Compliance and Security Frequently Asked Questions

In the FAQs below, we address common questions about the compliance and security controls we have in place. Topics include regulatory requirements, certifications, privacy legislation, data centers, and more. Read on to learn how Florence ensures adherence to the highest standards of compliance.

Florence’s Site Enablement Platform is compliant with many different regulations globally, and has had a third party audit completed to confirm compliance with the following key regulations:

  • FDA 21 CFR Part 11
  • ICH GCP E6(R2)
  • EU Annex 11
  • MHRA Data Integrity Guidance

With each major release, Florence completes regression testing and confirms that all applicable steps of regulated test cases pass before deployment into the Production environment, so that the platform remains in compliance with applicable regulations. Customers are responsible for their own User Acceptance Testing (UAT) to document that the system works as expected for their intended use. As outlined in regulatory guidance, your Sponsor or CRO may have already completed this on your behalf as the responsible party for the system.

Florence utilizes AWS cloud-based data centers located in the US, EU, and Australia.

Florence is compliant with the California Consumer Privacy Act (CCPA) and any other U.S. state regulations that are in scope for Florence, the General Data Protection Regulation (GDPR), the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

For additional information on how Florence protects Personal Information, refer to our Privacy Policy here.

Yes, our Site Enablement Platform relies on HIPAA compliant servers to house all documents, ensuring the protection of any PHI added into our system.

Florence has completed a SOC 2 attestation and received third-party confirmation that Florence security controls were suitably designed and operated effectively throughout the coverage period.

Florence has numerous Policies and Procedures describing the security controls in place. These include Access Control, Incident Response (including Data Breaches), Data Backup and Disaster Recovery, Business Continuity and more! These policies were reviewed as part of our SOC 2 and confirmed via the SOC 2 attestation to meet industry requirements.

Access more information about Florence’s security controls here.

Yes, Florence data is encrypted at rest and in transit per industry standards.

Florence can be used on any device with an internet connection and a web browser, including PCs, tablets, or mobile phones; no downloads are required. In line with requirements under 21 CFR Part 11, all users must have a unique username and password to log into Florence. Florence enforces minimum password requirements, including length and complexity conditions, to keep passwords in line with industry standards. Florence also offers Single Sign-On (SSO), inactivity timeout and multi-factor authentication.

Records are retained in Florence as outlined in Customer contracts. At contract termination (or any time prior), records and their associated audit trail can be downloaded from the system as needed, subject to the contractually required retention period. We recommend you reach out to the sponsor/CRO providing you with Florence access if you have any questions around this!

As a site, you maintain ownership of any documents you upload to Florence and can download them at any time while the contract is in effect. At study closeout, you can download all documents from Florence and store them according to your preference (we suggest you download the respective binder or folder audit trail to keep a full picture).

Sites can manage roles and permissions within their eISF to ensure they retain control of their eISF documents as outlined in regulatory requirements.

Please click here for additional compliance, security, and data protection resources and insights.