CRO Privacy Assurance Statement

At Cencora, we are committed to delivering Trial Master File (TMF) services that meet the highest standards of data protection, confidentiality, and compliance with applicable global privacy regulations. As your trusted Contract Research Organization (CRO) partner, we assure you that our TMF services are designed, implemented, and continuously reviewed to align with international and national data protection laws, regulations, and industry best practices.

1. Commitment to Global Privacy Law Compliance
Our TMF services are fully aligned with the requirements of the following major data protection regimes:

  • European Union General Data Protection Regulation (EU GDPR)
  • United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
  • United States federal and state privacy laws (including HIPAA, CCPA, and others where applicable)
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy statutes
  • Swiss Federal Act on Data Protection (FADP)
  • Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
  • Japan’s Act on the Protection of Personal Information (APPI) and related Cabinet Orders and Guidelines
  • Asia-Pacific Economic Cooperation (APEC) Privacy Framework and country-specific legislation across Asia
  • Other local regulations as applicable based on trial location and jurisdictional relevance

Where cross-border transfers of personal data occur, we rely on approved international data transfer mechanisms such as Standard Contractual Clauses (SCCs), adequacy decisions, and Data Transfer Impact Assessments (DTIAs), in accordance with the requirements of the originating jurisdiction.

2. Purpose Limitation and Lawful Processing
We collect, process, and retain personal data within TMFs strictly for specified, explicit, and legitimate purposes related to the conduct, oversight, and documentation of clinical trials. All processing activities are based on lawful grounds such as contractual necessity, legal obligations, or the legitimate interests of sponsors and CROs, and where required, explicit consent is obtained.

3. Data Minimization and Storage Limitation
We ensure that only personal data necessary for regulatory, quality, and operational purposes are included in the TMF. Data are retained no longer than necessary, in accordance with applicable regulatory retention periods (e.g., 25 years post-trial completion, or as otherwise required), and subsequently deleted or anonymized in a secure and documented manner.

4. Data Integrity and Security Measures
We employ robust administrative, technical, and organizational safeguards to protect TMF data from unauthorized access, alteration, loss, or disclosure. These measures include:

  • Role-based access controls and audit trails
  • Encryption at rest and in transit
  • Secure hosting environments compliant with ISO 27001, SOC 2 Type II, and/or GxP standards
  • Data loss prevention (DLP) and intrusion detection/prevention systems (IDS/IPS)
  • Regular vulnerability assessments and penetration testing

Additionally, our TMF systems are validated under GxP guidelines to ensure the authenticity, integrity, and traceability of electronic records and signatures.

5. Third-Party Risk Management
When subcontractors, technology vendors, or other third parties are engaged in the provision of TMF services, we ensure that appropriate contractual safeguards are in place. This includes Data Processing Agreements (DPAs), due diligence procedures, privacy impact assessments, and ongoing monitoring of their compliance with applicable privacy obligations.

Conclusion
We understand the critical importance of privacy and data protection in the context of clinical research. Our TMF CRO services are designed not only to meet regulatory documentation and archiving obligations but to uphold the privacy rights of all individuals whose data we manage. Our clients can be assured that we operate with the highest degree of integrity, transparency, and accountability in protecting sensitive clinical and personal data.