Security Statement

Catchtrial EDC system is secured in adherence to the most recent software security standards and privacy regulations. With full respect to the fact that our clients use Catchtrial for handling their clinical trial data, we consider the security of our client’s data as one of our top priorities.
At Meditrial, we have always honored our Customers’ right to data security. This statement describes the security measures adopted by Catchtrial EDC system in order to transparently inform all the Users about our continuous commitment to data protection.

Catchtrial Software Security

  • Connection to the System is available only through SSL/TLS1.2.
  • Access is possible only using an individual account protected by password. We never issue shared accounts.
  • Passwords strength is enforced at account creation and at password change.
  • Passwords are encrypted on the system. Lost passwords are unrecoverable and can only be reset.
  • Repeated failed login attempts generate an automated access suspension. Reactivation is possible after a thorough verification procedure.
  • Access control rules and procedures ensure that data access is restricted based on the user’s privileges and authorizations.
  • Data access authorizations are issued per single person by the Study Administrator, based on Meditrial SOPs designed and maintained according to ISO9001:2015 certification for clinical software design, deployment and support.
  • We continuously conduct Penetration Tests against the application and the infrastructure to identify and promptly resolve any potential security vulnerabilities.

Catchtrial Infrastructure Security

  • Our servers are hosted on Google Cloud Platform. Google Cloud undergoes several independent third-party audits on a regular basis to provide the following assurance:
    • ISO 27001 (Information Security Management)
      ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the
      systems, applications, people, technology, processes, and data centers that make up our shared Common Infrastructure as well as for Google Cloud Platform
      products.
    • ISO 27017 (Cloud Security)
      ISO 27017 is an international standard of practice for information security controls based on ISO/IEC 27002, specifically for Cloud Services. Google has been
      certified compliant with ISO 27017 for Google Cloud Platform.
    • ISO 27018 (Cloud Privacy)
      ISO 27018 is an international standard of practice for protection of personally identifiable information (PII) in Public Cloud Services. Google has been certified
      compliant with ISO 27018 for and Google Cloud Platform.
    • SSAE16 / ISAE 3402 (SOC 2/3)
      The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and
      criteria for security, availability, processing integrity, and confidentiality. Google has both SOC 2 and SOC 3 reports for Google Cloud Platform.
  • Security of Google Cloud Platform services is based on a model built with over 15 years of experience by a dedicated team of top experts in the field.
  • Physical security of Google’s servers is ensured by state-of-the-art fencing and access control systems. Data centers are monitored 24/7 by cameras with intrusion detection systems and patrolled by security guards.
  • All customers contents on Google Cloud Platform, with a few minor exceptions, are encrypted by default on Google’s servers.
  • In case of retiring from their systems, Google ensures complete data destruction.
  • More on Google Security is available at: https://cloud.google.com/security/overview/

Catchtrial Availability

  • Catchtrial EDC system runs on multiple geographically distributed Data Centers, all active at the same time with real-time full data sync. Data collected by the EDC are immediately propagated to all the Data Centers.
  • Our System is kept under continuous monitoring by automated health checks solutions and personnel regular verifications. Any event that can potentially generate
    issues or rick of data loss is proactively addressed by our personnel with top priority.
  • Data backups are made four times a day and stored on separate Google Buckets.

Network security

  • Google Cloud Platform employs sophisticated Intrusion Detection systems that continuously monitor the attack surface of the Google network and can automatically
    remedy certain dangerous situations.
  • By default, all incoming traffic to Virtual Servers hosted on Google Cloud Platform is blocked by a firewall. Explicit rules are set up to allow traffic only on
    strictly necessary services.
  • The database server is not accessible from the Internet.

Software

  • Server software is maintained up to date with all patches needed to fix newly discovered vulnerabilities.
  • Application software is developed with the adoption of best measures to keep the risk of SQL Injection and similar attacks as low as possible.
  • All DICOM images uploaded to the System are automatically anonymized removing DICOM Tags related to patient’s identity. An advanced anonymization feature has been
    developed to weep out also personal information eventually included in the images pixels.
  • An advanced electronic SDV feature forces the monitors to verify and confirm anonymization of any source documents uploaded in Catchtrial, preventing the presence
    of documents containing Personal Identifiable Information (PII).

Other

Handling incidents

We strive at our best and we continuously improve our solutions to ensure data security. However, we cannot guarantee that our System will be never hacked or disaster will never occur.
In case these remote events happen, our Customers will be immediately informed and we will implement all the required measures to minimize damages or risk of data loss, in agreement with Meditrial disaster recovery and incident handling procedures.

User operations

Users can improve the overall security of the system following simple operation rules:

  • Catchtrial EDC System is not intended to collect Personal Identifiable Information. The majority of fields is usually configured to accept restricted inputs. For free text fields, Users are trained to not enter any kind of data that can be traced back to a patient’s identity.
  • In the same way, despite the automated features in use to ensure DICOM images and Source Documents anonymizations, the Users are informed about the need to verify in details the absence of any PII within the uploaded files.
  • Users are also recommended to ensure own passwords safety and make their personal computers secure by updated antivirus and anti-malware software. We advise to routinely check the identity of the Web Application’s Sites in order to avoid fake site phishing attacks.

Last update: 02-January-2023