Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or Master Service Agreement (“Agreement”) between the customer identified in the Agreement (“Controller,” “Customer,” or “you”) and PharmaTrialsCortex, Inc. (“Processor,” “PharmaTrialsCortex,” “we,” or “us”).
This DPA sets out the terms under which PharmaTrialsCortex processes personal data on behalf of the Controller in connection with the provision of PharmaTrialsCortex’s clinical trial technology services, including SmartEDC, TMFEye.ai, and eCTMS (the “Services”). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and equivalent provisions of the UK GDPR and Swiss Federal Act on Data Protection (“FADP”).
This DPA shall take precedence over any conflicting provisions in the Agreement with respect to the processing of personal data.
Definitions
In this DPA, the following terms shall have the meanings set forth below. Terms not defined here shall have the meanings given in the GDPR or the Agreement:
- “Applicable Data Protection Law” means all laws and regulations relating to the processing of personal data applicable to the performance of this DPA, including the GDPR, UK GDPR, FADP, CCPA/CPRA, HIPAA (where applicable), and any national implementing legislation.
- “Controller” means the entity that determines the purposes and means of the processing of personal data, as identified in the Agreement.
- “Data Subject” means an identified or identifiable natural person whose personal data is processed under this DPA.
- “Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Services.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- “Processing” means any operation performed on personal data, as defined in Article 4(2) of the GDPR.
- “Processor” means PharmaTrialsCortex, Inc., which processes personal data on behalf of the Controller.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data adopted by the European Commission in Implementing Decision (EU) 2021/914.
- “Subprocessor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
Scope of Processing
Subject Matter and Duration
The Processor shall process personal data for the duration of the Agreement and as necessary to wind down processing activities upon termination, in accordance with the termination provisions of this DPA.
Nature and Purpose of Processing
The Processor processes personal data to provide the Services, which include:
- Hosting and operating the SmartEDC electronic data capture platform, TMFEye.ai trial master file system, and eCTMS clinical trial management system.
- Storing, managing, and facilitating access to clinical trial data, including eCRF entries, audit trails, electronic signatures, adverse event reports, and participant records.
- Providing data export, reporting, and analytics functionality.
- Maintaining audit trails, access logs, and security controls as required by 21 CFR Part 11 and ICH-GCP.
- Providing technical support and system administration.
- Performing automated backups and disaster recovery.
Categories of Data Subjects
- Clinical trial participants (via pseudonymized identifiers).
- Investigators, study coordinators, data managers, monitors, and other clinical research personnel.
- Customer employees and contractors who access the Services.
Types of Personal Data
- Research Personnel Data: Name, email address, job title, organizational affiliation, role assignments, login credentials (hashed), IP addresses, access logs.
- Pseudonymized Participant Data: Subject identifiers, visit dates, clinical observations, laboratory results, adverse event data, informed consent records, appointment schedules.
- Protected Health Information (PHI): Where applicable and as authorized by a Business Associate Agreement, data elements constituting PHI under HIPAA.
- Audit Data: Immutable records of data access, modifications, and electronic signatures including user identity, timestamp, IP address, and change details.
Special Categories of Data
Where the Controller instructs the Processor to process special categories of data (Article 9 GDPR) such as health data in clinical trial records, the Controller is responsible for ensuring a valid legal basis exists, such as explicit consent of the data subject or processing for scientific research purposes with appropriate safeguards (Article 9(2)(a) or (j)).
Controller Obligations
The Controller shall:
- Ensure that the processing of personal data has a valid legal basis under Applicable Data Protection Law, including any required consents from data subjects.
- Provide lawful instructions to the Processor regarding the processing of personal data. The Controller acknowledges that the Services are designed for clinical trial operations and shall not instruct the Processor to process personal data in a manner inconsistent with this purpose.
- Ensure that data subjects have been informed about the processing of their personal data in accordance with Articles 13 and 14 of the GDPR, including disclosure of PharmaTrialsCortex as a processor.
- Respond to data subject requests (Articles 15-22 GDPR) with reasonable assistance from the Processor as described in this DPA.
- Comply with all obligations applicable to controllers under Applicable Data Protection Law.
- Notify the Processor without undue delay if the Controller becomes aware that any instruction it has given infringes Applicable Data Protection Law.
- Conduct and maintain a Data Protection Impact Assessment (DPIA) where required by Article 35 of the GDPR.
Processor Obligations
The Processor shall:
- Process on Instructions: Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by EU or member state law to which the Processor is subject (in which case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so).
- Confidentiality: Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security Measures (Article 32): Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - AES-256 encryption of personal data at rest and TLS 1.3 encryption in transit.
  - Role-based access controls applying the principle of least privilege.
  - Multi-factor authentication for all personnel with access to personal data.
  - Automatic session timeout after 15 minutes of inactivity.
  - Account lockout after 5 consecutive failed login attempts.
  - Immutable audit trails recording all access to and modifications of personal data.
  - Regular security testing, including vulnerability scanning and penetration testing.
  - Incident response procedures with defined escalation paths.
  - Regular encrypted backups with tested restoration procedures.
  - Employee security training and background checks.
- Subprocessors: Comply with the subprocessor provisions set forth in this DPA.
- Data Subject Rights: Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights under the GDPR.
- Assistance with Compliance: Assist the Controller in ensuring compliance with Articles 32-36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- Deletion or Return: At the choice of the Controller, delete or return all personal data after the end of the provision of Services, and delete existing copies unless EU or member state law requires retention. For clinical trial data, regulatory retention requirements (e.g., the 25-year trial master file retention period under Regulation (EU) No 536/2014 and the record-retention requirements of ICH-GCP) take precedence over deletion.
- Demonstrate Compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits and inspections.
Subprocessors
Authorization
The Controller provides general written authorization for the Processor to engage subprocessors to process personal data. A list of current subprocessors is maintained at /legal/subprocessor-list.
Obligations on Subprocessors
The Processor shall:
- Impose contractual obligations on each subprocessor that are no less protective than those set out in this DPA, by way of a written contract in accordance with Article 28(4) of the GDPR.
- Remain fully liable to the Controller for the performance of each subprocessor’s obligations.
- Conduct due diligence on the security and data protection practices of prospective subprocessors before engagement.
Notification of Changes
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of subprocessors, providing the name, location, and nature of processing. The Controller may object to the appointment of a new subprocessor within 14 days of notification. If the Controller raises a reasonable objection, the parties shall discuss the concern in good faith. If resolution cannot be reached, the Controller may terminate the affected Services without penalty.
Data Transfers
Transfers Outside the EEA
The Processor shall not transfer personal data to a country outside the EEA, UK, or Switzerland unless one of the following safeguards is in place:
- Adequacy Decision: The European Commission has issued an adequacy decision for the recipient country (Article 45 GDPR).
- Standard Contractual Clauses: The transfer is subject to the SCCs (Commission Implementing Decision (EU) 2021/914), with appropriate modules selected based on the transfer scenario (Module 2: Controller to Processor; Module 3: Processor to Processor).
- Data Privacy Framework: The recipient is certified under the EU-U.S. Data Privacy Framework, the UK Extension, or the Swiss-U.S. Data Privacy Framework.
- Derogations: A derogation under Article 49 of the GDPR applies.
Transfer Impact Assessments
For transfers relying on SCCs, the Processor shall:
- Conduct a transfer impact assessment evaluating whether the laws and practices of the recipient country ensure an essentially equivalent level of protection.
- Implement supplementary technical measures (e.g., encryption, pseudonymization) and organizational measures to address any identified risks.
- Make the transfer impact assessment available to the Controller upon request.
Current Transfer Mechanisms
PharmaTrialsCortex’s primary infrastructure is located in the United States. Transfers from the EEA/UK to the US are protected by a combination of SCCs with supplementary measures and, where applicable, the EU-U.S. Data Privacy Framework.
Data Breach
Notification
The Processor shall notify the Controller of a Personal Data Breach without undue delay and in any event no later than 48 hours after becoming aware of the breach. Notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of the Processor’s data protection officer or other point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its adverse effects.
Cooperation
The Processor shall:
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Provide the Controller with additional information as it becomes available.
- Not notify any supervisory authority, data subject, or third party of the breach unless instructed to do so by the Controller or required by Applicable Data Protection Law.
- Maintain a record of Personal Data Breaches, including the facts, effects, and remedial actions taken.
Regulatory Requirements
For breaches involving data subject to 21 CFR Part 11, the Processor shall additionally notify the Controller of any unauthorized access to, modification of, or destruction of electronic records or audit trails within 24 hours of discovery.
Audit Rights
Controller Audits
The Controller, or a qualified third-party auditor appointed by the Controller (subject to reasonable confidentiality obligations), shall have the right to conduct audits of the Processor’s processing activities to verify compliance with this DPA. The Controller shall:
- Provide at least 30 days’ prior written notice of an audit.
- Conduct the audit during normal business hours with minimal disruption to the Processor’s operations.
- Limit the scope of the audit to processing activities performed on behalf of the Controller.
- Not conduct more than one audit per calendar year, unless required by a supervisory authority or following a Personal Data Breach.
Processor Cooperation
The Processor shall:
- Cooperate with the audit and provide access to relevant facilities, systems, personnel, and records.
- Provide relevant compliance documentation, including security audit reports (SOC 2 Type II, ISO 27001, or equivalent), penetration test summaries, and data protection impact assessments.
- Permit the auditor to interview relevant personnel.
Audit Reports
Where available, the Processor may satisfy audit requests by providing copies of current third-party audit reports (such as SOC 2 Type II reports or ISO 27001 certificates) that cover the processing activities relevant to this DPA.
Termination
Effect on Personal Data
Upon termination or expiration of the Agreement:
- The Processor shall cease processing personal data on behalf of the Controller, except as necessary to return or delete the data.
- At the Controller’s election, the Processor shall either:
- Return all personal data to the Controller in a structured, commonly used, and machine-readable format (CDISC ODM, CSV, or JSON); or
- Securely delete all personal data and certify such deletion in writing.
- The Controller must make its election within 90 days of termination. After 90 days, the Processor shall delete all personal data unless retention is required by Applicable Data Protection Law.
- Clinical trial data subject to regulatory retention obligations (e.g., 21 CFR Part 11, ICH-GCP) shall be retained in encrypted, access-controlled archival storage for the required period, after which it shall be securely deleted.
Survival
The obligations in this DPA shall survive termination of the Agreement to the extent necessary to complete the processing, return, or deletion of personal data and to fulfill any ongoing regulatory retention obligations.
Liability
Allocation
Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.
Regulatory Fines
Each party shall be responsible for any administrative fines imposed on it by a supervisory authority to the extent that such fines relate to a breach of Applicable Data Protection Law attributable to that party.
Indemnification
The Processor shall indemnify the Controller against any losses, damages, and expenses (including reasonable legal fees) arising from the Processor’s breach of this DPA or Applicable Data Protection Law, to the extent caused by the Processor’s act or omission.
To execute this DPA, contact legal@pharmatrialscortex.com. This DPA is automatically incorporated into all PharmaTrialsCortex subscription agreements and master service agreements as of the effective date stated above.