Davesa Health, LLC, Privacy Policy
(Last updated: March 12, 2025)
1. Introduction
Davesa Health, LLC ("Company," "we," "us," or "our") is committed to protecting the privacy and security of personal and protected health information (PHI) stored and processed through our cloud-based clinical trial management software ("Software"). This Privacy Policy describes how we collect, use, disclose, and protect PHI and other personal data in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Food and Drug Administration (FDA) regulations under 21 CFR Part 11.
2. Scope
This Privacy Policy applies to all users, including clinical trial sponsors, clinical research organizations (CROs), investigators, healthcare providers, and research participants, including pediatric participants, who interact with our Software. It covers all PHI and electronic records managed within the Software.
3. Compliance with HIPAA
Our Software is designed to comply with HIPAA regulations, including:
· Implementing administrative, physical, and technical safeguards to protect PHI.
· Ensuring PHI is accessed only by authorized individuals with the minimum necessary privilege.
· Providing audit controls and activity logs to track access and modifications to PHI.
· Encrypting PHI in transit and at rest to prevent unauthorized access.
· Entering into Business Associate Agreements (BAAs) with covered entities and other business associates handling PHI.
4. Compliance with 21 CFR Part 11
Our Software meets FDA regulations under 21 CFR Part 11, including:
· Secure, role-based electronic signatures to ensure the integrity of records.
· Audit trails to capture and maintain a complete history of changes to electronic records.
· System validation to ensure reliable performance in managing clinical trial data.
· Controlled access mechanisms to prevent unauthorized data modification or deletion.
5. Collection of Personal and Health Information
We may collect the following categories of information:
· Directly from Users: Account details, login credentials, and professional information (e.g., name, email, role).
· From Clinical Trial Participants: PHI, including demographic data, medical history, treatment information, and clinical outcomes.
· Automatically Collected Data: IP addresses, device information, and usage analytics.
6. Use of Information
We use PHI and personal data to:
· Facilitate the management and administration of clinical trials.
· Provide support, maintenance, and security for the Software.
· Comply with legal, regulatory, and contractual obligations.
· Improve system functionality and user experience (without compromising privacy or PHI confidentiality).
7. Disclosure of Information
We do not sell or share PHI with third parties for marketing purposes. We may disclose PHI in the following circumstances:
· To authorized clinical trial personnel for trial-related activities.
· To regulatory authorities as required for compliance with clinical research regulations.
· To service providers under strict contractual obligations, ensuring compliance with HIPAA and 21 CFR Part 11.
8. Security Measures
We prioritize the security and integrity of our systems and customer data, including by employing industry-standard security measures, such as:
· Users are required to use multi-factor authentication to access our system(s).
· End-to-end communication encryption is leveraged to protect against data interception and unauthorized access.
· At-rest data encryption is used to securely store all sensitive and critical data. This is leveraged to safeguard sensitive information from breaches and unauthorized access.
· Periodic security risk and intrusion detection assessments are conducted to identify, log and mitigate potential threats or suspicious activities.
· Data replication and automated secure backups are leveraged to ensure data integrity, availability and loss prevention.
9. Pediatric Participant Data Protection
We implement enhanced safeguards for the PHI of pediatric participants, ensuring compliance with parental consent requirements and additional privacy protections under applicable laws.
10. Data Retention and Deletion
We retain PHI as required by law, regulatory obligations, and sponsor agreements. Upon request and subject to compliance requirements, PHI may be de-identified or securely deleted.
11. User Rights and Responsibilities
Users with the appropriate access privileges have the right to:
· Access their data and request corrections.
· Request an audit log of their PHI access history.
· Report security concerns or suspected unauthorized access.
Users are responsible for maintaining the confidentiality of their login credentials and complying with their organization's security policies.
12. Updates to This Policy
We may update this Privacy Policy periodically to reflect regulatory changes or improvements to our security practices. Users will be notified of significant changes.
13. Contact Information
For questions or concerns about this Privacy Policy, please contact:
Davesa Health, LLC
1730 Northeast Expressway NE, Atlanta, GA 30329
[email protected]