 5-minute intervals throughout the day and retained for the last 30 days within Amazon Web Services (AWS) local zone. Daily backups are also performed to a separate DR AWS region in the event of local disaster that impacts primary hosting facilities. Those backups are retained for 90 days after deletion.

Processing for internal CDS records follow the same policy at minimum. 

Security

Data connections and storage are encrypted using the healthcare industry-standard AES 256/TLS 1.2 SSL and 2048-bit RSA public keys. VPN and Firewall ACLs control access at the cloud level. Network vulnerability assessments and penetration testing are performed routinely.

Client data on the TrialKit cloud is stored in isolated schemas within the database. Access to the data within a schema is managed directly by the named client Administrators or other user-defined permission role levels. Audit trails display the history of user roles and permissions along with the last access.

User-based Application-level security uses 2-factor authentication and optional Oauth2 single sign-on tools.

Private cloud environments configured and managed by CDS are available.

CDS maintains a large number of security-related controls scattered through0ut the following areas:

  • Infrastructure 
  • Product 
  • Internal procedures
  • Organizational

Audits of these controls are supported by CDS for Enterprise clients.