Validation, Audits, Documentation, Compliance, and Data Privacy

  • Updated
  • Published by Viedoc System 2024-05-15
  • Print

Introduction

The purpose of this overview is to provide clarity on Viedoc's audit aspects, validation policy, information security, and compliance with relevant regulations.

Audits

In compliance with current legislation, the regulatory authorities and you as a customer can audit us to ensure that we follow our Standard Operating Procedures (SOPs) and that Viedoc is compliant with regulatory expectations.

Document review audit

Auditors can review the Quality and Information Security Management System (QISMS) documents stored in our online electronic SOP system (called PT). These consist of policies, SOPs, guidelines, organization charts, templates, statements of compliance for Viedoc, plans, IT infrastructure diagrams, IT reports, and logs - as well as other documents. Auditors also have access to the job descriptions, CVs, and training records for all employees.

Auditors do not have access to all evidence that Viedoc Technologies follows the procedures outlined in PT, as such evidence is often only available on the Viedoc Technologies intranet. Neither do auditors have access to study-specific documentation, as that is only available on the Viedoc Technologies intranet (except for documentation that has been shared with the customer).

In summary, a document review audit can be used to check SOPs and other QS documents but cannot be used to check that Viedoc Technologies follow the SOPs or to check study-specific documentation.

Please note that auditors need to watch a short tutorial video before being granted with a PT account. Please contact the Viedoc QA department at audit@viedoc.com for the password to this tutorial video: Quality System Training. By default, the access duration of a PT account is 1 week long.

Online and onsite audit

During an online or onsite audit, everything is available for the auditor to view. Auditors are assigned access to PT and can read all quality system documents mentioned in the section above. In addition, it is possible for QA staff to show auditors documents and information that are only available on the Viedoc Technologies intranet and answer questions

The types of documents and information available include:

  • The release binder for any version of Viedoc. The release binder contains a summary of the contents and validation performed on Viedoc before it is released.
  • The development environment for Viedoc, which includes feature descriptions, requirements, software programs, test cases and test results, and demonstrate traceability.
  • Study-specific information stored on the Viedoc Technologies intranet.

The auditor can interview personnel. The auditor should give notice of requested interviews so that the QA department can ensure that the requested personnel are available during the audit.

For an onsite audit, currently, Viedoc Technologies have the following sites and departments operating:

  • Uppsala, Sweden, Headquarters, all departments
  • Tokyo, Japan, Subsidiary, Sales, and Professional Services departments
  • Shanghai, China, Subsidiary, Sales, and Professional Services departments
  • Philadelphia, America, Subsidiary, Sales, and Professional Services departments
  • Hanoi, Vietnam, Subsidiary, Development department

In a case where the subsidiary is chosen to conduct an onsite audit, the QA department will join the onsite audit online from the headquarters.

Book an audit

If you would like to perform an audit of Viedoc Technologies, then you can book one with our QA department. The QA department coordinates all requests for audits and helps choose a date for your audit. You can contact the QA department at the following address to book an audit:

audit@viedoc.com

Third-party audit reports

A starting point can be to purchase an independent audit report produced by a third party. The advantage with this approach is that these audits are normally much more detailed (and the audit has taken longer time) than a company-specific audit would be. Another advantage is that they are normally significantly cheaper than performing your own audit.

Once you have evaluated the third-party audit and reviewed it against your requirements, you can then decide whether you need to perform your own audit or not. Even if you decide you still need to perform your own audit, it can be both shorter and more efficient, as you can concentrate on those areas that you feel the third-party audit report did not cover well enough to meet your requirements.

Contact Viedoc Technologies if you are interested in contacting an independent auditor with a view to purchasing a third-party audit report.

Validation

Viedoc is provided as a Software as a Service (SaaS) application. One of the advantages of Viedoc is that you as an organization are outsourcing the development of Viedoc. This includes the validation of all standard functionality in Viedoc. The Validation Summary describes how Viedoc Technologies validates Viedoc and ensures that Viedoc is fit for use in your trial.

Download our Validation Summary

A validation summary report describing the validation activities and their result is included in the Viedoc Inspection Readiness Packet (VIRP) for each release of Viedoc. VIRP is developed by Viedoc Technologies to assist you in preparing for inspections and your Organization Administrator can download VIRP from Viedoc. In addition to the validation summary report, VIRP provides you with other information to fulfil the regulatory expectations and requirements. The information includes:

  • User Requirements Specification (URS) describing the epics and features and listing the user stories included in the release
  • Traceability Matrix detailing the testing performed for every requirement in the URS
  • Release Notes describing the additions to Viedoc in the release
  • EDC Management Sheet for submissions to the PMDA

For details, please see How to prepare for a regulatory inspection.

Viedoc Technical Description

The Viedoc Technical Description is the document for people who need to know more about how Viedoc is developed, and how it operates. It gives an overall summary of the following aspects of Viedoc development and operations:

  • Requirements to the system (for example, audit trail, backwards compatibility, encryption, MFA)
  • System Architecture
  • Data Flow
  • Development Methodology
  • Release Procedure
  • Operational Network Architecture
  • IT Security
  • Backup and Restore Testing

See Viedoc Technical Description

Information Security

An important part of any internet-based service is the security aspect. Viedoc Technologies have implemented a risk-based Information Security Management System (ISMS) that facilitates a structured and continuous approach to information security. Our ISMS covers all activities and sites company-wide and is certified according to ISO 27001 with all Annex A controls included in our scope of applicability.

The certificates are available for download here.

Viedoc Technologies have implemented state of the art IT Security procedures and tools. We have registered a standard self-assessment describing these with the CSA Security, Trust and Assurance Registry (STAR), the industry's most powerful program for security assurance in the cloud. You can download the self-assessment directly from them, or use the link below:

Download CSA STAR self-assessment for Viedoc.

The information security and maturity of Viedoc's eClinicnal data management system and the suitability of the design of its controls relevant to security and confidentiality is validated by the SOC 2 report issues by an authorized third party auditor. Viedoc's SOC 2 report can be shared with interested parties upon request. Please contact the Viedoc QA department at audit@viedoc.com to submit a request.

Regulatory Compliance

Viedoc Technologies monitor international regulations and guidelines relevant to computerized systems to ensure that Viedoc is always compliant with regulatory requirements.

The eClinical Forum has published a list of requirements for the use of electronic data in clinical research that is derived from international regulations and guidelines from around the world, including international regulations (such as ICH GCP), American regulations (such as 21 CFR Part 11), European regulations (such as the EMA Reflection Paper on eSource), Japanese regulations (such as ERES), and Chinese Regulations. We have taken that list and produced a regulatory suite of test cases that is executed during Performance Qualification (PQ) for every new version of Viedoc, which must be passed before Viedoc is released. In this way we have evidence that every release of Viedoc conforms with international regulations for the handling of electronic data in clinical trials. A more detailed description of this process and a full list of the regulations and guidelines covered can be read in:

Download our Viedoc Regulatory Compliance

International regulations and guidelines also require Viedoc Technologies to have implemented a Quality Management System and associated SOPs for our work. You can download our Quality Policy which explains how we have implemented a Quality Management System in accordance with the model put forward by the TransCelerate project for standard Quality Management Systems in Clinical Research. You can also download a list of our Quality System documents.

Download our Quality Policy and List of QS Documents

Please note that we are continually revising and improving our Quality Management System so that the above list of documents may not be entirely up to date. Contact our Quality Assurance department when you need the latest list of documents.

Data Privacy

Between May 2017 and October 2020, new personal data protection regulations have come into effect in Japan, the EU, and China. We monitor personal data protection regulations to ensure that Viedoc and Viedoc Technologies are compliant with these regulations. An example is the white paper we have written explaining the new EU General Data Protection Regulation (GDPR) and how it affects our customers.

Download our GDPR white paper.

Read our Data Protection Impact Assessment and download our HIPAA Security Standards Compliance Assessment.

More on our Technical and Organizational measures can be found here.

Additional Information

ORG and LOC numbers

For studies submitted through European Medicine Agency (EMA) Clinical Trial Information System (CTIS), Viedoc Technologies AB is registered in the Organisation Management Service (OMS) and have obtained the following ORG and LOC numbers:
ORG-100044413
LOC-100073409

SLA and Viedoc servers' status monitor

Our Service Level Agreement (SLA) is the contract between Viedoc Technologies and yourselves defining the level of service that we guarantee when you use Viedoc. The SLA is an appendix to the Master Services Agreement (MSA) between Viedoc Technologies and yourselves.

The SLA is available for download here.

You can also monitor the Viedoc servers in real time on https://status.viedoc.com/. You can subscribe to email updates from this page, so that you are notified if there are any issues with the service provided to your study.