Legal and Compliance

If I upload data to DNAnexus, will DNAnexus share the data with other people?

DNAnexus is committed to protecting the confidentiality of your data and the privacy of your tissue donors. If you upload data to your account, the only people who have access to the data will be you and those with whom you share it. For further information, please see the DNAnexus Privacy Policy.

Can I use the apps that DNAnexus makes available to users? What are my rights?

DNAnexus has made apps available for use by its registered users. When you run an app, you agree to the terms of the End User License Agreement provided by the developer of the app. In the case of apps that DNAnexus itself has made available, the End User License Agreement will typically be an open source license agreement, as required by the original developer of the app.

I have licensed an application from a software vendor that I want to run in my DNAnexus account. Do I have the right to do that?

Your right to use an application licensed from a software vendor in your DNAnexus account will depend on the terms of your agreement with the vendor. In most cases an internal use license will allow you to choose to use the software either on a computer at your own facility or in the cloud.

How secure is my data when I upload it to DNAnexus?

We have put in measures to ensure the highest level of data security for both research and clinical use. These measures include high-end physical data center security; reliable, replicated data storage; all data encrypted at rest and in transfer; and enterprise and user controlled permissions for data, analysis tool, and workflow sharing. For compliance support, we enable data logging and auditability for 6 years, versioned and reproducible analysis tools and results, and compliance with HIPAA, CLIA, GCP, 21 CFR Parts 11, 58, and 493, and European Data Privacy laws and regulations. For more details, please refer to the compliance white papers posted at the Resources Page.

What if something happens to the data that I upload to DNAnexus?

If something happens to the data you upload to DNAnexus, please contact DNAnexus customer support.

Can I load personal health information into DNAnexus and comply with HIPAA?

We have designed and developed the DNAnexus platform so that it supports HIPAA compliance. All customer data uploaded to DNAnexus user account is encrypted while in transit and at rest, as required by the HIPAA privacy rule. We have implemented logging procedures that allow you to track access to data, as contemplated by the HIPAA security rule. Of course, HIPAA compliance also requires that you implement procedures, including security procedures and informed consents. For more information regarding HIPAA compliance, please see our Resources page.

I am based in Europe and have samples taken from European tissue donors. Can I upload my data to DNAnexus without violating European privacy laws?

DNAnexus certifies that it complies with the US/EC and US/Swiss safe harbor rules. This means that you can upload samples taken from tissue donors in the EC and Switzerland and comply with the European Commission's Directive on Data Protection of 1998 and Switzerland's Federal Act on Data Protection of 1993. For more information regarding compliance, please see our Resources page.

I work at a CLIA lab. Can we use DNAnexus to manage our genomic information and still comply with CLIA requirements?

The logging and version control features of the DNAnexus platform will allow you to track exactly how your samples were processed, so as to enable the reproducibility of your clinical experiments, as required by CLIA. Of course, CLIA compliance requires that you observe standard operating procedures necessary to ensure compliance, such as sample tracking and prohibitions on sharing user IDs and passwords. For further information, please see our compliance white papers at our Resources page.

I want to upload sequence information from a preclinical or clinical study, and may eventually need to submit the data to the FDA. Does the DNAnexus platform comply with GCP and 21 CFR Part 11?

The security and logging features of the DNAnexus platform are designed to enable the data integrity of your preclinical and clinical data and facilitate audits of those data. Using the platform, it will be possible to identify who uploaded or had access to data, when they did so, and what they did to the data. Prior versions of data can be retained, rather than overwritten. Of course, compliance with clinical requirements requires that you observe standard operating procedures necessary to ensure compliance, such as prohibitions on sharing of user IDs and passwords. For further information, please see our compliance white papers at our Resources page.

Does the consent I received from my study subjects allow me to upload data derived from their samples to DNAnexus?

That depends on the terms of the consent and the information provided to the sample donor before s/he gave the consent. In evaluating whether the consent includes uploading data to DNAnexus, please keep in mind that data uploaded to DNAnexus are encrypted in transit and at rest. In this way, uploading data to DNAnexus is akin to storing them in encrypted form on your own servers, where the servers are managed by independent contractors. Ultimately the scope of consent should be determined by the IRB that is overseeing your research or clinical trial.

If I load my new app into DNAnexus, is it automatically going to run in a CLIA-compliant way?

The DNAnexus platform enables versioning, as required for the reproducibility of experiments required by CLIA, but you are responsible for version control in the ongoing development of your app and the naming of various versions.

If I use data shared with the public on DNAnexus, am I safe from any legal actions if there are problems with any of the samples at a later date?

Your rights and obligations with regard to datasets available through the DNAnexus platform are the same as they would be if you obtain them directly from the organization that makes them available. If you have a detailed question about a potential problem with a sample from a dataset, check with the organization that provides the dataset for answers to frequently asked questions or for an email address to which you might address your question.