Designed for Regulated Clinical Environments
Trialhelix is built with controls designed to support 21 CFR Part 11 electronic records requirements, ICH-GCP E6(R3) data governance obligations, and HIPAA Privacy and Security Rule principles where applicable to clinical trial data handling. Trialhelix does not claim certification against any of these frameworks — the platform is designed to make your compliance posture defensible, not to substitute for your organization's validation and legal review.
Security Controls Overview
These controls are designed into the platform architecture — they are not add-ons or configuration options that can be disabled by individual users.
Electronic Records & Signatures
Electronic signatures are implemented with controls aligned to 21 CFR Part 11 Subpart C — requiring unique user credentials, meaning attribution (the person's full name and date/time of signing), and a record that the signer cannot repudiate.
Audit Trail Integrity
The audit trail captures every create, modify, and delete action with user ID, timestamp, original value, new value, and reason for change. The audit trail is append-only — it cannot be modified or deleted by any user, including administrators.
Role-Based Access Control
Access to study data is controlled by role assignments per study. Roles (CDM, Data Entry, Site Monitor, Biostatistician, Sponsor Observer) carry defined permissions that map to GCP role responsibilities. There is no cross-study data access without an explicit role grant.
Data Encryption
Data at rest is encrypted using AES-256. Data in transit uses TLS 1.3. Keys are managed using a dedicated key management service — not stored with the encrypted data. Encryption applies to clinical data, PII, and system audit logs.
Infrastructure Isolation
Each CRO's study data is logically isolated at the database tenant level. Production runs on cloud infrastructure with a dedicated VPC per tenant. Database instances are not shared across customers.
Backup & Recovery
Automated daily backups with point-in-time recovery capability. Backup integrity is verified with automated restore tests. Recovery time objective (RTO) and recovery point objective (RPO) are documented in the system's Business Continuity Plan.
What the Audit Trail Captures
The 21 CFR Part 11 audit trail requirement means the system must record who did what, when, and why — for every data action during the study lifecycle. Trialhelix's audit trail is designed to satisfy this requirement without manual maintenance by study staff.
The audit trail is automatically generated for every user action: eCRF data entry, query creation and resolution, randomization events, SDTM mapping decisions, and database lock actions. No configuration is required to activate it.
- User identity and session attributes on every action
- Timestamp in UTC with millisecond precision
- Previous value and new value for every field change
- Reason for change (required for post-entry modifications)
- System-generated events (automated edit checks, IWRS assignments)
- Administrative actions (user access grants, role changes, study lock)
REASON: Site clarification call 2026-03-14
FORM: AE-006 / Visit 4 / Site 003
RESOLUTION: Data corrected per site response
E-SIGN: Priya Menon / CDM Lead
Data Access Architecture
Multi-Factor Authentication
All user accounts require MFA. TOTP-based authentication is required for CDM, biostatistician, and sponsor user roles. SSO integration via SAML 2.0 is available for CROs with existing identity providers.
Study-Level Isolation
Users assigned to Study A cannot access Study B data — even within the same CRO account. Access grants are study-specific, time-bounded, and require approval from the study's designated lead CDM.
Privileged Access Controls
Administrative access to production infrastructure is separated from application access. No Trialhelix employee can access customer study data through the application interface. Production database access requires a time-limited break-glass procedure with full audit logging.
Session Management
Sessions expire after configurable inactivity periods (default 30 minutes, adjustable per CRO SOP requirement). Concurrent session limits prevent shared credential use. All session events — login, logout, timeout — are audit-logged.
Controls Aligned to ALCOA+ Principles
The FDA's data integrity guidance references ALCOA+ as the framework for assessing clinical data quality. Trialhelix's data controls are designed with ALCOA+ principles as explicit requirements.
Request the Security Documentation Package
We provide a security overview document, data processing agreement template, and system architecture summary for CROs and sponsors evaluating Trialhelix for regulated clinical studies.