Ethics Committee Documentation

Comprehensive information about Trialinx's security, compliance, and data management practices

HIPAA | 21 CFR Part 11 | GDPR | FISMA

Version 1.0.0 | Last Updated: 4/23/2026

Executive Summary

Trialinx is a clinical research data collection platform built with security, compliance, and ethical data management at its core. The platform implements role-based access control with four distinct permission levels, industry-standard authentication with two-factor authentication support, and comprehensive audit logging that produces immutable records retained indefinitely for regulatory compliance. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+), with parameterized database queries preventing injection attacks. The platform is designed to align with HIPAA, 21 CFR Part 11, GDPR, and FISMA requirements, providing infrastructure for electronic signatures, data export and portability, and account deletion with audit trail retention. AI-assisted features include form generation and statistical analysis, with privacy controls designed to minimize exposure of Protected Health Information (PHI). This document details each of these measures for ethics committee evaluation.

Platform Overview

Trialinx is a comprehensive clinical research data collection platform designed to support researchers in conducting ethical, compliant, and secure clinical studies. The platform provides tools for study management, data collection, collaboration, and analysis while maintaining the highest standards of data security and regulatory compliance.

Purpose

Trialinx enables researchers to collect, manage, and analyze clinical research data in a secure, compliant environment that meets regulatory requirements including HIPAA, 21 CFR Part 11, GDPR, and FISMA.

Key Features

  • Multi-user study collaboration with role-based access control
  • Flexible form builder with versioned schemas
  • Validated data entry with real-time validation
  • Customizable dashboards with KPI cards, tables, and charts
  • AI-assisted form generation and statistical analysis
  • Real-time collaboration and updates
  • Comprehensive audit logging for all actions
  • Electronic signature infrastructure aligned with 21 CFR Part 11
  • Data export and portability features

Target Users

Trialinx is designed for clinical researchers, study coordinators, principal investigators, and research institutions conducting clinical trials and observational studies.

Security Infrastructure

Encryption at Rest

All data stored in our database is encrypted at rest using AES-256, provided by our database provider (Neon Postgres).

  • Database Encryption: All data stored in Neon Postgres databases is encrypted at rest using AES-256
  • Backup Encryption: Automated backups are encrypted using the same encryption standard
  • Key Management: Encryption keys are generated and held by Neon, not by Trialinx. This protects against loss or theft of the underlying storage media, but it means the provider is able to decrypt stored data, so Neon must be covered by the business associate arrangements described under HIPAA below

Encryption in Transit

All data transmitted between clients and servers is encrypted using TLS (Transport Layer Security):

  • HTTPS/TLS: All API endpoints and web interfaces use HTTPS with TLS 1.2 or higher
  • Database Connections: All application-to-database connections use TLS; the client should also verify the server certificate, since an encrypted but unauthenticated connection does not protect against an on-path attacker
  • Secure Protocols: Only TLS 1.2 or higher is negotiated; SSL, TLS 1.0/1.1, and weak cipher suites are rejected

Role-Based Access Control (RBAC)

Trialinx implements fine-grained role-based access control with four distinct roles:

  • Viewer: Read-only access, can only view dashboards
  • Collaborator: Can view and fill forms, view own records, edit own records, view collaborators, view study details, and view subjects
  • Manager: Full study permissions including editing any record, managing collaborators, editing/deleting studies, and all collaborator permissions
  • Owner: Full control over the study including all manager permissions plus study deletion and ownership transfer
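The following is an added example, not Trialinx's own code, showing how the four-role model above can be enforced as one deny-by-default decision function. Role and permission names are taken from the list; the inheritance between roles, the function and type names, and the choice to reserve study deletion for owners (the list above gives it to both managers and owners) are assumptions made for illustration.

```typescript
// Added example (not Trialinx's code): a deny-by-default permission check
// for the four roles described above. Role and permission names follow the
// page; everything else is an assumption made for illustration.

type Role = "viewer" | "collaborator" | "manager" | "owner";

type Action =
  | "view_dashboard" | "view_study" | "view_subjects" | "view_collaborators"
  | "fill_form" | "view_record" | "edit_record"
  | "manage_collaborators" | "edit_study" | "delete_study" | "transfer_ownership";

// Lowest to highest. Each role inherits the grants of the roles before it
// (assumption: the page states inheritance explicitly only for manager and owner).
const ROLE_ORDER: Role[] = ["viewer", "collaborator", "manager", "owner"];

// What each role adds on top of the roles below it. "view_record" and
// "edit_record" here mean *any* record; collaborators get them only for
// their own records (see OWN_RECORD_ACTIONS). The page lists study deletion
// under both manager and owner; this example reserves it for owners.
const ROLE_GRANTS: Record<Role, readonly Action[]> = {
  viewer: ["view_dashboard"],
  collaborator: ["view_study", "view_subjects", "view_collaborators", "fill_form"],
  manager: ["view_record", "edit_record", "manage_collaborators", "edit_study"],
  owner: ["delete_study", "transfer_ownership"],
};

// Actions a collaborator may take, but only on records they created.
const OWN_RECORD_ACTIONS: readonly Action[] = ["view_record", "edit_record"];

interface Membership { userId: string; studyId: string; role: Role }
interface RecordRef { studyId: string; createdBy: string }

function roleAllows(role: Role, action: Action): boolean {
  const rank = ROLE_ORDER.indexOf(role);
  return ROLE_ORDER.slice(0, rank + 1).some((r) => ROLE_GRANTS[r].includes(action));
}

// Single decision point, checked in order: no membership means no access; a
// record belonging to another study is never reachable through this
// membership; then the role's grants; then the collaborator own-record rule.
function can(m: Membership | null, action: Action, record?: RecordRef): boolean {
  if (!m) return false;
  if (record && record.studyId !== m.studyId) return false;
  if (roleAllows(m.role, action)) return true;
  if (m.role === "collaborator" && record && OWN_RECORD_ACTIONS.includes(action)) {
    return record.createdBy === m.userId;
  }
  return false;
}
```

Note that a collaborator asking to edit a record without naming which one is refused: record-scoped actions for that role are only decidable against a concrete record, which is the property that stops an "edit own records" permission from quietly becoming "edit any record".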

Authentication

Industry-standard authentication using Better Auth with server-side session management:

  • Password Requirements: Minimum 8 characters with uppercase, lowercase, number, and special character. (Current guidance in NIST SP 800-63B favours password length and screening against known-breached passwords over composition rules.)
  • Email Verification: All accounts require verified email addresses for enhanced security
  • Two-Factor Authentication (2FA): Optional two-factor authentication available for additional account security
  • OAuth Support: Sign in with Google or LinkedIn (optional)
  • Session Management: Sessions are held server-side, so they can be revoked centrally; a session expires after 24 hours of inactivity and is refreshed while actively used

SQL Injection Protection

All database queries use parameterized queries through Drizzle ORM, which prevents SQL injection attacks:

  • Parameterized Queries: All queries use parameterized statements, so user-supplied values travel separately from the SQL text and cannot change the structure of the statement the database parses
  • Input Validation: User input is validated against schemas before it reaches a query. This is defence in depth, not the primary control; parameterization is what prevents injection
  • ORM Protection: The ORM emits parameterized SQL for everything built through its query builder. What it cannot protect is raw SQL assembled by string concatenation (Drizzle's sql.raw escape hatch, for example), so raw SQL must never be built from user input
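The following added example (not Trialinx's or Drizzle's code) shows the difference between splicing input into SQL text and carrying it as a parameter. The `sql` tagged template is a minimal stand-in written for this page in the style that ORMs such as Drizzle expose; it builds a query object and never talks to a database. The table and column names and the subject-code format are assumptions.

```typescript
// Added example (not Trialinx's or Drizzle's code): parameterized versus
// concatenated SQL. The `sql` tag is a stand-in that only builds a query
// object; table, column and subject-code format are assumptions.

interface ParamQuery { text: string; values: unknown[] }

// Every interpolated value becomes a positional placeholder ($1, $2, ...)
// and is pushed to `values`; the value itself never enters the SQL text, so
// it cannot change the shape of the statement the database parses.
function sql(strings: TemplateStringsArray, ...values: unknown[]): ParamQuery {
  let text = "";
  const params: unknown[] = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      params.push(values[i]);
      text += "$" + params.length;
    }
  });
  return { text, values: params };
}

// Vulnerable: user input becomes part of the SQL the database parses.
function findSubjectUnsafe(studyId: string, subjectCode: string): string {
  return "SELECT * FROM subjects WHERE study_id = '" + studyId + "' AND code = '" + subjectCode + "'";
}

// Safe: same query, input travels out-of-band as parameters.
function findSubjectSafe(studyId: string, subjectCode: string): ParamQuery {
  return sql`SELECT * FROM subjects WHERE study_id = ${studyId} AND code = ${subjectCode}`;
}

// Validation sits in front of parameterization, not in place of it: reject
// anything not shaped like a subject code before it reaches a query.
const SUBJECT_CODE = /^[A-Z]{2,4}-\d{3,6}$/; // assumed code format
function isValidSubjectCode(code: string): boolean {
  return SUBJECT_CODE.test(code);
}
```

With the classic payload `' OR '1'='1`, the unsafe builder yields a statement whose WHERE clause is always true, while the safe builder yields `... code = $2` with the payload sitting inert in the parameter list; the allow-list validator rejects the payload before either path is reached.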

Compliance Standards

HIPAA (Health Insurance Portability and Accountability Act)

Trialinx implements technical safeguards aligned with the HIPAA Security Rule. There is no HIPAA certification scheme; each covered entity assesses compliance for its own use of the platform:

  • Access Controls: Role-based access control implemented with fine-grained permissions
  • Audit Logging: Comprehensive audit trails for all actions with immutable records
  • Data Encryption: Encryption at rest and in transit using industry-standard methods
  • Business Associate Agreements (BAAs): Trialinx stores and processes PHI on behalf of covered entities and is therefore a business associate; a BAA must be in place with each customer, and with each downstream provider that handles PHI (including the database provider, Neon)

21 CFR Part 11 (FDA Electronic Records and Signatures)

Trialinx provides electronic signature infrastructure aligned with 21 CFR Part 11 requirements:

  • Electronic Signatures: A signature schema and audit trail are in place so that each signature is recorded as a hash bound to the signed record and its signer
  • Signature Verification: Each signature record stores the signer's user ID, timestamp, IP address, user agent, and a signature hash. 21 CFR 11.50 additionally requires that signed records show the signer's printed name, the date and time of signing, and the meaning of the signature (for example review or approval), so reviewers should confirm these are captured
  • Immutable Records: Signed records cannot be modified after signing; 21 CFR 11.70 further requires that a signature stay linked to its record so it cannot be removed, copied, or transferred to another record
  • Audit Logging: Immutable audit logs for all system actions
  • Access Controls: User authentication and authorization
  • System Validation: System validation procedures should be documented (process outside of code)
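To make the binding between a signature and its record concrete, here is an added example, not Trialinx's signature code, of computing and verifying a signature hash over the fields listed above. It assumes a server-held HMAC key and a canonical (sorted-key) serialisation of the record; the type and function names are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not Trialinx's code): binding a signature record to the
// exact content that was signed, using the fields the page says a signature
// record stores. The server-held HMAC key, the canonical serialisation and
// the names are assumptions for illustration.

interface SignerContext { userId: string; ipAddress: string; userAgent: string }

interface SignatureRecord extends SignerContext {
  recordId: string;
  timestamp: string;     // ISO 8601, set by the server at signing time
  signatureHash: string; // hex HMAC-SHA256 over recordId + signer context + content
}

// Sort object keys recursively so that two equal records serialise
// identically regardless of the property order the database returns.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonical(obj[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(value);
}

function digest(key: Buffer, sig: Omit<SignatureRecord, "signatureHash">, content: unknown): string {
  const { recordId, userId, timestamp, ipAddress, userAgent } = sig;
  return createHmac("sha256", key)
    .update(canonical({ recordId, userId, timestamp, ipAddress, userAgent, content }))
    .digest("hex");
}

// Produces the signature record stored alongside the signed record.
function signRecord(key: Buffer, recordId: string, content: unknown, signer: SignerContext, now: Date = new Date()): SignatureRecord {
  const unsigned = { recordId, ...signer, timestamp: now.toISOString() };
  return { ...unsigned, signatureHash: digest(key, unsigned, content) };
}

// True only when the content presented is exactly what was signed, by the
// signer and at the time recorded in the signature record. Constant-time
// comparison avoids leaking how many leading bytes matched.
function verifySignature(key: Buffer, content: unknown, sig: SignatureRecord): boolean {
  const expected = Buffer.from(digest(key, sig, content), "hex");
  const stored = Buffer.from(sig.signatureHash, "hex");
  return expected.length === stored.length && timingSafeEqual(expected, stored);
}
```

Because the signer fields are part of the hashed material, altering who signed or when invalidates the signature just as editing the record content does, which is the linkage 21 CFR 11.70 asks for. An HMAC keyed by the server demonstrates record integrity and server attestation; a per-user asymmetric key would additionally let a signature be verified without trusting the server.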

GDPR (General Data Protection Regulation)

Trialinx provides the following capabilities in support of GDPR obligations. Under GDPR the research institution is normally the data controller and Trialinx a processor, so the institution remains responsible for the lawful basis, participant consent, and any data protection impact assessment:

  • Data Minimization: Only necessary data is collected and stored
  • Right to Access: Users can export their data in machine-readable format
  • Right to Erasure: Users can delete their accounts and data. Audit log entries that refer to the account are retained (see Data Retention Policies), and the controller must document the legal basis for that retention under Article 17(3)
  • Data Portability: Users can export their data in JSON format
  • Privacy Policy: Comprehensive privacy policy addressing data collection, usage, and user rights

FISMA (Federal Information Security Management Act)

Trialinx implements security controls aligned with FISMA requirements:

  • Risk Management: FISMA compliance is established by the federal agency or contractor through its own authorization process (NIST SP 800-53 controls and an authority to operate); the platform supplies technical controls that can be mapped into that process but is not itself FISMA-certified
  • Security Controls: Access controls, encryption, audit logging
  • Incident Response: Incident response procedures should be established (process outside of code)
  • Continuous Monitoring: Security monitoring should be ongoing (process outside of code)

Data Management

Database Architecture

Trialinx uses PostgreSQL as the primary database, hosted on Neon (a serverless Postgres platform):

  • Database Provider: Neon Postgres (serverless PostgreSQL)
  • ORM: Drizzle ORM for type-safe database queries
  • Data Types: Support for structured data, JSON, timestamps, and relationships
  • Scalability: Serverless architecture allows automatic scaling based on demand

Audit Logging

Every significant action in the system is logged with detailed information:

  • Action Types: Create, update, delete, publish, archive, invite, remove member, change role, sign, export, import
  • Entity Types: Studies, forms, subjects, records, dashboards, members, AI requests, subscriptions
  • Log Information: User ID, Study ID, entity type and ID, action performed, IP address, user agent, timestamp, old values (for updates), new values (for updates/creates)
  • Retention Period: Audit logs are retained indefinitely for compliance purposes (HIPAA, 21 CFR Part 11)
  • Immutable Records: Audit logs cannot be modified or deleted by users. Reviewers should confirm this is enforced at the database and not only in application code: the role the application connects as should hold INSERT and SELECT on the audit table but not UPDATE or DELETE
  • Access Control: Audit logs are accessible only to authorized personnel with appropriate permissions
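An added example, not Trialinx's implementation, of an append-only audit log whose entries carry the fields listed above and are chained by hash, so that an edited, re-ordered, or missing entry is detected when the chain is re-verified. The chaining, the in-memory store, and the names are assumptions that show how "immutable" can be made verifiable rather than merely asserted; the page states only that entries are immutable and retained.

```typescript
import { createHash } from "node:crypto";

// Added example (not Trialinx's code): an append-only, hash-chained audit
// log. Field names follow the page's description of a log entry; the
// chaining, the in-memory store and the names are assumptions.

type AuditAction = "create" | "update" | "delete" | "publish" | "archive" | "invite"
  | "remove_member" | "change_role" | "sign" | "export" | "import";
type EntityType = "study" | "form" | "subject" | "record" | "dashboard" | "member"
  | "ai_request" | "subscription";

interface AuditEntry {
  seq: number;            // 1-based position in the chain
  userId: string;
  studyId: string;
  entityType: EntityType;
  entityId: string;
  action: AuditAction;
  ipAddress: string;
  userAgent: string;
  timestamp: string;      // ISO 8601
  oldValues?: Record<string, unknown>;
  newValues?: Record<string, unknown>;
  prevHash: string;       // hash of the previous entry (GENESIS for the first)
  hash: string;           // SHA-256 over every field above
}

const GENESIS = "0".repeat(64);

// Fixed field order so the hash does not depend on object property order.
// A persistent store would also need a canonical (sorted-key) serialisation
// of oldValues/newValues, since jsonb does not preserve key order.
function entryHash(e: Omit<AuditEntry, "hash">): string {
  const material = [
    e.seq, e.userId, e.studyId, e.entityType, e.entityId, e.action, e.ipAddress,
    e.userAgent, e.timestamp, JSON.stringify(e.oldValues ?? null),
    JSON.stringify(e.newValues ?? null), e.prevHash,
  ].join("\n");
  return createHash("sha256").update(material).digest("hex");
}

type NewEntry = Omit<AuditEntry, "seq" | "prevHash" | "hash">;

class AuditLog {
  private readonly entries: AuditEntry[] = [];

  // The only write operation. There is deliberately no update or delete.
  append(input: NewEntry): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const unsigned = { ...input, seq: this.entries.length + 1, prevHash: prev ? prev.hash : GENESIS };
    const entry = Object.freeze({ ...unsigned, hash: entryHash(unsigned) });
    this.entries.push(entry);
    return entry;
  }

  list(): readonly AuditEntry[] { return this.entries; }
}

// Walks a chain as read back from storage. Returns 0 if every entry is
// intact and in order, otherwise the seq at which the first problem appears
// (an edited, re-ordered or missing entry).
function verifyChain(entries: readonly AuditEntry[]): number {
  let prevHash = GENESIS;
  for (let i = 0; i < entries.length; i++) {
    const { hash, ...rest } = entries[i];
    if (rest.seq !== i + 1 || rest.prevHash !== prevHash || entryHash(rest) !== hash) {
      return i + 1;
    }
    prevHash = hash;
  }
  return 0;
}
```

The chain makes tampering detectable, not impossible: someone with write access to the table could rewrite every later entry. Periodically anchoring the latest hash somewhere the application role cannot write (a separate account, a signed export, or an external timestamping service) turns detection into something an auditor can rely on.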

Data Backup and Recovery

Automated backup and recovery procedures ensure data availability:

  • Frequency: Automated backups are performed regularly by our database provider (Neon)
  • Retention: Backup retention policies are configured according to compliance requirements
  • Encryption: All backups are encrypted at rest
  • Recovery Testing: Backup restoration procedures are tested regularly to ensure data can be recovered
  • RTO/RPO: Recovery procedures are designed to meet Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) requirements

Data Retention Policies

Trialinx follows data minimization principles and provides data management capabilities:

  • Data Minimization: Only data necessary for the research purpose is collected and stored
  • Account Deletion: Users can request account deletion, which will delete their user account, studies they own, form records they created, dashboards they created, and remove their study memberships
  • Audit Log Retention: Audit log entries are retained after account deletion so that the trail stays complete; the deleted user's identifier remains in those entries and is not erased with the account
  • Data Export: Users can export all their personal data in JSON format

AI Integration & Privacy

AI Capabilities

Trialinx includes AI-assisted features to enhance research workflows:

  • Form Generation: AI generates multiple forms from study descriptions with validation
  • Statistical Analysis: Automated statistical analysis executed by a Python runner that generates analysis plans, tables, charts, and interpretations. Because the runner executes generated code, reviewers should confirm it runs isolated from the production database and network and sees only the de-identified data described below
  • Validation: AI responses are validated with Zod schemas with automatic repair attempts

PHI Handling and De-identification

Privacy and safety measures for AI processing:

  • Free-text PHI fields are excluded from AI prompts by default
  • Users can opt in to include PHI fields, and are warned before doing so
  • De-identification mechanisms are applied to minimize PHI exposure during analysis
  • All interpretations include limitations and caveats

User Consent and Opt-in Mechanisms

Users have full control over AI processing of their data:

  • Opt-in Required: Users must explicitly opt-in to include PHI fields in AI processing
  • Clear Warnings: Users are warned about PHI inclusion before processing
  • Transparency: All AI-generated content includes limitations and caveats
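The following added example (not Trialinx's code) assembles the data section of an analysis prompt under the rules described in the two sections above: PHI fields and free-text fields are dropped unless the user opted in, a warning is recorded when they are included, and subject identifiers are replaced by keyed pseudonyms so rows stay linkable without exposing the real identifier. The field schema, the pseudonym scheme, the constructed sample rows and the names are assumptions; the page does not state how Trialinx de-identifies data.

```typescript
import { createHmac } from "node:crypto";

// Added example (not Trialinx's code): building the data section of an AI
// analysis prompt so that PHI stays out unless the user opted in. The field
// schema, the keyed pseudonym and the names are assumptions.

interface FieldDef { name: string; kind: "number" | "choice" | "date" | "text"; phi?: boolean }
type Row = Record<string, unknown>;
interface PromptData { columns: string[]; rows: Row[]; excluded: string[]; warnings: string[] }

// Free-text fields count as PHI unless the schema explicitly says not, since
// names, dates of birth and addresses typically leak through free text.
function isPhi(f: FieldDef): boolean {
  return f.phi === true || (f.kind === "text" && f.phi !== false);
}

// Keyed pseudonym: stable within a study (same subject -> same token) but not
// reversible without the per-study secret.
function pseudonym(studySecret: Buffer, subjectId: string): string {
  return "S-" + createHmac("sha256", studySecret).update(subjectId).digest("hex").slice(0, 12);
}

function buildAnalysisData(fields: FieldDef[], rows: Row[], opts: { includePhi: boolean; studySecret: Buffer }): PromptData {
  const phiFields = fields.filter(isPhi);
  const kept = opts.includePhi ? fields : fields.filter((f) => !isPhi(f));
  const warnings: string[] = [];
  if (opts.includePhi && phiFields.length > 0) {
    warnings.push("PHI fields included by user opt-in: " + phiFields.map((f) => f.name).join(", "));
  }
  // Rows are assumed to carry the raw identifier under `subject_id`; it is
  // replaced by the pseudonym and never copied into the output.
  const outRows = rows.map((r) => {
    const out: Row = { subject: pseudonym(opts.studySecret, String(r["subject_id"])) };
    for (const f of kept) out[f.name] = r[f.name];
    return out;
  });
  return {
    columns: ["subject", ...kept.map((f) => f.name)],
    rows: outRows,
    excluded: opts.includePhi ? [] : phiFields.map((f) => f.name),
    warnings,
  };
}

// Renders the table that goes into the prompt. Only listed columns are
// emitted, so the raw subject_id cannot reach the model through this path.
function renderPrompt(data: PromptData): string {
  const lines = data.rows.map((r) => data.columns.map((c) => String(r[c] ?? "")).join("\t"));
  return ["Analyse the following de-identified study data.", data.columns.join("\t"), ...lines].join("\n");
}
```

The `excluded` and `warnings` lists are what the user interface would surface before processing, and what an audit entry for the AI request should record, so that an opt-in to include PHI is both warned about and traceable afterwards.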

Glossary of Terms
AES-256
Advanced Encryption Standard with 256-bit key length, a symmetric encryption algorithm widely adopted for securing data at rest.
BAA
Business Associate Agreement — a contract required under HIPAA between a covered entity and a business associate that handles PHI.
FISMA
Federal Information Security Management Act — U.S. federal law requiring agencies and contractors to implement information security programs.
GDPR
General Data Protection Regulation — European Union regulation governing the collection, processing, and storage of personal data.
HIPAA
Health Insurance Portability and Accountability Act — U.S. law establishing standards for protecting sensitive patient health information.
OAuth
Open Authorization — an open standard for access delegation, enabling users to sign in with third-party providers such as Google or LinkedIn.
ORM
Object-Relational Mapping — a programming layer that maps database tables to application objects, providing type safety and, because it parameterizes the queries it generates, protection against SQL injection for those queries.
PHI
Protected Health Information — individually identifiable health information that is subject to HIPAA privacy and security rules.
RBAC
Role-Based Access Control — a method of restricting system access based on the roles assigned to individual users within an organization.
RTO/RPO
Recovery Time Objective / Recovery Point Objective — metrics defining the maximum acceptable downtime and data loss after a disaster.
TLS
Transport Layer Security — a cryptographic protocol designed to provide communications security over a computer network.
2FA
Two-Factor Authentication — a security method requiring two distinct forms of identification to access an account.
21 CFR Part 11
Title 21, Code of Federal Regulations, Part 11 — FDA regulation establishing criteria for electronic records and electronic signatures.

This documentation is provided for ethics committee review purposes. For specific questions about security, compliance, or privacy, please contact your compliance team or system administrator. Contact information is available in the platform's privacy policy and terms of service.