Security

Enterprise-grade clinical data security

AES-256 encryption, TLS 1.2+, indefinite audit trail, 2FA, and continuous security reviews. Trialinx is designed to support HIPAA, 21 CFR Part 11, and GDPR — and we document it openly.

Encryption at rest

AES-256

Encryption in transit

TLS 1.2+

Audit trail

7 points · indefinite

Authentication

2FA + NIST-verified passwords

Access control

Granular RBAC per study

Database

Neon Postgres · ISO 27001 / SOC 2

Encryption at rest and in transit

All clinical data is stored with AES-256 encryption at rest, managed by our database provider (Neon Postgres). Automated backups inherit the same encryption and replicate across availability zones.

Client-server communication uses TLS 1.2 or higher with modern cipher suites and HSTS with a 1-year max-age. Unencrypted connections are not accepted.

  • AES-256 at rest (data + backups)
  • TLS 1.2+ with HSTS max-age=31536000
  • Automated certificate management
  • No clinical data in application logs

Authentication and access control

Authentication uses Better Auth with constant-time password compare, mandatory email verification, and optional TOTP-based 2FA. We support Google and LinkedIn login for lightweight SSO.

Access control is granular per study. Each study has 3 roles (viewer, collaborator, manager) with distinct permissions over forms, subjects, randomization, and exports. Sessions use SameSite=Lax cookies with rotation on privilege changes.

  • Better Auth with timing-safe compare
  • TOTP 2FA compatible with standard authenticators
  • SSO via Google and LinkedIn (SAML SSO on demand in Institutional)
  • Sessions with SameSite=Lax and token rotation

7-point audit trail

Every relevant action is logged with 7 datapoints: user ID, study ID, entity type, entity ID, action, IP, user agent, and timestamp. Old and new values are kept for editable changes.

We track 11 action types (login/logout, create, update, delete, randomize, export, invite, permission change, AI query, query resolution, and form publish) across 13 entity categories.

Logs are retained indefinitely to comply with 21 CFR Part 11 and HIPAA. Export to CSV or JSON is available anytime.

  • 7 datapoints per event
  • 11 action types · 13 entity categories
  • Indefinite retention
  • CSV / JSON export for audits
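As an added illustration (not Trialinx's own code), the following JavaScript builds an audit event carrying the fields listed above, attaches old/new values only for the fields an update actually changed, and exports a batch of events as JSON or CSV. The action names come from the page; the function names, the permission of freezing events, the CSV column order and the sample data are assumptions made for this example.

```javascript
// Added example, not Trialinx code. Builds append-only audit events with the
// datapoints the page names (user, study, entity type/id, action, IP, user agent,
// timestamp), records old/new values for updates, and exports to JSON or CSV.

// Action types from the page (login/logout split into two values here).
const ACTIONS = new Set([
  "login", "logout", "create", "update", "delete", "randomize", "export",
  "invite", "permission_change", "ai_query", "query_resolution", "form_publish",
]);

// Return only the fields whose value differs between two snapshots, each as
// { old, new }. An update that changed nothing yields an empty object rather
// than a full copy of the record.
function diffValues(before, after) {
  const changes = {};
  const keys = new Set([...Object.keys(before || {}), ...Object.keys(after || {})]);
  for (const k of keys) {
    const oldV = before ? before[k] : undefined;
    const newV = after ? after[k] : undefined;
    if (JSON.stringify(oldV) !== JSON.stringify(newV)) {
      changes[k] = { old: oldV === undefined ? null : oldV, new: newV === undefined ? null : newV };
    }
  }
  return changes;
}

// Assemble one event. Unknown actions are rejected so the log vocabulary stays
// closed; the event is frozen because audit records must never be edited in place.
function buildAuditEvent(input) {
  if (!ACTIONS.has(input.action)) throw new Error(`unknown action: ${input.action}`);
  const event = {
    userId: input.userId,
    studyId: input.studyId,
    entityType: input.entityType,
    entityId: input.entityId,
    action: input.action,
    ip: input.ip,
    userAgent: input.userAgent,
    timestamp: (input.timestamp || new Date()).toISOString(),
  };
  if (input.action === "update") event.changes = diffValues(input.before, input.after);
  return Object.freeze(event);
}

const CSV_COLUMNS = ["timestamp", "userId", "studyId", "entityType", "entityId",
                     "action", "ip", "userAgent", "changes"];

// RFC 4180 quoting: wrap fields containing a comma, quote or newline and double
// embedded quotes. Non-numeric fields starting with = + - @ get a leading
// apostrophe so a spreadsheet opening the export does not treat them as formulas.
function csvField(v) {
  let s = v === undefined || v === null ? "" : typeof v === "object" ? JSON.stringify(v) : String(v);
  if (/^[=+\-@]/.test(s) && Number.isNaN(Number(s))) s = "'" + s;
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function toCsv(events) {
  const lines = [CSV_COLUMNS.join(",")];
  for (const e of events) lines.push(CSV_COLUMNS.map((c) => csvField(e[c])).join(","));
  return lines.join("\n");
}

function toJson(events) {
  return JSON.stringify(events, null, 2);
}

// Constructed sample: a subject's status changes from screening to enrolled.
const sampleEvent = buildAuditEvent({
  userId: "u1", studyId: "s1", entityType: "subject", entityId: "p7", action: "update",
  ip: "203.0.113.5", userAgent: "Mozilla/5.0", timestamp: new Date("2024-01-02T03:04:05Z"),
  before: { status: "screening", age: 44 }, after: { status: "enrolled", age: 44 },
});
console.log(toCsv([sampleEvent]));
console.log(toJson([sampleEvent]));
```

The diff step is what makes "old and new values are kept for editable changes" cheap to store and easy to review: a reviewer sees only `status: screening -> enrolled`, not two full copies of the record.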

Cross-study data isolation

Each study is an isolated logical unit. Collaborators are added explicitly and only see the data of the study they belong to. There are no cross-study queries for end users.

Internally, all Postgres queries go through Drizzle ORM with parameters — 100% parameterized queries. SQL is never assembled via string concatenation.

  • Logical isolation per study
  • Drizzle ORM · 100% parameterized queries
  • SQL injection protection by design
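To show the two mechanisms this section describes, here is an added JavaScript example (not Trialinx's code, and not Drizzle ORM itself): a per-study authorizer for the three roles named above, and a small tagged template that turns a query with interpolated values into SQL text with `$n` placeholders plus a separate values array, which is the principle a parameterized ORM query follows. The permission matrix, the membership map, the `sql` helper and the sample query are assumptions constructed for this example.

```javascript
// Added example, not Trialinx or Drizzle code.
// 1) Per-study role check: roles from the page (viewer, collaborator, manager);
//    the permission strings granted to each are an assumption.
// 2) sql`...${value}`: a tagged template that emits placeholders so user input
//    travels as a parameter and never becomes part of the SQL text.

const ROLE_PERMISSIONS = {
  viewer:       new Set(["forms:read", "subjects:read"]),
  collaborator: new Set(["forms:read", "subjects:read", "subjects:write", "randomization:run"]),
  manager:      new Set(["forms:read", "forms:write", "subjects:read", "subjects:write",
                         "randomization:run", "exports:run"]),
};

// memberships: Map of "userId:studyId" -> role (constructed sample). A user with
// no membership in a study gets no access to it, whatever their roles elsewhere.
function makeAuthorizer(memberships) {
  return function can(userId, studyId, permission) {
    const role = memberships.get(`${userId}:${studyId}`);
    const perms = role ? ROLE_PERMISSIONS[role] : undefined;
    return !!perms && perms.has(permission);
  };
}

// Tagged template: the literal string pieces become the query text, each
// interpolated value becomes $1, $2, ... and is returned separately.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((v, i) => { text += `$${i + 1}` + strings[i + 1]; });
  return { text, values };
}

// Every data query is scoped by study_id, and the caller must hold a permission
// on that study first. Both the study id and the search term are parameters.
function subjectSearchQuery(can, userId, studyId, term) {
  if (!can(userId, studyId, "subjects:read")) throw new Error("forbidden");
  return sql`SELECT id, status FROM subjects WHERE study_id = ${studyId} AND code ILIKE ${"%" + term + "%"}`;
}

// Constructed sample memberships and a search whose term contains a quote.
const members = new Map([["u1:s1", "viewer"], ["u2:s1", "manager"], ["u1:s2", "manager"]]);
const can = makeAuthorizer(members);
console.log(subjectSearchQuery(can, "u1", "s1", "x' OR '1'='1"));
```

Run it and note that the returned `text` contains only `$1` and `$2`; the quote-bearing term sits in `values`, where the database driver binds it as data. That separation, not escaping, is what "SQL is never assembled via string concatenation" buys.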

Application security

The app enforces strict security headers: Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, restrictive Referrer-Policy and Permissions-Policy.

All endpoint inputs are validated with Zod 4, including null-byte sanitization and rejection of HTML in renderable text fields.

  • Strict CSP (no external eval, frame-ancestors 'none')
  • Zod validation + anti-injection sanitization
  • Rate limiting on sensitive endpoints
  • Mandatory email verification
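The following added JavaScript (not Trialinx's code) turns the header policy stated in this section and in "Encryption in transit" above into a check a practitioner can run against a captured response, and pairs it with a validator for renderable text fields that rejects null bytes and HTML, the two rules the Zod validation paragraph names. It is written without Zod so it runs stand-alone; the header names and the HSTS max-age of 31536000 come from the page, while the function names, the 2000-character limit and the sample headers are assumptions.

```javascript
// Added example, not Trialinx code. Checks a response's headers against the
// policy the page states and validates renderable text input.

const ONE_YEAR = 31536000; // HSTS max-age the page specifies

// Parse a CSP value into Map<directive, [sources]>.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns a list of violations; an empty list means the headers pass.
// Header name matching is case-insensitive, as HTTP requires.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];

  const hsts = h["strict-transport-security"] || "";
  const m = /max-age=(\d+)/i.exec(hsts);
  if (!m) problems.push("HSTS missing");
  else if (Number(m[1]) < ONE_YEAR) problems.push(`HSTS max-age ${m[1]} < ${ONE_YEAR}`);

  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY") problems.push("X-Frame-Options must be DENY");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") problems.push("X-Content-Type-Options must be nosniff");
  if (!h["referrer-policy"]) problems.push("Referrer-Policy missing");
  if (!h["permissions-policy"]) problems.push("Permissions-Policy missing");

  const csp = h["content-security-policy"];
  if (!csp) {
    problems.push("CSP missing");
  } else {
    const d = parseCsp(csp);
    const fa = d.get("frame-ancestors") || [];
    if (!(fa.length === 1 && fa[0] === "'none'")) problems.push("CSP frame-ancestors must be 'none'");
    // script-src falls back to default-src when absent, so check whichever applies.
    const scriptSrc = d.get("script-src") || d.get("default-src") || [];
    if (scriptSrc.some((s) => s.toLowerCase() === "'unsafe-eval'")) problems.push("CSP allows 'unsafe-eval'");
  }
  return problems;
}

// Renderable text: reject NUL bytes (which can truncate strings in lower layers)
// and anything a browser would parse as the start of a tag. "5 < 6" passes
// because no tag name follows the angle bracket; "<b>" does not.
function validateRenderableText(value, maxLen = 2000) {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  if (value.includes("\0")) return { ok: false, reason: "null byte" };
  if (value.length > maxLen) return { ok: false, reason: "too long" };
  if (/<\s*\/?\s*[a-z!?]/i.test(value)) return { ok: false, reason: "HTML not allowed" };
  return { ok: true, value: value.trim() };
}

// Constructed sample response headers that satisfy the stated policy.
const sampleHeaders = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
};
console.log(checkSecurityHeaders(sampleHeaders));           // []
console.log(validateRenderableText("Mild headache, 5 < 6")); // ok
```

Pointing `checkSecurityHeaders` at the headers of a real response (for instance from `fetch(url).then(r => Object.fromEntries(r.headers))`) gives a repeatable regression test for the posture described above; a deployment that quietly drops HSTS or relaxes frame-ancestors shows up as a named violation rather than passing silently.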

Infrastructure and disaster recovery

Infrastructure runs on Vercel serverless functions with a Neon-managed Postgres database (SOC 2 Type II, ISO 27001 certified).

Automated backups with point-in-time recovery up to 7 days. EU-only data residency is available to Institutional customers.

  • Hosting: Vercel (SOC 2 Type II)
  • Database: Neon Postgres (SOC 2 Type II, ISO 27001)
  • Point-in-time backups (7 days)
  • EU data residency in Institutional

Vulnerability management

Automated dependency reviews (Dependabot) with security patches applied on a weekly cycle. Annual external pentest on the public surface and authenticated endpoints.

Responsible disclosure process at security@trialinx.com. Rewards available for serious findings (program in development).

  • Continuous dependency scanning
  • Annual external pentest
  • Responsible disclosure at security@trialinx.com

Security FAQ

Is my data shared with third parties or used to train AI?

No. Clinical study data is never shared with third parties or used to train models. AI features that process clinical data use zero-retention, no-retraining models.

Where is the data physically stored?

By default on multi-region AWS infrastructure (Neon Postgres). Institutional customers can get EU-only data residency.

Do you have SOC 2 or ISO 27001 certifications?

Our underlying infrastructure (Vercel, Neon) is SOC 2 Type II and ISO 27001 certified. Trialinx is in the process of obtaining direct SOC 2 Type II — timelines are published in the ethics committee documentation.

How do you communicate security incidents?

We have a documented incident response process. Affected users receive email notification within 72 hours of any data-impacting incident (per GDPR Art. 33).

How do I delete all my data if I cancel my account?

You can request full deletion via /settings. Data is immediately marked as deleted and purged from live systems within 30 days. Longer-retained backups rotate naturally under policy.

Need documentation for your ethics committee?

We publish a documentation package covering our HIPAA, 21 CFR Part 11, GDPR, and FISMA posture. Perfect to attach to an IRB submission.

Read ethics committee docs