
Privacy Policy

How the platform handles subject data — minimisation, retention, GDPR and HIPAA posture, the PHI lifecycle from ingest to inference, the rights every subject can exercise, where data physically lives, and who it is ever shared with. Companion to /security.

Subject rights: 8

Regimes: HIPAA + GDPR

Primary region: us-east-1

Data Minimization

The platform stores the minimum subject data needed to deliver the trial. Source data lives in the sponsor EDC; the CRO platform retains only operational projections (visit windows, query status, deviation flags) and never the full case report form unless explicitly needed for an agent decision.

Retention

Regulated records retained 25 years after study close (ICH E6(R3) §4). Operational telemetry retained 13 months. Model-call traces retained 90 days. Backups follow the same schedule with cryptographic erasure on key rotation.

GDPR Approach

Article 6(1)(f) legitimate interest for operational data; Article 9(2)(i) for any special-category health data, always layered on top of sponsor-side informed consent. Data processing agreements signed with every sub-processor (Vercel, Supabase, Anthropic). EU subject data stays in the EU region when the sponsor selects it.

HIPAA Approach

Operates as a Business Associate under a BAA with every sponsor whose data touches the platform. Minimum-necessary rule applied at the projection layer. Sub-processors (Supabase, Anthropic, Vercel) covered by signed BAAs where they handle PHI; otherwise PHI never reaches them.

PHI Handling

PHI tokenised at ingest: subject identifiers replaced with platform-internal UUIDs, with the mapping table held in a separate schema with stricter RLS. Prompts sent to Anthropic carry tokens only — never raw MRNs, names, or contact details. Re-identification requires a signed admin action that is itself a Part 11 event.
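As an added illustration of the tokenisation flow described above (example code, not the platform's own), the following Python sketches an ingest-time tokeniser with an in-memory stand-in for the separate mapping schema, a model prompt built from tokens only, an egress check that refuses to send any vaulted raw value, and a re-identification path that requires a signer and records an audit event. The identifier field names, the sample record and the signer string are assumptions.

```python
"""Tokenise PHI at ingest so only platform UUIDs leave the trusted boundary."""
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Assumed direct-identifier fields (MRN, name, contact details); real schemas differ.
DIRECT_IDENTIFIERS = ("mrn", "name", "email", "phone")


@dataclass
class TokenVault:
    """In-memory stand-in for the mapping table held in a separate, stricter-RLS schema."""
    mapping: dict = field(default_factory=dict)  # token -> raw identifiers
    audit: list = field(default_factory=list)    # every re-identification is an event

    def tokenise(self, record: dict) -> dict:
        """Swap direct identifiers for a fresh UUID and return the operational projection."""
        token = str(uuid.uuid4())
        self.mapping[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
        projection = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        projection["subject_token"] = token
        return projection

    def reidentify(self, token: str, signer: Optional[str]) -> dict:
        """Resolve a token only under a signed admin action, and record the event."""
        if not signer:
            raise PermissionError("re-identification requires a signed admin action")
        self.audit.append({"event": "reidentify", "token": token, "signer": signer})
        return self.mapping[token]


def build_prompt(projection: dict) -> str:
    """Model prompt assembled from the projection: token and operational fields only."""
    return (f"Subject {projection['subject_token']}: visit window "
            f"{projection['visit_window']}, open queries {projection['open_queries']}.")


def egress_check(prompt: str, vault: TokenVault) -> bool:
    """Guard before the model call: refuse if any vaulted raw value appears in the prompt."""
    leaked = [v for raw in vault.mapping.values() for v in raw.values() if str(v) in prompt]
    if leaked:
        raise ValueError(f"raw identifier in outbound prompt: {leaked}")
    return True


# Constructed sample record for the example; not real subject data.
SAMPLE_RECORD = {"mrn": "MRN-0001", "name": "A. Example", "email": "a@example.org",
                 "visit_window": "2024-W12", "open_queries": 2}
```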

Subject Rights

Every subject whose data flows through the platform retains the following rights. The sponsor is the data controller; the CRO platform is the processor and routes requests to the controller without delay.

  1. Right to be informed of the data the CRO platform holds about them
  2. Right of access to their records via the sponsor (the data controller)
  3. Right to rectification of inaccurate operational data
  4. Right to erasure subject to regulatory retention obligations (request routed to sponsor)
  5. Right to restriction of processing pending a dispute
  6. Right to data portability in a machine-readable export
  7. Right to object to automated decision-making — the platform never makes a regulated decision without a human signer
  8. Right to lodge a complaint with the supervisory authority

Data Residency

Primary region: AWS us-east-1 (Supabase project new-cro-dev). EU residency available on request via a sponsor-scoped Supabase project in eu-west-1. Anthropic inference routed through the provider region matching the data residency selection.

Deletion Policy

Subject deletion requests handled within 30 days, but only after the regulatory retention clock for that record has elapsed or the sponsor confirms the record is no longer required. Cryptographic erasure (KMS key destruction) used where physical deletion is impractical (immutable backups).

Sharing Policies

Data shared only with: the originating sponsor, the agent runtime (Anthropic, under BAA, tokens only), regulatory authorities upon valid request, and the hosting providers (Vercel, Supabase) strictly to operate the service. No marketing, no analytics ad-tech, no third-party trackers in any regulated route.