Data Protection Considerations
April 24, 2026
version 03
Flex Databases provides software solutions supporting clinical trial conduct across all stages. One of our key priorities is ensuring the confidentiality and integrity of customer data. We are committed to maintaining high standards of data protection and privacy.
Flex Databases implements robust security controls to protect customer data, ensure compliance with applicable regulations, and mitigate potential risks. This approach is essential for building trust and delivering a high level of service.
Our security framework is designed in alignment with recognized standards and regulations, including:
- 21 CFR Part 11
- HIPAA
- GDPR
Under GDPR, Flex Databases acts as a data processor, while our customers act as data controllers. The data controller determines what data is collected and how it is processed and stored. Flex Databases processes personal data strictly in accordance with the controller’s documented instructions and contractual agreements.
To support our customers in fulfilling their data protection obligations, Flex Databases provides the following technical and organizational controls:
- robust access control mechanisms;
- encryption of all data in transit using TLS/SSL protocols with strong cryptographic algorithms (e.g., SHA-2, AES);
- secure access to user interfaces via HTTPS.
The Flex Databases platform is a modular, web-based system provided under contractual agreements. It is typically delivered as a Software as a Service (SaaS) solution, where applications are hosted and made available to customers via the cloud.
Cloud-based delivery means that data storage and processing take place on servers hosted by Flex Databases in subcontracted data centers. These data centers are subject to formal vendor assessment in accordance with SOP-QA-011 “Purchasing and Vendor Assessment” prior to engagement.
Personal data processing is designed in compliance with applicable data protection regulations. Data Protection Impact Assessments (DPIAs) are performed where required. Data processing details are agreed with customers, and Data Processing Agreements (DPAs) are executed using either the Flex Databases template or a customer-provided template.
For European customers, data is stored within qualified data centers located in the European Union.
The implemented technical and organizational measures (TOMs) include, but are not limited to:
- Use of ISO 27001-certified data centers, verified through vendor assessment procedures;
- Multi-layered firewall protection with a default deny-all configuration;
- Strict network access controls, with only explicitly authorized ports and hosts permitted;
- Segregation of environments (TEST, QA, PROD) using separate VLANs and security groups;
- 24/7 monitoring of data center infrastructure;
- Physical security controls, including:
  - electronic access control systems with logging;
  - secured perimeter fencing;
- Continuous monitoring, including:
  - access logging;
  - video surveillance of entry and exit points.
A designated Data Protection Officer (DPO) provides GDPR training to staff and ongoing guidance on data protection matters.
For any data privacy-related inquiries, please contact: dl_privacy@flexdatabases.com