Data Processing Addendum

Last updated: 2026

Overview

This Data Processing Addendum (“DPA”) describes how TrialWave (“Processor”, “we”) processes personal data on behalf of your organization (“Controller”, “you”) in connection with the Service. It supplements our Terms of Service and Privacy Policy.

This is a general template provided for convenience and is not legal advice. Have it reviewed and adapted by qualified legal counsel, and put an executed agreement in place where your customers or regulators require one.

1. Roles

You act as the Controller of the personal data you submit to the Service, and we act as your Processor, processing that data only on your documented instructions (including as set out in the Terms and this DPA), except where required by law.

2. Scope and nature of processing

Subject matter: provision of clinical-trial business-development software. Duration: for the term of your account. Nature and purpose: hosting, storing, and processing Customer Data to provide the Service. Types of data: account details, organization and site information, sponsor/CRO contact details, and aggregate, de-identified patient-population counts. The Service is not intended to process individual patient PHI.

Categories of data subjects: your personnel and business contacts (e.g., sponsor and CRO representatives). You must not submit special-category personal data or individual patient records.

3. Confidentiality

We ensure that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.

4. Security

We implement appropriate technical and organizational measures, including encrypted transport, hashed credentials, role-based access control, tenant isolation, row-level database security, rate limiting, and audit logging, designed to protect Customer Data against unauthorized access, loss, or disclosure.

5. Subprocessors

You authorize us to engage subprocessors to provide the Service (for example, cloud database and hosting providers, and, when enabled, an email-delivery provider and a payment processor). We impose data-protection obligations on subprocessors substantially similar to those in this DPA and remain responsible for their performance. We will provide a means to learn of changes to our subprocessors.

6. Assistance and data subject rights

Taking into account the nature of the processing, we provide reasonable assistance to help you respond to data-subject requests and to meet your security, breach-notification, and impact-assessment obligations. Account owners can export and delete workspace data directly within the Service.

7. Personal data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting your Customer Data, and provide information reasonably available to help you meet your notification obligations.

8. Return and deletion

Upon termination or your request, we will delete or return Customer Data in accordance with our Privacy Policy, except where retention is required by law.

9. Audits

We make available information reasonably necessary to demonstrate compliance with this DPA and will cooperate with reasonable audit requests, subject to appropriate confidentiality and scheduling.

10. International transfers

Where Customer Data is transferred across borders, we use appropriate safeguards required by applicable law.

Contact

Questions about this DPA can be sent to the contact listed on our Contact page.