Security and Compliance

Trust and assurance

Our Security and Compliance strategy is a joint cooperation of our Information Security, Privacy, and Quality Management teams, which enables us to provide a secure, compliant and inspection-ready SaaS product ready to fulfill all needs of clinical trials execution.

This is combined with third-party attestations and certifications that assess and validate our internal processes and governance supporting our product development, delivery and support.

Audits

Regulatory authorities and customers may conduct audits to ensure Viedoc follows Standard Operating Procedures (SOPs) and meets regulatory expectations.

Read our audit procedures

Validation

Viedoc is a Software as a Service (SaaS) application that allows your organization to outsource its development and validation. Viedoc Technologies ensures the software works for your clinical trials.

Read how Viedoc is fit for use

Information Security

We have a risk-based Information Security Management System (ISMS) certified to ISO 27001:2022, covering all Annex A controls company-wide.

Read about information security

Regulatory Compliance

We monitor international regulations and guidelines relevant to computerised systems to ensure that Viedoc always meets regulatory requirements.

Read how Viedoc stays compliant

Data Privacy

We follow laws that protect personal information. We keep track of data protection rules in Japan, the EU, the US, and China to ensure compliance.

Read how Viedoc keeps data private

General Compliance and additional information

We uphold integrity and ethical standards through its Code of Conduct. Its Whistleblowing portal supports anonymous reporting, and the SLA defines our service standards.

Read all other compliance information

Audits

In compliance with current legislation, the regulatory authorities and you as a customer can audit us to ensure that we follow our Standard Operating Procedures (SOPs) and that Viedoc is compliant with regulatory expectations.

Auditors can review the Quality and Information Security Management System documents stored in our online electronic SOP system (called PT). These consist of Policies, SOPs, guidelines, organization charts, templates, statements of compliance for Viedoc, plans, IT infrastructure diagrams, IT reports and logs as well as other relevant documents. Auditors also have access to the Job Descriptions, CVs and Training Records for all employees.

To review evidence that Viedoc Technologies follows the procedures outlined in PT and study specific documentation kept by us, auditors need to conduct an online or onsite audit as such evidence is often only available on the Viedoc Technologies intranet.

Auditors do not have access to all evidence that Viedoc Technologies follows the procedures outlined in PT, as such evidence is often only available on the Viedoc Technologies intranet. Neither do auditors have access to study-specific documentation, as that is only available on the Viedoc Technologies intranet (except for documentation that has been shared with the customer).

In summary, a document review audit can be used to check SOPs and other QS documents but cannot be used to check that Viedoc Technologies follow the SOPs or to check study specific documentation.

Please note that auditors need to watch a short tutorial video before being granted with a PT account. Please contact the QA department at audit@viedoc.com for the password of this tutorial video, Quality System Training. The access duration of a PT account is 1-week long by default.
During an online or onsite audit, everything is available for the auditor to view. Auditors are assigned access to PT and can read all quality system documents mentioned in the section above. In addition, it is possible for QA staff to show auditors documents and information that are only available on the Viedoc Technologies intranet and answer questions.

The types of documents and information available include:

- The release binder for any version of Viedoc. The release binder contains a summary of the contents and validation performed on Viedoc before it is released.

- The development environment for Viedoc, which includes feature descriptions, requirements, software programs, test cases and test results, and demonstrate traceability.

- Study specific information stored on the Viedoc Technologies intranet.

The auditor can interview personnel. The auditor should give notice of requested interviews so that the QA department can ensure that the requested personnel are available during the audit.

For an onsite audit, currently, Viedoc Technologies have the following sites and departments operating:

- Uppsala, Sweden, Headquarters, all departments

- Tokyo, Japan, Subsidiary, Sales and Professional Services departments

- Shanghai, China, Subsidiary, Sales and Professional Services departments

- Raleigh, America, Subsidiary, Sales and Professional Services departments

- Hanoi, Vietnam, Subsidiary, Development department

In a case where the subsidiary is chosen to conduct an onsite audit, the QA department will join the onsite audit online from the headquarters.
If you would like to perform an audit of Viedoc Technologies, then you can book one with our QA department. The QA department coordinates all requests for audits and helps choose a date for your audit. You can contact the QA department at the following address to book an audit: audit@viedoc.com
Viedoc Technical Descriptions

The Viedoc Technical Description is the document for people who need to know more about how Viedoc is developed, and how it operates. It gives an overall summary of the following aspects of Viedoc development and operations:

- Requirements to the system (e.g. Audit trail, Backwards Compatibility, Encryption, MFA)

- System Architecture

- Data Flow

- Development Methodology

- Release Procedure

- Operational Architecture

- IT Security

- Backup and Restore Testing

See Viedoc Technical Description.
A starting point can be to purchase an independent audit report produced by a third party. The advantage with this approach is that these audits are normally much more detailed (and the audit has taken longer time) than a company specific audit would be. Another advantage is that they are normally significantly cheaper than performing your own audit.

Once you have evaluated the third-party audit and reviewed it against your requirements you can then decide whether you need to perform your own audit or not. Even if you decide you still need to perform your own audit it can be both shorter and more efficient, as you can concentrate on those areas that you feel the third-party audit report did not cover well enough to meet your requirements.

Contact Viedoc Technologies if you are interested in contacting an independent auditor with a view to purchasing a third-party audit report.

Viedoc Technical Descriptions

The Viedoc Technical Description is the document for people who need to know more about how Viedoc is developed, and how it operates. It gives an overall summary of the following aspects of Viedoc development and operations:

- Requirements to the system (e.g. Audit trail, Backwards Compatibility, Encryption, MFA)

- System Architecture

- Data Flow

- Development Methodology

- Release Procedure

- Operational Architecture

- IT Security

- Backup and Restore Testing

See Viedoc Technical Description.
A starting point can be to purchase an independent audit report produced by a third party. The advantage with this approach is that these audits are normally much more detailed (and the audit has taken longer time) than a company specific audit would be. Another advantage is that they are normally significantly cheaper than performing your own audit.

Once you have evaluated the third-party audit and reviewed it against your requirements you can then decide whether you need to perform your own audit or not. Even if you decide you still need to perform your own audit it can be both shorter and more efficient, as you can concentrate on those areas that you feel the third-party audit report did not cover well enough to meet your requirements.

Contact Viedoc Technologies if you are interested in contacting an independent auditor with a view to purchasing a third-party audit report.

Validation

Viedoc is provided as a Software as a Service (SaaS) application. One of the advantages of Viedoc is that you as an organisation are outsourcing the development of Viedoc. This includes the validation of all standard functionality in Viedoc. The Validation Summary describes how Viedoc Technologies validates Viedoc and ensures that Viedoc is fit for use in your trial.

Download our Validation Summary

A Validation Summary Report describing the validation activities and their results is included in the Viedoc Inspection Readiness Packet (VIRP) for each release of Viedoc. VIRP is developed by Viedoc Technologies to assist you in preparing for inspections and your Organization Admin can download VIRP from Viedoc. Please see:

Downloading VIRP

In addition to the Validation Summary Report, VIRP provides you with other information to fulfil the regulatory expectations and requirements. This information includes:

User Requirement Specification (URS) describing the epics and features and listing the user stories included in the release
Traceability Matrix detailing the testing performed for every requirement in the URS
Release Notes describing the additions to Viedoc in the release
Release Certificate
EDC Management Sheet for submissions to the PMDA
Clinical Trial Cloud System Checklist
Viedoc Impact Assessment documenting at a feature level the risks and potential consequences arising from the release of new and updated features in the releases

For details, please see:

How to prepare for a regulatory inspection

Information Security

An important part of everything we do is the security aspect. Viedoc Technologies have implemented a risk-based Information Security Management System (ISMS) that facilitates a structured and continuous approach to information security. Our ISMS covers all activities and sites company-wide and is certified according to ISO 27001:2022 with all Annex A controls included in our scope of applicability.

Download our certificates and our SoA

The information security and maturity of Viedoc's eClinical data management system and the suitability of the design of its controls relevant to security and confidentiality is validated by the SOC 2 Type 2 report issued by an authorized third-party auditor. Viedoc's SOC 2 report can be shared with interested parties upon request. Please contact the Viedoc QA department at audit@viedoc.com to submit a request.

Viedoc Technologies have implemented industry best practices IT Security processes and tools. We have registered a standard self-assessment describing these with the CSA Security, Trust and Assurance Registry (STAR), the industry’s most powerful program for security assurance in the cloud. You can download the self-assessment directly from them, or access it via:

CSA STAR self-assessment for Viedoc

ISO 27001 Certification

AICPA SOC

STAR CSA Level One

Regulatory Compliance

Viedoc Technologies monitor international regulations and guidelines relevant to computerised systems to ensure that Viedoc is always compliant with regulatory requirements.

The eClinical Forum has published a list of requirements for the use of electronic data in clinical research that is derived from international regulations and guidelines from around the world, including international regulations (such as ICH GCP), American regulations (such as 21 CFR Part 11), European regulations such as the Computerised Systems Guideline), Japanese regulations (such as ERES) and Chinese Regulations. We have taken that list and produced a regulatory suite of test cases that is executed during Performance Qualification (PQ) for every new version of Viedoc, which must be passed before Viedoc is released. In this way we have evidence that every release of Viedoc conforms with international regulations for the handling of electronic data in clinical trials. A more detailed description of this process and a full list of the regulations and guidelines covered can be read in:

Viedoc Regulatory Compliance

International regulations and guidelines also require Viedoc Technologies to have implemented a Quality Management System and associated SOPs for our work. You can download our Quality Policy, which explains how we have implemented a Quality Management System in accordance with the model put forward by the TransCelerate project for standard Quality Management Systems in Clinical Research. You can also download a list of our Quality System documents.

Quality Policy List of Quality System documents

Data Privacy

Viedoc Technologies strictly adheres to the laws designed to protect and secure the privacy and confidentiality of information about individuals.

We monitor personal data protection regulations around the world, including Japan, EU, US and China, to ensure that Viedoc and Viedoc Technologies are compliant with these regulations. An example is the white paper we have written explaining the EU General Data Protection Regulation (GDPR) and how it affects our customers.

Download our GDPR white paper

All our customers sign our Master Service Agreement that includes a Data Processing Agreement. The Data Processing Agreement describes how personal data is processed when using Viedoc. It also includes the Technical and Organizational Measures we have implemented in order to protect the personal data in Viedoc.

Technical and Organizational Measures

General Compliance and additional information

Code of Conduct

Viedoc Technologies is committed to conducting its business with honesty and integrity and expects all employees and consultants to represent the organization in the best way. We believe that a culture of respect, transparency and accountability is a good basis for optimal collaboration and business value.

We have implemented our Viedoc Code of Conduct to protect human rights, promote fair and safe employment conditions, responsible management of environmental issues and high ethical business standards.

Whistleblow Portal

We uphold integrity and ethical standards through our Code of Conduct. Our Whistleblowing portal is open to anyone who wants to raise a concern. And the SLA defines our service standards.

SLA and Viedoc servers' status monitor

Our Service Level Agreement (SLA) is the contract between Viedoc Technologies and yourselves defining the level of service that we guarantee when you use Viedoc. The SLA is an appendix to the Master Services Agreement (MSA) between Viedoc Technologies and yourselves.

Read our Service Level Agreement (SLA)

You can also monitor the Viedoc servers in real time on https://status.viedoc.com. You can subscribe to email updates from this page, so that you are notified if there are any issues with the service provided to your study.

ORG and LOC numbers

For studies submitted through European Medicine Agency (EMA) Clinical Trial Information System (CTIS), Viedoc Technologies AB is registered in the Organisation Management Service (OMS) and have obtained the following ORG and LOC numbers:

ORG-100044413
LOC-100073409

Viedoc is very user friendly interface, easy to understand and navigate through. Becasue of this the time taken to train for the EDC is minimal to become proficient. It offers customizable study workflow and tailoring it according to trial specification is easy. Good query management feature which maintains data accuracy.

Sanchita V.

December 05, 2024

Security and Compliance

Trust and assurance

Audits

Validation

Information Security

Regulatory Compliance

Data Privacy

General Compliance and additional information

Audits

Document review audit

Online and onsite audit

Book an audit

Recommended reading materials before the audit

Third-party audit reports

Recommended reading materials before the audit

Third-party audit reports

Validation

Information Security

Regulatory Compliance

Data Privacy

General Compliance and additional information

Code of Conduct

Whistleblow Portal

SLA and Viedoc servers' status monitor

ORG and LOC numbers

Contact us