The Fastrial EDC system is secured in adherence to current software security standards and privacy regulations. Because our clients use Fastrial to handle their clinical trial data, we consider the security of that data one of our top priorities.
At Meditrial, we have always honored our Customers’ right to data security. This statement describes the security measures adopted by the Fastrial EDC system, in order to transparently inform all Users about our continuous commitment to data protection.
Fastrial Software Security
- Connections to the system are accepted only over SSL/TLS 1.2.
- Access is possible only through an individual, password-protected account. We never issue shared accounts.
- Password strength is enforced at account creation and at every password change.
- Passwords are stored encrypted on the system. A lost password cannot be recovered and can only be reset.
- Repeated failed login attempts trigger an automated suspension of the account. Reactivation is possible after a thorough verification procedure.
- Access control rules and procedures ensure that data access is restricted according to each user’s privileges and authorizations.
- Data access authorizations are issued to each individual by the Study Administrator, following Meditrial SOPs designed and maintained under our ISO 9001:2015 certification for clinical software design, deployment and support.
- We continuously conduct penetration tests against the application and the infrastructure to identify and promptly resolve any potential security vulnerabilities.
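The account controls in the list above (individual accounts, enforced password strength, unrecoverable password storage, automated suspension with reactivation only after identity verification, reset instead of recovery) illustrated in Python. This is an added example, not Fastrial’s own code: the strength rule and the MAX_FAILED threshold are assumptions the page does not state, and storage uses a salted scrypt hash, the usual way to make a stored password unrecoverable.

```python
import hashlib, hmac, os, re

MAX_FAILED = 5   # assumed suspension threshold; the page does not state a number
SALT_LEN = 16

def password_is_strong(pw):
    """Assumed strength rule: 12+ characters covering four character classes."""
    if len(pw) < 12:
        return False
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))

def _derive(pw, salt):
    # scrypt with a per-user salt: the plaintext cannot be recovered from the result
    return hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)

def hash_password(pw):
    salt = os.urandom(SALT_LEN)
    return salt + _derive(pw, salt)  # stored value: salt || digest

class Account:
    def __init__(self, username, password):
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength policy")
        self.username, self.stored = username, hash_password(password)
        self.failed, self.suspended = 0, False

    def login(self, password):
        if self.suspended:       # refused even with the right password
            return False
        salt, digest = self.stored[:SALT_LEN], self.stored[SALT_LEN:]
        if hmac.compare_digest(_derive(password, salt), digest):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.suspended = True  # automated suspension; no self-service unlock
        return False

    def reactivate(self, identity_verified):
        # Reactivation only after an out-of-band check of the user's identity
        if identity_verified:
            self.failed, self.suspended = 0, False

    def reset_password(self, new_password):
        # A lost password is never recovered: a new one replaces the stored digest
        if not password_is_strong(new_password):
            raise ValueError("password does not meet the strength policy")
        self.stored = hash_password(new_password)
```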
Fastrial Infrastructure Security
- Our servers are hosted on Google Cloud Platform. Google Cloud undergoes several independent third-party audits on a regular basis to provide the following assurances:
  - ISO 27001 (Information Security Management)
    ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes, and data centers that make up Google’s shared Common Infrastructure, as well as for Google Cloud Platform products.
  - ISO 27017 (Cloud Security)
    ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for cloud services. Google has been certified compliant with ISO 27017 for Google Cloud Platform.
  - ISO 27018 (Cloud Privacy)
    ISO 27018 is an international standard of practice for the protection of personally identifiable information (PII) in public cloud services. Google has been certified compliant with ISO 27018 for Google Cloud Platform.
  - SSAE 16 / ISAE 3402 (SOC 2/3)
    The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports for Google Cloud Platform.
- The security of Google Cloud Platform services is based on a model built over more than 15 years by a dedicated team of leading experts in the field.
- Physical security of Google’s servers is ensured by state-of-the-art fencing and access control systems. Data centers are monitored 24/7 by cameras with intrusion detection systems and are patrolled by security guards.
- All customer content on Google Cloud Platform, with a few minor exceptions, is encrypted by default on Google’s servers.
- When equipment is retired from their systems, Google ensures complete data destruction.
- More on Google Security is available at: https://cloud.google.com/security/overview/
- The Fastrial EDC system runs in three geographically distributed data centers, located in Europe, the US and Asia, all active at the same time with full real-time data synchronization: data collected by the EDC are immediately propagated to all three data centers.
- The system is continuously monitored by automated health-check solutions and by regular verifications performed by our personnel. Any event that could potentially cause issues or a risk of data loss is proactively addressed by our personnel with top priority.
- Data backups are taken four times a day and stored in separate Google Cloud Storage buckets.
- Google Cloud Platform employs sophisticated intrusion detection systems that continuously monitor the attack surface of the Google network and can automatically remedy certain dangerous situations.
- By default, all incoming traffic to virtual servers hosted on Google Cloud Platform is blocked by a firewall. Explicit rules are set up to allow traffic only to strictly necessary services.
- The database server is not reachable from the Internet.
The Fastrial Designer user creates the eCRF and administers the study in complete autonomy, and is therefore responsible for all activities occurring under that account.
In addition, the Fastrial Designer user is responsible for configuring the eCRF in compliance with all applicable local, state, national and foreign laws and regulations relating to their use of Fastrial EDC, including those concerning the protection of intellectual property, data privacy, international communications and the transmission of technical or personal data.
An in-depth description of the responsibilities of the Fastrial Designer role is given in the Privacy Statement.
Users can improve the overall security of the system by following a few simple operating rules:
- The Fastrial EDC system is not intended to collect Personally Identifiable Information (PII). The majority of fields shall be configured by the Fastrial Designer user to accept only restricted inputs. For free-text fields, the Fastrial Designer user shall train the end-users (i.e. all eCRF users who are given an account by the Fastrial Designer user) not to enter any data that could be traced back to a patient’s identity.
- Likewise, despite the automated features in place to anonymize DICOM images, the Fastrial Designer user shall inform end-users of the need to verify in detail that the uploaded files contain no PII.
- The Fastrial Designer user shall recommend that end-users keep their passwords safe and secure their personal computers with up-to-date antivirus and anti-malware software. End-users shall also be advised to routinely check the identity of the web application’s site in order to avoid phishing attacks that use fake sites.