In Scope Veeva Applications: Vault eTMF, CTMS, Vault QualityDocs, Vault QMS, Vault SiteConnect, Vault MedComms, Vault SafetyDocs, Vault Safety, Vault EDC, Vault CDB, MyVeeva for Patients, SiteVault eISF, eConsent, eCOA.

Hosting activities of Veeva and its sub-processors according to Requirement 31:

Veeva Application: All in scope Veeva Applications
Business name of the actor: Veeva Systems, Inc.
Role in the hosting service (Host/processor of the Host): Host
HDS certified (yes/no/exempted): Yes
SecNumCloud 3.2 qualified: No
Hosting activities in which the player is involved:
  1. The provision and maintenance in operational condition of the virtual infrastructure of the information system used to process the health data;
  2. The provision and maintenance in operational condition of the platform for hosting information system applications;
  3. The management and operation of the information system containing the health data;
  4. Backing up health data.
Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework):

When Customers engage Veeva’s technical support, customers’ personal health data uploaded to an in scope Veeva Application may be accessed by Veeva personnel in one of the following affiliate locations:

Countries covered by an adequacy decision within the meaning of Article 45 of the GDPR:

  • United States

Countries not covered by an adequacy decision within the meaning of Article 45 of the GDPR:

  • China (covered by SCCs)
  • India (covered by SCCs)

Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework):

Yes, however Veeva offers technical and organizational security measures to mitigate the risks that could be reviewed here.

Veeva Application: All in scope Veeva Applications
Business name of the actor: Amazon Web Services (AWS)
Role in the hosting service (Host/processor of the Host): Sub-processor of the Host
HDS certified (yes/no/exempted): Yes
SecNumCloud 3.2 qualified: No
Hosting activities in which the player is involved:
  1. The provision and maintenance in operational condition of physical sites for hosting the hardware infrastructure of the information system used to process the health data;
  2. The provision and maintenance in operational condition of the hardware infrastructure of the information system used to process the health data.
Access to personal health data from countries outside the European Economic Area, by the Host or one of its processors (Requirement No 29 of the HDS framework):

Customers select the region where their personal health data will be hosted.

Additionally, Veeva encrypts the data prior to storage and the personal health data fields are also encrypted.

Host or processor subject to a risk of access to personal health data from countries outside the European Economic Area, imposed by the legislation of a third country in breach of EU law (Requirement no 30 of the HDS framework):

Yes, however Veeva offers technical and organizational security measures to mitigate the risks that could be reviewed here.

For more information on AWS’s HDS compliance, see here.