Legal and Compliance
DNAnexus is committed to protecting the confidentiality of your data and the privacy of your tissue donors. If you upload data to your account, the only people who have access to the data will be you and those with whom you share it. For further information, please see the DNAnexus Privacy Policy.
DNAnexus has made apps available for use by its registered users. When you run an app, you agree to the terms of the End User License Agreement provided by the developer of the app. In the case of apps that DNAnexus itself has made available, the End User License Agreement will typically be an open source license agreement, as required by the original developer of the app.
Your right to use an application licensed from a software vendor in your DNAnexus account will depend on the terms of your agreement with the vendor. In most cases an internal use license will allow you to choose to use the software either on a computer at your own facility or in the cloud.
We have put in measures to ensure the highest level of data security for both research and clinical use. These measures include high-end physical data center security; reliable, replicated data storage; all data encrypted at rest and in transfer; and enterprise and user controlled permissions for data, analysis tool, and workflow sharing. For compliance support, we enable data logging and auditability for 6 years, versioned and reproducible analysis tools and results, and compliance with HIPAA, CLIA, 21 CFR Parts 11, 58, and 493, and European Data Privacy laws and regulations. For more details, please refer to the compliance white papers posted at the Resources Page.
We have designed and developed the DNAnexus platform so that it supports HIPAA compliance. All customer data uploaded to DNAnexus user account is encrypted while in transit and at rest, as required by the HIPAA privacy rule. We have implemented logging procedures that allow you to track access to data, as contemplated by the HIPAA security rule. Of course, HIPAA compliance also requires that you implement procedures, including security procedures and informed consents. If you plan to place PHI on the DNAnexus platform, we recommend contacting [email protected] to obtain a Business Associates Agreement (BAA) with DNAnexus. For more information regarding HIPAA compliance, please see our Resources page.
DNAnexus is compliant with GDPR and the 2022 Privacy Shield as a data processor as described in Section 13 of the DNAnexus Privacy Policy. You should review your commercial contract to make sure you are uploading and executing in a DNAnexus location within the European Economic Area (EEA), such as Frankfurt Germany or Amsterdam, the Netherlands. Please contact [email protected] to understand how to manage your metadata to be GDPR and GDPR-UK compliant.
The logging and version control features of the DNAnexus platform will allow you to track exactly how your samples were processed, so as to enable the reproducibility of your clinical experiments, as required by CLIA. Of course, CLIA compliance requires that you observe standard operating procedures necessary to ensure compliance, such as sample tracking and prohibitions on sharing user IDs and passwords. For further information, please see our compliance white papers at our Resources page.
Both the Titan and Apollo products are compliant with 21 CFR Part 11 (Annex 11 for the EU) with respect to electronic records. Electronic signatures are out of scope for these products. DNAnexus employs the conventional Quality Management System (QMS) processes and technology to comply with these regulations. Click here for more information on DNAnexus' GxP offering.
The security and logging features of the DNAnexus platform are designed to enable the data integrity of your preclinical and clinical data and facilitate audits of those data. Using the platform, it will be possible to identify who uploaded or had access to data, when they did so, and what they did to the data. Prior versions of data can be retained, rather than overwritten. Of course, compliance with clinical requirements requires that you observe standard operating procedures necessary to ensure compliance, such as prohibitions on sharing of user IDs and passwords. For further information, please see our compliance white papers at our Resources page.
That depends on the terms of the consent and the information provided to the sample donor before s/he gave the consent. In evaluating whether the consent includes uploading data to DNAnexus, please keep in mind that data uploaded to DNAnexus are encrypted in transit and at rest. In this way, uploading data to DNAnexus is akin to storing them in encrypted form on your own servers, where the servers are managed by independent contractors. Ultimately the scope of consent should be determined by the IRB that is overseeing your research or clinical trial.
The DNAnexus platform enables versioning, as required for the reproducibility of experiments required by CLIA, but you are responsible for version control in the ongoing development of your app and the naming of various versions.
Your rights and obligations with regard to datasets available through the DNAnexus platform are the same as they would be if you obtain them directly from the organization that makes them available. If you have a detailed question about a potential problem with a sample from a dataset, check with the organization that provides the dataset for answers to frequently asked questions or for an email address to which you might address your question.
Last modified 3mo ago