Security

Security and compliance are at the core of what we do.

Harbor is fundamentally committed to being a trusted steward of your clinical trial data. Learn about our commitment to protecting your data and meeting the highest industry standards.

Security Overview

Our platform is designed from the ground up to meet the stringent requirements of the life sciences industry, including HIPAA, 21 CFR Part 11, and Good Clinical Practice (GCP).

  • Validated & Compliant: We follow a rigorous, risk-based validation methodology to ensure our software is fit for its intended use in regulatory submissions.
  • Zero Standing Access: We enforce a "Zero Trust" model internally. Our workforce has no persistent access to client data, ensuring your information remains secure and private.
  • Transparent Operations: We believe in transparency. This Trust Center provides insight into our security, privacy, and compliance practices.

Compliance

21 CFR Part 11

The Harbor platform is designed to be Part 11 compliant, providing essential features like unique user identification, comprehensive and immutable audit trails, robust access controls, and electronic signature workflows. Our validation process, detailed below, ensures your data is ready for use in regulatory submissions.

HIPAA

As a Business Associate to our clients, we adhere to the requirements of the HIPAA Security, Privacy, and Breach Notification Rules. We have implemented comprehensive safeguards to protect electronic Protected Health Information (ePHI) and execute a Business Associate Agreement (BAA) with all clients who handle ePHI.

ICH E6 (GCP)

Our quality framework and software development lifecycle are aligned with GCP principles, focusing on data integrity, patient safety, and system reliability. Our risk-based validation approach ensures that features critical to regulatory compliance and data quality are rigorously tested.

ISPE GAMP 5 & ISO 13485

Our risk-based validation methodology is guided by the principles of ISPE GAMP 5, and our quality management system incorporates concepts from ISO 13485 to ensure a systematic and controlled approach to software development and maintenance.

Software Validation

Harbor utilizes a modern, automated, and risk-based approach to make sure its production software stays in a constantly validated state and is fit for its intended use.

Risk-Based Approach

All validation activities are driven by a formal risk assessment using a Failure Modes and Effects Analysis (FMEA). We identify potential failures and assess their impact on patient safety, data integrity, and regulatory compliance. High and medium-risk items receive exhaustive testing.

Continuous Validation

Every change to the Harbor platform is managed through a version-controlled continuous integration/continuous deployment (CI/CD) pipeline that ensures the production software stays in a constantly validated state.

  • Change Control: Changes are developed in isolated branches and submitted via a pull request (PR). These changes must include a description of the change and updates to the risk assessment and the test plan.
  • Peer Review & Approval: Every PR must be independently reviewed and formally approved.
  • Automated Testing: Upon approval, the change triggers a pipeline that automatically executes our full suite of validation tests. Test results are stored and a traceability matrix mapping tests to requirements and risk items is automatically generated.
  • Controlled Deployment: Only if all tests pass and all requirements and risk items are validated is the change deployed to production. Failed builds are blocked automatically.

Auditable by Design

Harbor maintains all validation deliverables as version-controlled "documents-as-code." This ensures that our User Requirements Specification (URS), Risk Assessment, and Traceability Matrix are always in sync with the tested software, providing a complete and auditable validation package for every release. These validation artifacts are made available to customers upon request.

Platform Security & Infrastructure

Physical Access Control

Harbor software and client data are hosted exclusively within secure data centers managed by Google Cloud Platform (GCP) and Amazon Web Services (AWS). These providers maintain comprehensive physical security controls (e.g., biometric access, 24/7 surveillance, perimeter security) and are responsible for the physical security of your data.

Harbor employees do not have physical access to our cloud providers' data centers, servers, network equipment, or storage.

Logical Access Control

Harbor is the assigned administrator of its infrastructure on Google Cloud Platform and Amazon Web Services. Only designated authorized Harbor operations team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

Network Security

In our production environment, all infrastructure, including application servers and databases, resides within a private network, inaccessible to the outside world unless access is explicitly granted. The only publicly accessible entry point is our main application server, which is protected behind a firewall and only allows traffic over HTTPS. All other services, including our Cloud SQL databases and Redis session store, have no public IP addresses in production and can only be accessed from within the private network, effectively blocking all external threats at the network level. Finally, all connections from the application server to the production database are encrypted using SSL/TLS to prevent eavesdropping on internal traffic.

Intrusion Detection and Prevention

All critical Harbor infrastructure resides within a private Google Cloud VPC with no public IP addresses. This design, enforced by strict firewall rules, inherently prevents a wide range of common attacks by making our databases and internal services inaccessible from the public internet. Furthermore, our infrastructure benefits from Google Cloud's foundational DDoS mitigation services. Additionally, we monitor security alerts generated by Google Cloud Platform, which identify suspicious activity at the infrastructure level.

Business Continuity & Disaster Recovery

High Availability

Every part of the Harbor service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) so that service continues in the case of failure. The promised uptime for Harbor is specified in individual service level agreements with each customer, and the real-time availability of services is shown on the Harbor Status page.

Business Continuity

Production databases are configured for automated, point-in-time recovery backups. These backups are encrypted, geographically redundant, and retained to facilitate rapid recovery from a data loss event. In the unlikely event of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

Contingency Plans

Harbor's incident response plan includes identifying, containing, eradicating, recovering from, communicating, and documenting security or downtime events. Harbor notifies customers of any incidents as soon as possible via email and/or phone call, followed by multiple periodic updates throughout each day addressing progress and impact. All Harbor customers have a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations.

Data Protection

Data Encryption

All sensitive clinical trial data, including ePHI, is encrypted at rest using industry-standard AES-256 encryption. This applies to all databases, object storage, and backups. All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher, protecting it from interception over public networks.

Data Isolation

Harbor utilizes a unique database architecture where each clinical trial is provisioned its own dedicated, logically isolated database. This fundamental design choice prevents data cross-contamination between studies and allows for precise enforcement of data retention and disposal policies on a per-study basis, aligning with ICH GCP requirements.

Client Data Retention

Upon completion or termination of a clinical trial, customers may place the study database into a "Locked" state, rendering the data read-only to prevent further modification, in compliance with 21 CFR Part 11 requirements. Data can be kept within the Harbor platform in either hot or cold storage. For cold storage, the data is moved from production infrastructure to secure, lower-cost archival storage within our cloud environment. The data will be retained in this archived state for the period specified by the client in the master services agreements (MSAs) or study-specific agreements. You retain control over your access to your clinical trial data and Harbor makes it easy to export all clinical trial data, study metadata, and relevant audit logs for storage outside of the Harbor platform, if desired.

Upon the expiration of the predefined archival period, we will notify our customers. Destruction will only proceed after receiving explicit, written authorization from you. Upon destruction, Harbor will provide your team with a formal Certificate of Destruction.

Harbor Data Retention

Harbor's internal infrastructure, application, and security audit logs are retained for a minimum of six (6) years from the date of creation to support security incident investigations and to comply with HIPAA documentation retention requirements. User accounts within Harbor's platforms will be retained as long as customers maintain an active MSA with Harbor. Upon termination of the client relationship, associated user accounts will be deactivated immediately and permanently deleted after a 90-day grace period.

Workforce Security

Internal Controls

Harbor implements strict internal policies and procedures to ensure the security and confidentiality of client data. Outside of a designated security officer, we enforce a Zero Standing Access policy. This means our employees have no default or persistent access to production systems or client ePHI. In the rare event temporary production access is needed to resolve a critical issue, it is granted via a formal "break-glass" procedure. Access is approved by the security officer and strictly limited in scope and duration.

Workforce Policies

All Harbor employees are required to sign a confidentiality agreement (NDA) and receive annual security training. Upon termination of employment, all system access is immediately revoked. The storage of any client data, especially ePHI, within Harbor's physical offices or on employee workstations is strictly prohibited. All company-provided laptops are managed with mandatory full-disk encryption and strong authentication. Employees who are found to be in violation of these policies may face disciplinary action, including termination of employment.

Vulnerability Disclosure

Anyone can report a vulnerability or security concern with a Harbor product by contacting Harbor and including a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously, and once we receive a disclosure we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.
