CRIO’s Security and Compliance Statement: Effective as of September 2022
CRIO employs best practices to keep your data secure, private, redundant, and accessible. We enable you to stay compliant with regulatory requirements, including 21 CFR Part 11, Annex 11, HIPAA, and GDPR. In addition to documentation of our own practices, we provide helpful tools such as draft SOPs and validation exercises to help you achieve full compliance on your end.
Secure and Private
CRIO hosts its infrastructure within secure private networks on public cloud providers. Both physical and digital measures are in place to protect CRIO’s infrastructure. Data centers are SOC 2 and ISO 27001 certified and use biometric authentication. Firewalls, access control policies, and security monitoring systems are enabled on each machine to protect against malicious activity. All data is encrypted, both at rest and in transit. CRIO has undergone penetration tests by third parties to validate its security policies and measures.
Accessible Backups of your Data
Continuous backups are retained for the trailing week, and hourly off-site backups are retained for earlier periods, so that your data is always safe and can be restored in the event of an emergency. Standard operating procedures related to CRIO’s security and business continuity can be provided upon request.
Clients can host their data on a server located within their region, ensuring that data does not cross national or regional jurisdictions; this allows CRIO to comply with data residency laws that restrict data from being stored in other countries. CRIO currently has servers in the United States, Canada, Germany, and Australia.
General Data Protection Regulation (GDPR)
This regulation is directly applicable to each member state of the European Union and affects data controllers and processors inside and outside of the EU which collect data on EU data subjects.
CRIO assessed its technical and procedural safeguards to ensure compliance with the GDPR; they are outlined below.
For purposes of this regulation, the following definitions apply:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘third party’ means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Data Subject Rights
Only individuals located in the European Economic Area whose Personal Data CRIO processes (“Data Subjects”) have the following rights with regard to their Personal Data:
Right of access
Data Subjects may request details of their Personal Information that the organization holds. CRIO will confirm whether it is processing the individual’s Personal Information and will disclose supplementary information including the categories of Personal Information, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding Personal Information transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.
Right of correction
CRIO will comply with a Data Subject’s request to edit and update incorrect Personal Information promptly. In the event that correction is not possible or cannot occur in a timely manner, CRIO will document its reasons, specify the time frame in which correction will occur (to the extent knowable), and respond to the requestor with this information within 30 days from the receipt of request for correction.
Right to be forgotten
At a Data Subject’s request, CRIO will delete their Personal Information promptly if:
- It is no longer necessary to retain the Personal Information;
- The Data Subject withdraws the consent which formed the basis of the Personal Information processing;
- The Data Subject objects to the processing of their Personal Information and there are no overriding legitimate grounds for such processing;
- The Personal Information was processed illegally; or,
- The Personal Information must be deleted for CRIO to comply with its legal obligations.
CRIO will inform any third parties with whom it might have shared the Data Subject’s Personal Information of the deletion request.
CRIO may decline a Data Subject’s request for deletion if processing of their Personal Information is necessary:
- To comply with a legal obligation;
- In pursuit of a legal action;
- To detect and monitor fraud; or,
- For the performance of a task in the public interest.
Right to restrict processing of Personal Information
At a Data Subject’s request, CRIO will limit the processing of their Personal Information if:
- The Data Subject disputes the accuracy of their Personal Information;
- The Data Subject’s Personal Information was processed unlawfully and they request a limitation on processing, rather than the deletion of their Personal Information;
- CRIO no longer needs to process the Data Subject’s Personal Information, but the individual requires their Personal Information in connection with a legal claim; or,
- The Data Subject objects to the processing pending verification as to whether an overriding legitimate ground for such processing exists.
Right to notice related to correction, deletion, and limitation on processing
- In so far as it is practicable, CRIO will notify a Data Subject of any correction, deletion, and/or limitation on processing of their Personal Information.
Right to data portability
At a Data Subject’s request, CRIO will provide them a copy of their Personal Information in a structured, commonly used and machine-readable format, if:
(i) the Data Subject provided CRIO with the Personal Information;
(ii) the processing of the Data Subject’s Personal Information is based on consent or required for the performance of a contract; and,
(iii) the processing is carried out by automated means.
Right to object
Where CRIO processes a Data Subject’s Personal Information based upon the lawful basis of legitimate interest, then the individual has the right to object to this processing.
Right not to be subject to decisions based solely on automated processing
Data Subjects will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of their Personal Information, unless CRIO has received explicit consent or where the automatic processing is necessary for a contract with CRIO.
Right to withdraw consent
A Data Subject who has provided CRIO with consent to process their Personal Information has the right to withdraw any consent previously provided to CRIO at any time. If a Data Subject withdraws their consent, this will not affect the lawfulness of CRIO’s collecting, using and sharing of their Personal Information up to the point in time that consent was withdrawn. Even if a Data Subject withdraws their consent, CRIO may still use the information that has been anonymized and does not personally identify the Data Subject.
Right to complain to a supervisory authority
If a Data Subject is not satisfied with CRIO’s response, they have the right to complain to or seek advice from a supervisory authority and/or bring a claim against CRIO in any court of competent jurisdiction. Any person at CRIO who receives a request from a Data Subject seeking to exercise their rights under GDPR should contact the Privacy Office to assist in the review of and response to the Data Subject’s request. Requests will be responded to within 30 days of receipt. Under certain circumstances, CRIO may inform the requesting Data Subject that additional time is needed to fully comply with the request. Such notification shall occur within 30 days of receipt of the request.
Inquiries can be made by contacting email@example.com or the mailing address below:
Data Protection Officer
177 Huntington Ave., Suite 1703
Boston, MA 02115-3153
Our EU representative is Data Protection Representative Limited (trading as ‘DPR Group’), a company registered in the Republic of Ireland with registered number 616588, whose registered address is at 1-2 Marino Mart, Fairview, Dublin 3, Ireland.
We have agreed to be bound by the authority of JAMS in addressing and resolving any dispute relating to your privacy or this policy. This dispute resolution mechanism is available to you at no cost. To learn more about this service, go to: https://www.jamsadr.com/eu-us-privacy-shield
Data Protection Impact Assessment
To enhance compliance with the GDPR, CRIO carried out a data protection impact assessment to help determine the level of protection that is required.
The impact assessment includes the measures, safeguards and mechanisms that mitigate the risk to the data collected and ensures the protection of personal data.
Data Processor Subcontractors
Subcontractors of CRIO are subject to the same requirements under the GDPR and are also bound by any contracts with the controller.
CRIO’s mechanisms for transfer of data from EU to the U.S.
Depending on the study configuration, CRIO may transfer the data collected to study databases outside of the EU. In this case, CRIO will enter into the Standard Contractual Clauses, which are European Commission-approved contracts between data exporters within the EU and data importers in so-called “third countries,” to transfer personal data from within the EU to recipients in those third countries in accordance with GDPR.
How does CRIO maintain compliance with GDPR?
CRIO’s standard Data Processing Addendum incorporates the Standard Contractual Clauses (SCCs) for any transfers of personal data from within the EU to the U.S. that occur in connection with CRIO’s performance of its services. Thus, CRIO will ensure all new contracts (renewals and new customers) include the SCCs.
- For any existing customers, whose current agreements do not already include the DPA and SCCs, CRIO can agree to amend the agreement to incorporate both. By executing its DPA and the SCCs, CRIO becomes legally obligated to comply with the relevant requirements of GDPR that apply to CRIO’s performance of its services. To that end, CRIO maintains robust internal policies and procedures to ensure data security, integrity, and data privacy.
- All data collected by CRIO on behalf of its customers is collected in accordance with an approved clinical research protocol and a study-specific informed consent obtained from the patient.
- All data is encrypted (AES-256) in transit from collection devices to CRIO’s databases and is maintained in pseudonymized form within CRIO’s systems.
California Consumer Privacy Act (CCPA)
We are providing this supplemental privacy notice to California users pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). This Policy describes how CRIO (“We”, “Us” or “Our”) may use and disclose California residents’ (“Consumers”, “You” or “Your”) Personal Information.
Under the CCPA, personal information is any information that identifies or is capable of being associated with You or Your household (“Personal Information”).
Collecting Your Personal Information
We collect, and have collected, data from one or more of the following categories within the last twelve (12) months:
- Identifiers: real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Personal Information: name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Commercial Information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric Information: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
- Internet or other electronic network activity: browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation Data: IP address, device data.
- Audio, Visual, and similar information: voice and audio information.
How We Will Use Your Personal Information
We may use or disclose Your Personal Information for one or more of the following business purposes:
- To fulfill or meet the reason for which the Personal Information is provided.
- To provide You with information, products or services that You request from Us.
- To provide You with email alerts, event registrations and other notices concerning Our products or services, or events or news, that may be of interest to You.
- To carry out Our obligations and enforce Our rights arising from any contracts entered into between You and Us.
- To improve Our website(s) and present its contents to You.
- For testing, research, analysis and product development.
- As necessary or appropriate to protect the rights, property or safety of Us or others.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to You when collecting your Personal Information directly or as otherwise set forth in the CCPA.
We will not use the Personal Information We collect for materially different, unrelated, or incompatible purposes other than those listed above without providing You notice.
We may share Your Personal Information with affiliates, service providers and authorized agents for a business purpose. These third parties are restricted from using Your Personal Information in any way other than for a business purpose.
The CCPA grants California residents the following rights:
- You can request information about how CRIO has collected, used and shared your personal information during the past 12 months.
- You can request a copy of the personal information that CRIO maintains about you.
- You can ask to delete the personal information that CRIO maintains about you.
- You can opt out of the sale of your personal information.
Note that CRIO does not engage in any Sale of personal data in the context of our processing of Customer Data.
Please note that the CCPA limits these rights by, for example, prohibiting businesses from providing certain sensitive information in response to an access request and limiting the circumstances in which they must comply with a deletion request.
You are entitled to exercise the rights described above free from discrimination.
Here is how you can submit requests
To request access to or deletion of personal information, please contact firstname.lastname@example.org.
We can only respond to your request if it is verifiable. This means we are obligated to take reasonable steps to verify your identity and your right to access the information you request. We may ask you to provide additional information that will help us do so. We will only use that additional information in the verification process, and not for any other purpose.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.