Security & Privacy

Security You Can Trust. Compliance You Can Count On.

We’re built for clinical research that demands the highest standards. From infrastructure to data handling, Datacapt ensures your studies stay protected, compliant, and audit-ready, every step of the way.

What Makes Datacapt Secure

Datacapt provides a modern, secure, and compliant environment for managing clinical trial data. From end-to-end encryption and resilient infrastructure, to strict access controls and regulatory certifications, every aspect of our platform is designed to protect your data and earn your trust. We combine the agility of a cloud-based eClinical solution with the robust security of enterprise-grade, certified cloud services, delivering clinical trial data security without compromise. With Datacapt, you can confidently digitize your clinical studies knowing that security, privacy, and compliance are not just features of the product, but fundamental values that drive our entire approach. Start your next trial with Datacapt and rest assured that your data is in safe hands.

Built for GCP & 21 CFR Part 11

Your data and processes align with all major regulatory standards, by design.

Security by Design

Security is not an add-on. It’s part of our architecture, every layer, every module.

Modern Hosting, Global Compliance

Data hosted in ISO 27001-certified, GDPR-compliant data centers.

Advanced Access Control

Granular permissions and role-based access ensure the right people see the right data.

Real-Time Audit Trails

Track every action, every change, every login—with full traceability at the field level.

Encryption in Transit and at Rest

All data is encrypted using TLS 1.3 and AES-256. Secure from capture to export.

100% Compliant

Full compliance with GCP, ICH E6(R2), 21 CFR Part 11, Annex 11, and GDPR.

Validated System

System validations are fully documented and available upon request.

Penetration Testing

Independent penetration testing and vulnerability scans performed regularly.

Real-Time backups

Continuous backup and disaster recovery processes with automated monitoring.

Separated Environments

Environments are separated by design (dev, test, prod) with strict access control.

Audit-Ready

Datacapt is built to meet inspection demands from sponsors, CROs, ethics committees, and regulatory authorities.

Compliance

Robust Infrastructure. Resilient Operations.

Datacapt is deployed on a cloud-native infrastructure using Kubernetes and containerization for maximum scalability and redundancy.

3,000+ Security Checks

Every feature undergoes automated and manual security reviews before it ever touches production.

99.9% Uptime

Stay aligned with global regulations with built-in, audit-ready controls.

Data Encryption at Rest & In Transit

All information in Datacapt is encrypted end-to-end. We enforce SSL/TLS encryption for all data in transit, ensuring that data transmitted to and from our platform is protected. Likewise, data at rest in our databases and storage is secured using strong encryption algorithms, so your records remain unreadable to unauthorized parties even if they were to gain access.

Encryption keys are managed following industry best practices, and firewalls and network security controls shield our systems from unauthorized access. These measures guarantee that your clinical trial data is protected both during transmission and while stored on our servers.

Access Governance & Role-Based Access Control

Datacapt guarantees unique, secure access to your trial environment for each user. We implement robust role-based access control (RBAC) to ensure each user only sees and does what their role permits. Role-Based Access Control is a security framework that restricts access to sensitive data based on job roles, ensuring only authorized personnel can access specific information, thereby reducing the risk of breaches.

By enforcing the principle of least privilege and unique user accounts, Datacapt prevents unauthorized data viewing or editing. We also maintain detailed audit logs of user activity, so every addition or modification of data is tracked and transparent. These access controls not only protect patient privacy but also simplify compliance audits (for example, RBAC supports HIPAA by assigning role-specific permissions and providing audit trails).

Secure Development Lifecycle (SDLC)

Security is woven into our product development process from day one. Datacapt follows a Secure Development Lifecycle (SDLC) approach, incorporating security best practices at every stage of software development. This means our engineering team conducts thorough risk assessments, code reviews, and threat modeling for new features. We follow industry standards (such as OWASP guidelines and relevant IEC/FDA software regulations) to preempt vulnerabilities.

Before each release, we perform rigorous testing, including automated vulnerability scans and penetration tests to validate that the application is secure. By adopting security by design, we ensure that data protection, privacy, and compliance requirements are built into the software from the ground up, not bolted on later. Our commitment to a secure SDLC means continuous improvement: we regularly update our tools and practices to address new threats and to stay aligned with evolving cybersecurity standards.

Continuous Security Testing & Audits

We don’t just say we’re secure – we verify it. Datacapt undergoes regular penetration testing and third-party security audits to challenge our defenses and validate the effectiveness of our controls. Independent security experts routinely test our platform for vulnerabilities, and we swiftly remediate any findings to exceed industry security benchmarks. In addition, our cloud hosting environments are audited to meet strict certifications like ISO/IEC 27001 (information security management) and SOC 2. Datacapt either holds or is pursuing relevant security certifications to give you extra peace of mind. We maintain an internal bug bounty or vulnerability disclosure program to encourage responsible reporting of any potential issues, ensuring that if a security gap is ever discovered, it can be addressed quickly before it impacts customers. Our audit and testing program is ongoing and reflective of our culture of continuous improvement in security.

High Availability, Redundancy & Disaster Recovery

We understand that clinical trials run 24/7 worldwide, so Datacapt is built for continuous availability. Our platform is deployed on a highly resilient cloud architecture with redundancy at multiple levels. We utilize a multi-availability zone setup: your data and application instances are replicated across at least three separate data centers, so even if one goes down, the system remains available. This resiliency design, combined with intelligent traffic routing, ensures a stable and responsive experience anywhere in the world. We guarantee at least 99.9% uptime for the Datacapt platform under normal operations.

In addition to high availability, we have a robust disaster recovery and backup strategy. Data backups are performed automatically up to 6 times per day, and backups are encrypted and stored off-site (including in a separate geographic region) for added safety. Our external backups in secure cloud storage ensure that even in a worst-case scenario, your trial data can be quickly restored. We regularly test our backup restore processes and disaster recovery plan to validate that we can meet aggressive recovery time objectives. With Datacapt, you benefit from a platform that is not only secure but also reliable and fault-tolerant, so you can access your trial data anytime, even in the face of unexpected incidents.

Data Residency & Privacy Compliance

Datacapt offers flexible data residency options to meet regulatory and organizational requirements. We host our platform on Amazon Web Services (AWS) as well as 3DS Outscale, a French sovereign cloud, to give you a choice of where your data is stored. AWS provides global reach and robust security with numerous certifications (including ISO 27001 and HDS for health data hosting), while Outscale provides hosting in France with the highest level of security and sovereignty credentials (certified HDS for health data and qualified SecNumCloud by ANSSI). By leveraging these cloud providers, Datacapt ensures that your data can reside in your region of choice, for example, EU customer data can stay in France on a SecNumCloud-qualified infrastructure for immunity against non-European laws, while other customers may choose AWS regions closer to their operations.

We comply with all applicable data protection laws and maintain strict data processing agreements (DPAs) with our clients. In line with GDPR, we follow the principles of privacy by design and by default. We minimize personal data collection to only what is necessary for the trial, and we implement strong technical and organizational measures to protect that data. Our documentation ensures we can demonstrate GDPR compliance and help our clients fulfill their own obligations.

Certifications & Compliance Standards

Datacapt is built to meet or exceed the most stringent security certifications and regulatory standards in the industry. Our platform and hosting infrastructure incorporate controls that align with the following certifications and frameworks.

ISO/IEC 27001 – Information Security Management
We leverage ISO 27001 certified infrastructure to ensure a systematic, audited approach to information security management. ISO/IEC 27001 is an internationally recognized standard for managing information security. By adhering to ISO 27001 controls, Datacapt maintains an Information Security Management System (ISMS) that covers risk assessment, access control, business continuity, and security governance. Our cloud hosting partners are independently certified for ISO 27001 compliance, and we in turn implement those best practices in our operations. This certification attests that we follow rigorous processes to protect your data’s confidentiality, integrity, and availability.

HDS – Health Data Hosting Certification (France)
HDS (Hébergement de Données de Santé) is a French certification required for hosting personal health data. Datacapt’s solutions are hosted by a French partner cloud that is certified on all 6 HDS levels. This means our hosting environment meets France’s strict requirements for healthcare data security and confidentiality. HDS certification involves robust measures for physical security, access control, backup and recovery, and regulatory oversight by French health authorities. By using an HDS-certified host, Datacapt guarantees that sensitive health and patient data from clinical trials can be lawfully and safely stored in France in compliance with the French Public Health Code. For international sponsors, HDS accreditation is a mark of the high level of security applied to protect participant data.

SecNumCloud – ANSSI Qualified Cloud
SecNumCloud is the highest cybersecurity qualification for cloud providers in France and Europe, issued by ANSSI (the French National Cybersecurity Agency). Our sovereign cloud provider, 3DS Outscale, holds the SecNumCloud 3.2 qualification. This means Datacapt can offer hosting on an infrastructure that meets extremely rigorous security and sovereignty requirements – including immunity to extraterritorial jurisdiction and compliance with EU cybersecurity standards. SecNumCloud qualification attests to a very high level of technical, operational, and legal security controls, providing maximum protection for sensitive data. By deploying on a SecNumCloud-qualified cloud, Datacapt ensures that even the most security-conscious and regulated organizations (e.g. government or healthcare institutions in the EU) can use our platform with confidence in the cloud’s defenses and sovereignty.

ICH Good Clinical Practice (GCP)
Datacapt is designed in accordance with ICH E6 Good Clinical Practice guidelines, the gold standard for clinical trial conduct. GCP compliance by design means our system supports data integrity, traceability, and reliable results. We provide the features needed to meet GCP’s computer system expectations: a complete and time-stamped audit trail of user actions, secure user access with defined roles, and verification steps for data changes and electronic signatures. We also maintain thorough validation documentation for the platform, so you can satisfy GCP (and regulatory inspectors) that Datacapt reliably captures and preserves trial data. By adhering to GCP, we help ensure your trial data is attributable, legible, contemporaneous, original, accurate (ALCOA), and that using Datacapt will not compromise the scientific integrity or regulatory acceptability of your study. In practice, this means sponsors and CROs can use Datacapt knowing it meets the same GCP requirements that apply to paper records and more. (Our team can provide compliance statements or assist with system validation audits as needed to support your GCP compliance.)

FDA 21 CFR Part 11 – Electronic Records & Signatures

Datacapt is fully compliant with FDA 21 CFR Part 11, the U.S. FDA regulation governing electronic records and electronic signatures. Part 11 compliance is critical for any electronic data capture system used in FDA-regulated clinical trials. In Datacapt, every user action on regulated data is recorded with a secure, computer-generated, time-stamped audit trail. This audit trail independently logs the date, time, user, and nature of each entry or change, providing a complete history of the data as required by Part 11. We also implement robust electronic signature functionality: authorized users can electronically sign records and case report forms in compliance with Part 11’s signature requirements, with unique user credentials and signature manifestations that include the user’s name, timestamp, and meaning of the signature (e.g. approval or verification). Security measures – such as password policies and access controls – ensure that electronic signatures are used only by their true owner. By using Datacapt, you get an EDC platform that the FDA can accept as part of a compliant system, eliminating concerns about data validity for submissions. Our Part 11 compliance, combined with adherence to ICH GCP, means Datacapt supports regulatory needs in both the U.S. and internationally.
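The audit-trail and role-based access controls described above (and in the Access Governance section) can be made concrete with a small model. The following is an added example written for this page, not Datacapt's code: an append-only trail whose entries carry a system-generated UTC timestamp, the user, the record, the nature of the change (old value, new value, reason) and, for signatures, a manifestation with the signer's printed name, timestamp and meaning. Edits and signatures are gated by a least-privilege role table. The role names, permissions and sample values are constructed, and the SHA-256 hash chain that makes later alteration of history detectable is an added tamper-evidence measure, not something the page states about the product.

```python
# Added example (not Datacapt's code): a minimal Part 11-style audit trail.
# Roles, permissions and sample data are constructed for illustration.
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Hypothetical least-privilege role model: each role gets only what it needs.
ROLE_PERMISSIONS = {
    "investigator": {"crf:edit", "crf:sign"},
    "data_manager": {"crf:edit"},
    "monitor": set(),  # read-only: may view, never edit or sign
}
GENESIS = "0" * 64


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str   # taken from the system clock, never from user input
    user_id: str
    record_id: str
    action: str      # "edit" or "sign"
    detail: dict     # old/new/reason, or the signature manifestation
    prev_hash: str   # chain link to the previous entry
    entry_hash: str  # SHA-256 over prev_hash + this entry's content


def _digest(prev_hash, seq, ts, user_id, record_id, action, detail):
    payload = json.dumps([seq, ts, user_id, record_id, action, detail], sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditTrail:
    """Append-only: there is deliberately no update or delete method."""

    def __init__(self):
        self._entries = []

    def append(self, user_id, record_id, action, detail):
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        seq = len(self._entries)
        ts = datetime.now(timezone.utc).isoformat()
        h = _digest(prev, seq, ts, user_id, record_id, action, detail)
        entry = AuditEntry(seq, ts, user_id, record_id, action, detail, prev, h)
        self._entries.append(entry)
        return entry

    def entries(self):
        return list(self._entries)

    def verify(self):
        """Recompute the chain; False if any entry was altered, dropped or reordered."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            expected = _digest(prev, e.seq, e.timestamp, e.user_id, e.record_id, e.action, e.detail)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


class CrfStore:
    """Case report form fields; every change passes through the audit trail."""

    def __init__(self, trail):
        self.trail = trail
        self.records = {}

    def _require(self, role, permission):
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionDenied(f"role {role!r} lacks {permission}")

    def edit_field(self, user_id, role, record_id, field_name, new_value, reason):
        self._require(role, "crf:edit")
        if not reason:
            raise ValueError("a reason for change is required")
        old_value = self.records.get(record_id, {}).get(field_name)
        self.records.setdefault(record_id, {})[field_name] = new_value
        detail = {"field": field_name, "old": old_value, "new": new_value, "reason": reason}
        return self.trail.append(user_id, record_id, "edit", detail)

    def sign(self, user_id, role, printed_name, record_id, meaning):
        """Signature manifestation: printed name, system timestamp, meaning."""
        self._require(role, "crf:sign")
        entry = self.trail.append(user_id, record_id, "sign",
                                  {"printed_name": printed_name, "meaning": meaning})
        return f"Signed by {printed_name} on {entry.timestamp} ({meaning})"


def demo():
    """Constructed walk-through returning the facts a reviewer would check."""
    trail = AuditTrail()
    store = CrfStore(trail)
    store.edit_field("u42", "investigator", "CRF-001", "sbp", 128, "initial entry")
    store.edit_field("u42", "investigator", "CRF-001", "sbp", 132, "transcription error")
    sig = store.sign("u42", "investigator", "Dr. A. Example", "CRF-001", "Approval")
    try:
        store.edit_field("u7", "monitor", "CRF-001", "sbp", 120, "must be refused")
        denied = False
    except PermissionDenied:
        denied = True
    actions = [e.action for e in trail.entries()]
    old_values = [e.detail["old"] for e in trail.entries() if e.action == "edit"]
    intact = trail.verify()
    # Simulate history being rewritten directly in storage, bypassing append().
    e1 = trail._entries[1]
    trail._entries[1] = AuditEntry(**{**asdict(e1), "detail": {**e1.detail, "old": 132}})
    return {"actions": actions, "old_values": old_values, "signature": sig,
            "monitor_denied": denied, "chain_intact_before": intact,
            "chain_intact_after_tamper": trail.verify()}
```

The point of the design is that the trail records the previous value alongside the new one, so a correction never obscures the original entry, and that the timestamp and signer identity come from the system rather than the caller. A real deployment would persist the chain and anchor its head outside the application's own write path, which is what turns tamper evidence into tamper resistance.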

GDPR (RGPD) – General Data Protection Regulation
Datacapt is committed to full GDPR compliance and to helping our customers meet their data protection obligations. The GDPR (EU General Data Protection Regulation) is a cornerstone of data privacy law, and we’ve built privacy principles into our platform. We only process personal data under strict instructions of our clients (acting as a GDPR-compliant data processor) and we have a dedicated team focused on data protection. We implement appropriate technical and organizational measures – such as encryption, pseudonymization, access control, and regular security training – to safeguard personal data. We also ensure transparency and control: audit trails and activity logs support accountability, and our system allows sponsors to fulfill rights requests (like data export or deletion) as needed. Datacapt will sign a Data Processing Agreement reflecting GDPR Article 28 requirements with any customer, detailing how we protect data and assist with audits or incident notifications. Moreover, by offering EU-based hosting options (including France), we facilitate compliance with GDPR’s data residency preferences. In essence, Datacapt is a GDPR-compliant eClinical software solution built to protect trial participants’ personal data and uphold their privacy rights at all times.

HIPAA – Health Insurance Portability and Accountability Act
For our clients conducting trials in the United States or handling protected health information (PHI), Datacapt supports HIPAA compliance. HIPAA’s Security Rule mandates safeguards for electronic PHI, and we have implemented those safeguards in our platform. This includes strong access controls (unique user IDs and role-based permissions), audit logs to track access and changes to health data, and transmission security (encryption for data in transit). All data entered into Datacapt that could be considered PHI is stored encrypted on secure, HIPAA-ready servers. We can also enable additional measures like session timeouts or two-factor authentication to meet specific organizational policies. Datacapt is prepared to sign Business Associate Agreements (BAAs) with our customers, formalizing our responsibility to protect PHI in compliance with HIPAA regulations. By using Datacapt as your EDC, you get a platform built to handle sensitive health data in accordance with U.S. HIPAA requirements, ensuring patient information from your trials is kept confidential and secure. This commitment, alongside our GDPR compliance, demonstrates that Datacapt takes data privacy seriously in all jurisdictions we operate in.

Start your next Trial with Datacapt!