About Veeva

Veeva HDS Website Notice

In Scope Veeva Applications: Vault eTMF, CTMS, Vault QualityDocs, Vault QMS, Vault SiteConnect, Vault MedComms, Vault SafetyDocs, Vault Safety, Vault EDC, Vault CDB, MyVeeva for Patients, SiteVault elSF, eConsent, eCOA.

Hosting activities of Veeva and its sub-processors according to Requirement 31:

Veeva Application	Business name of the actor	Role in the hosting service (Host/processor of the Host)	HDS certified (yes/no/exempted)	SecNumCloud 3.2 qualified	Hosting activities in which the player is involved	Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework)	Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework)
All in scope Veeva Applications	Veeva Systems, Inc.	Host	Yes	No	The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the health data; The provision and maintenance in operational condition of the platform for hosting information system applications; The management and operation of the information system containing the health data; Backing up health data.	When Customers engage Veeva’s technical support, customers’ personal health data uploaded to an in scope Veeva Application, may be accessed by Veeva personnel in one of the following affiliate locations: Countries covered by an adequacy decision within the meaning of Article 45 of the GDPR: United States Countries not covered by an adequacy decision within the meaning of Article 45 of the GDPR: China (covered by SCCs) India (covered by SCCs)	Yes, however Veeva offers technical and organizational security measures to mitigate the risks that could be reviewed here.
All in scope Veeva Applications	Amazon Web Services (AWS)	Sub-processor of the Host	Yes	No	The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the health data; The provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the health data.	Customers select the region where their personal health data will be hosted. Additionally, Veeva encrypts the data prior to storage and the personal health data fields are also encrypted.	Yes, however Veeva offers technical and organizational security measures to mitigate the risks that could be reviewed here. For more information on AWS’s HDS compliance, see here.

Veeva Application

Business name of the actor

Role in the hosting service (Host/processor of the Host)

HDS certified (yes/no/exempted)

SecNumCloud 3.2 qualified

Hosting activities in which the player is involved

Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework)

Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework)

All in scope Veeva Applications

Veeva Systems, Inc.

Host

Yes

The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the health data;
The provision and maintenance in operational condition of the platform for hosting information system applications;
The management and operation of the information system containing the health data;
Backing up health data.

When Customers engage Veeva’s technical support, customers’ personal health data uploaded to an in scope Veeva Application, may be accessed by Veeva personnel in one of the following affiliate locations:

Countries covered by an adequacy decision within the meaning of Article 45 of the GDPR:

United States

Countries not covered by an adequacy decision within the meaning of Article 45 of the GDPR:

China (covered by SCCs)
India (covered by SCCs)

Yes, however Veeva offers technical and organizational security measures to mitigate the risks that could be reviewed here.

All in scope Veeva Applications

Amazon Web Services (AWS)

Sub-processor of the Host

Yes

The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the health data;
The provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the health data.

Customers select the region where their personal health data will be hosted.

Additionally, Veeva encrypts the data prior to storage and the personal health data fields are also encrypted.

Yes, however Veeva offers technical and organizational security measures to mitigate the risks that could be reviewed here.

For more information on AWS’s HDS compliance, see here.

About Veeva

Veeva HDS Website Notice

Interested in learning more?

Join the Conversation in Veeva Connect