Privacy Policy

This is the NESS Privacy Policy for Personal Information and/or Personal Data entered by users of NESS software. NESS provides solutions for our clients for processing and storing data in support of clinical trials and medical studies. NESS clients determine what data to collect with the NESS solutions. Such data may include personal information about their authorized users, employees, and clinical trial patients. Only as instructed by our clients, NESS processes and provides access to this data. NESS does not “control” or own such personal data.

Prior to any study deployment, all data that is requested to be collected by our client or customer relating to a natural person who may be identified either directly or indirectly must be classified as personal data. Such “personal data” classification is the responsibility of the client (the “data Controller”).

Once identified by the client, access to such personal data that is processed by NESS is under strict access control rules, expressly dictated by the client, and implemented by NESS. Those data points identified by the client as personal information will be logically segregated from non-personal information. Access to personal information is defined by the NESS client (the “data Controller”).

Data sets and Data points on any forms with such personal data will default to the word “Redacted” or other artificial/pseudonymized data; the only exceptions being those entities authorized by the client to access such personal data. Access to identified personal data is restricted solely as instructed by the client.

Further, data that is processed by NESS is never transmitted outside of NESS without a Data Transfer Specification that is agreed to and signed by the NESS client.

The purpose of this Privacy Policy is to provide an overall structure for embracing the goals and procedures to maintain the privacy of individuals interacting with NESS NEForm applications and externally-facing websites.

Applicable Regulations. This Policy addresses NESS compliance with the US Health Insurance Portability and Accountability Act (HIPAA) privacy rule and the European Union General Data Protection Regulation (GDPR) (2016/679), effective 25 May 2018.

A Data Controller determines the purpose and means of the processing of personal data. The client contracting with NESS for NEForm applications is the Data Controller.

Data NESS Collects

NESS collects personal data from the NESS public websites (the NESS website is accessible outside of the NESS firewall). NESS may passively collect personal data such as IP addresses, log files, or cookies through the external facing website. NESS may also collect personal data, such as email addresses, given voluntarily by individuals contacting NESS through the external facing website.

The website is not intended for use by minors. NESS does not knowingly collect personal information of minors via

Applicable Law

This Privacy Policy covering individuals who use NESS solutions will be construed under the laws of the State of Massachusetts, USA, without giving effect to any conflict of law provisions. Submission of any dispute will be to the state and federal courts located in Boston, Massachusetts, USA.


This Policy is explicitly applicable to, but not limited to, Clinical Trial Privacy issues. This Policy addresses the processing, use, and retention of Protected Health Information under the US Health Insurance Portability and Accountability Act (HIPAA) privacy rule.

This Policy addresses the processing, use, and retention of personal information collected in the European Union then transferred to the United States, under the auspices of the GDPR.

NESS does not intend to collect the personal information of minors unless explicitly required by a client.

How We Use Collected Information

NESS commits to protecting the privacy of all users interacting with NESS software products – web-based applications and mobile applications.

This Policy describes the personal information NESS processes, how NESS protects that information, and the conditions controlling how the information is shared.

This Policy defines Personal Information as nonpublic information relating to an identified or identifiable living individual.

Personal Information Collection: NESS client-specific applications will provide clear and conspicuous notice regarding the uses of personal information collected directly from individuals, such as through a registration process or a webpage.

Personal Information Processing: In the course of using a NESS application, a user may be requested to provide personal information. Personal information may include but is not limited to the following:

Contact information: As part of the registration process, a user may provide their name, date of birth, mailing address and email address, and phone number.

Other Information Processing: Through the use of a NESS application, other information which does not reveal an individual’s specific identity or does not directly relate to an individual may be processed. Other information may include but is not limited to:

Internet Protocol (IP) address: An IP address may be collected from a user of NESS NEForm applications. The IP address may be used to monitor activities such as location.

Combined Information: If there are any instances where NESS combines Other Information with Personal information, such as combining a precise geographical location with an individual’s name, the combined information becomes Personal Information and is treated as Personal Information.

Personal Information Sharing and Use: The personal information processed by NESS may be used to contact an individual:

  • In connection with the NESS application registration
  • To respond to their comments, questions, concerns, and suggestions
  • As required by government authorities or by law or regulation
  • As specified by the terms of NESS’s contracts with the data Controller.

NESS processes and retains personal information only as explicitly directed by the data Controller (NESS’s client). NESS does not own the personal information processed by NESS client-specific applications. NESS does not share personal information with third parties.

NESS will immediately inform the Client (data controller), in writing:

  • Of any request for access to any Personal Information received by NESS from an individual who is (or claims to be) the subject of the data, or a request from such individual to cease or not begin Processing, or to rectify, block, erase or destroy any such Personal Information;
  • Of any request for access to any Personal Information received by NESS from any government official (including any data protection agency or law enforcement agency), or a request from such government official to cease or not begin processing, or to rectify, block, erase or destroy any such Personal Information;
  • Of any inquiry, claim or complaint regarding the Processing of the Personal Information received by Vendor;
  • Of any other requests with respect to Personal Information received from the client’s employees or other third parties, other than those set forth in the agreement or a request to cease or not begin processing, or to rectify, block, erase or destroy any such Personal Information.

NESS will not respond to those requests unless explicitly authorized in writing by the Client.

Information Access, Revision and Opting Out:

An individual may choose to ‘opt out’ of receiving communication from NESS and/or request removal of their contact information. An individual with issues about access, correction, amendment, deletion or restriction of use of personal information must direct those concerns to the data Controller (NESS’s Client) who in turn authorizes NESS to take appropriate action. NESS cannot withdraw any previous disclosures made with the individual’s authorization. NESS reserves the right to retain and disclose an individual’s information as permitted or required by law or regulation. If you have any questions regarding this Privacy Policy, please contact

Dispute Resolution

An individual with complaints regarding NESS’s compliance with this Policy should contact NESS Management or Regulatory Compliance. NESS will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with this Policy and SOP NESS-032 Defect and Complaint Resolution.

Personal Information Transfer

The data Controller (NESS Client) is responsible for complying with laws and regulations regarding notice, disclosure and/or obtaining prior consent prior to transferring personal information to NESS for processing. NESS transfers personal information only as directed by the data Controller (NESS Client). NESS does not share personal information with third parties.

Choice and Consent

An individual providing NESS with their information must choose to consent and agree to the terms of this Privacy Policy. Any Personal Information collected about EEA or Swiss individuals via NEForm applications is processed in the United States by NESS. NESS applications are hosted in the United States.


NESS makes every effort to ensure the integrity and confidentiality of personal information under NESS’s control and uses state-of-the-art security procedures to protect personal information throughout its lifecycle. NESS uses physical, electronic and administrative procedures to safeguard an individual’s personal information from unauthorized destruction, alteration, disclosure, or access and to protect personal information from loss or misuse.

Breach Notification

In the unlikely event that an individual’s personal information is acquired (or is reasonably believed to have been acquired) by an unauthorized person, as required by applicable law, NESS will promptly notify the individual by e-mail, fax, or U.S. mail. Working with law enforcement, if applicable, NESS will determine the scope of the data breach, and will investigate and restore the integrity of the NESS data system.

Contact Us

You may contact us at

NESS · 1415 Beacon St, Brookline, MA 02446 · (617) 738-1800