Trialion processes personal data on behalf of its customers (the “controllers”) in the course of providing the Trialion eClinical platform. Our Data Processing Agreement (“DPA”) governs how we do so, including the GDPR Article 28 requirements, the European Commission’s Standard Contractual Clauses for international transfers, and the current subprocessor list.
1. Who needs to sign the DPA
Any customer that processes personal data of EEA, UK, Swiss, or California residents through the Service should have an executed DPA with Trialion. The DPA is incorporated into the master services agreement (or order form) between Trialion and the customer.
2. How to request a signed DPA
Existing customers and prospects in active procurement can request the current DPA template, request execution of an already-negotiated DPA, or submit redlines by emailing privacy@trialion.com. Include the customer entity name and the procurement contact so we can route the request to the right team.
3. HIPAA Business Associate Agreement
For customers processing protected health information (PHI) within the scope of HIPAA, we sign a Business Associate Agreement (“BAA”). Request a BAA by emailing the address above and identifying the relevant covered entity.
4. Data residency & international transfers
Customer personal data is hosted in India by default — AWS Mumbai (ap-south-1), with optional regional failover in AWS Hyderabad (ap-south-2). Processing complies with the Digital Personal Data Protection Act, 2023 and any forthcoming Rules thereunder.
Where the customer (controller) directs cross-border transfer of de-identified or submission-grade datasets — for example to a US sponsor for ANDA filing or to an EEA sponsor — the DPA incorporates the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and Swiss FDPIC guidance as applicable to the destination.
5. Current subprocessors
The following subprocessors process customer personal data on our behalf, under written agreements requiring equivalent data-protection commitments. Customers will be notified of material changes to this list in line with the DPA.
| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, compute — primary production environment | ap-south-1 (Mumbai) |
| Amazon Web Services (AWS) | Optional regional failover and disaster recovery | ap-south-2 (Hyderabad) |
| EmailJS | Email delivery for marketing-form submissions | United States |
6. Security measures
Our technical and organizational security measures are described in the DPA Annex (encryption in transit and at rest, role-based access control, vulnerability and penetration testing, incident response, logging and monitoring). Customers may request the current security summary at any time.
7. Data Protection Officer
Our Data Protection Officer can be reached at [Data Protection Officer name — to be appointed].
8. Contact
Email privacy@trialion.com for any DPA-related request — execution, redlines, BAA, subprocessor questions, or data-subject requests forwarded by a controller.
