Security and compliance

Data security and compliance are the foundations of the system

Compliance

CRFweb complies with FDA 21 CFR Part 11 regulations and is independently audited. It also meets GCP (Good Clinical Practice) standards. We have utilised the CDISC ODM (Operational Data Model) as our default coding standard for all aspects of a clinical trial; both Transactional and Snapshot data extracts are available for all datasets. Snapshot and Transactional ODM files can be exported as XML or .xls files, or as a SAS Xport file. Our new offline data collection app allows data to be collected safely offline and automatically synced when a secure connection is available.

Subject data is anonymised through use of subject ID numbers. We are also able to match server locations to local markets to meet local compliance standards. For example, for EU studies, our servers are located within the EU to meet GDPR requirements.

Please note: the FDA does not issue compliance certification for clinical trial applications. It is down to the sponsor to demonstrate that appropriate study guidelines have been followed. Naturally, that necessitates using a system built with compliance in mind, so if your study protocols and procedures are compliant, CRFweb will help ensure your study is compliant.

How do you prove an EDC system is compliant? Best practice is to use an independent compliance specialist to perform an audit. CRFweb was last independently audited in March 2019. Details are available on request.


Security

CRFweb Security

We take security very seriously. The system was designed from the ground up with security and compliance in mind. We utilize the CDISC ODM (Operational Data Model) as our default coding standard. We comply with FDA 21 CFR Part 11 regulations and have been independently audited. We also meet the US Health Insurance Portability and Accountability Act (HIPAA), Cloud Security Alliance (CSA) and GCP (Good Clinical Practice) standards. To give confidential client data maximum security, we use the latest SSL 256-bit encryption technology.
We use servers based in Europe and the US for reliability. Data transmissions use HTTPS, and servers are managed with security best practices/standards including the following:
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3