Veristat (collectively referred to as “us” or “we” or “Veristat”) is committed to respecting the rights of individuals to the confidentiality and protection of their Personal Data and processes personal data according to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), and other applicable laws governing the processing of personal data (the “Data Protection Laws”).
This Privacy Policy (Policy) explains how Veristat may gather, store, process and control data gathered about individuals and companies. Data may be routinely collected from current or prospective clients, other business contacts, employees, consultants and other contractors (current, prospective and past), Investigator and other site staff, clinical trial participants and sponsors of clinical trials where Veristat provides contracted clinical trial services to clients, visitors to the website, or any other individual that Veristat has a relationship with or may need to contact.
Unless otherwise specified in the document, this policy applies to all Processing operations carried out by Veristat in the capacity of Data Privacy Controller and describes how Personal Data must be collected, handled and stored to meet Veristat Data Protection standards and to comply with international regulations governing Data Privacy. When Veristat processes Personal Data as Data Processor, it will also follow this policy to the extent applicable (for example, all the rules about legal basis for processing and consent will be implemented by the Sponsor on behalf of its service providers, such as Veristat). This policy applies to data collected and processed for any business purposes, including Talent & Culture (T&C); however, certain sections will apply only when the processing is performed in relation to Personal Data of Data Subjects that are resident or based in the European Union (EU), the United Kingdom (UK), or Switzerland.
Veristat and its U.S. operating subsidiary, Instat Clinical Research (collectively referred to as “Veristat”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Veristat has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Veristat has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Veristat collects and stores data from the following sources:
When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), the Personal Data may be collected and used only where one of the following legal grounds is present (i.e. legal basis):
The Data Privacy Controller has obtained the previous consent of the Data Subject, and such consent is:
Processing is otherwise necessary for:
When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK, or Swiss employees), before any Processing (e.g. collection, analysis, Processing, updating, modification or erasure) or, if the Personal Data are not provided by the Data Subject, within a reasonable period after obtaining the Personal Data, at the time of the first communication to that Data Subject or when the Personal Data are first disclosed, as the case may be, Veristat provides to the Data Subject the following information in the form of a privacy notice:
Veristat has also implemented a Website Privacy Policy and can provide its users with a copy in physical and digital formats upon request. The Website Privacy Policy is the customer-facing policy that provides the legal information on how Veristat handles, processes and discloses Personal Data of website visitors.
When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK and Veristat European, UK, or Swiss employees), where Processing is based on “consent”, Veristat ensures that:
When processing Personal Data of Data Subjects that are resident or based in the EU, the UK or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat maintains updated records of Consent to demonstrate that, where applicable, the Data Subject has consented to Processing of their Personal Data.
When processing Personal Data of Data Subjects that are resident or based in the EU, the UK, or Switzerland (for example, patients of clinical sites based in the EU, the UK or Switzerland and Veristat European, UK or Swiss employees), Veristat has also implemented the following consent control mechanisms:
Veristat may instruct Third Parties to perform certain Processing activities on its behalf.
When a Third Party has to be selected for such purpose, Veristat performs a preliminary privacy audit to assess if such Third Party has implemented adequate organizational and security measures, and records all Personal Data that have to be transferred outside the organization.
The Third Party is then authorized to receive and process that Personal Data by virtue of a data processing agreement whereby the Third Party is entrusted with the duties and responsibility of a Data Processor.
Before transferring Personal Data to a Third Party, Authorized Personnel must verify, with the assistance of the Data Manager of their department, that the selected Third Party is authorized to process the Personal Data to be transferred.
Veristat also recognises that the continued protection of the security of Personal Data and Data Subjects’ rights is a top priority when choosing or maintaining a contractual arrangement with a Third Party. Therefore, audits of Data Processors may also be performed regularly during the contractual relationship with them, with or without cause.
If the Third Party acts in the capacity of independent Data Privacy Controller (or also of joint Data Privacy Controller), specific clauses governing the data protection responsibilities of each party are included in the written contractual arrangement with such Third Party.
If the Third Party (in the capacity of Data Privacy Controller and Data Processor) is intended to receive from Veristat Special Categories of Personal Data, particular care will be taken in the selection of the Third Party and in the assessment of the organizational and security measures implemented by such Third Party.
Veristat’s accountability for personal information that it receives under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and subsequently transfers to a third party is described in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles. In particular, Veristat remains responsible and liable under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles if third party agents that it engages to process the personal information on its behalf do so in a manner inconsistent with EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles, unless Veristat proves that it is not responsible for the event giving rise to the damage.
Veristat takes appropriate technical and organizational measures, consistent with applicable laws and current industry standards, to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction or damage to Personal Data, in light of the risks involved in the Processing and the nature of the Personal Data.
The handling of health/medical information obtained in clinical research is governed by national and international data protection regulations, laws and rules regarding the development of medicinal products and medical confidentiality. Any medical information collected is maintained under these regulations.
Veristat has put in place security measures to protect manual and electronic processing of Personal Data and prevent its misuse, subject to local legal requirements.
Veristat also ensures adequate security is observed by third parties and affiliates processing Personal Data on behalf of Veristat, subject to local legal requirements.
Veristat has defined retention periods according to the applicable data protection laws, Good Clinical Practice (GCP) and Pharmaceutical laws and regulations. Veristat will retain personal data for as long as it is necessary to fulfil the purposes we collected it for, as well as to provide our products and services, resolve disputes, establish legal defences, pursue legitimate business purposes, conduct audits, enforce our agreements and comply with applicable laws and regulations.
If you wish to know what safeguards we use to transfer your Personal Data, please contact us using the contact information set out below.
Veristat Group of Companies
We may share your Personal Data with Veristat affiliates, which adhere to our privacy and data-security requirements. In addition, during negotiations of corporate transactions, including any merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including as part of any bankruptcy or similar proceedings), we may transfer your Personal Data to third parties involved in these transactions. Under these circumstances, such third parties will enter into a confidentiality agreement with us and are obligated to protect any information and Personal Data provided as part of the transaction.
Third Parties Service Providers
We share certain information with selected service providers, vendors, hosting companies, consultants, and other providers that carry out functions or services on our behalf and that enable our business operations, including the protection and securing of our systems and services. Such service providers must abide by our privacy and data-security requirements and are not allowed to use Personal Data they receive from us for any other purpose.
Client Sponsor of Clinical Research Studies
If you apply to participate in a clinical research study as an investigator or a clinical site, we may share your Personal Data with our client sponsors, whose clinical research studies are within your stated area of interest, as part of the contracted services that we provide to them.
Disclosure to Protect Veristat and to Comply with Legal Requirements
Occasionally we may be required by law enforcement or judicial authorities to provide Personal Data to governmental authorities. We may disclose Personal Data upon receipt of a court order, subpoena, or to cooperate with a law enforcement investigation. We fully cooperate with law enforcement agencies in identifying those who use our services for illegal activities. We reserve the right to report to law enforcement agencies any activities that we in good faith believe to be unlawful.
Veristat may be obliged to disclose certain Personal Data to third parties such as Government Authorities. It may also be necessary to disclose Personal Data so as to protect the legal interests and exercise other rights of Veristat, subject to local legal requirements.
A complete list of third parties with whom the Personal Data are shared can be obtained by contacting Veristat’s DPO at data_privacy@veristat.com.
GDPR grants various rights to the Data Subjects whose Personal Data are processed:
Subject Access Requests (SARs) can be made to the DPO via data_privacy@veristat.com.
Any complaints or concerns regarding the use, disclosure or transfer of Personal Data by Veristat should in the first instance be directed to the Veristat DPO at data_privacy@veristat.com.
Complaints that cannot be resolved internally by Veristat will be referred to the applicable independent dispute resolution body/Supervisory Authority designated to address complaints and provide appropriate recourse, which will be provided free of charge to the individual ((1) the panel established by the EU DPAs and, as applicable, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and/or (2) the Swiss Federal Data Protection and Information Commissioner (FDPIC), an alternative dispute resolution provider based in the European Union and, as applicable, the United Kingdom, and/or Switzerland for HR, or (3) the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States, for non-HR data disputes).
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veristat commits to refer unresolved complaints concerning our handling of non-HR personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Veristat commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. To learn more, please visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2. The Federal Trade Commission has jurisdiction over Veristat’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
If you wish to contact Veristat to ask questions, discuss privacy matters, exercise your rights (to the extent applicable) or report your concerns, please contact us at: data_privacy@veristat.com or by writing to:
Veristat LLC
134 Turnpike Road, Suite 200
Southborough, MA 01772
Veristat International Limited
27 Old Gloucester Street
London, United Kingdom, WC1N 3AX
Please provide sufficient detail for Veristat to properly assess and respond to your request. Veristat may be unable to respond to incomplete or vague requests. Veristat will require you to provide a proof of identity and a proof of address before proceeding with your request. If more information is required, such as the provision of one or more forms of valid government identification, we will contact you and request additional verification.
You may authorize a third-party representative to make a request on your behalf. Any third-party representative making a request on your behalf must indicate that they are acting as your representative and provide the name, email address and description of the relationship with you, and a certification that they have permission to submit a request on your behalf. Veristat may require proof of the delegation of authority to the third-party representative, including your written permission to the third-party representative, and/or a valid power of attorney. Veristat reserves the right not to respond to requests that fail to show a valid proof of identity, address and/or delegation of authority.
Veristat commits to resolve enquiries and complaints about its Processing of Personal Data in compliance with this Policy and applicable Data Protection Laws.
As detailed above, you may contact us by either sending an email to the Data Privacy Officer (“DPO”) at data_privacy@veristat.com or by writing to:
Veristat LLC
134 Turnpike Road, Suite 200
Southborough, MA 01772
Veristat International Limited
27 Old Gloucester Street
London, United Kingdom, WC1N 3AX
Effective: June 2025