Validated Cloud Inc. Privacy Shield Policy


Note: Privacy Shield was terminated in European courts. Validated Cloud does sign data protection agreements, EU Standard Contractual Clauses, follows GDPR rules and regulations. Validated Cloud does also offer European jurisdiction for contractual agreements for our European customers. We are committed to our European business and partners.




Validated Cloud Inc. (“Validated Cloud”) is a leading technology company specializing in HIPAA, 21 CFR Part 11 & Part 820 (FDA) and EudraLex Annex 11-compliant hosting. Protecting consumer privacy is important to Validated Cloud. This Privacy Shield Policy outlines our general policy and practices for implementing the Privacy Shield Principles, including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of Personal Information and their ability to correct that Personal Information. This Privacy Shield Policy applies to all Personal Information received by Validated Cloud and recorded in any form. Validated Cloud is subject to the regulatory and enforcement jurisdiction of the U.S. Federal Trade Commission (FTC).

Validated Cloud complies with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from, respectively, the European Union and Switzerland to the United States. Validated Cloud has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification page, please visit


“Personal Information” or “Information” means information that (1) is transferred from the EU and Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.

Personal Information that is transferred by clients to Validated Cloud in the United States from the European Union or Switzerland falls under one of the following two situations:

  • “Data Processor”: When acting as a Data Processor on behalf of its clients, Validated Cloud acts only on the instructions of its “data controller” clients and does not control or share such data without direction from the client. For such processing, Validated Cloud enters into appropriate written agreements with each client evidencing and confirming that the client is the data controller for the purpose of the EU Data Directive and is in compliance with the applicable data protection laws. Validated Cloud does not determine what types of data its clients store on Validated Cloud’s servers or how that data is acquired, categorized, classified, accessed, exchanged or otherwise processed. Types of data include intellectual property, identifiable and de-identifiable patient records, emails, names, clinical trial data, validated data and non-validated data. Validated Cloud’s clients have control over such data at all times, and Validated Cloud’s clients are responsible for compliance with all applicable data protection principles for their own customers. Validated Cloud processes that data at the direction of its clients and in accordance with the terms of its written contracts with its clients.

“Data Controller”:  Validated Cloud provides the platform for its clients to store and process data. Types of data include intellectual property, identifiable and de-identifiable patient records, emails, names, clinical trial data, validated data and non-validated data. Data can be transferred by clients to Validated Cloud over secure and encrypted channels or via transportable media. Validated Cloud simply accepts client data, but does not create, modify or delete client data of record.



Notice is hereby provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Validated Cloud, or as soon as practicable thereafter, and in any event before Validated Cloud uses or discloses the Personal Information for a purpose other than for which it was originally collected. Where Validated Cloud receives transfers of Personal Information from the EU or Switzerland to the United States, Validated Cloud requires contractual provisions from the EU or Swiss Data Controller that the Personal Information has been provided by clients to Validated Cloud in accordance with the applicable EU Member State or Swiss data protection laws to ensure that the individuals have been provided with appropriate notice regarding how their Personal Information will be used.


Where Validated Cloud collects non-public Personal Information directly from EU or Swiss data subjects, Validated Cloud will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, Validated Cloud will give individuals the opportunity to affirmatively or explicitly (opt out) consent to the disclosure of the Sensitive Personal Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. All individual and company data is confidential under the terms of the Validated Cloud hosting agreement signed by each Validated Cloud client, posted privacy policy, web site terms of service, and will not be shared with any third party without the written consent of the company or individual. Validated Cloud shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.

Onward Transfers

Validated Cloud does not share data with any non-agent third parties. If in the future Validated Cloud practices change, this privacy policy will allow individuals choice.  Validated Cloud may be liable for the onward transfer or personal data to third parties.

Data Security

Validated Cloud shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Validated Cloud has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Validated Cloud cannot guarantee the security of Information on or transmitted via the Internet. Note that Validated Cloud may be required to reveal an individual’s Personal Information in response to a legal request from public authorities including, but not limited to, the need to meet national security and/or law enforcement requirements.

Data Integrity

Validated Cloud shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Validated Cloud shall take reasonable steps to ensure that Personal Information which it processes is accurate, complete, current and reliable for its intended use.


Validated Cloud acknowledges the individual’s right to access his or her own Personal Information and shall allow an individual access to his or her own Personal Information and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing such access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Individuals may write to Validated Cloud to receive access to their Personal Information.



Validated Cloud uses a self-assessment approach to assure compliance with this Privacy Shield Policy and periodically verifies that the Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to reasonably resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles.


Pursuant to the Privacy Shield, Validated Cloud remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.

Dispute Resolution

In compliance with the EU-U.S. Privacy Shield Principles and the U.S.-Privacy Shield Principles, Validated Cloud commits to resolve complaints about our collection or use of your Personal Information. European Union or Swiss individuals with inquiries or complaints regarding this Privacy Shield Policy should first contact Validated Cloud in writing at:

Validated Cloud Inc.
Attn: Legal Department
330 Bear Hill Road, Suite 205
Waltham, MA 02451
Phone: 800-401-9123
Fax: 617-500-8340

Validated Cloud has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss- U.S. Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by Validated Cloud, please visit the BBB EU PRIVACY SHIELD website at  for more information and to file a complaint.

Note that as a last resort and under limited circumstances EU and Swiss individuals with unresolved complaints may invoke a binding arbitration option before the Privacy Shield Panel



This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield. Validated Cloud will post any revised Policy on this website.


Contact Information

Questions, comments or complaints regarding Validated Cloud’s Privacy Shield Policy or data collection and processing practices must be mailed to:

Validated Cloud Inc.
Attn: Legal Department
330 Bear Hill Road, Suite 205
Waltham, MA 02451

Or emailed to:

Effective date: 03JUN2019