Regulatory and Audit Policies for Medidata Services

These Regulatory and Audit Policies (“Regulatory Policies”) are applicable to Customers and Partners (“Clients”) that have been given access to those Medidata Application Services which are subject to regulatory health authority review pursuant to the terms and conditions contained within the applicable agreement (the “Agreement”) between Medidata Solutions, Inc. (“Medidata”) and each Client.  Unless otherwise noted, these Regulatory Policies are subject to the terms of the Agreement and capitalized terms contained herein shall have the meanings set forth in the Agreement. 

Client Audit Rights and Regulatory Inspections.

During the Term, Medidata agrees to permit Client representatives to examine or audit the Application Services performed hereunder at Medidata’s worldwide corporate headquarters upon at least forty-five (45) days advance notice during regular business hours, to determine whether the Application Services are being conducted in accordance with the Agreement and all applicable laws, rules and regulations.  In each twelve (12) month period, Client shall be entitled to conduct one (1) audit without charge by Medidata.  If such audit would require subsequent audit(s) as may be necessary to verify corrective action(s), such audit(s) shall be at no charge to Client.  Any information of Medidata or its subcontractors obtained or observed during such examination or audit shall be deemed Medidata’s Confidential Information.

Regulatory Inspections and Inquiries.

In the event either party is notified of an inspection or inquiry by a regulator that relates directly to the Client’s clinical trial for which Medidata is providing Application Services, the party so named is encouraged to promptly notify the other party of any such regulatory inspection or inquiry.  This notification can be made by either party via email or mail service.  When notifying Medidata, this information shall be sent to the attention of the head of Medidata’s quality and regulatory affairs function at  For purposes of these Regulatory Policies, “regulator” means a government or regulatory body with binding authority to regulate Medidata's or Clients' healthcare and life sciences-related activities.  Medidata agrees that during any such regulatory inspection or inquiry of the Client and its contracted sites that relates to the Application Services provided to Client, Medidata shall make available to the regulatory authority via the Client all records lawfully required.  In the event of a regulatory inspection or inquiry of Medidata, Medidata shall make available for inspection all records lawfully required in accordance with the Agreement.

Furthermore, Medidata has a formal, contractual agreement with its infrastructure-as-a-service (IaaS) third-party hosting provider that documents the provider's commitment to support regulatory investigations (e.g., inspections) of Medidata, as well as regulatory investigations of Medidata Clients employing Application Services, including provision of relevant documents, information and records to Medidata.  In the event Medidata requires further input to satisfy a regulatory investigation, the provider will use commercially reasonable efforts (taking into account potential risks to their systems, services, or intellectual property) to assist Medidata in responding to the regulatory authority's questions.

Regulatory Matters

Medidata will use commercially reasonable efforts to provide Medidata Services in conformance with generally accepted standards of good clinical practice (GCP) and/or good post-marketing study practice (GPSP) and all applicable laws, rules, and regulations relating to the conduct of any clinical trial and/or post-marketing study.  In particular, Medidata complies with GCP and GPSP regulatory requirements related to internal or self-inspection by way of the Develop and Release Software Product standard operating procedure (SOP) (specifically for known product issues) and the Quality Incident Management SOP (for data, security, software, hosting, and other operational incidents), which SOPs describe how issues and incidents (discovered by internal or self-inspection, as well as reported by Clients) are identified, tracked, and managed internally.  These known product issues and quality incidents are communicated with Clients and regulatory authorities as required.

Medidata has established and agrees to maintain a quality management system and educational/training system that is compliant with regulatory expectations.  Medidata has established and agrees to maintain a system of self-inspection, with a record that such inspection has occurred.

Debarred Persons

Medidata is not using and will not knowingly use the services of any person debarred under any country-specific debarment lists (in particular 21 U.S.C. § 335a of the FDA regulations) in any capacity in connection with the performance of Medidata Services.  In addition, Medidata is not using and will not knowingly use the services of any person or affiliate person/firm for whom convictions subject to debarment have occurred in the past five (5) years in any capacity in connection with the performance of Medidata Services.  If, at any time during the Term of the Agreement, Medidata becomes aware that it or any person employed or engaged by it or an affiliate person/firm in any capacity in connection with the performance of Medidata Services for Client has been or is in the process of being debarred or is convicted of any offense subjecting it or any person to debarment, subject to applicable law, Medidata will notify Client promptly in writing and such person will cease providing Medidata Services.


Medidata may amend its obligations under the Regulatory Policies.  Client will be notified thirty (30) days in advance of any change of material impact to Medidata’s obligations under these Policies.


Last Updated: June 2016