Legal Center
Overview
This page provides a summary of all things legal, privacy, and security related. It’s a great starting point for customers performing assessments or due diligence on the products and services of Crucial Data Solutions.
For more information regarding security, please visit our Trust Center at trust.crucialdatasolutions.com
Table of Contents
- General
- Privacy
- Does CDS offer a Data Processing Addendum (DPA)?
- Does CDS engage with any sub-processors?
- Does CDS engage in cross-border transfers of personal data?
- Does CDS Have Designated EU and UK Representatives?
- Does CDS create and maintain Records of Processing Activities on behalf of its customers?
- Does CDS permit governmental authorities access to its customers’ data?
- Privacy Policy
- Cookie Policy
- DPA
- Customer Standard Contractual Clauses (SCC) (Controller to Processors)
- Customer Standard Contractual Clauses (SCC) (Processor to Processor)
- HIPAA
- Processors
- Subprocessors
- Security
- Security Overview
- How Do We Secure Your Data
- Application Security
- Infrastructure Security
- Data Encryption
- External Security Audits and Penetration Testing
- Physical Security
- Security Awareness Training
- Access Control
- Audit Logging
- Backups and Data Retention
- Risk Summary Assessment
- Data Access Level
- Impact Level
- Critical Dependence
- Third Party Dependence
- Hosting
- Self Assessment
- Security Policy
- Disaster Recovery Plan
- Security Compliance Frameworks
General
Standard Terms of Service
The agreement between Crucial Data Solutions and its users that governs the services we provide.
Acceptable Use/Code of Conduct
Apple Distributor Requirements and Usage Rules
Modern Slavery and Human Trafficking Policy
Privacy
Privacy Overview
Our global privacy program is generally based on the most comprehensive and advanced data protection regulations in the world, with the EU GDPR serving as the guideline for providing optimal protections.
In the event that any particular and special requirements would directly apply to us under a local law or regulation, in our capacity as our customer’s data processor, we would address those requirements in accordance with our obligations under law and our Data Processing Addendum with such customer.
Controllers and Processors
The GDPR defines and distinguishes between two primary roles when it comes to collecting and processing personal data: data controllers and data processors.
A data controller determines the means and purposes for processing personal data, while a data processor is a party that processes data on behalf of the controller.
CDS is the data controller of personal data relating to its customers, users, and website visitors. This is further explained in our Privacy Policy.
CDS is the data processor of personal data that its customers and users submit to the platform (into their boards and items within their CDS account), and processes this data on its customer’s behalf. We do so in accordance with the Data Processing Addendum entered into with our customer. The third party service providers we use to help us process this data are our “sub-processors”.
Does CDS offer a Data Processing Addendum (DPA)?
Yes. We provide all our customers with the opportunity to enter a Data Processing Addendum, for ensuring the protection and proper processing of personal data that we process on their behalf. You can view and execute our Data Processing Addendum (DPA) online (see here).
Does CDS engage with any sub-processors?
Yes – we engage selected third party service providers to help us process our customers’ data on their behalf. A list of our sub-processors can be found here.
We hold our sub-processors to high industry standards with respect to data security and privacy, and consider both areas as critical in our vendor selection process. Among others, we have ensured that Data Processing Addendums and other relevant documentation are in place with all of our sub-processors, and perform privacy and security assessments and questionnaire-based audits, all in accordance with regulatory requirements.
Does CDS engage in cross-border transfers of personal data?
Yes. Crucial Data Solutions, Inc. (“CDS”) is headquartered in the U.S., with offices and teams located around the globe. Our sub-processors are also situated in various countries, as detailed on our sub-processors page.
When we transfer personal data from the EU to other countries, we rely on the lawful transfer mechanisms in the GDPR, such as the “adequacy decisions” made by the European Commission (e.g. the decisions deeming the UK and Israel as providing an adequate level of protection to personal data originating from the EU), and the EU Standard Contractual Clauses (see here our Legal Portal).
As of January 2019, CDS offers multi-region capabilities, allowing our customers the choice of having their data hosted either in the USA or Ireland.
Does CDS Have Designated EU and UK Representatives?
Yes. CDS has designated Maetzler Rechtsanwalts GmbH & Co KG as its EU Representation and Prighter Ltd as its UK Representation under Article 27 of the EU GDPR. For matters related to the processing of personal data, use this contact form.
Does CDS create and maintain Records of Processing Activities on behalf of its customers?
Our customers, as the controllers of such data, should maintain a comprehensive and detailed record for their own purposes and compliance posture, including with respect to the personal data they have processed via CDS, and the data subjects to whom such data relates. CDS, as a data processor, maintains a general record of its processing activities. However, we do not monitor the specific data that is being processed on behalf of our customers, and therefore the records we maintain will not address those.
Does CDS permit governmental authorities access to its customers’ data?
CDS does not permit governmental authorities free access to any customers’ data held with us. To date, CDS has not received requests from authorities (in the US or otherwise) to disclose customer data. In the event it does happen, the request must be limited in scope, and it must address very legitimate grounds for requesting such data (e.g. suspected illegal activity related to that particular account).
In any event, disclosure would be limited only to such data which is strictly necessary under law, after the request has been reviewed by our Legal and Privacy teams to ensure it is valid and warranted. We use our best efforts to notify our customers before we make such disclosure, unless we are prohibited from doing so or are unable to due to a potential risk. More information can be found in our Privacy Policy.
Privacy Policy
Cookie Policy
DPA
Customer Standard Contractual Clauses (SCC) (Controller to Processors)
Customer Standard Contractual Clauses (SCC) (Processor to Processor)
HIPAA
HIPAA Business Associate Agreement
Processors
Crucial Data Solutions uses third party services to help manage some of the services that are provided to its direct customers. This relates only to data about our customers and users. It does not include data that is stored or processed in connection with CDS’s core product offering (TrialKit).
Entity | Hosting Region | Hosting Provider | Activity | Country Where Processing is Performed | Registered Address and Country | EU and UK Data Transfer Mechanism |
Hubspot | United States | AWS | Business and Account Administrator Contact information and tracking | United States | 2 Canal Park Cambridge, MA 02141 United States | SCCs |
Hubspot | United States | AWS | Customer support to users who log support tickets | United States | 2 Canal Park Cambridge, MA 02141 United States | SCCs |
Monday.com | United States | AWS | Collecting forms from customers and managing customer projects | United States | Tel Aviv-Yafo, 6 Yitzhak Sadeh Street, Israel | EU Adequacy Decision |
PandaDoc, Inc. | United States | AWS | Contract execution and Electronic signatures | United States | 3739 Balboa Street Suite 1083 San Francisco, CA 94121 | SCCs |
Subprocessors
Crucial Data Solutions engages the third-party entities in the table below to perform limited activities in connection with the TrialKit platform. The table shows what activity each entity performs and indicates if an entity is only relevant to a specific Service or Region. More information about each activity is provided directly below. This explains the limited processing of Customer Data the entity is authorized to perform.
Technical Support (Customer-Initiated Customer support):
The Subprocessor does not have access to Customer Data stored or processed by the Services. The Subprocessor only has access to Customer Data if Customer explicitly elects to share Customer Data in the course of a support case (e.g. screenshots).
Managing Hosting Environment:
Monitoring, troubleshooting and ongoing management of the hosting environment that stores Customer Data. Subprocessor personnel do not require access to Customer Data to perform this activity.
Entity | Hosting Region | Activity | Country Where Processing is Performed | Registered Address and Country | EU and UK Data Transfer Mechanism |
Amazon Web Services, Inc. | United States or Ireland | Managing hosting environment | United States | 410 Terry Avenue North, Seattle, WA 98109, United States | EU Adequacy Decision |
Hubspot | United States | Customer support | United States | 2 Canal Park Cambridge, MA 02141, United States | SCCs |
Box, Inc. | United States | File storage | United States | 900 Jefferson Ave Redwood City, CA 94063 United States | SCCs |
Security
Security Overview
CDS uses world-leading security solutions to secure our service so your data can be kept safe, along with hundreds of other customers around the world.
We understand that our customers expect us to protect their data with the highest standards and are committed to providing them with a highly secure and reliable environment. CDS has not undergone certification for any frameworks, but our security model and controls are based on international standards and industry best practices, such as ISO 27001, ISO 27018 and OWASP Top 10.
Please review this section and then navigate to trust.crucialdatasolutions.com for additional information or document requests.
How Do We Secure Your Data
Our systems are hosted on multiple Availability Zones at Amazon Web Services (AWS). This allows us to provide a reliable service and keeps your data available whenever you need it. We have also established a disaster recovery site in another AWS US region.
This data center employs leading physical and environmental security measures, resulting in highly resilient infrastructure. For more information about its security practices, see below:
Application Security
CDS implements a security-oriented design in multiple layers, one of which is the application layer. The TrialKit application is developed according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production.
Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, unit testing which addresses authorization aspects and more. CDS developers go through periodic security training to keep them up-to-date with secure development best practices.
Infrastructure Security
Another layer of security is the infrastructure. As stated, CDS is hosted across multiple AWS Availability Zones. Furthermore, our infrastructure is protected using multiple layers of defense mechanisms, including:
- Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
- A web application firewall (WAF) for content-based dynamic attack blocking
- DDoS mitigation and rate limiting
- NIDS sensors for early attack detection
- Advanced routing configuration
- Comprehensive logging of network traffic, both internal and edge
Data Encryption
CDS encrypts all data both in transit and at rest:
- Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum
- User data is encrypted at rest across our infrastructure using AES-256 or better
- Credentials are hashed and salted using a modern hash function
External Security Audits and Penetration Testing
Independent third party assessments are crucial in order to get an accurate, unbiased understanding of your security posture. These are conducted routinely and frequently by many of CDS’ clients.
Additionally, CDS conducts penetration tests on an annual basis both in the application and in the infrastructure level using well-known, independent auditors.
Physical Security
CDS is a cloud-based solution, with no part of our infrastructure retained on-premise. Employees operate remotely with physical security measures including personal identification and location-based access control, multi-factor access mechanisms, and security keys. Workstations are remotely administered.
CDS’s data centers are hosted on Amazon Web Services and Google Cloud Platform infrastructure, where leading physical security measures are employed.
Security Awareness Training
CDS understands that its security is dependent on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided on a quarterly basis. Additionally, all employees must sign our Acceptable Use Policy.
Access Control
We know the data you upload to CDS is private and confidential. We regularly conduct user access reviews to ensure appropriate permissions are in place, in accordance with the least privilege principle. Employees have their access rights promptly modified upon change in employment.
At the customer’s level, role-based access allows for granular authorization rules. Customers are empowered to create and manage users of their portals, assign the privileges that are appropriate for their users’ roles, and limit access to specific features and data.
Audit Logging
Logs are maintained about access by both customer users and employees of CDS. Sign-in sessions, changes in permissions, and membership to specific data are maintained indefinitely.
Backups and Data Retention
CDS is committed to providing continuous and uninterrupted service to all its customers. We consistently back up user data every 5 minutes. All backups are encrypted and distributed to various locations.
Our Disaster Recovery Plan is tested at least twice a year to assess its effectiveness and to keep the teams aligned with their responsibilities in case of a service interruption.
Risk Summary Assessment
Data Access Level
As a SaaS vendor selling to an enterprise customer, what type of data do you need access to?
Restricted (i.e. highly confidential information such as PII, personally identifiable information)
Impact Level
What is the potential impact to your enterprise customer if the data and/or functionality you, as the vendor, are supposed to manage, is compromised?
Moderate
Critical Dependence
Will your product be a system that your enterprise customer critically depends on? (i.e., a failure would cost them a ton of money)
No
Third Party Dependence
Are you also using other third-party services to manage or support your customers?
Yes
Hosting
Are you hosted only on one of the major cloud providers or do you have any on-premise systems?
Major Cloud Provider – AWS
Self Assessment
Please check back soon for our CSA CAIQ-Lite survey
Security Policy
Request Access via info@crucialdatasolutions.com
Disaster Recovery Plan
Request Access via info@crucialdatasolutions.com
Security Compliance Frameworks
CDS does not currently maintain 3rd party certifications for recognized compliance programs, but follows and aligns with the standards of the following:
- US Food and Drug Administration US 21 CFR:
- Part 11 – Electronic Records; Electronic Signatures
- Part 312 – Investigational New Drug Applications
- Part 820 – Quality System Regulations
- HIPAA – Health Insurance Portability and Accountability Act of 1996
European Medicines Agency:
- EudraLex, Volume 4, cGMP Medicinal Products for Human and Veterinary Use:
- Annex 7 – Outsourced Activities
- Annex 9 – Self Inspection
- Annex 11 – Computerized Systems
- Annex 15 – Qualification and Validation
International Standards:
- GAMP 5 – A Risk-Based Approach to Compliant GxP Computerized Systems
- GDPR – General Data Protection Regulations – EU Directive 95/46/EC
- ICH E6 R1 – Guideline for Good Clinical Practice – CPMP/ICH/135/95
- ICH E6 R2 – Guideline for Good Clinical Practice – Integrated Addendum
- ICH Q9 – Quality Risk Management
- ICH Q10 – Pharmaceutical Quality System
- ISO 9001:2015 – Quality Management Systems
- ISO/IEC 27001:2013 – Information Security Management
- SOC Type 2 – Service Organization Controls