Regulatory and External Client Audit Policies for Medidata Services

These regulatory and audit policies (“Regulatory Policies”) are applicable to Customers and Partners (“Clients”) that have been given access to those Medidata Application Services which are subject to regulatory health authority review pursuant to the terms and conditions contained within the applicable agreement (the “Agreement”) between Medidata Solutions, Inc. (“Medidata”) and each Client.  Unless otherwise noted, these Regulatory Policies are subject to the terms of the Agreement and capitalized terms contained herein shall have the meanings set forth in the Agreement.

QUALITY MANAGEMENT

Medidata’s products are designed and its services are conducted in accordance with Medidata’s Quality Management System (QMS), which specifies the parties’ roles and responsibilities and is designed to assist Clients in satisfying their compliance obligations under generally accepted standards of good clinical practice (GCP) and/or good post-marketing study practice (GPSP). Medidata’s QMS is captured through a set of controlled documents, maintained within Medidata’s regulatory compliant electronic Document Management System (eDMS). These Quality System Documents (QSDs) are developed and maintained in accordance with applicable national and international regulatory requirements and industry standards and best practices. The QSDs include Policies, Standard Operating Procedures, Work Instructions, Templates, Forms, and other documents.

As a vendor for software services related to clinical trials, Medidata takes a proactive approach in providing its customers with transparency and visibility into its robust QMS. To help manage numerous inquiries including extensive vendor assessments, prequalification reviews, and periodic audits, Medidata maintains a Third Party Assurance report that covers the following critical compliance areas:

  • Quality Management System
  • Information Security
  • Data Privacy
  • Software Development Life Cycle
  • Utilization of Electronic Records and Electronic Signatures

The Third Party Assurance report is available to Medidata’s customers through this link.

CLIENT AUDIT RIGHTS

Medidata’s control environment is subject to routine third party inspections and attestations (e.g., Service Organization Control ‘SOC’ 1 and 2, and International Standard on Assurance Engagement ‘ISAE’ 3402) (together, “Controlled Reports”). Following completion of implementation of any applicable Services, Medidata will make available to Clients the Controlled Reports that directly relate to the Services. To the extent that the scope of the Controlled Reports does not cover Services provided to Clients or any quality system requirements for Services provided under the client agreement, Client representatives may examine or audit the documentation and records regarding those Services. The audit duration is limited to two business days, and the parties shall agree to the scope of the audit in advance. The scope must be reasonable and suitable for the intended purpose of the audit, for example, it will exclude examination of Medidata’s internal controls that are the subject of the Controlled Reports. Unless otherwise agreed to in your customer agreement, the scope of any audit with respect to data protection, including the General Data Protection Regulation, is limited to Medidata’s provision of the Controlled Reports.

Audits are conducted during regular business hours and upon at least forty-five (45) days advance notice.  In each twelve (12) month period, Client shall be entitled to conduct one (1) such audit without charge by Medidata.  Any information of Medidata or its subcontractors obtained or observed during such examination or audit shall be deemed Medidata’s Confidential Information.

CDS SPECIFIC CLIENT AUDIT TERMS

Medidata’s Commercial Data Solutions (“CDS”) environment is subject to a Service Organization Control ‘SOC’ 2 Type II certification, inclusive of an addendum specific to HIPAA requirements (the “SOC 2 Report”). Medidata will make available to Clients the SOC 2 Report that directly relates to the applicable CDS Services. Quality system and other ICH/GCP requirements do not apply to CDS Services.

REGULATORY INSPECTIONS AND INQUIRIES

In the event either party is notified of an inspection or inquiry by a regulator that relates directly to the Client’s clinical trial for which Medidata is providing Application Services, the party so named is encouraged to promptly notify the other party of any such regulatory inspection or inquiry.  This notification can be made by either party via email or mail service.  When notifying Medidata, this information shall be sent to the attention of the head of Medidata’s Global Compliance and Strategy function at regulatory@mdsol.com.  Medidata agrees that during any such regulatory inspection or inquiry of the Client and its contracted sites that relate to the Application Services provided to Client, Medidata shall make available to the regulatory authority via the Client all records lawfully required.

Furthermore, Medidata has a written agreement with its infrastructure-as-a-service (IaaS) third-party hosting provider that documents the provider’s commitment to support regulatory investigations (e.g., inspections) of Medidata, as well as regulatory investigations of Medidata Clients using our Application Services, including provision of relevant documents, information and records to Medidata.  In the event Medidata requires further input to satisfy a regulatory investigation, the provider will use commercially reasonable efforts (taking into account potential risks to their systems, services, or intellectual property) to assist Medidata in responding to the regulatory authority’s questions.

REGULATORY COMPLIANCE

Medidata has analyzed the applicability of globally recognized regulation and guidance applicable to a technology provider serving the clinical trial industry.  The analysis is available to Medidata’s customers through the enclosed link.

DEBARRED PERSONS

Medidata is not using and will not knowingly use the services of any person debarred under any country-specific debarment lists (in particular 21 U.S.C. § 335a of the FDA regulations) in any capacity in connection with the performance of Medidata Services.  In addition, Medidata is not using and will not knowingly use the services of any person or affiliate person/firm for whom convictions subject to debarment have occurred in the past five (5) years in any capacity in connection with the performance of Medidata Services.  If, at any time during the Term of the Agreement, Medidata becomes aware that it or any person employed or engaged by it or an affiliated person/firm in any capacity in connection with the performance of Medidata Services for Client has been or is in the process of being debarred or is convicted of any offense subjecting it or any person to debarment, subject to applicable law, Medidata will notify Client promptly in writing and such person will cease providing Medidata Services.

POL-CORP-007 Quality Policy. Effective April 2018.