Data protection and security

Seastorm Limited (providing Trialflare services) uses a range of security controls and processes to ensure the safety of both our own and customer data. In this article we briefly explain some of the key aspects.

Data protection specifics

Under the terms of the GDPR, Seastorm is Data Processor for all data processed by Trialflare. Trialflare customers (e.g. trial sponsors or institutions managing a study) are Data Controllers. Controllers handle data collection via Trialflare, its management, and its deletion. Trialflare maintains a backup retention policy of 30 days for data it processes.

Trialflare relies on consent as the legal basis for processing Personal Data. Consent is sought and obtained during user registration and at key touchpoints of the participant journey. Trialflare's own Privacy Policy is presented to individuals during the consent process (including information about the data captured, where it is stored, how to exercise their rights, etc.). When participants provide consent to take part in a study, the Controller's own dedicated privacy notice for the study is also provided.

Seastorm conducts DPIAs (Data Protection Impact Assessments) ahead of any change that may alter the way in which Personal Data is processed.

Seastorm has a Data Protection Officer, who can be contacted for information or responses related to Data Protection. Our current DPO can be reached by emailing dpo@seastorm.co.

For more information on Data Protection, please refer to our Privacy Policy.

Data protection complaints

Under the Data (Use and Access) Act 2025, Trialflare makes available a dedicated mechanism for receiving and managing complaints relating to its handling of user and participant data (including personal data) in its role as Data Processor, or for other matters relating to data protection more broadly.

If you wish to complain about Trialflare (provided by Seastorm Limited) in relation to data protection, in the first instance please email dataprotection@seastorm.co with details of your complaint. Please include enough information to enable us to understand your complaint and to respond to you effectively.

Our Privacy Policy sets out timeframes and further details on our approach to complaints management.

Access to data

In order to provide Trialflare services, Seastorm systems must process, store, and back up Trialflare data (including customer data and data collected as part of research studies).

Senior Seastorm staff directly involved with providing Trialflare services to customers or managing the underlying infrastructure thus have access to Trialflare data. Such access is strictly managed via change-controlled role-based access control (assigned according to the principle of least privilege). Staff undergo regular robust security training and staff devices are independently audited for security purposes.

Compliance

Seastorm maintains certification for compliance against recognised schemes. For more information, please see our Compliance page.

Subprocessors

Trialflare currently uses the following subprocessors in providing its services:

  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Mailgun
  • MessageBird (Bird.com)
  • Mistral AI
  • Whereby
  • KYCAID

Processing location

All primary Trialflare data, including backups, is processed and stored within European datacentres. Core Trialflare data is currently stored, processed, and backed up within the UK, and some third-party subprocessors process data across Europe. For example:

  • When sending emails (e.g. notifications and reminders), Mailgun's EU-based servers are used to transmit the mail. Participant-facing features depending on Mailgun are optional.
  • When sending SMS/WhatsApp messages (e.g. reminders and messages), MessageBird's EU-based servers are used to transmit the message. Features depending on SMS and WhatsApp are optional.

Encryption

Trialflare makes use of the following encryption schemes:

  • Encryption at-rest: AES-256 for all live data (e.g. in databases) and for backups.
  • Encryption in-transit: TLS 1.3 (with TLS 1.2 fallback) for transmission across public and private networks.

Audit & training

Trialflare undergoes a range of regular audit and check-up events, including:

  • Quarterly penetration testing on internal and external systems
  • Annual security audits by external CREST-approved assessors
  • Annual security checklists and audits for all staff
  • Security training centred around NCSC resources

Policies and controls

Seastorm maintains a number of policies and controls, including:

  • Information Security Policies (including Secure Working Policy and Secure Development Policy)
  • Confidential Waste Policy
  • Device Policy
  • Incident Response Policy
  • Business Continuity Plan

Such policies are included in our certification for IASME Cyber Assurance.

Service-level agreement

For paid-for Trialflare services, an SLA is provided to give guarantees over service availability and performance, including setting of RTO and RPO.

Such SLAs are generally not available for free licence holders.