
THREAD is a software-as-a-service (SaaS) technology company providing a globally regulated and validated clinical research platform. The Platform is currently used in more than 60 countries (including the United States), each of which imposes its own data integrity, security, and privacy requirements.
THREAD satisfies additional requirements of international regulations for security and data management, such as the General Data Protection Regulation (GDPR) within the United Kingdom and the European Union and the similar laws ("look-alikes") being added globally and by individual States in the United States. As our Platform supports a variety of randomized controlled clinical trials (Phase Ib – III), post-approval studies (Phase IIIb – IV), and registries, our focus on Computer System Validation regulations, security, data integrity, and privacy is a central and critical component of our technology. The Platform was developed with, and continues to use, a mature and stringent Software Development Life Cycle (SDLC) with multiple layers of segmentation to protect data integrity and security.
Regulatory Compliance and Quality Assurance
Audits
THREAD hosts audits from clients and third parties routinely and supports our clients during their own audits, whether those are conducted by regulatory agencies or by their own clients. We audit our own vendors to the rigor required for the service or tool provided. Additionally, we maintain an internal audit schedule to verify our internal controls and adherence to global regulatory requirements.
THREAD engages in continuous learning initiatives for quality assurance by providing ongoing training on global regulatory requirements and on industry-expected and agency-required policies, procedures, and work instructions, and by operating a Quality Management System maintained by employees with deep industry experience.
Certifications and Standard Controls
THREAD maintains industry standard certifications as determined by qualified third-party auditors; each is available on request in a controlled virtual reading room and during scheduled audits.
While not all controls have an associated certification, where one is available it is noted below. The following list describes the most common controls reviewed during audits, but it is not meant to be all-inclusive.
GAMP 5:
THREAD follows the industry standard Good Automated Manufacturing Practice guide (GAMP 5), under which the Platform is classified as a GAMP 5 Category 4 (Configured Product) system. While we use Agile development for our Platform, we also apply hybrid approaches that include waterfall methodologies where required for Computer System Validation (CSV).
CFR Part 11: (Certification Available)
The United States Food and Drug Administration (FDA) enforces Part 11 of Title 21 of the Code of Federal Regulations, "Electronic Records; Electronic Signatures" (21 CFR Part 11). Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirements set forth in Agency regulations.
Part 11 is comparable to Annex 11 of The Rules Governing Medicinal Products in the European Union, EudraLex, Volume 4, Good Manufacturing Practice, Annex 11: Computerised Systems. (Certification is not available for Annex 11 compliance.)
ICH GCP:
THREAD’s Quality Assurance and Risk Management processes are compliant with the appropriate International Conference on Harmonization Good Clinical Practice (ICH GCP) standards and guidance including ICH E6 (R2).
SOC 2, Type II: (Certification Available)
A SOC 2, Type II ("Type 2") Report is a Service Organization Control (SOC) audit and internal controls report that captures how a company safeguards customer data and how well those controls operate over time, with a specific focus on how a cloud-based service provider handles sensitive information. It covers both the suitability of a company's control design and the operating effectiveness of those controls.
HITRUST: (Certification Available)
The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a comprehensive and certifiable security framework used by healthcare organizations and their business associates to approach regulatory compliance and risk management efficiently. HITRUST unifies recognized standards and regulatory requirements from NIST, HIPAA/HITECH, ISO 27001, PCI DSS, the FTC, and COBIT, and an assessment can be completed according to SOC 2 criteria, making it the most widely adopted security framework in the U.S. healthcare industry. Certification requires a certified assessor and a licensed CPA firm to complete the process.
HITECH: (Certification Available)
The Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009. While it was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States, it has become the standard for the expanded privacy and security provisions of HIPAA, holding not only healthcare organizations responsible for disclosing breaches, but their business associates and service providers as well.
HIPAA: (Certification Available)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed. The privacy regulations governing individually identifiable health information apply to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of the United States Department of Health and Human Services (HHS) has adopted standards under HIPAA (the "covered entities").
Privacy
THREAD has a robust privacy program that meets all global requirements for every country in which we conduct business, applying Privacy by Design to protect our clients and participants.
The General Data Protection Regulation (GDPR)
THREAD is fully compliant with the General Data Protection Regulation (GDPR) and has appointed an outsourced Data Protection Officer (DPO) with global reach and representatives in the EU and UK to fulfill GDPR Article 27 obligations. With offices in the US, UK, NL and Ireland, the DPO firm maintains an active roster of local counsel in about 50 countries and acts as DPO wherever THREAD conducts business.
THREAD has also appointed a representative in the EU/UK, called an "Article 27" rep. This role is separate from a DPO, although the two are often confused. The Article 27 rep serves as an agent for data access requests from individuals and as a point of contact for EU/UK regulators. This is a mandatory requirement for all companies not established in the EU/UK. The Article 27 reps are located in Ireland and the UK and maintain local counsel and translation services in all 27 member countries.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.
The CCPA and GDPR requirements share some common principles, and THREAD defaults to the more conservative approach where available for studies that might have participants in both the US and the UK/EU.
Standard Contractual Clauses (SCCs)
We have adopted a Data Processing Addendum with Standard Contractual Clauses (SCCs) that is current with the 4 Jun 2021 European Commission Annex on SCCs. We have conducted a Data Protection Impact Assessment (DPIA) and will assist in any DPIA conducted by our customer in alignment with the SCCs.
Privacy Shield
Even though the United States Privacy Shield framework has been deprecated, THREAD has chosen to maintain its certification to demonstrate our commitment to those principles.
Privacy by Design
Privacy Policy
Learn more about privacy at THREAD.
Data Privacy Office (DPO)
Learn more about THREAD's Data Privacy Office.
Security
THREAD aggressively protects client data from threats using a variety of tools and procedures.
Security Information and Event Management (SIEM) tools
Our Security Information and Event Management (SIEM) includes the use of CrowdStrike, which raises endpoint monitoring alerts when specific actions trigger a detection, and behavioral alerts from Azure that are triggered by abnormal activity. These alerts notify the Security team of relevant events for investigation and response. Our Chief Information Security Officer, Regulatory Compliance, and Corporate IT departments have used the same tools for more than four years under rigorously maintained standard operating procedures (SOPs). Our SIEM practices have been extensively audited by third parties and directly by Clients as part of our ongoing security and compliance practices and controls.
Penetration Testing and Enterprise Vulnerability Management
THREAD uses Synack, a penetration testing and vulnerability management platform also used by the United States Department of Defense, along with several other tools.
Crowdsourced ethical hacking, combined with our internal Enterprise Vulnerability Management SOPs, defines our vulnerability assessment and management process for protecting Information Systems / Information Technology assets. This combination also helps protect the privacy of individual employees, clients, and other entities with which THREAD has contractual obligations.
THREAD complies with applicable laws and regulations regarding the protection of systems and data and demonstrates that compliance in both client and third-party audits. The timely and consistent application of security patches, or of mitigations for a reported vulnerability, is a critical component of protecting the THREAD Platform, systems, and data from damage or loss due to threats such as viruses or other types of external or internal attacks.
Data Center and Network Security
The THREAD Platform is not hosted on premises at any THREAD location.
The THREAD Platform is hosted in Amazon Web Services (AWS) data centers that have been certified as ISO 27001 and SOC 2 compliant. AWS is audited and certified by independent third parties and is a leader in cloud security, with security and architectural documentation available through AWS portals.
THREAD ensures the confidentiality and integrity of study data by following industry best practices and by adhering to global regulatory requirements through a robust and easily auditable Quality Management System. Our SOPs, Certifications, and all relevant documents are available to our Clients through a secure file share for easy access.

Network Security

Encryption

Availability & Continuity

Application Security
THREAD takes a variety of actions to develop securely and to test against security threats, ensuring the safety of our client data. THREAD employs third-party security experts to perform detailed penetration tests across our Platform.
Secure Development within the Software Development Life Cycle (SDLC)

Application Vulnerabilities

Product Security Features
Authentication Security
