| Sub-processor name | Veramed Inc |
| Website | www.veramed.com |
| Location of processing | USA |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Client project delivery |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Intra-Group Data Transfer Agreement |
| Sub-processor name | Veramed Ukraine LLC |
| Website | www.veramed.com |
| Location of processing | Ukraine |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Client project delivery |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Intra-Group Data Transfer Agreement |
| Sub-processor name | Veramed Germany GmbH |
| Website | www.veramed.com |
| Location of processing | Germany |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Client project delivery |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Intra-Group Data Transfer Agreement |
| Sub-processor name | Veramed Data Services Private Limited |
| Website | www.veramed.com |
| Location of processing | India |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Client project delivery |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Intra-Group Data Transfer Agreement |
| Sub-processor name | Clinical Trial Data Services (CTDS) LLC |
| Website | www.veramedinc.com |
| Location of processing | USA |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Client project delivery |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Intra-Group Data Transfer Agreement |
| Sub-processor name | BioPier LLC |
| Website | www.biopier.com |
| Location of processing | USA |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Client project delivery |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Intra-Group Data Transfer Agreement |
| Sub-processor name | Instem plc / d-Wise Technologies, Inc |
| Website | www.instem.com/solutions/clinical-trial-analytics/ |
| Location of processing | UK |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | IT Support |
| Compliance Mechanism for transfer outside EEA | Signed DPA in place containing EC Standard Contractual Clauses; Adequacy decision for UK. |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Salesforce |
| Website | www.salesforce.com |
| Location of processing | Global in Salesforce Data Centres |
| Type of data processed | Prospective & Existing Customer Contact details and correspondence |
| Purpose of processing | CRM |
| Compliance Mechanism for transfer outside EEA | Signed DPA in place containing EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | |
| Website | workspace.google.com |
| Location of processing | Global in Google Data Centres |
| Type of data processed | Employee and third party contact information |
| Purpose of processing | Emails; Drive; etc. |
| Compliance Mechanism for transfer outside EEA | Signed DPA in place containing EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | SmartSheet |
| Website | www.smartsheet.com |
| Location of processing | Global in Amazon Web Services (AWS) Data Centres |
| Type of data processed | Client project information |
| Purpose of processing | Project plans |
| Compliance Mechanism for transfer outside EEA | Signed DPA in place containing EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | DocuSign |
| Website | www.docusign.com |
| Location of processing | US, Canada, EU, Australia |
| Type of data processed | Employee and third party contact details; digital signatures |
| Purpose of processing | Digital Signatures |
| Compliance Mechanism for transfer outside EEA | Signed DPA in place containing EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Recruit So Simple |
| Website | www.recruitsosimple.com |
| Location of processing | EU |
| Type of data processed | Candidate data |
| Purpose of processing | Candidate information stored for purpose of recruitment. |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses or Privacy Shield Principles |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Xero |
| Website | www.xero.com |
| Location of processing | United States |
| Type of data processed | Employee details; expense details |
| Purpose of processing | Accounting system |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Citrix Sharefile |
| Website | www.sharefile.com |
| Location of processing | Global in Citrix Data Centres |
| Type of data processed | Employee and third party contact information |
| Purpose of processing | Secure document sharing platform |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | CezanneHR |
| Website | www.cezannehr.com |
| Location of processing | EU in Amazon Web Services (AWS) Data Centres |
| Type of data processed | Personal data of Veramed employees, consultants and contractors |
| Purpose of processing | HR Management System (HRMS) |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Signed DPA in place complying with Article 28 GDPR |
| Sub-processor name | Firstbase, Inc. |
| Website | https://www.firstbase.com/ |
| Location of processing | USA |
| Type of data processed | Personal data of Veramed employees, consultants and contractors in the USA. |
| Purpose of processing | For the provision, management and maintenance of the physical office equipment that remote workers need to do great work at home, and other purposes related or incidental thereto. |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Signed DPA complying with Data Protection Legislation |
| Sub-processor name | LogMeIn Inc. |
| Website | www.lastpass.com |
| Location of processing | Europe, Australia, United States, Singapore, India |
| Type of data processed | Contact data for Veramed employees; passwords |
| Purpose of processing | Password management system |
| Compliance Mechanism for transfer outside EEA | Signed DPA in place containing EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | Signed DPA in place complying with Article 28 GDPR |
| Sub-processor name | Microsoft |
| Website | www.microsoft.com |
| Location of processing | Global in Microsoft Data Centres |
| Type of data processed | Contact data for Veramed employees |
| Purpose of processing | User directory and Microsoft 365 subscriptions |
| Compliance Mechanism for transfer outside EEA | DPA in place containing EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Phishing Tackle |
| Website | www.phishingtackle.com |
| Location of processing | UK in Amazon Web Services (AWS) Data Centres |
| Type of data processed | Contact data for Veramed employees |
| Purpose of processing | Phishing simulation |
| Compliance Mechanism for transfer outside EEA | DPA in place stating data will only be transferred to a country, a territory or sector to the extent that the European Commission has decided that the country, territory or sector ensures an adequate level of protection for Personal Data |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | TeamViewer |
| Website | www.teamviewer.com |
| Location of processing | Global through third party data centres |
| Type of data processed | Contact details for Veramed TeamViewer users |
| Purpose of processing | Remote support and monitoring for Veramed endpoints |
| Compliance Mechanism for transfer outside EEA | DPA in place stating data will only be transferred to a country, a territory or sector to the extent that the European Commission has decided that the country, territory or sector ensures an adequate level of protection for Personal Data unless specifically instructed by Veramed |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | MasterControl |
| Website | www.mastercontrol.com |
| Location of processing | Global through third party data centres |
| Type of data processed | Contact details for Veramed employees |
| Purpose of processing | Quality Management System |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Quorum Cyber Security Limited |
| Website | https://www.quorumcyber.com/ |
| Location of processing | EEA |
| Type of data processed | Contact details for Veramed employees |
| Purpose of processing | Provide Veramed with ongoing cyber security support |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Algorics | |
| Website | https://algorics.com/ | |
| Location of processing | India | UK |
| Type of data processed | Pseudonymised data | |
| Purpose of processing | Resource partner for Veramed clients | |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses | Adequacy decision made by EU Commission |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR | |
| Sub-processor name | BioForum | | |
| Website | https://bioforumgroup.com/ | | |
| Location of processing | Israel | Australia | South Africa |
| Type of data processed | Pseudonymised data | | |
| Purpose of processing | Resource partner for Veramed clients | | |
| Compliance Mechanism for transfer outside EEA | Adequacy decision made by EU Commission | EC Standard Contractual Clauses | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR | | |
| Sub-processor name | Exploristics | | |
| Website | https://exploristics.com/ | | |
| Location of processing | UK | Ireland | India |
| Type of data processed | Pseudonymised data | | |
| Purpose of processing | Resource partner for Veramed clients | | |
| Compliance Mechanism for transfer outside EEA | Adequacy decision made by EU Commission | Ireland – UK Adequacy Regulations | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR | | |
| Sub-processor name | Niche Science & Technology Ltd |
| Website | https://www.niche.org.uk/ |
| Location of processing | UK |
| Type of data processed | Pseudonymised data |
| Purpose of processing | Analysis of clinical trial data for fulfilment of client contracts |
| Compliance Mechanism for transfer outside EEA | Adequacy decision made by EU Commission |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Oryxion Solutions Private Limited |
| Website | https://www.oryxion.com/ |
| Location of processing | India |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Analysis of clinical trial data for fulfilment of client contracts |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Data Magik Limited |
| Website | http://datamagik.co.uk/ |
| Location of processing | UK |
| Type of data processed | Pseudonymised data |
| Purpose of processing | Analysis of clinical trial data for fulfilment of client contracts |
| Compliance Mechanism for transfer outside EEA | Adequacy decision made by EU Commission |
| Article 28 Data Processing Agreement | Article 28 Data Processing terms in place within the Master Services Agreement. |
| Sub-processor name | ProClinical |
| Website | https://www.proclinical.com/ |
| Location of processing | UK |
| Type of data processed | Pseudonymised data |
| Purpose of processing | Analysis of clinical trial data for fulfilment of client contracts |
| Compliance Mechanism for transfer outside EEA | Adequacy decision made by EU Commission |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |
| Sub-processor name | Akkodis Belgium SA/NV |
| Website | https://www.akkodis.com/ |
| Location of processing | Belgium |
| Type of data processed | Pseudonymised data |
| Purpose of processing | Analysis of clinical trial data for fulfilment of client contracts |
| Compliance Mechanism for transfer outside EEA | N/A |
| Article 28 Data Processing Agreement | Article 28 Data Processing terms in place within the Master Services Agreement. |
| Sub-processor name | VAICS Consulting Private Limited |
| Website | N/A |
| Location of processing | India |
| Type of data processed | Pseudonymised clinical trial data |
| Purpose of processing | Analysis of clinical trial data for fulfilment of client contracts |
| Compliance Mechanism for transfer outside EEA | EC Standard Contractual Clauses |
| Article 28 Data Processing Agreement | DPA in place complying with Article 28 GDPR |