Data Protection Architecture

How we protect your data at every level

Storage Architecture

Encrypted Primary Database

Identifiable data stored in encrypted database with AES-256

Separate Health Data Container

Medical information stored in isolated encrypted container

Daily Encrypted Backups

Backups stored securely in Switzerland/EU data centers

HSM Key Management

Hardware Security Modules (HSM) manage encryption keys

AI Architecture

Our AI system is designed with privacy at its core:

  • AI receives pseudonymized data only - no direct identifiers
  • No identifiable information enters the AI pipeline
  • Human oversight in all match recommendations
  • Continuous bias monitoring and documented model lifecycle
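As an added illustration of the "pseudonymized data only" rule, the following Python snippet shows one way such a boundary can be implemented. It is example code written for this page, not the platform's own implementation; the field names, the 10-year age band rule and the demo key are assumptions. The pseudonym is an HMAC of the patient id, so the same patient always maps to the same token while the token cannot be reversed without the key (which in the architecture above would be held by the HSM-backed key store, not by the AI pipeline).

```python
import hmac
import hashlib
from datetime import date

# Fields treated as direct identifiers (assumed list for this example;
# the page names no specific schema).
DIRECT_IDENTIFIERS = {"patient_id", "name", "email", "phone", "address", "date_of_birth"}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Example Patient",
    "email": "patient@example.invalid",
    "phone": "+41 00 000 00 00",
    "address": "Example Street 1, 8000 Zurich",
    "date_of_birth": "1980-05-14",
    "diagnosis_code": "C50.9",
    "stage": "II",
    "prior_therapies": ["chemo"],
}


def age_band(dob_iso, reference):
    """Replace an exact birth date with a 10-year band (assumed coarsening rule)."""
    dob = date.fromisoformat(dob_iso)
    age = reference.year - dob.year - ((reference.month, reference.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymize(record, key, reference=date(2024, 1, 1)):
    """Split a record into the copy the AI pipeline may see and the
    re-identification entry that stays in the identifiable store.

    `key` is assumed to be released only by the HSM-protected key store;
    the AI side never receives it and therefore cannot reverse the token."""
    pseudonym = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()
    ai_copy = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    ai_copy["pseudonym"] = pseudonym
    if "date_of_birth" in record:
        # Keep what matching needs (approximate age) without the exact date.
        ai_copy["age_band"] = age_band(record["date_of_birth"], reference)
    lookup = {"pseudonym": pseudonym, "patient_id": record["patient_id"]}
    return ai_copy, lookup


def check_no_identifiers(record):
    """Gate at the pipeline boundary: refuse any record that still carries a direct identifier."""
    leaked = DIRECT_IDENTIFIERS & set(record)
    if leaked:
        raise ValueError(f"direct identifiers present: {sorted(leaked)}")
    return True


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"  # constructed; a real key stays in the HSM
    ai_copy, lookup = pseudonymize(SAMPLE_RECORD, demo_key)
    check_no_identifiers(ai_copy)
    print(ai_copy)
```

The `check_no_identifiers` gate is the part worth keeping even if the schema changes: it is the check that makes the "no identifiable information enters the AI pipeline" claim testable rather than a matter of convention.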

Access Control

Zero-Trust Model

Every access request is verified regardless of source

Mandatory MFA

Multi-factor authentication required for all users

Role-Based Access Control (RBAC)

Admin: System configuration, user management
Medical Reviewer: Match review, eligibility verification
AI System: Pseudonymized data only, no identifiers
Support: Limited access, audit logged

Logging & Monitoring

Full Access Logs

Every data access is logged and auditable

Consent Change Logs

All consent modifications are tracked

Export/Download Logs

Data export activities are monitored

Anomaly Alerts

Automatic alerts for suspicious activity
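To make "export logs are monitored" and "automatic alerts" concrete, here is an added Python example of detection logic run over a few constructed export-log lines. It is not the platform's own monitoring code; the log format, the 100-records-per-hour threshold and the 07:00-19:00 UTC business-hours window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export-log lines (format assumed for this example).
SAMPLE_EXPORT_LOG = """
2024-03-01T09:12:03Z user=support-17 role=support action=export records=20
2024-03-01T09:40:11Z user=support-17 role=support action=export records=30
2024-03-01T10:05:45Z user=support-17 role=support action=export records=60
2024-03-01T14:00:00Z user=reviewer-3 role=medical_reviewer action=export records=5
2024-03-02T02:30:09Z user=admin-1 role=admin action=export records=10
this line is not an export event and is ignored
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=export records=(?P<n>\d+)$"
)


def parse_export_line(line):
    """Parse one export event; return None for lines that are not export events."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "role": m["role"], "records": int(m["n"])}


def detect_export_anomalies(lines, max_records=100, window=timedelta(hours=1), business_hours=(7, 19)):
    """Return one alert per (user, rule) for:
    - 'volume': more than `max_records` exported within any sliding `window`
    - 'off_hours': an export outside `business_hours` (UTC, assumed policy)"""
    by_user = defaultdict(list)
    for event in filter(None, map(parse_export_line, lines)):
        by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])

        for e in events:
            if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
                alerts.append({"user": user, "rule": "off_hours", "at": e["ts"].isoformat()})
                break

        # Sliding window over the user's exports, oldest to newest.
        start, total = 0, 0
        for end, e in enumerate(events):
            total += e["records"]
            while events[end]["ts"] - events[start]["ts"] > window:
                total -= events[start]["records"]
                start += 1
            if total > max_records:
                alerts.append({"user": user, "rule": "volume", "records": total,
                               "at": e["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_export_anomalies(SAMPLE_EXPORT_LOG):
        print(alert)
```

On the constructed sample the support account trips the volume rule (110 records inside a 53-minute span) and the admin account trips the off-hours rule; the reviewer's small daytime export produces nothing, which is the behaviour a tuned rule set should have.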

Data Flow

1. Registration: Account created and stored in encrypted authentication database
2. Consent Collection: Explicit consent stored in Consent Ledger with timestamp and version
3. Medical Data Submission: Data stored in secure encrypted stores; pseudonymized copy created for AI
4. AI Matching: Pseudonymized data processed by AI model for eligibility scoring
5. Results Delivery: Personalized trial suggestions displayed securely in platform
6. Optional Data Sharing: Only after explicit patient approval; encrypted transfer to approved sites
7. Retention & Deletion: Data deleted or anonymized upon request according to policy
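Steps 2 and 6 above depend on a consent record that carries a timestamp and a version and that can be checked before any transfer happens. The Python below is an added example of such a ledger, written for this page and not taken from the platform: entries are append-only and hash-chained so that a later modification of an earlier decision is detectable, and the transfer gate consults the latest decision for the given purpose. Integer consent versions, the purpose names and the subject identifier are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value of the first entry


class ConsentLedger:
    """Append-only, hash-chained log of consent decisions (illustrative design)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, subject, purpose, version, granted, timestamp):
        """Append a consent decision (grant or withdrawal) for one purpose."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "subject": subject,
            "purpose": purpose,
            "version": version,          # version of the consent text the subject saw
            "granted": bool(granted),
            "timestamp": timestamp,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

    def current(self, subject, purpose):
        """Latest decision for (subject, purpose), or None if none was ever recorded."""
        for e in reversed(self.entries):
            if e["subject"] == subject and e["purpose"] == purpose:
                return e
        return None

    def may_share(self, subject, purpose, required_version):
        """Transfer gate for step 6: only an explicit, current grant of a
        sufficiently recent consent version allows sharing."""
        e = self.current(subject, purpose)
        return e is not None and e["granted"] and e["version"] >= required_version


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record("subject-1", "site_sharing", 2, True, "2024-03-01T10:00:00Z")
    print(ledger.may_share("subject-1", "site_sharing", 2))   # True
    ledger.record("subject-1", "site_sharing", 2, False, "2024-03-05T08:00:00Z")
    print(ledger.may_share("subject-1", "site_sharing", 2))   # False after withdrawal
    print(ledger.verify())                                    # True
```

Two design points matter here. The gate defaults to deny: no entry, a withdrawn grant, or a grant given against an older consent text than the transfer requires all evaluate to False. And the chain means the "all consent modifications are tracked" claim can be audited by recomputing hashes rather than by trusting the database row.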

Organizational Requirements

DPIA Completed

Data Protection Impact Assessment performed before launch

Annual Training

Privacy and cybersecurity training for all staff

Vendor DPAs

Data Processing Agreements with all vendors

Breach Response Plan

72-hour notification rule for GDPR compliance

Appointed DPO

Dedicated Data Protection Officer

Regular Audits

Annual security and compliance assessments

Questions About Data Protection?

Contact our Data Protection Officer for any inquiries about how we protect your data.

dpo@clintrialmatch.ai