Data Processing
Last updated: April 1, 2026
TrialAmicus operates in one of the most data-sensitive environments in the world — clinical research. This page describes how we process data on behalf of our customers, our compliance commitments, and the technical and organizational measures we implement to protect sensitive clinical trial information.
1. Our Role as Data Processor
When you use the TrialAmicus platform, we act as a data processor on your behalf. This means:
- Your organization (the data controller) determines the purposes and means of processing
- TrialAmicus processes data only on your documented instructions
- We do not use your data for any purpose beyond providing the Services you have contracted for
- We never sell, share, or monetize your clinical data
For personal data collected directly through our website (such as contact form submissions), TrialAmicus acts as a data controller. Please refer to our Privacy Policy for details on this processing.
2. What Data We Process
The following categories of data may be processed through the TrialAmicus platform:
| Data Category | Examples | Purpose |
| --- | --- | --- |
| Clinical Trial Documents | Protocols, amendments, investigator brochures, lab manuals, ICFs | AI-powered protocol interpretation and guidance |
| User Account Data | Names, email addresses, role assignments | Authentication, access control, audit logging |
| Platform Usage Data | Queries submitted, responses generated, timestamps | Audit trail, compliance logging, service improvement |
| Organizational Data | Site names, study identifiers, team structures | Study management, role-based access control |
TrialAmicus does not intentionally collect or process special categories of personal data (such as patient health information). Our platform is designed for use with de-identified or study-operational documents. Customers are responsible for ensuring that uploaded documents comply with applicable data protection requirements.
3. Legal and Regulatory Compliance
TrialAmicus is designed to support compliance with the following regulatory frameworks:
- 21 CFR Part 11
- ICH E6(R2) GCP
- GDPR
- HIPAA-aligned
- CCPA
- FDA 21 CFR Part 312
21 CFR Part 11 Compliance
Our platform supports compliance with FDA 21 CFR Part 11 requirements for electronic records and signatures through:
- Secure, controlled access with unique user identification
- Immutable audit trails with timestamps and user identification
- System validations to ensure data integrity
- Encrypted storage and transmission of all records
GDPR Compliance
For customers processing data subject to the EU General Data Protection Regulation (GDPR), TrialAmicus:
- Processes personal data only on documented customer instructions
- Ensures all personnel are bound by confidentiality obligations
- Implements appropriate technical and organizational security measures
- Assists customers in responding to data subject rights requests
- Notifies customers of personal data breaches without undue delay
- Deletes or returns all personal data upon termination of services
- Provides all information necessary to demonstrate compliance
4. Technical Security Measures
TrialAmicus implements the following technical measures to protect processed data:
Encryption
- AES-256 encryption for all data at rest
- TLS 1.3 encryption for all data in transit
- Encrypted backups with geographic redundancy
Access Controls
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication for all platform users
- Separate, isolated data environments per organization
- Regular access reviews and credential rotation
Infrastructure Security
- Hosted on enterprise-grade cloud infrastructure with SOC 2 compliance
- Regular vulnerability assessments and penetration testing
- Intrusion detection and monitoring systems
- Automated threat detection and alerting
- Disaster recovery and business continuity planning
5. Organizational Security Measures
- All employees and contractors with data access are subject to confidentiality agreements
- Regular security awareness training for all personnel
- Background checks for personnel with access to customer data
- Documented security policies and procedures
- Designated data protection responsibilities within our organization
6. Sub-processors
TrialAmicus may engage trusted sub-processors to assist in delivering our Services. All sub-processors are:
- Bound by data processing agreements with equivalent protections to those we offer
- Subject to regular security assessments
- Selected based on their ability to maintain appropriate security standards
We will notify customers of any intended changes to our sub-processor arrangements and provide an opportunity to object to such changes. A current list of sub-processors is available upon request by contacting admin@trialamicus.io.
7. Data Retention and Deletion
We retain processed data in accordance with the following principles:
- Customer Data is retained for the duration of the service agreement
- Audit logs are retained for a minimum of 7 years to support regulatory compliance and inspection readiness
- Upon termination of services, Customer Data is securely deleted or returned within 30 days, unless longer retention is required by applicable law
- Deletion is performed using industry-standard secure erasure methods
8. Data Breach Notification
In the event of a personal data breach affecting Customer Data, TrialAmicus will:
- Notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach
- Provide details of the nature of the breach, categories of data affected, and likely consequences
- Describe the measures taken or proposed to address the breach
- Cooperate fully with customers and relevant supervisory authorities as required
9. Data Processing Agreement
Enterprise customers who require a formal Data Processing Agreement (DPA) to comply with GDPR or other applicable data protection laws may request a DPA by contacting us. Our DPA incorporates the standard contractual clauses approved by the European Commission for international data transfers where applicable.
10. International Data Transfers
TrialAmicus primarily processes data in the United States. Where data is transferred outside the European Economic Area, we rely on appropriate transfer mechanisms including standard contractual clauses to ensure adequate protection of personal data.