Legal

Data Processing Addendum

Clinical Trial OS, Inc. · Last updated 14 June 2026

This DPA forms part of the agreement between you (the controller) and Clinical Trial OS, Inc. (the processor) and reflects GDPR Article 28 requirements for the processing of customer personal data, including any protected health information processed under a separate HIPAA BAA.

Draft pending counsel review

This document is a good-faith draft published so the policy is accessible. It will be finalised by qualified counsel before general availability. Questions: [email protected].

01. Roles and scope

For personal data contained in protocols and tenant content, you are the controller and we are the processor. We process such data only on your documented instructions, which include this DPA and your use of the service.

02. Subject matter and duration

We process customer personal data for the purpose of providing the feasibility platform, for the duration of your subscription, plus any legally required audit-retention period.

03. Nature and purpose of processing

Ingestion, structuring, retrieval, scoring, and storage of submitted clinical-trial materials to generate cited feasibility verdicts and maintain a tamper-evident audit trail. We do not use customer personal data to train machine-learning models.

04. Categories of data and data subjects

Primarily trial-design and operational data, plus any personal data you choose to submit. Customers are instructed to de-identify protected health information; an inline PHI quarantine and DLP guard reduce the risk of inadvertent PHI entering the processing path.

05. Sub-processors

You authorise us to engage the sub-processors below. We will give notice of intended changes so you can object on reasonable grounds.

Amazon Web Services — cloud hosting and storage (US and/or EU region, per your deployment).
Microsoft Azure — cloud hosting for EU-region / dedicated deployments where elected.
Email delivery provider — transactional and notification email.

Inference runs on a self-hosted model fleet; protocols are not sent to any third-party model provider. The definitive, version-controlled sub-processor list is maintained by Clinical Trial OS, Inc. and available on request.

06. Security measures

Encryption in transit and at rest, per-tenant isolation with a runtime guard, least-privilege access, key management, signed/immutable images, and a hash-chained audit trail aligned to 21 CFR Part 11 and EMA Annex 11.

07. International transfers

Where processing involves transfers outside the EEA/UK, we rely on the EU Standard Contractual Clauses (and the UK Addendum) or another lawful transfer mechanism. EU customers may elect EU-region residency.

08. Assistance, breach notification, and audits

We assist you with data-subject requests and DPIAs, notify you without undue delay of a personal-data breach affecting your data, and make available information necessary to demonstrate compliance, including audit support consistent with the GAMP-5 evidence bundle and Part 11 controls.

09. Return and deletion

On termination, we make customer personal data available for export and then delete or anonymise it, except where retention is required by law.

10. Contact

Data-protection enquiries: [email protected]; security matters: [email protected].