Regulatory and External Client Audit Policies for Medidata Services

These regulatory and audit policies (“Regulatory Policies”) are applicable to Customers and Partners (“Clients”) that have been given access to those Medidata Application Services which are subject to regulatory health authority review pursuant to the terms and conditions contained within the applicable agreement (the “Agreement”) between Medidata Solutions, Inc. (“Medidata”) and each Client.  Unless otherwise noted, these Regulatory Policies are subject to the terms of the Agreement and capitalized terms contained herein shall have the meanings set forth in the Agreement.


Medidata’s control environment is subject to routine third-party inspections and attestations (e.g., Service Organization Control ‘SOC’ 1 and 2, and International Standard on Assurance Engagement ‘ISAE’ 3402). Following completion of implementation of any applicable Services, Medidata will provide Clients with controlled copies of applicable reports that directly relate to the Services. To the extent that the scope of such reports does not include Services provided to Clients, Medidata agrees to permit Client representatives to examine or audit such documentation and records regarding such Application Services performed upon at least forty-five (45) days’ advance notice during regular business hours, to determine whether the Application Services are being conducted in accordance with the Agreement and applicable laws, rules and regulations. The parties shall agree to the scope of any audit in advance. The proposed scope of such audit must be reasonable and suitable for the intended purpose of such audit and may not include examination of any Medidata internal controls that are the subject of audits conducted by Medidata’s independent auditor.

In each twelve (12) month period, Client shall be entitled to conduct one (1) audit without charge by Medidata.  If such audit would require subsequent audit(s) as may be necessary to verify corrective action(s), such audit(s) shall be at no charge to Client.  Any information of Medidata or its subcontractors obtained or observed during such examination or audit shall be deemed Medidata’s Confidential Information.


In the event either party is notified of an inspection or inquiry by a regulator that relates directly to the Client’s clinical trial for which Medidata is providing Application Services, the party so named is encouraged to promptly notify the other party of any such regulatory inspection or inquiry.  This notification can be made by either party via email or mail service.  When notifying Medidata, this information shall be sent to the attention of the head of Medidata’s Global Compliance and Strategy function at  Medidata agrees that during any such regulatory inspection or inquiry of the Client and its contracted sites that relate to the Application Services provided to Client, Medidata shall make available to the regulatory authority via the Client all records lawfully required.  

Furthermore, Medidata has a written agreement with its infrastructure-as-a-service (IaaS) third-party hosting provider that documents the provider's commitment to support regulatory investigations (e.g., inspections) of Medidata, as well as regulatory investigations of Medidata Clients using our Application Services, including provision of relevant documents, information and records to Medidata.  In the event Medidata requires further input to satisfy a regulatory investigation, the provider will use commercially reasonable efforts (taking into account potential risks to their systems, services, or intellectual property) to assist Medidata in responding to the regulatory authority's questions.


Medidata’s products are designed and its services are conducted in accordance with Medidata’s Quality Management System (QMS), which specifies the parties’ roles and responsibilities and is designed to assist Clients in satisfying their compliance obligations under generally accepted standards of good clinical practice (GCP) and/or good post-marketing study practice (GPSP). Medidata’s QMS is captured through a set of controlled documents, maintained within Medidata’s regulatory-compliant electronic Document Management System (eDMS). These Quality System Documents (QSDs) are developed and maintained in accordance with applicable national and international regulatory requirements and industry standards and best practices. The QSDs include Policies, Standard Operating Procedures, Work Instructions, and Templates, Forms, and other documents.


Medidata has analyzed the applicability of globally recognized regulation and guidance applicable to a technology provider serving the clinical trial industry.  The analysis is available to Medidata’s customers through the enclosed link.


Medidata is not using and will not knowingly use the services of any person debarred under any country-specific debarment lists (in particular 21 U.S.C. § 335a of the FDA regulations) in any capacity in connection with the performance of Medidata Services.  In addition, Medidata is not using and will not knowingly use the services of any person or affiliate person/firm for whom convictions subject to debarment have occurred in the past five (5) years in any capacity in connection with the performance of Medidata Services.  If, at any time during the Term of the Agreement, Medidata becomes aware that it or any person employed or engaged by it or an affiliated person/firm in any capacity in connection with the performance of Medidata Services for Client has been or is in the process of being debarred or is convicted of any offense subjecting it or any person to debarment, subject to applicable law, Medidata will notify Client promptly in writing and such person will cease providing Medidata Services.