Security
Security by design, not certification theater.
TrialVyx processes only de-identified FAERS/EudraVigilance data. PHI never enters our system.
Security Architecture
Four security pillars
We describe what we have built and designed, not compliance claims we haven't earned.
No PHI — de-identified at source
FDA FAERS, EudraVigilance, and VigiBase are de-identified adverse event databases: the organisations that operate them remove direct patient identifiers before releasing case data. TrialVyx ingests only these de-identified datasets. We do not handle, receive, or store patient-level identifiable information at any point in our data pipeline.
The only customer data we store: your compound portfolio list (the INNs you want us to monitor) and your user accounts. Both are access-controlled and encrypted.
Encryption in transit and at rest
All data in transit between your browser/API client and TrialVyx systems uses TLS 1.3. Data at rest — including signal data, audit logs, and customer configuration — is encrypted with AES-256. Encryption keys are managed through a hardware security module (HSM) with key rotation on a 90-day schedule.
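As an added illustration of the key-rotation point, and not TrialVyx's own code, the following Go program keeps versioned AES-256-GCM data keys in a small in-process keyring and walks one rotation cycle: a row written under key version 1 stays readable after version 2 becomes current, a rotation job re-encrypts it under version 2, and only then is version 1 retired. Everything beyond the page's "AES-256 with HSM-managed keys rotated on a schedule" is an assumption made for the example: the page does not state the AES mode, how a stored ciphertext records which key produced it, or what the HSM interface looks like, so the in-process keyring stands in for the HSM, and the row name and INN value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring holds versioned 256-bit data-encryption keys. In a deployment like
// the one the page describes these would be generated and held by the HSM;
// here they are random in-process so the example runs offline.
type Keyring struct {
	current int
	keys    map[int][]byte
}

// Record is a ciphertext as stored. It carries the key version that produced
// it, which is what lets a rotation leave existing rows readable.
type Record struct {
	KeyVersion int
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue rather than encrypt weakly
	}
	return b
}

// Rotate generates a fresh key and makes it current; older versions stay
// usable for decryption until Retire removes them.
func (k *Keyring) Rotate() {
	k.current++
	k.keys[k.current] = randomBytes(32)
}

// Retire drops a key version; rows not yet re-encrypted become unreadable.
func (k *Keyring) Retire(version int) { delete(k.keys, version) }

func (k *Keyring) aead(version int) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d is not available", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key. aad (here the row identity)
// is authenticated but not encrypted, so a ciphertext copied into another
// row fails to open there.
func (k *Keyring) Encrypt(plaintext, aad []byte) (Record, error) {
	g, err := k.aead(k.current)
	if err != nil {
		return Record{}, err
	}
	nonce := randomBytes(g.NonceSize())
	return Record{KeyVersion: k.current, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt uses the record's own key version, not the current one.
func (k *Keyring) Decrypt(r Record, aad []byte) ([]byte, error) {
	g, err := k.aead(r.KeyVersion)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, aad)
}

// Demo walks one rotation cycle over a constructed row and reports, in order:
// the v1 row still opens after rotating to v2; the row re-encrypted under v2
// opens; the un-migrated v1 row no longer opens once v1 is retired; and the
// v2 row does not open under another row's AAD.
func Demo() [4]bool {
	kr := &Keyring{keys: map[int][]byte{}}
	kr.Rotate() // version 1
	aad, plain := []byte("portfolio_compounds:row=42"), []byte("INN: semaglutide") // constructed
	opens := func(r Record, a []byte) bool {
		pt, err := kr.Decrypt(r, a)
		return err == nil && string(pt) == string(plain)
	}
	v1, _ := kr.Encrypt(plain, aad)
	kr.Rotate() // version 2 is now current; version 1 stays in the ring
	oldStillOpens := opens(v1, aad)
	pt, _ := kr.Decrypt(v1, aad) // rotation job: open under v1 ...
	v2, _ := kr.Encrypt(pt, aad) // ... and seal again under v2
	movedOpens := opens(v2, aad) && v2.KeyVersion == 2
	kr.Retire(1)
	return [4]bool{oldStillOpens, movedOpens, !opens(v1, aad), !opens(v2, []byte("portfolio_compounds:row=43"))}
}

func main() { fmt.Println(Demo()) }
```

Two details matter in practice. The stored record must carry its key version, otherwise a rotation forces a big-bang re-encryption of every row before the new key can be used. And binding the row identity into GCM's additional authenticated data means that someone with write access to the database cannot move a ciphertext between rows without decryption failing, which plain AES-256 in a non-authenticated mode would not catch.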
Role-based access control with MFA enforced
Access to TrialVyx is controlled by role — each user account has defined permissions for which compounds, which signal tiers, and which data export functions they can access. Multi-factor authentication is required for all user accounts. API access uses API key authentication with per-key rate limiting and scope constraints.
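The API-key side of this (per-key scopes plus per-key rate limiting) can be shown in a few dozen lines. The following Go program is an added example, not TrialVyx's gateway: it stores only the SHA-256 of each issued key, attaches a set of scopes and a token bucket to it, and answers each request with one of four decisions. The scope names (`signals:read`, `signals:export`), the key value and the 1 request/second, burst 3 limit are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"time"
)

// Decision is the outcome of authorizing one API request.
type Decision string

const (
	Allowed     Decision = "allowed"
	UnknownKey  Decision = "unknown_key"
	OutOfScope  Decision = "out_of_scope"
	RateLimited Decision = "rate_limited"
)

// keyRecord is everything the gateway stores for one API key: the SHA-256 of
// the secret (never the secret itself; an unsalted hash is fine for a
// high-entropy key, unlike a password), the scopes it was issued with, and
// the token bucket that enforces its rate limit.
type keyRecord struct {
	scopes   map[string]bool
	capacity float64 // burst size, in requests
	refill   float64 // sustained rate, in requests per second
	tokens   float64
	last     time.Time
}

// Gateway indexes key records by hex(SHA-256(secret)).
type Gateway struct{ keys map[string]*keyRecord }

func NewGateway() *Gateway { return &Gateway{keys: map[string]*keyRecord{}} }

func hashKey(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// Issue registers a key with its scopes and a per-key limit of perSecond
// sustained requests and a burst of up to burst requests.
func (g *Gateway) Issue(secret string, scopes []string, perSecond, burst float64, now time.Time) {
	rec := &keyRecord{scopes: map[string]bool{}, capacity: burst, refill: perSecond, tokens: burst, last: now}
	for _, s := range scopes {
		rec.scopes[s] = true
	}
	g.keys[hashKey(secret)] = rec
}

// Authorize checks the key, then the required scope, then the bucket, in that
// order: an unknown key or an out-of-scope call is rejected before it can
// spend any of the key's quota.
func (g *Gateway) Authorize(secret, requiredScope string, now time.Time) Decision {
	rec, ok := g.keys[hashKey(secret)]
	if !ok {
		return UnknownKey
	}
	if !rec.scopes[requiredScope] {
		return OutOfScope
	}
	elapsed := now.Sub(rec.last).Seconds()
	rec.tokens = math.Min(rec.capacity, rec.tokens+elapsed*rec.refill)
	rec.last = now
	if rec.tokens < 1 {
		return RateLimited
	}
	rec.tokens--
	return Allowed
}

// Demo issues one constructed key (read-only scope, 1 request/s, burst 3)
// and runs seven calls against it at controlled timestamps.
func Demo() []Decision {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	key := "tvx_example_secret" // constructed; real keys are random and high-entropy
	g := NewGateway()
	g.Issue(key, []string{"signals:read"}, 1, 3, t0)
	var out []Decision
	out = append(out, g.Authorize(key, "signals:read", t0))                    // allowed, 2 tokens left
	out = append(out, g.Authorize(key, "signals:export", t0))                  // out_of_scope, no token spent
	out = append(out, g.Authorize("not-a-real-key", "signals:read", t0))       // unknown_key
	out = append(out, g.Authorize(key, "signals:read", t0))                    // allowed, 1 left
	out = append(out, g.Authorize(key, "signals:read", t0))                    // allowed, 0 left
	out = append(out, g.Authorize(key, "signals:read", t0))                    // rate_limited
	out = append(out, g.Authorize(key, "signals:read", t0.Add(2*time.Second))) // allowed: 2 tokens refilled
	return out
}

func main() {
	for i, d := range Demo() {
		fmt.Printf("call %d: %s\n", i+1, d)
	}
}
```

The ordering in `Authorize` is the point worth checking in any real gateway: the bucket is keyed on the hashed key rather than the client address, so one tenant cannot exhaust another's quota from a shared egress IP, and scope is evaluated before the bucket, so a key limited to `signals:read` cannot be used to probe export endpoints at the cost of its own read quota.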
Immutable log of all signal access and actions
Every signal access, triage decision, suppression, and data export is logged with timestamp, user ID, action type, and signal identifier. The audit log is append-only — records cannot be modified or deleted. Exportable in FDA/EMA inspection-compatible format. Designed with SOC 2 Type II logging criteria in mind — certification process ongoing.
Regulatory Alignment
Designed to support regulatory submission requirements
We use "designed to support" language deliberately — we don't claim compliance we haven't formally established.
Electronic records and electronic signatures
TrialVyx's audit trail and signal documentation output are designed to support 21 CFR Part 11 requirements for electronic records in FDA-regulated contexts. Audit trail records include unique user identification, time-stamped entries, and audit trail protection against modification. Customers using TrialVyx signal data in FDA submissions are responsible for their own 21 CFR Part 11 validation documentation — we provide the data architecture that supports it.
Designed to support — not validated for customer use without their own qualification process
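The audit trail described under the security pillars (append-only, records cannot be modified or deleted) and again here for 21 CFR Part 11 (unique user identification, time-stamped entries, protection against modification) is only as strong as the ability to prove it was not altered. The following Go program is an added example, not TrialVyx's implementation: it chains entries with an HMAC-SHA256 so that each record commits to its predecessor, and a verifier walks the chain and reports the first entry that was edited, deleted or reordered. The MAC key, the user and signal identifiers and the three events are constructed for the example; that the MAC key would be held in the HSM rather than alongside the log is an assumption, not something the page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record: the fields the page lists, plus the two chain
// fields that make the log tamper-evident.
type Entry struct {
	Seq      int
	At       time.Time
	UserID   string
	Action   string // view, triage, suppress, export
	SignalID string
	PrevMAC  string // MAC of the preceding entry; "" for the first
	MAC      string // HMAC-SHA256 over this entry's fields and PrevMAC
}

// AuditLog is append-only by construction: it has no update or delete method.
type AuditLog struct {
	key     []byte // MAC key; assumed to live in the HSM, not in the log store
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) Entries() []Entry { return l.entries }

// canonical serializes the MAC'd fields with length prefixes so that no
// choice of field contents can shift a boundary (user "ab" + action "c"
// must not MAC the same as user "a" + action "bc").
func canonical(e Entry) string {
	var b strings.Builder
	for _, f := range []string{fmt.Sprint(e.Seq), e.At.UTC().Format(time.RFC3339Nano),
		e.UserID, e.Action, e.SignalID, e.PrevMAC} {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	return b.String()
}

func computeMAC(key []byte, e Entry) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(canonical(e)))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an action, linking it to the current head of the chain.
func (l *AuditLog) Append(at time.Time, userID, action, signalID string) Entry {
	e := Entry{Seq: len(l.entries), At: at, UserID: userID, Action: action, SignalID: signalID}
	if n := len(l.entries); n > 0 {
		e.PrevMAC = l.entries[n-1].MAC
	}
	e.MAC = computeMAC(l.key, e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes every MAC and link. It returns -1 if the stored chain is
// intact, otherwise the index of the first entry that was edited, is out of
// sequence, or no longer links to its predecessor (a deletion or reorder).
func Verify(key []byte, entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.PrevMAC != prev || !hmac.Equal([]byte(e.MAC), []byte(computeMAC(key, e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// Demo writes three constructed events, then shows that editing a record and
// deleting a record are both caught by Verify. Returns the three Verify results.
func Demo() (intact, edited, deleted int) {
	key := []byte("demo-only-mac-key") // constructed; a real key comes from the HSM, never source code
	al := NewAuditLog(key)
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	al.Append(t0, "u-1042", "view", "SIG-2024-0017")
	al.Append(t0.Add(time.Minute), "u-1042", "triage", "SIG-2024-0017")
	al.Append(t0.Add(2*time.Minute), "u-2077", "suppress", "SIG-2024-0017")
	intact = Verify(key, al.Entries())

	tampered := append([]Entry(nil), al.Entries()...)
	tampered[2].Action = "triage" // someone with database access rewrites the suppression as a routine triage
	edited = Verify(key, tampered)

	trimmed := []Entry{al.Entries()[0], al.Entries()[2]} // the triage record is removed
	deleted = Verify(key, trimmed)
	return intact, edited, deleted
}

func main() {
	fmt.Println(Demo()) // prints: -1 2 1
}
```

Two caveats an inspector or auditor will ask about. Without the MAC key, an attacker who can rewrite the store cannot recompute the chain, which is why the key must not live in the same database as the log; and a chain on its own does not detect truncation (dropping the newest entries), so the current head MAC should be periodically written somewhere the log writer cannot alter, such as a separate WORM store or a signed export handed to the customer.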
Signal management under EU pharmacovigilance guidelines
TrialVyx's signal output format and triage workflow align with EMA Good Pharmacovigilance Practices (GVP) Module IX (Signal Management). Signal briefs include the documentation elements recommended by GVP Module IX: the product (or product combination) and adverse event term, data sources, analysis methodology, and recommended action. Output is structured for direct use in your GVP-compliant signal management process.
Designed to support EMA GVP Module IX signal management requirements
GDPR and US data privacy alignment
Because the adverse event data TrialVyx processes is de-identified at source by the organisations that publish it, the data subject rights obligations of GDPR and US privacy law do not attach to that data. Customer account data (names, email addresses, company information) is personal data and is handled in accordance with our Privacy Policy and standard data protection practices. See our Privacy Policy for full details.
No personal data in signal processing pipeline
Security questions from your IT, QA, or regulatory compliance team?
We'll walk through our security architecture directly with your information security or regulatory compliance team — including our 21 CFR Part 11 and GVP Module IX alignment documentation. No standard pharma IT security questionnaire goes unanswered.