Legal Center

Overview

This page provides a summary of all things legal, privacy, and security related. It’s a great starting point for customers performing assessments or due diligence on the products and services of Crucial Data Solutions.

For more information regarding security, please visit our Trust Center at trust.crucialdatasolutions.com

Table of Contents

Back to top

General

Standard Terms of Service

The agreement between Crucial Data Solutions and its users that govern the services we provide.

CDS Terms of Service 2023

Acceptable Use/Code of Conduct

Acceptable Use Policy

Apple Distributor Requirements and Usage Rules

Apple Distributor Requirements and Usage Rules

Modern Slavery and Human Trafficking Policy

Modern Slavery and Human Trafficking Policy

Privacy

Privacy Overview

Our global privacy program is generally based on the most comprehensive and advanced data protection regulations in the world, with the EU GDPR serving as the guideline for providing optimal protections.

In the event that any particular and special requirements would directly apply to us under a local law or regulation, in our capacity as our customer’s data processor, we would address those requirements in accordance with our obligations under law and our Data Processing Addendum with such customer.

Controllers and Processors

The GDPR defines and distinguishes between two primary roles when it comes to collecting and processing personal data: data controllers and data processors.

A data controller determines the means and purposes for processing personal data, while a data processor is a party that processes data on behalf of the controller.

CDS is the data controller of personal data relating to its customers, users, and website visitors. This is further explained in our Privacy Policy.

CDS is the data processor of personal data that its customers and users submit to the platform (into their boards and items within their CDS account), and processes this data on its customer’s behalf. We do so in accordance with the Data Processing Addendum entered into with our customer. The third party service providers we use to help us process this data are our “sub-processors”.

Does CDS offer a Data Processing Addendum (DPA)?

Yes. We provide all our customers with the opportunity to enter a Data Processing Addendum, for ensuring the protection and proper processing of personal data that we process on their behalf. You can view and execute our Data Processing Addendum (DPA) online (see here).

Does CDS engage with any sub-processors?

Yes – we engage selected third party service providers to help us process our customers’ data on their behalf. A list of our sub-processors can be found here.

We hold our sub-processors to high industry standards with respect to data security and privacy, and consider both areas as critical in our vendor selection process. Among others, we have ensured that Data Processing Addendums and other relevant documentation are in place with all of our sub-processors, and perform privacy and security assessments and questionnaire-based audits, all in accordance with regulatory requirements.

Does CDS engage in cross-border transfers of personal data?

Yes. Crucial Data Solutions, Inc. (“CDS”) is headquartered in the U.S., with offices and teams located around the globe. Our sub-processors are also situated in various countries, as detailed on our sub-processors page.

When we transfer personal data from the EU to other countries. We rely on the lawful transfer mechanisms in the GDPR, such as the “adequacy decisions” made by the European Commission (e.g. the decisions deeming the UK and Israel as providing an adequate level of protection to personal data originating from the EU), and the EU Standard Contractual Clauses. (see here our Legal Portal).

As of January 2019, CDS offers multi-region capabilities, allowing our customers the choice of having their data hosted either in the USA or Ireland. 

Does CDS Have Designated EU and UK Representatives?

Yes. CDS has designated Maetzler Rechtsanwalts GmbH & Co KG as its EU Representation and Prighter Ltd as its UK Representation under Article 27 of the EU GDPR. For matters related to the processing of personal data, use this contact form.

Does CDS create and maintain Records of Processing Activities on behalf of its customers?

Our customers, as the controllers of such data, should maintain a comprehensive and detailed record for their own purposes and compliance posture, including with respect to the personal data they have processed via CDS, and the data subjects to whom such data relates. CDS, as a data processor, maintains a general record of its processing activities. However, we do not monitor the specific data that is being processed on behalf of our customers, and therefore the records we maintain will not address those.

Does CDS permit governmental authorities access to its customers’ data?

CDS does not permit governmental authorities free access to any customers’ data held with us. To date, CDS has not received requests from authorities (in the US or otherwise) to disclose customer data. In the event it does happen, the request must be limited in scope, and it must address very legitimate grounds for requesting such data (e.g. suspected illegal activity related to that particular account).

In any event, disclosure would be limited only to such data which is strictly necessary under law, after the request has been reviewed by our Legal and Privacy teams to ensure it is valid and warranted. We use our best efforts to notify our customers before we make such disclosure, unless we are prohibited from doing so or are unable to due to a potential risk. More information can be found in our Privacy Policy.

Privacy Policy

Privacy Policy

Cookie Policy

DPA

DPA

Customer Standard Contractual Clauses (SCC) (Controller to Processors)

SCCs Controller to Processor

Customer Standard Contractual Clauses (SCC) (Processor to Processor)

SCCs Processor to Processor

HIPAA

HIPAA Business Associate Agreement

Processors

Crucial Data Solutions uses third party services to help manage some of the services that are provided to its direct customers. This relates only to data about our customers and users. It does not include data that is stored or processed in connection with CDS’s core product offering (TrialKit).

EntityHosting RegionHosting ProviderActivityCountry Where Processing is PerformedRegistered Address and CountryEU and UK Data Transfer Mechanism
HubspotUnited StatesAWSBusiness and Account Administrator Contact information and trackingUnited States2 Canal Park
Cambridge, MA 02141
United States
SCCs
HubspotUnited StatesAWSCustomer support to users who log support ticketsUnited States2 Canal Park
Cambridge, MA 02141
United States
SCCs
Monday.comUnited StatesAWSCollecting forms from customers and managing customer projectsUnited StatesTel Aviv-Yafo, 6 Yitzhak Sadeh Street, IsraelEU Adequacy Decision
PandaDoc, Inc.United StatesAWSContract execution and Electronic signaturesUnited States3739 Balbao Street Suite 1083 San Francisco, CA 94121SCCs

Subprocessors

Crucial Data Solutions engages the third-party entities in the table below to perform limited activities in connection with the TrialKit platform. The table shows what activity each entity performs and indicates if an entity is only relevant to a specific Service or Region. More information about each activity is provided directly below. This explains the limited processing of Customer Data the entity is authorized to perform.

Technical Support (Customer-Initiated Customer support):

The Subprocessor does not have access to Customer Data stored or processed by the Services. The Subprocessor only has access to Customer Data if Customer explicitly elects to share Customer Data in the course of a support case (e.g. screenshots).

Managing Hosting Environment:

Monitoring, troubleshooting and ongoing management of the hosting environment that stores Customer Data. Subprocessor personnel do not require access to Customer Data to perform this activity. 

EntityHosting RegionActivityCountry Where Processing is PerformedRegistered Address and CountryEU and UK Data Transfer Mechanism
Amazon Web Services, Inc.United States or IrelandManaging hosting environmentUnited States410 Terry Avenue North, Seattle, WA 98109, United StatesEU Adequacy Decision
HubspotUnited StatesCustomer supportUnited States2 Canal Park
Cambridge, MA 02141,
United States
SCCs
Box, Inc.United StatesFile storageUnited States900 Jefferson Ave Redwood City, CA 94063
United States
SCCs

Security

Security Overview

CDS uses world-leading security solutions to secure our service so your data can be kept safe, along with hundreds of other customers around the world.

We understand that our customers expect us to protect their data with the highest standards and are committed to providing them with a highly secure and reliable environment. CDS has not undergone certification for any frameworks, but our security model and controls are based on international standards and industry best practices, such as ISO 27001, ISO 27018 and OWASP Top 10.

Please review this section and then navigate to trust.crucialdatasolutions.com for additional information or document requests.

How Do We Secure Your Data

Our systems are hosted on multiple Availability Zones at Amazon Web Services (AWS). This allows us to provide a reliable service and keeps your data available whenever you need it. We have also established a disaster recovery site in another AWS US region.

This data center employs leading physical and environmental security measures, resulting in highly resilient infrastructure. For more information about its security practices, see below:

AWS security page

Application Security

CDS implements a security oriented design in multiple layers, one of which is the application layer. The TrialKit application is developed according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production.

Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, unit testing which addresses authorization aspects and more. CDS developers go through periodic security training to keep them up-to-date with secure development best practices.

Infrastructure Security

Another layer of security is the infrastructure. As stated, CDS is hosted across multiple AWS Availability Zones. Furthermore, our infrastructure is protected using multiple layers of defense mechanisms, including:

  • Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
  • A web application firewall (WAF) for content-based dynamic attack blocking
  • DDoS mitigation and rate limiting
  • NIDS sensors for early attack detection
  • Advanced routing configuration
  • Comprehensive logging of network traffic, both internal and edge

Data Encryption

CDS encrypts all data both in transit and at rest:

  • Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum
  • User data is encrypted at rest across our infrastructure using AES-256 or better
  • Credentials are hashed and salted using a modern hash function

External Security Audits and Penetration Testing

Independent third party assessments are crucial in order to get an accurate, unbiased understanding of your security posture. These are conducted routinely and frequently by many of CDS’ clients. 

Additionally, CDS conducts penetration tests on an annual basis both in the application and in the infrastructure level using well-known, independent auditors.

Physical Security

CDS is a cloud-based solution, with no part of our infrastructure retained on-premise. Employees operate remotely with physical including  personal identification and location based access control, multi-factor access mechanisms, and security keys. Workstations are remotely Administered.

CDS’s data centers are hosted on Amazon Web Services and Google Cloud Platform infrastructure, where leading physical security measures are employed.

Security Awareness Training

CDS understands that its security is dependent on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided on a quarterly basis. Additionally, all employees must sign our Acceptable Use Policy.

Access Control

We know the data you upload to CDS is private and confidential. We regularly conduct user access reviews to ensure appropriate permissions are in place, in accordance with the least privilege principle. Employees have their access rights promptly modified upon change in employment.

At the customer’s level, role based access allow for granular authorization rules. Customers are empowered to create and manage users of their portals, assign the privileges that are appropriate for their users’ roles, and limit access to specific features and data. 

Audit Logging

Logs are maintained about access by both customer users and employees of CDS. Sign in sessions, changes in permissions, and membership to specific data is maintained indefinitely.

Backups and Data Retention

CDS is committed to providing continuous and uninterrupted service to all its customers. We consistently backup user data every 5 minutes. All backups are encrypted and distributed to various locations.

Our Disaster Recovery Plan is tested at least twice a year to assess its effectiveness and to keep the teams aligned with their responsibilities in case of a service interruption.

Risk Summary Assessment

Data Access Level

As a SaaS vendor selling to an enterprise customer, what type of data do you need access to?

Restricted (i.e. highly confidential information such as PII, personal identifiable information)

Impact Level

What is the potential impact to your enterprise customer if the data and/or functionality you, as the vendor, are supposed to manage, is compromised?

Moderate

Critical Dependence

Will your product be a system that your enterprise customer critically depends on? (i.e., a failure would cost them a ton of money)

No

Third Party Dependence

Are you also using other third-party services to manage or support your customers?

Yes

Hosting

Are you hosted only on one of the major cloud providers or do you have any on-premise systems?

Major Cloud Provider – AWS

Self Assessment

Please Check back soon for our CSA CAIG-Lite survey

Security Policy

Request Access via info@crucialdatasolutions.com

Disaster Recovery Plan

Request Access via info@crucialdatasolutions.com

Security Compliance Frameworks

CDS does not currently maintain 3rd party certifications for recognized compliance programs, but follows and aligns with the standards of the following:

  • US Food and Drug Administration US 21 CFR:
  • Part 11 – Electronic Records; Electronic Signatures
  • Part 312 – Investigational New Drug Applications
  • Part 820 – Quality System Regulations
  • HIPAA – Health Insurance Portability and Accountability Act of 1996

European Medicine Agency:

  • EudraLex, Volume 4, cGMP Medicinal Products for Human and Veterinary Use:
  • Annex 7 – Outsourced Activities
  • Annex 9 – Self Inspection
  • Annex 11 – Computerized Systems
  • Annex 15 – Qualification and Validation

International Standards:

  • GAMP 5 – A Risk-Based Approach to Compliant GxP Computerized Systems
  • GDPR – General Data Protection Regulations – EU Directive 95/46/EC
  • ICH E6 R1 – Guideline for Good Clinical Practice – CPMP/ICH/135/95
  • ICH E6 R2 – Guideline for Good Clinical Practice – Integrated Addendum
  • ICH Q9 – Quality Risk Management
  • ICH Q10 – Pharmaceutical Quality System
  • ISO 9001:2015 – Quality Management Systems
  • ISO/IEC 27001:2013 – Information Security Management
  • SOC Type 2 – Service Organization Controls