Compliance, Data Security, and Model Governance
Clinical trial technology must meet the compliance requirements of sponsors, CROs, ethics committees, and regulatory authorities. This page summarises the compliance posture of the Legit.Health clinical trials platform.
Certifications and compliance at a glance
The platform's software lifecycle follows IEC 62304, usability engineering follows IEC 62366-1, risk management follows ISO 14971, and clinical evaluation follows MEDDEV 2.7/1 Rev 4 and MDR Annex XIV.
Regulatory certifications (detail)
| Certification | Scope |
|---|---|
| CE mark, Class IIa | Medical device under MDD 93/42/EEC |
| 21 CFR Part 11 | Electronic records and signatures compliance |
| ISO 13485 | Quality Management System for medical devices (certified) |
| ISO 27001 | Information security management (compliant) |
Clinical data compliance (detail)
| Requirement | Status |
|---|---|
| GDPR | Compliant. Data processing agreements available. Patients identified by pseudonymised study identifiers only; no personal data (name, date of birth) stored in the platform. |
| HIPAA | Compliant. Technical and organisational safeguards in place for protected health information. |
| 21 CFR Part 11 | Compliant. Electronic records and electronic signatures meet FDA requirements for authenticity, integrity, and confidentiality. |
| ICH E6(R2) GCP | The platform meets ICH E6(R2) requirements for computerised systems used in clinical trials, including data integrity, access controls, and change management. |
Audit trail
Every action in the platform is recorded in an immutable, timestamped audit trail:
- User attribution: Every data entry, image upload, score generation, and configuration change is linked to a specific authenticated user
- Timestamps: UTC timestamps on all events
- Immutability: Audit records cannot be modified or deleted
- Traceability: Full chain from image capture → quality validation → AI scoring → data export, with every step logged
- Export: Audit trail data is exportable for sponsor review, regulatory inspection, or GCP audits
Data residency and infrastructure
| Parameter | Detail |
|---|---|
| Cloud provider | Amazon Web Services (AWS) |
| Default region | EU (eu-west-1) |
| Data residency | Configurable per study; data can be restricted to EU-only or other regions as required by the protocol |
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ |
| Access control | Role-based access control (RBAC) with per-study permissions |
Model version locking
For clinical trials, the AI model version is locked at study initiation. This ensures that every patient in the study is scored by the same model throughout the trial:
- No mid-trial model updates: the model version is frozen when the study is configured
- Version tracking: the model version number is recorded in every scored report and in the audit trail
- Change control: any model changes follow the formal change control process under IEC 62304, including risk assessment per ISO 14971
- Reproducibility: any image can be re-scored at any time and will produce the identical result
This approach ensures that endpoint data is internally consistent across all sites and all visits throughout the study duration.
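The audit-trail properties listed above and the model-version lock can be checked mechanically on an exported trail. The following is an added illustrative example, not the platform's own code or export schema: it assumes a hash-chained JSON record format (constructed here), with each record carrying a UTC timestamp, the acting user, one of the four traceability steps, and the locked model version, and a verifier that rejects edited, deleted or reordered records and any record scored by a different model version.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed step names for the image capture -> quality validation -> AI scoring -> data export chain.
STEPS = ("image_capture", "quality_validation", "ai_scoring", "data_export")
GENESIS = "0" * 64


def _digest(entry):
    """SHA-256 over every field except the record's own hash (canonical JSON)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained audit trail (illustrative design, not the platform's)."""

    def __init__(self, study_id, model_version):
        self.study_id = study_id
        self.model_version = model_version  # locked at study initiation, never changed
        self.records = []

    def record(self, user, step, detail):
        if step not in STEPS:
            raise ValueError(f"unknown step: {step}")
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {
            "seq": len(self.records),
            "ts": datetime.now(timezone.utc).isoformat(),  # UTC timestamp on every event
            "user": user,                                  # user attribution
            "step": step,
            "model_version": self.model_version,           # version recorded in every record
            "detail": detail,
            "prev": prev,                                  # link to the previous record
        }
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        return entry["hash"]


def verify(records, expected_model_version):
    """Return (ok, first_bad_seq). Detects in-place edits, deletions, reordering and a
    model version differing from the locked one. Truncation of the tail is only
    detectable if the latest hash is anchored outside the export (assumed here)."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r["seq"] != i or r["prev"] != prev or r["hash"] != _digest(r):
            return False, i
        if r["model_version"] != expected_model_version:
            return False, i
        prev = r["hash"]
    return True, None
```

Exported records that pass `verify` against the study's locked model version satisfy the attribution, timestamp, chain and version-lock checks at once; a failing index points at the first record to inspect.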
Fit-for-purpose validation
Each clinical trial deployment follows a structured validation pathway aligned with FDA guidance for Digital Health Technologies for Remote Data Acquisition (FDA-2021-D-1128):
| Validation element | Description |
|---|---|
| Technology description | Documented design, architecture, and software lifecycle per IEC 62304 |
| Performance attributes | Clinically validated performance claims with acceptance criteria, tested against expert inter-rater variability |
| Risk analysis | Systematic risk analysis per ISO 14971, including failure modes (missed lesions, false positives, image quality) |
| Usability validation | Formative and summative usability testing per IEC 62366-1, validated for both in-clinic and decentralised patient capture |
| Clinical evaluation | Clinical evidence compiled per MEDDEV 2.7/1 Rev 4 and MDR Annex XIV |
A study-specific validation summary is generated for each trial, documenting how the technology is fit-for-purpose for the specific protocol.
Integration validation support
For EDC and data system integrations, Legit.Health provides documentation to support the sponsor's validation activities:
- Installation Qualification (IQ) documentation
- Operational Qualification (OQ) test scripts and evidence
- Data mapping specifications for CRF field integration
- API documentation with authentication, endpoint specifications, and data schemas