
Compliance and Security Portal for TrialStack.
TrialStack is purpose-built for clinical trial teams who need structured, auditable documentation — and who can't compromise on data integrity or compliance. We process sponsor and CRO operational data only: protocol definitions, study configurations, and document outputs. We never handle patient-level data or PHI. Our platform runs on EU-hosted cloud infrastructure (Azure, Frankfurt), with AES-256 encryption at rest, TLS 1.2+ in transit, MFA enforced on all accounts, and immutable audit logs on every action. Independent penetration testing has been completed and our full control environment has been independently validated. Our SOC 2 Type II and ISO 27001 control environments are complete and audit-ready. External certification audits are scheduled for Q2 2026.
All TrialStack customer data at rest is stored in Neon PostgreSQL hosted on Microsoft Azure Germany West Central (Frankfurt, EU). This applies to all customers globally. Our API transits Vercel US East infrastructure — this is an international transfer covered by Vercel's DPA and Standard Contractual Clauses, disclosed in our Record of Processing Activities.
No. TrialStack processes protocol-level data only — study design, eligibility criteria, endpoint definitions, and operational configuration. We do not process patient identifiers, subject-level clinical data, or any personal health information belonging to trial participants. Trial participant data is out of scope for TrialStack by design.
TrialStack uses a multi-tenant architecture with logical data isolation enforced via Clerk organisations. Each organisation is a fully isolated namespace — users, studies, documents, and audit trails are scoped entirely within it. A user authenticated in one sponsor's workspace cannot access another's data under any circumstances. Penetration testing validates the integrity of this isolation.
Yes. TrialStack ApS is incorporated in Denmark and subject to the GDPR as both data controller and data processor. A Data Processing Agreement covering GDPR Article 28 requirements — including subprocessor list, SCCs for international transfers, breach notification (72 hours), and data deletion obligations — is executed with every customer prior to data processing. The DPA template is available for pre-contract review at trust.trialstack.com.
TrialStack does not process PHI as part of its core function. For customers with HIPAA programme requirements, we have a BAA in place with Microsoft Azure and are completing a BAA with Clerk. Sensitive AI processing routes through Azure OpenAI under HIPAA-eligible terms.