Subprocessor List
In accordance with Article 28(2) of the General Data Protection Regulation (GDPR) and the terms of our Data Processing Agreement, PharmaTrialsCortex, Inc. (“PharmaTrialsCortex,” “we,” “us,” or “our”) maintains this list of third-party subprocessors engaged to process personal data on behalf of our customers (data controllers).
This page is updated whenever a subprocessor is added, removed, or materially changed. Customers who have executed a Data Processing Agreement with PharmaTrialsCortex are entitled to advance notification of changes as described in the Changes to Subprocessors section.
Current Subprocessors
The following third-party subprocessors are currently engaged by PharmaTrialsCortex to process personal data in connection with the provision of our Services:
Infrastructure & Hosting
| Subprocessor | Purpose | Data Processed | Location | DPA/SCCs |
|---|---|---|---|---|
| Cloudflare, Inc. | Content delivery network (CDN), web application firewall (WAF), DDoS mitigation, DNS management | IP addresses, HTTP headers, request metadata | United States (global edge network) | DPA with SCCs |
| Render Services, Inc. | Backend application hosting, database hosting (PostgreSQL), background job processing | All application data including clinical trial data, user accounts, audit trails | United States (Oregon) | DPA with SCCs |
Monitoring & Error Tracking
| Subprocessor | Purpose | Data Processed | Location | DPA/SCCs |
|---|---|---|---|---|
| Sentry (Functional Software, Inc.) | Application error tracking, performance monitoring, crash reporting | Error context (stack traces, request metadata, user IDs); no clinical trial data is transmitted | United States | DPA with SCCs |
Communications
| Subprocessor | Purpose | Data Processed | Location | DPA/SCCs |
|---|---|---|---|---|
| Twilio SendGrid | Transactional email delivery (account notifications, password resets, query alerts, system notifications) | Email addresses, email subject lines, delivery metadata | United States | DPA with SCCs |
Analytics
| Subprocessor | Purpose | Data Processed | Location | DPA/SCCs |
|---|---|---|---|---|
| Google LLC (Google Analytics) | Marketing website analytics only (not used in clinical platform applications) | IP addresses (anonymized), page views, session data, referral sources | United States | Google Data Processing Amendment; SCCs |
AI & Machine Learning
| Subprocessor | Purpose | Data Processed | Location | DPA/SCCs |
|---|---|---|---|---|
| Microsoft Corporation (Azure OpenAI Service) | AI-powered features: protocol parsing, auto-coding suggestions, smart query generation, anomaly detection | Pseudonymized clinical data excerpts, form field values, protocol text (no PII transmitted) | United States (East US) | Microsoft DPA; SCCs; HIPAA BAA available |
| Anthropic PBC | AI-powered features: natural language processing, clinical text analysis (secondary/failover provider) | Pseudonymized clinical data excerpts, form field values (no PII transmitted) | United States | DPA with SCCs |
AI Gateway
| Subprocessor | Purpose | Data Processed | Location | DPA/SCCs |
|---|---|---|---|---|
| Cloudflare, Inc. (AI Gateway) | AI API proxy providing caching, rate limiting, analytics, and model failover for all LLM API calls | AI request/response payloads (pseudonymized; no PII) | United States (global edge network) | DPA with SCCs (same as CDN/WAF DPA) |
Data Processing Safeguards
For all subprocessors listed above, PharmaTrialsCortex has implemented the following safeguards:
- Contractual protections: Each subprocessor has executed a Data Processing Agreement (or equivalent) with PharmaTrialsCortex that includes obligations no less protective than those in our customer DPA.
- Standard Contractual Clauses: For transfers of personal data from the EEA/UK to the United States, Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are in place.
- Due diligence: Each subprocessor has been assessed for security posture, data protection practices, and compliance certifications prior to engagement.
- Minimum necessary access: Subprocessors receive only the minimum data necessary to perform their designated function.
- AI data handling: AI/ML subprocessors process only pseudonymized data. PII fields (name, date of birth, contact information) are stripped or encrypted before transmission. AI providers are contractually prohibited from using customer data for model training.
Changes to Subprocessors
Notification Process
In accordance with Article 28(2) of the GDPR and our Data Processing Agreement:
- Advance notice: We will notify customers at least 30 days before engaging a new subprocessor or making a material change to an existing subprocessor’s scope of processing.
- Notification method: Notifications are sent via email to the primary contact and data protection contact listed in the Customer’s account.
- This page: This Subprocessor List page is updated concurrently with the notification. The “Last Updated” date at the top of the page reflects the most recent change.
Subscribing to Updates
To receive email notifications when this Subprocessor List is updated:
- Existing customers: Notifications are automatic. Ensure your account’s data protection contact email is current.
- Prospective customers: Contact privacy@pharmatrialscortex.com to subscribe to subprocessor change notifications.
Change History
| Date | Change | Subprocessor |
|---|---|---|
| 2026-02-23 | Initial publication | All subprocessors listed above |
Objection Process
If you object to a new or changed subprocessor, you may exercise the following rights under our Data Processing Agreement:
Filing an Objection
- Submit your objection in writing to privacy@pharmatrialscortex.com within 14 days of receiving the subprocessor change notification.
- Your objection must include:
- The specific subprocessor you are objecting to.
- The grounds for your objection (e.g., data protection concerns, regulatory requirements, contractual obligations).
- Any proposed alternatives or mitigations.
Resolution Process
- Good faith discussion: PharmaTrialsCortex will engage with you in good faith to understand and address your concerns. We may offer alternative configurations, additional safeguards, or substitute subprocessors.
- Timeline: We will respond to your objection within 14 days and work toward resolution within 30 days.
- Escalation: If resolution cannot be reached through discussion, you may escalate the matter to PharmaTrialsCortex’s Data Protection Officer at dpo@pharmatrialscortex.com.
Termination Right
If we cannot resolve your objection to your reasonable satisfaction within 30 days:
- You may terminate the affected Services without penalty upon 30 days’ written notice.
- We will provide data export in standard formats (CDISC ODM, CSV, JSON) within 90 days of termination.
- Any prepaid, unused portion of the subscription term will be refunded on a pro-rata basis.
This termination right does not apply to objections that are unreasonable, made in bad faith, or based on grounds unrelated to data protection.
For questions about our subprocessors or data processing practices, contact our Data Protection Officer at dpo@pharmatrialscortex.com or our privacy team at privacy@pharmatrialscortex.com.