Frequently asked questions about privacy, security, and compliance.
This article covers:
- Data Ownership and Access
- Privacy and Security Policies
- Institutional Documentation & Compliance
- Data Storage, Retention & Compliance
Data Ownership & Access
Who owns the data collected from participants?
You own your data, and we do not access it. Our strict privacy and security policies ensure that your project data remains private. These policies are typically sufficient for grant and IRB applications, but we can provide additional guidance if needed.
To what extent does Labfront influence the data collected via its platform?
Labfront serves as a data platform that facilitates research by collecting and processing data before making it accessible to researchers. While data flows through Labfront’s platform, we do not alter or take ownership of it. Researchers retain full ownership and control. Labfront processes and stores the data securely but does not restrict researchers’ ability to manage, export, or analyze it. If a research team requests data deletion, Labfront will comply, ensuring researchers have complete authority over their data management and retention decisions.
Does Labfront solely act as a data processor, or can it be a joint controller in some cases?
Labfront primarily acts as a data processor, meaning it processes data on behalf of research teams, who act as the data controllers. The research team dictates the purpose and means of data collection.
However, in cases where Labfront provides analytical insights, data structuring, or predefined research tools, Labfront may play a nuanced role. That said, Labfront does not claim ownership or decision-making authority over the intended use of the data.
Privacy & Security Policies
Can you provide more information about your privacy and security policies?
Yes, our privacy and security policies are available here:
Do you offer privacy and security information for IRBs?
Yes! You can find our supporting documentation for IRB compliance in this article.
To give further confidence in our strict policies, we've passed all IRB reviews since our inception 🙌🏻.
Institutional Documentation & Compliance
My institution uses HECVAT (Higher Education Community Vendor Assessment Tool). Do you have this documentation available?
Yes, we have completed the HECVAT form that many higher-education institutions use. You can contact us at support@labfront.com to request the documentation.
My institution has requested Labfront's EULA (End User License Agreement). What should I provide?
Since Labfront’s service includes multiple applications (e.g., mobile app, web dashboard), we provide comprehensive Terms of Service instead of a standalone EULA. If your institution requests a EULA, please direct them to Labfront's Terms of Service.
My institution has requested a Data Use Agreement (DUA). What should I provide?
Most institutions do not require a separate DUA with Labfront, as all necessary terms are covered in our Terms of Service and Data Privacy Policies (Labfront Terms of Service, Labfront Privacy Policy, Security Statement).
However, if a DUA is specifically required, you can contact support@labfront.com for a template.
Data Storage, Retention & Compliance
Where is the data stored?
We currently support only U.S. data centers, and the data is stored in Virginia, USA. However, we're currently working with several institutions outside of the US, including in Europe, Canada, and Australia.
How long is research data stored on Labfront’s servers?
We typically retain research data for 3 years after study completion, following the write-up of the results.
For relevant studies, Labfront is also compliant with the NIH Data Management and Sharing (DMS) Policy, effective January 25, 2023.
Researchers can also request full data deletion at any time.
How does Labfront ensure compliance with Canadian data privacy protection laws?
With regard to Canadian data privacy and data residency, we have numerous ongoing projects in conjunction with CIHR/NSERC/SSHRC, and we abide by their Research Data Management Policy. There are slight differences depending on the province in which you're collecting data, but we have always passed all of our IRB/ethics reviews in Canada.
How does Labfront ensure compliance with European data protection laws (e.g., GDPR)?
Labfront adheres to global privacy and security standards, including GDPR, ensuring compliance for European research institutions. Key strategies include:
- Data Hosting: Secure cloud storage aligned with GDPR and other regulations.
- User Control & Consent Management: European institutions can maintain compliance by implementing consent mechanisms and managing participant data in accordance with GDPR principles.
- Security & Retention Policies: Labfront enforces strict data retention and deletion policies, ensuring research teams control how long participant data is stored and when it is deleted.
For long-term data storage, Labfront utilizes AWS S3 Glacier, a secure and durable cloud storage service designed to meet stringent regulatory requirements.