Security Policy
At PharmaTrialsCortex, security is not an afterthought — it is a foundational design principle. Our clinical trial technology platform processes sensitive health data, and we recognize the critical importance of maintaining the confidentiality, integrity, and availability of this data. This Security Policy describes the technical and organizational measures we implement to protect our Services and your data.
This document is intended to provide transparency into our security posture. For contractual security commitments, please refer to our Data Processing Agreement and Service Level Agreement.
Encryption
Data in Transit
All data transmitted between clients and PharmaTrialsCortex services is encrypted using Transport Layer Security (TLS), with TLS 1.3 preferred. We enforce the following standards:
- Minimum TLS version: TLS 1.2 (TLS 1.0 and 1.1 are disabled).
- Preferred TLS version: TLS 1.3 with forward secrecy.
- HTTP Strict Transport Security (HSTS): Enabled with the max-age=31536000, includeSubDomains, and preload directives.
- Certificate management: TLS certificates are issued by trusted Certificate Authorities and automatically renewed.
- Internal service communication: All inter-service communication within our infrastructure uses mutual TLS (mTLS).
Data at Rest
All stored data is encrypted at rest using industry-standard algorithms:
- Database encryption: AES-256 encryption for PostgreSQL databases via transparent data encryption (TDE) and volume-level encryption.
- Field-level encryption: Personally identifiable information (PII) fields are individually encrypted using AES-256 via django-crypto-fields, providing an additional layer of protection beyond volume encryption.
- Backup encryption: All database backups are encrypted with AES-256 before storage.
- File storage encryption: Documents, exports, and uploaded files are encrypted with AES-256 server-side encryption.
- Key management: Encryption keys are managed through hardware security modules (HSMs) and rotated regularly. Keys are never stored alongside encrypted data.
Password Storage
Passwords are hashed using the Argon2id algorithm (the winner of the Password Hashing Competition), which provides resistance to GPU-based and side-channel attacks. We never store passwords in plaintext or reversible encryption.
Access Controls
Authentication
- Multi-factor authentication (MFA): Available for all accounts and required for accounts with access to clinical trial data.
- Password policy: Minimum 12 characters with complexity requirements (uppercase, lowercase, numeric, and special characters), enforced by server-side validation.
- Account lockout: Accounts are locked after 5 consecutive failed login attempts for 30 minutes.
- Session management: Sessions expire after 15 minutes of inactivity as required by 21 CFR Part 11. Session tokens are stored in httpOnly, Secure, SameSite=Strict cookies.
- JWT tokens: Access tokens have a 15-minute lifetime. Refresh tokens have a 24-hour lifetime and are rotated on each use.
- Single Sign-On (SSO): Enterprise customers can integrate with their institutional identity providers via OAuth 2.0/OIDC or SAML 2.0.
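The lockout rule above (5 consecutive failures, 30-minute lock) has a few edge cases worth making explicit: "consecutive" means a successful login resets the counter, a correct password presented during the lockout window is still refused, and the lock releases on its own once the window passes. The following is an added illustration written for this page, not PharmaTrialsCortex's code; it assumes (the policy does not say) that attempts made while locked are rejected without extending the lock, and the timestamps and username are constructed.

```python
"""Account-lockout state machine matching the stated policy (constructed example).

Assumptions not on the page: attempts during an active lockout are rejected
without extending it, and a successful login clears the failure counter.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5                  # consecutive failures before lockout
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the account stays locked


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class LockoutPolicy:
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: datetime) -> bool:
        """True while a lockout is active; expired lockouts are cleared here."""
        state = self._state(username)
        if state.locked_until is None:
            return False
        if now >= state.locked_until:
            state.locked_until = None
            state.consecutive_failures = 0  # start counting afresh after expiry
            return False
        return True

    def record_attempt(self, username: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt and return its outcome.

        "locked"        attempt rejected because a lockout is active
        "failed"        wrong password, below the lockout threshold
        "failed_locked" wrong password, and this failure triggered the lockout
        "ok"            successful login (resets the failure counter)
        """
        if self.is_locked(username, now):
            return "locked"
        state = self._state(username)
        if password_ok:
            state.consecutive_failures = 0
            return "ok"
        state.consecutive_failures += 1
        if state.consecutive_failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_DURATION
            return "failed_locked"
        return "failed"


def demo() -> List[str]:
    """Walk through the policy on a constructed sequence of attempts."""
    policy = LockoutPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    outcomes = []
    for i in range(4):  # four failures: not yet locked
        outcomes.append(policy.record_attempt("alice", False, t0 + timedelta(seconds=i)))
    # a success resets the consecutive counter
    outcomes.append(policy.record_attempt("alice", True, t0 + timedelta(seconds=4)))
    for i in range(5):  # five fresh failures: the fifth triggers the lockout
        outcomes.append(policy.record_attempt("alice", False, t0 + timedelta(seconds=10 + i)))
    # correct password inside the 30-minute window is still refused
    outcomes.append(policy.record_attempt("alice", True, t0 + timedelta(minutes=29)))
    # after the window has passed the account is usable again
    outcomes.append(policy.record_attempt("alice", True, t0 + timedelta(minutes=45)))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Note that every outcome, including rejected attempts during the lockout, is something the audit-logging section below requires to be recorded; the return value is the natural hook for that.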
Authorization
- Role-based access control (RBAC): All access is governed by fine-grained roles (Account Manager, Auditor, Clinician, Data Manager, Nurse, Statistician, PII Viewer) with predefined permission sets.
- Principle of least privilege: Users are granted the minimum permissions necessary for their job function.
- Site-scoped data isolation: Clinical trial data is scoped to the study and site level. Users can only access data for studies and sites to which they are explicitly assigned.
- No shared accounts: Each user must have a unique individual account as required by 21 CFR Part 11 Section 11.100.
- Access reviews: Customer administrators are responsible for periodic access reviews. PharmaTrialsCortex provides audit reports to facilitate this process.
Infrastructure Access
- PharmaTrialsCortex engineering staff access production infrastructure only through secured, audited jump servers with MFA.
- Production database access requires explicit authorization, is logged, and is limited to authorized personnel for specific maintenance or support tasks.
- Customer data is never accessed without explicit customer authorization except as required for service operation (e.g., automated backups, system monitoring).
Audit Logging
Comprehensive audit logging is a cornerstone of our compliance architecture, required by 21 CFR Part 11 Section 11.10(e) and ICH-GCP:
- Immutable audit trails: Every access, creation, modification, and deletion of clinical trial data generates an immutable audit trail record. Audit records cannot be modified or deleted by any user, including system administrators.
- Audit record contents: Each record includes the user identity, timestamp, IP address, user agent, action performed, field name, old value, new value, and reason for change.
- Electronic signature logging: All e-signature events are logged with the signer’s identity, timestamp, and signature meaning as required by 21 CFR Part 11 Sections 11.50 and 11.100.
- Authentication events: All login attempts (successful and failed), logouts, password changes, MFA enrollments, and account lockouts are logged.
- API access logs: All API requests are logged with the request method, endpoint, response status, user identity, and IP address.
- Infrastructure logs: System-level events (server access, configuration changes, deployment events) are logged and shipped to centralized log management.
- Log retention: Audit logs are retained for the regulatory-mandated retention period (typically 25 years for clinical trial data) in encrypted, tamper-evident storage.
- Log monitoring: Real-time monitoring and alerting on anomalous access patterns, failed authentication attempts, and privilege escalation events.
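The policy asks for audit records that cannot be altered after the fact and for tamper-evident storage. One common way to make alteration detectable is a hash chain: each record embeds the hash of its predecessor, so editing, reordering or removing any record invalidates every link after it. The code below is an added example for this page, not a description of how the PharmaTrialsCortex platform stores its audit trail; the record fields follow the list above, while the chaining scheme, the field names and the sample records are constructed.

```python
"""Hash-chained audit trail (constructed example).

The record fields are those listed in the policy; chaining with SHA-256 is
one way to make the trail tamper-evident and is an assumption here.
"""
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS_HASH = "0" * 64  # anchor for the first record in the chain

AUDIT_FIELDS = ("user", "timestamp", "ip_address", "user_agent",
                "action", "field_name", "old_value", "new_value", "reason")


def _canonical(record: Dict[str, Any]) -> bytes:
    # Deterministic serialisation (sorted keys, no whitespace) so that the
    # same record always hashes to the same value.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_record(chain: List[Dict[str, Any]], **fields: Any) -> Dict[str, Any]:
    """Append a record, refusing any that lacks a required audit field."""
    missing = set(AUDIT_FIELDS) - set(fields)
    if missing:
        raise ValueError(f"audit record missing fields: {sorted(missing)}")
    body = {k: fields[k] for k in AUDIT_FIELDS}
    body["seq"] = len(chain)                                    # position guards against reordering
    body["prev_hash"] = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = dict(body)
    entry["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != expected_prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, -1


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Build a three-record trail, then simulate an after-the-fact edit."""
    chain: List[Dict[str, Any]] = []
    common = dict(user="dmanager@example.org",            # constructed identity
                  ip_address="203.0.113.10",               # constructed (TEST-NET-3) address
                  user_agent="Mozilla/5.0 (constructed)",
                  reason="data entry correction")
    append_record(chain, timestamp="2024-03-01T10:00:00Z", action="create",
                  field_name="visit_date", old_value=None, new_value="2024-02-28", **common)
    append_record(chain, timestamp="2024-03-01T10:05:00Z", action="update",
                  field_name="visit_date", old_value="2024-02-28", new_value="2024-02-29", **common)
    append_record(chain, timestamp="2024-03-01T10:07:00Z", action="read",
                  field_name="visit_date", old_value=None, new_value=None, **common)
    intact = verify_chain(chain)
    chain[1]["new_value"] = "2024-03-01"  # someone rewrites history; hash no longer matches
    tampered = verify_chain(chain)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

A chain like this detects edits, reordering and deletions in the middle, but silently truncating the tail is only caught if the latest hash is also recorded somewhere the writer cannot reach (a separate store, a signed checkpoint, or the centralized log management the policy mentions); that external anchor is what turns "hashed" into "tamper-evident".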
Vulnerability Management
Dependency Scanning
- Automated scanning: All application dependencies are continuously scanned for known vulnerabilities using automated tools integrated into our CI/CD pipeline.
- Security advisory monitoring: We subscribe to security advisories for all critical dependencies (Django, PostgreSQL, React, Node.js) and apply patches promptly.
- Dependency updates: Security patches are applied within 24 hours for critical vulnerabilities (CVSS 9.0+), 7 days for high vulnerabilities (CVSS 7.0-8.9), and 30 days for medium vulnerabilities (CVSS 4.0-6.9).
Static Analysis
- Code scanning: All code changes undergo static analysis security testing (SAST) using tools including Bandit (Python security linter), Ruff (linting), and ESLint security plugins.
- Secret scanning: Automated secret detection in the codebase to prevent accidental exposure of API keys, credentials, or tokens.
- Code review: All code changes require peer review before merging, with security-focused review for changes affecting authentication, authorization, encryption, or data handling.
Infrastructure Security
- Operating system patching: Server operating systems are kept current with automated security patch management.
- Container security: Docker images are scanned for vulnerabilities before deployment. Base images are updated regularly.
- Network segmentation: Application, database, and cache layers are isolated in separate network segments with firewall rules limiting communication to necessary ports and protocols.
- DDoS protection: Cloudflare WAF and DDoS mitigation are deployed in front of all public-facing services.
Incident Response
PharmaTrialsCortex maintains a documented Incident Response Plan that follows the NIST Cybersecurity Framework (CSF) incident response lifecycle:
Classification
Incidents are classified by severity:
| Severity | Description | Response Time |
|---|---|---|
| Critical (P1) | Active data breach, system compromise, or data loss affecting clinical trial data | 15 minutes |
| High (P2) | Potential security breach, vulnerability actively being exploited, or service outage | 1 hour |
| Medium (P3) | Vulnerability discovered but not exploited, security misconfiguration | 4 hours |
| Low (P4) | Minor security issue, policy violation, security improvement needed | 24 hours |
Response Process
- Detection and Analysis: Incidents are detected through automated monitoring, user reports, or vulnerability scanning. The incident response team assesses the scope, impact, and severity.
- Containment: Immediate measures are taken to contain the incident and prevent further damage. This may include isolating affected systems, revoking compromised credentials, or blocking malicious IPs.
- Eradication: The root cause is identified and eliminated. Affected systems are patched or rebuilt.
- Recovery: Systems are restored to normal operation with validation that the threat has been eliminated.
- Post-Incident Review: A blameless post-incident review is conducted to identify lessons learned and improve defenses. Findings are documented and shared with affected customers where appropriate.
Customer Notification
Customers are notified of security incidents affecting their data in accordance with our Data Processing Agreement:
- Personal Data Breach: Notification within 48 hours of becoming aware of a breach affecting personal data.
- 21 CFR Part 11 incidents: Notification within 24 hours for unauthorized access to or modification of electronic records or audit trails.
- Service incidents: Status updates provided through our status page and direct communication.
Penetration Testing
- External penetration testing: We engage independent, qualified third-party security firms to conduct penetration testing of our Services at least annually.
- Scope: Testing covers web application security, API security, infrastructure security, and social engineering vectors.
- Methodology: Testing follows industry-standard methodologies (OWASP Testing Guide, PTES, NIST SP 800-115).
- Remediation: All findings are triaged by severity and remediated according to our vulnerability management SLAs.
- Reports: Executive summaries of penetration test results are available to enterprise customers under NDA upon request.
Compliance Certifications
PharmaTrialsCortex is designed to meet the requirements of the following regulatory frameworks:
| Framework | Scope | Status |
|---|---|---|
| 21 CFR Part 11 | Electronic records and signatures for clinical trial data | Compliant by design; validated per GAMP 5 |
| ICH-GCP E6(R2/R3) | Good Clinical Practice for data management | Compliant |
| GDPR | Protection of personal data of EU/EEA residents | Compliant; DPA available |
| UK GDPR | Protection of personal data of UK residents | Compliant |
| HIPAA | Protection of US health information | BAA available; compliant when BAA executed |
| CCPA/CPRA | California consumer privacy rights | Compliant |
| SOC 2 Type II | Security, availability, and confidentiality controls | In progress (target: Phase 4) |
| ISO 27001 | Information security management system | Planned |
Shared Responsibility: PharmaTrialsCortex provides a secure platform, but security is a shared responsibility. Customers are responsible for managing user access within their organization, configuring study-level permissions, maintaining strong passwords, and ensuring their use of the Services complies with applicable regulations.
Responsible Disclosure
We value the security research community and encourage responsible disclosure of vulnerabilities in our Services.
Reporting a Vulnerability
If you discover a security vulnerability, please report it to us at security@pharmatrialscortex.com. Please include:
- A description of the vulnerability and its potential impact.
- Detailed steps to reproduce the issue.
- Any proof-of-concept code or screenshots.
- Your contact information for follow-up.
Our Commitment
- Acknowledgment: We will acknowledge receipt of your report within 24 hours.
- Assessment: We will assess the reported vulnerability and provide an initial response within 5 business days.
- Remediation: We will work to remediate confirmed vulnerabilities according to our vulnerability management SLAs.
- Recognition: With your permission, we will credit you in our security acknowledgments for valid reports.
- No retaliation: We will not pursue legal action against researchers who act in good faith and comply with this policy.
Rules of Engagement
When conducting security research, please:
- Do not access, modify, or delete data belonging to other users or customers.
- Do not perform testing that could degrade, disrupt, or deny service to other users.
- Do not perform social engineering against PharmaTrialsCortex employees.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it (we request at least 90 days).
- Limit testing to your own accounts and test environments.
Contact
For security-related inquiries, reports, or requests:
- Security Team: security@pharmatrialscortex.com
- Data Protection Officer: dpo@pharmatrialscortex.com
- General Support: support@pharmatrialscortex.com
For urgent security incidents, email security@pharmatrialscortex.com with “URGENT” in the subject line. We monitor this inbox around the clock.