Security and compliance

Data security and compliance are the foundations of the system

FDA Compliant Clinical Trials

CRFweb is an FDA compliant clinical trial software application. It complies with FDA 21 CFR Part 11 regulations and is independently audited. It also meets GCP (Good Clinical Practice) standards and helps you comply with GDPR regulations. We have adopted the CDISC ODM (Operational Data Model) as our default coding standard for all aspects of a clinical trial; both transactional and snapshot data extracts are available for all datasets. Snapshot and transactional ODM files can be exported as XML or .xls files, or as a SAS Xport file. Our new CRFweb offline data collection app allows data to be collected safely offline and automatically synced when a secure connection is available.

Subject data is anonymised through the use of subject ID numbers. We are also able to match server locations to local markets to meet local compliance standards. For example, for EU studies, our servers are located within the EU to meet GDPR requirements.

Please note: the FDA does not issue any compliance certification for clinical trial applications. It is down to the sponsor to demonstrate that appropriate study guidelines have been followed. Naturally, that necessitates using an FDA compliant database. By this we mean a system built to accepted standards with compliance in mind, so if your study protocols and procedures are compliant, CRFweb will help ensure your study is compliant.

How to demonstrate your EDC application is FDA Compliant

How do you prove your EDC is FDA compliant? Best practice is to have an independent compliance specialist perform an audit. CRFweb was last independently audited in March 2019. Details are available on request.

CRFweb Security

We take security very seriously. The system was designed from the ground up with security and compliance in mind. We utilise the CDISC ODM (Operational Data Model) as our default coding standard. We comply with FDA 21 CFR Part 11 regulations and have been independently audited. We also meet the US Health Insurance Portability and Accountability Act (HIPAA), Cloud Security Alliance (CSA) and GCP (Good Clinical Practice) standards. To give confidential client data maximum security, we use the latest SSL 256-bit encryption technology.

We use servers based in Europe and the US for reliability. Data transmissions use HTTPS, and servers are managed according to security best practices and standards, including the following:
  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC 2
  • SOC 3
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3
