1. Purpose
The purpose of this policy is to provide a description of Dacima’s privacy and security policy and procedures.
2. Scope
This policy is applicable to every employee of Dacima, including officers, and to members of the Dacima Board of Directors.
3. Definition
Personal Information Definition: Personal Information is (1) any non-public data that (2) identifies or may identify an individual, as set forth under the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, or any successor laws or regulations.
4. Privacy Policy
Dacima Software, Inc. is committed to protecting the privacy of both (A) individuals who visit our websites, and (B) individuals who use our platform or applications (including individuals about whom our platform or applications capture information) (Customer Data, discussed below). We have created this Privacy Policy to explain the Personal Information we collect, how we protect it, with whom we share it, and your choices regarding your Personal Information. If you have any questions regarding this Privacy Policy, please contact Dacima. If you have questions about our websites, please see our marketing department contact information below.
4.1 Individuals who visit our website
4.1.1 What information we collect and how we use that information
Contact Information – Some areas of our websites request or require contact and other information.
Internet Protocol (IP) Address – We may collect an IP address from visitors to our sites. We may use IP addresses to help diagnose problems with our server(s), to administer our websites, and to monitor activities on and interactions with our websites, user preferences, and other computer and connection information relating to your use of our sites. We may also use log files, cookies and similar technologies to collect information about the pages you view, links you click on, and other actions you may take when accessing our sites.
Use and Sharing of Visitor Personal Information – Dacima uses the Personal Information we collect from visitors to our website:
- to contact you in connection with your registration or your use of the site or our products or services;
- to contact you in response to your inquiries, comments and suggestions;
- to contact you otherwise when necessary;
- for the specific purpose for which it was volunteered;
- to ask for your participation in brief surveys;
- to complete any purchases or other transactions you may perform;
- to notify you about updates, promotions, special offers, etc., regarding products and services provided by us or our affiliates or partners;
- to be provided to our affiliates or third parties (e.g., data processors or other service providers) in connection with our legitimate business purposes;
- to generate aggregate statistical studies;
- as further described to you when we collect the information;
- as required by law or regulation, or as requested by government authorities;
- in connection with an acquisition, merger, sale or other transfer of all or substantially all of our business or portion thereof; and
- for our other business purposes.
Dacima does not share, sell, rent, or trade your Personal Information collected through our sites with third parties for their sole promotional purposes without your express consent. As set forth above, Dacima may share your personal information with third-party service providers contracted by us to provide services on our behalf; these providers may only use information we provide to them as instructed by us.
4.2 Access, choice and opt out
Website visitors may, at any time, “opt out” of receiving communications from us related to our products and services and/or request the removal of their contact information from our database by writing to us. However, Dacima cannot withdraw any previous disclosures made with your authorization, and we reserve the right to retain and disclose your information as permitted or required by law or regulation.
4.3 Individuals who use our applications (customer data)
As part of Dacima’s electronic data capture platform, applications and services, our customers’ employees and authorized users may enter Personal Information, including Personal Information from or about their authorized users, employees, and subjects (together, “Customer Data”), into our servers.
Dacima processes customer data as instructed by our customers, and has no direct control or ownership of the Personal Information it processes. Our customers are responsible for complying with regulations or laws regarding notice, disclosure and/or obtaining consent prior to transferring the data to Dacima for processing purposes.
Dacima will not share or distribute customer data except as provided in the contractual agreements between Dacima and our customers. These agreements may provide Dacima with the rights to process or use Personal Information for Dacima’s business purposes including providing or developing the Dacima platform and applications, preventing or addressing service issues, support or technical problems, responding to our customers’ instructions, or as may be required by law.
5. Security
5.1 Physical Security of servers
Data for the Internet version of Dacima Software’s data management platform are stored in a secure data facility. Various measures are in force to guarantee the security of stored data, including:
- Premises are located in a building whose access is protected and are under permanent surveillance (video surveillance cameras).
- Premises are themselves protected in an independent manner and under remote surveillance (cameras, motion detection).
- Local and remote alarms are in place for:
  - Temperature increase,
  - Smoke detection,
  - Power outages,
  - Break-ins.
Servers are located on the premises in an isolated room in locked cages with an independent protection system. This room’s temperature is closely monitored and air-conditioned with an independent system. There is a backup system in case of a system failure.
The servers are on a protected power supply with 72 hours of immediate backup battery power. In case of a power failure, a generator starts automatically and a remote alarm activates.
Technical support is continuously available to respond to alerts. The support team helps resume activities in case of an extended power supply failure and intervenes in case of a software failure. A diesel generator provides backup power.
Server management
The following server management processes are in place to protect the privacy of data stored on the secure servers:
- Dedicated Firewall
- Backup services
- Antivirus protection
- OS Patch Management
Network Security
Servers are also protected by restricted access. Only authorized users can access the servers. Database and web servers are separate.
Data Security
The HITECH Act requires private accessibility whenever you or your patients request it. As your managed data centre operator, Online Tech never accesses your sensitive data; we only provide a secure infrastructure and high availability hosting with HIPAA-audited facilities.
Trained Staff
Employees are trained to understand and follow standards and the importance of protecting sensitive information.
5.1.1 Digital Security
Confidentiality of data
DACIMA SOFTWARE uses multiple servers and firewalls to provide maximum security and confidentiality of clinical data. Redundant servers ensure that downtime due to the failure of any one server is minimized.
Integrity of data
DACIMA SOFTWARE guarantees that the clinical data captured will be kept and transmitted without transformation or alteration:
- Encryption of data transmitted between the investigators’ computer system and that of DACIMA SOFTWARE.
- Daily monitoring of transactions between users and the computer system.
- Monitoring of the system and corrections of software and hardware anomalies, where needed.
- Installation and updating of antivirus software on the servers to prevent viruses from altering the data.
User Authentication
Authentication of users of the clinical data management application is used to check a user’s identity and to guarantee the origin and integrity of data entered into DACIMA SOFTWARE computer systems.
Access to the CRF data entry application is only authorized through a username and password. The password is created by the user and must conform to the software’s complexity requirements.
NOTE: The Client is responsible for ensuring a username and password policy is in place and that users are aware that usernames and passwords should not be shared.
Data is transmitted over a secure encrypted SSL web connection.
Data Protection Officer
You can reach Dacima Software’s data protection officer at:
krupna LEGAL
Dr. Karsten Krupna
Am Sandtorkai 77
20457 Hamburg
Phone: +49 (0) 40 31976927
E-mail: dpo@evidentiq.com
Privacy Officer
You can reach Dacima Software’s privacy officer at:
Dr. John Podoba
100 Alexis-Nihon Blvd, Suite 925
Montréal, Quebec H4M 2P5
Canada
Phone: +1 (514) 656-9199
E-mail: privacy@dacimasoftware.com
Your rights
Within the framework of the legal requirements, you have a fundamental claim against Dacima Software for
- confirmation as to whether personal data concerning you is processed by Dacima Software,
- information about these data and the circumstances of processing,
- correction, if this data is incorrect,
- deletion, unless the processing is not justified and there is no (longer an) obligation to keep the data,
- restriction of processing in special cases determined by law,
- objection in case of data processing on the basis of Art. 6 para 1 sentence 1 lit. f GDPR and
- transmission of your personal data – if you have provided it – to you or a third party in a structured, common and machine-readable format.
Insofar as the processing of your personal data is based on your consent, you have the right to revoke this consent at any time, with the consequence that the processing of your personal data will become inadmissible for the future. However, this does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of revocation.
Please address your specific request in writing or by e-mail to our data protection officer (see the Data Protection Officer section), clearly identifying yourself, and including “Privacy Rights” in the subject line.
Insofar as we process your data in joint controllership with third parties within the meaning of Art. 26 GDPR (see section 8.2), the third party is centrally responsible for the exercise of all rights of the persons concerned. However, you are free to assert your rights against us as well.
Finally, we would like to draw your attention to your right of appeal to the supervisory authority.