
Data Protection & Security

Last updated on Sep 19, 2025

Seastorm Limited (providing Trialflare services) uses a range of security controls and processes to ensure the safety of both our own and customer data. In this article we briefly explain some of the key aspects.

Data Protection specifics

Under the terms of the GDPR, Seastorm is the Data Processor for all data processed by Trialflare. Trialflare customers (e.g. trial sponsors or institutions managing a study) are the Data Controllers. Controllers are responsible for the collection of data via Trialflare, its management, and its deletion. Trialflare maintains a backup retention policy of 30 days for data it processes.

Trialflare relies on consent as the legal basis for processing Personal Data. Consent is sought and obtained during user registration and at key touchpoints of the participant journey. Trialflare's own Privacy Policy is presented to individuals (including information about data captured, where it's stored, and rights exercising, etc.) during the consent process. When participants provide consent to take part in a study, the Controller's own dedicated privacy notice for the study is also provided.

Seastorm conducts DPIAs (Data Protection Impact Assessments) ahead of changes that may alter the way in which Personal Data is processed.

Seastorm has a Data Protection Officer, who can be contacted for information or responses related to Data Protection. Our current DPO can be reached by emailing dpo@seastorm.co.

For more information on Data Protection, please refer to our Privacy Policy.

Access to data

In order to provide Trialflare services, Seastorm systems must process, store, and back up Trialflare data (including customer data and data collected as part of research studies).

Senior Seastorm staff directly involved in providing Trialflare services to customers or in managing the underlying infrastructure therefore have access to Trialflare data. Such access is strictly managed via change-controlled role-based access control, with roles assigned according to the principle of least privilege. Staff undergo regular, robust security training, and staff devices are independently audited for security purposes.

Compliance

Seastorm maintains certification for compliance against recognised schemes. For more information, please see our Compliance page.

Subprocessors

Trialflare currently uses the following subprocessors in providing its services:

  • Amazon Web Services (AWS)

  • Microsoft Azure

  • Google Cloud Platform

  • Sinch Mailgun

  • Twilio

Processing location

All primary Trialflare data, including backups, is processed and stored fully within the UK, with the following exceptions:

  • When sending emails (e.g. notifications and reminders), Mailgun's EU-based servers are used to transmit the mail. Participant-facing features depending on Mailgun are optional.

  • When sending SMS/WhatsApp messages (e.g. reminders and messages), Twilio's US-based servers are used to transmit the message. Features depending on SMS and WhatsApp are optional.

When interacting with such non-UK subprocessors, Trialflare provides only the minimum data required in order to allow the subprocessor to perform its specific function.

Encryption

Trialflare makes use of the following encryption schemes:

  • Encryption at rest: AES-256 for all live data (e.g. in databases) and for backups.

  • Encryption in transit: TLS 1.3 (with TLS 1.2 fallback) for transmission across public and private networks.
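As an added illustration (not Trialflare's own code, and making no claim about how Seastorm configures its systems), the following Python snippet shows what the stated in-transit policy looks like when expressed as a client-side TLS configuration, together with a small check that flags contexts which would fall short of it: anything permitting pre-TLS 1.2 negotiation, anything that never offers TLS 1.3, or anything that skips certificate or hostname verification. The `build_weak_context` function is a constructed counter-example used only to exercise the check.

```python
import ssl
from typing import List

# Policy as stated on the page: TLS 1.3 preferred, TLS 1.2 as the only fallback.
POLICY_MIN = ssl.TLSVersion.TLSv1_2
POLICY_MAX = ssl.TLSVersion.TLSv1_3


def build_transport_context() -> ssl.SSLContext:
    """Client context that enforces the in-transit policy described above."""
    # create_default_context() already requires a trusted peer certificate and
    # checks the hostname; we pin the protocol window on top of that.
    ctx = ssl.create_default_context()
    ctx.minimum_version = POLICY_MIN
    ctx.maximum_version = POLICY_MAX
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """Constructed counter-example: a context that does NOT meet the policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # never offers TLS 1.3
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # accepts any certificate
    return ctx


def _effective_max(version: ssl.TLSVersion) -> ssl.TLSVersion:
    # MAXIMUM_SUPPORTED is a sentinel meaning "whatever OpenSSL offers";
    # treat it as TLS 1.3 for the purpose of the policy check.
    if version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return ssl.TLSVersion.TLSv1_3
    return version


def context_violations(ctx: ssl.SSLContext) -> List[str]:
    """Return short codes for each way ctx departs from the stated policy.

    An empty list means the context is compliant.
    """
    problems = []
    if ctx.minimum_version < POLICY_MIN:
        problems.append("min_version")      # would negotiate TLS 1.1 or older
    if _effective_max(ctx.maximum_version) < POLICY_MAX:
        problems.append("max_version")      # TLS 1.3 can never be selected
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode")      # peer certificate not required
    if not ctx.check_hostname:
        problems.append("check_hostname")   # certificate not tied to the server name
    return problems


if __name__ == "__main__":
    print("policy context:", context_violations(build_transport_context()))
    print("weak context:  ", context_violations(build_weak_context()))
```

The check inspects configuration rather than a live connection, so it can run in CI against every context a code base constructs; the same four properties are what a reviewer would confirm when assessing a claim of "TLS 1.3 with TLS 1.2 fallback".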

Audit & training

Trialflare undergoes a range of regular audit and check-up events, including:

  • Quarterly penetration testing on internal and external systems

  • Annual security audits by external CREST-approved assessors

  • Annual security checklists and audits for all staff

  • Security training centred around NCSC resources

Policies and controls

Seastorm maintains a number of policies and controls, including:

  • Information Security Policies (including Secure Working Policy and Secure Development Policy)

  • Confidential Waste Policy

  • Device Policy

  • Incident Response Policy

  • Business Continuity Plan

Service-level agreement

For paid-for Trialflare services, an SLA is provided to give guarantees over service availability and performance, including defined RTO (recovery time objective) and RPO (recovery point objective) targets.

Such SLAs are generally not available for free license holders.