Legal and Compliance

If I upload data to DNAnexus, does DNAnexus share the data with other people?

DNAnexus is committed to protecting the confidentiality of your data and the privacy of your tissue donors. If you upload data to your account, the only people who have access to the data are you and those with whom you share it. For further information, see the DNAnexus Privacy Policy.

Can I use the apps that DNAnexus makes available to users? What are my rights?

DNAnexus has made apps available for use by its registered users. When you run an app, you agree to the terms of the End User License Agreement provided by the developer of the app. In the case of apps that DNAnexus itself has made available, the End User License Agreement is typically an open source license agreement, as required by the original developer of the app.

I have licensed an application from a software vendor that I want to run in my DNAnexus account. Do I have the right to do that?

Your right to use an application licensed from a software vendor in your DNAnexus account depends on the terms of your agreement with the vendor. Typically, an internal use license allows you to choose to use the software either on a computer at your own facility or in the cloud.

How secure is my data when I upload it to DNAnexus?

DNAnexus implements measures to ensure the highest level of data security for both research and clinical use. These measures include high-end physical data center security, reliable, replicated data storage, all data encrypted at rest and in transfer, and enterprise and user controlled permissions for data, analysis tool, and workflow sharing. For compliance support, the platform provides data logging and auditability for 6 years, versioned and reproducible analysis tools and results, and compliance with HIPAA, CLIA, 21 CFR Parts 11, 58, and 493, and European Data Privacy laws and regulations. For more details, refer to the DNAnexus compliance white papers at the DNAnexus Resource Center.

What if something happens to the data that I upload to DNAnexus?

If something happens to the data you upload to DNAnexus, contact DNAnexus Support.

Can I load personal health information into DNAnexus and comply with HIPAA?

The DNAnexus Platform supports HIPAA compliance. All customer data uploaded to a DNAnexus user account is encrypted while in transit and at rest, as required by the HIPAA privacy rule. The platform logs access so you can track who accessed data and when, in line with HIPAA security requirements. However, HIPAA compliance also requires that you implement procedures, including security procedures and informed consents. If you plan to place PHI on the DNAnexus Platform, contact DNAnexus Support to get a Business Associates Agreement (BAA) with DNAnexus. For more information regarding HIPAA compliance, see the DNAnexus Resource Center.

I am based in Europe and have samples taken from European tissue donors. Can I upload my data to DNAnexus without violating European privacy laws?

DNAnexus is compliant with GDPR and the 2022 Privacy Shield as a data processor as described in Section 13 of the DNAnexus Privacy Policy. You should review your commercial contract to make sure you are uploading and executing in a DNAnexus location within the European Economic Area (EEA), such as Frankfurt Germany or Amsterdam, the Netherlands. Contact DNAnexus Support to understand how to manage your metadata to be GDPR and GDPR-UK compliant.

I work at a CLIA lab. Can I use DNAnexus to manage genomic information and still comply with CLIA requirements?

The logging and version control features of the DNAnexus Platform allow you to track exactly how your samples were processed, which helps enable reproducibility of clinical experiments as required by CLIA. However, CLIA compliance requires that you observe standard operating procedures necessary to ensure compliance, such as sample tracking and prohibitions on sharing user IDs and passwords. For further information, see the DNAnexus compliance white papers at the DNAnexus Resource Center.

I want to upload sequence information from a preclinical or clinical study, and may eventually need to submit the data to the FDA. Does the DNAnexus Platform comply with GCP and 21 CFR Part 11?

Both the Titan and Apollo products are compliant with 21 CFR Part 11 (Annex 11 for the EU) regarding electronic records. Electronic signatures are out of scope for these products. DNAnexus employs the conventional Quality Management System (QMS) processes and technology to comply with these regulations. Learn more about DNAnexus GxP compliance.

The security and logging features of the DNAnexus Platform are designed to enable the data integrity of your preclinical and clinical data and help audits of those data. Using the platform, you can identify who uploaded or had access to data, when they did so, and what they did to the data. Prior versions of data can be kept, rather than overwritten. However, compliance with clinical requirements requires that you observe standard operating procedures necessary to ensure compliance, such as prohibitions on sharing of user IDs and passwords. For further information, see the DNAnexus compliance white papers at DNAnexus Resource Center.

Does the consent I received from my study subjects allow me to upload data derived from their samples to DNAnexus?

That depends on the terms of the consent and the information provided to the sample donor before they gave the consent. In evaluating whether the consent includes uploading data to DNAnexus, remember that data uploaded to DNAnexus are encrypted in transit and at rest. In this way, uploading data to DNAnexus is akin to storing them in encrypted form on your own servers, where the servers are managed by independent contractors. Ultimately the scope of consent should be determined by the IRB that is overseeing your research or clinical trial.

If I load my new app into DNAnexus, is it automatically going to run in a CLIA-compliant way?

The DNAnexus Platform enables versioning, as required for the reproducibility of experiments required by CLIA, but you handle version control in the ongoing development of your app and the naming of different versions.

If I use data shared with the public on DNAnexus, am I safe from any legal actions if there are problems with any of the samples later?

Your rights and obligations regarding datasets available through the DNAnexus Platform are the same as they would be if you get them directly from the organization that makes them available. If you have a detailed question about a potential problem with a sample from a dataset, check with the organization that provides the dataset for answers to frequently asked questions or for an email address to which you might address your question.