Parallel 6 Overview 5.9.16

3655 Nobel Drive Suite 650 San Diego, CA 92122 w parallel6.com p +1.619.452.1750

Parallel 6 INC Corporate Data Sheet

Parallel 6 is a Software as a Service provider of mobile enrollment, engagement, and eCOA solutions for clinical research, health, and public sector organizations. Clinical Reach, the patented flagship product, is a multi-language, multi-country, end-to-end solution that empowers clinical trial participants to digitally qualify, consent, enroll, and engage in a clinical trial from the palm of their hand and in the privacy of their own home when needed. Using any Internet-enabled device, Clinical Reach eliminates delays, errors, and the myriad issues that arise from data dispersed across voluminous emails, reports, spreadsheets, and reams of paper documents. Government Reach, the Federal rebranded version of Clinical Reach, has been successfully deployed in several high-profile government programs and initiatives.

“Clinical Reach transforms conventional clinical trial engagement into truly virtual, hybrid, and site-based clinical studies in multi-language, multi-country configurations anywhere in the world,” said President and CTO | Founder of Parallel 6, David Turner.

Key Technical Specifications:

The Clinical Reach platform is a Cloud Deployed SaaS Platform that is an end-to-end, patient-centric solution for patient enrollment, engagement, data capture, and reporting using a ‘Bring Your Own Device’ philosophy. Deployments of the solution have been primarily in the Amazon AWS HIPAA cloud as well as the secured Federal cloud. Locations of deployment in AWS include Virginia, Oregon, Ireland, and Germany.

As a summary of the security posture of the solution, the Clinical Reach platform complies with and has been audited for the following:

• CFR Part 11
• EU Annex 11
• Safe Harbor
• DHS Initiated Security Scans
• Cleanroom and Code Audit Process
• AES Encryption Standards
• Encrypted data at rest and in motion
• Multi-Level access controls
• Multi-factor authentication
• Multiple security zones
• Backup and Recovery systems
• Auditable and validated SDLC and systems

Financial Summary:

Parallel 6 is achieving rapid growth in both revenues and contract backlog. Top line revenue doubled from 2014 to 2015 and is expected to triple in 2016. Total contract value in 2015 was ~$8mm going to ~$30mm in 2016 with projected 280% growth in 2017.

Audited financials are available for 2014 and 2015 with an audited look back into 2013. Squar Milner

is the 3rd party auditor executing the audits.

Patent Portfolio:

The Parallel 6 patent portfolio below is projected to grow to 10 by the end of 2016. The patent

portfolio is managed in partnership with the law firm Procopio, Cory, Hargreaves & Savitch, LLP.

United States Patent US Application Number 8,856,031 B1 Oct. 7, 2014

SYSTEMS AND METHODS FOR OBTAINING AND USING TARGETED INSIGHTS WITHIN A DIGITAL CONTENT AND INFORMATION SHARING SYSTEM Applicant: Parallel 6, Inc., San Diego, CA (US) | Inventor: David Wayne Turner, Jr., San Diego, CA (US)

United States Patent Pending US Application Number 13/373,856 Dec 02, 2011

SYSTEM OF INCENTIVE-BASED DIGITAL CONTENT AND INFORMATION SHARING PLATFORM THROUGH MOBILE TECHNOLOGY Applicant: Parallel 6, Inc., San Diego, CA (US) | Inventor: David Wayne Turner, Jr., San Diego, CA (US)

United States Patent Pending US Application Number 14738766 Jun 12, 2015

SYSTEMS AND METHODS FOR MANAGING AND CONDUCTING CLINICAL OR OTHER RESEARCH USING A DIGITAL CONTENT AND INFORMATION SHARING SYSTEM Applicant: Parallel 6, Inc., San Diego, CA (US) | Inventor: David Wayne Turner, Jr., San Diego, CA (US)

United States Patent Pending US Application Number 14/214,653 October 23, 2014

SYSTEMS AND METHODS FOR RECRUITING AND MATCHING PATIENTS FOR CLINICAL TRIALS Applicant: Brad Pruitt, San Diego, CA (US) | Inventor: Brad Pruitt, San Diego, CA (US)

United States Patent Pending US Application Number 13/487,155 June 1, 2012

SYSTEMS AND METHODS FOR AUTOMATED INFORMED CONSENT Applicant: Brad Pruitt, San Diego, CA (US) | Inventor: Brad Pruitt, San Diego, CA (US)

Corporate Statistics:

Legal Name: Parallel 6, Inc.

State of Incorporation: DE

Date of Incorporation: 10/29/2009

Type of Corporation: C-Corporation

CA SOS File #: C3299664

Tax ID #: 27-1283146

DUNS: 05-116-8604

Legal Corporate Address: 3655 Nobel Drive, Suite 650, San Diego, CA 92122

Fiscal Year End: December 31

Officers:

Chief Executive Officer: Allan Camaisa

President & CTO | Founder: David Turner

Chief Financial Officer: Alan Stewart

Secretary: Adam Blejski

Special Characteristics:

Small Business: Yes

Veteran Owned SB: Yes

Primary Partners:

Corporate Counsel: Procopio, Cory, Hargreaves & Savitch, LLP

Auditors: Squar Milner

Banking Relationship: Wells Fargo, Comerica

Parallel 6 INC – Quality Management System (POL-QA-001-1.0)

1. Purpose

The purpose of this document is to describe the Quality Management System (QMS) for

Parallel 6 (P6). The QMS is established and maintained and includes the scope of the quality

management system, and a description of the interaction between elements of the quality

management system.

2. Scope

The Parallel 6 QMS describes the Quality System of P6 located at 3655 Nobel Drive, Suite

650, San Diego, California 92122.

The P6 QMS is applicable to all levels of personnel, and all functions. This policy applies to all

personnel associated with the design, development, distribution, marketing and post-market

surveillance of any product produced by, or bearing a company name, trade name, or trademark

belonging to P6. P6 is responsible for the quality of, and meeting the applicable requirements for,

the products that it develops.

Organization charts that show the relationship of the organization to the corporate

management structure and the relationship of the various functions to each other are maintained

by P6. The corporate organization chart is posted on the P6 Google Drive.

3. Background

A quality management system is a formalized system that documents processes, procedures,

and responsibilities for achieving quality policies and objectives. A QMS helps coordinate and

direct an organization’s activities to meet customer and regulatory requirements and improve its

effectiveness and efficiency on a continuous basis.

4. Responsibilities

4.1. Executive Management

4.1.1. Ensures the establishment of quality management strategies by supporting the

implementation and maintenance of quality management systems, guaranteeing the

continual maintenance of their suitability and effectiveness.

4.1.2. Communicates to all employees the importance of meeting all requirements, including

customer, statutory and regulatory. The communication methods may include executive

management meetings, employee meetings, formal training, job descriptions,

performance reviews, bulletin board postings, memoranda, email notices and verbal

communication.

4.1.3. Ensures that the organization will identify resource requirements and provide resources,

infrastructure, and qualified personnel to establish and maintain the elements of the

Quality System. This includes internal or contracted personnel resources and those for

the performance of work and assessment and verification activities.

4.1.4. Communicates to the organization and maintains awareness of the importance of

meeting customer requirements, as well as regulatory and legal requirements.

4.1.5. Sets expectations, tone and visibility for quality and compliance, as well as effective

implementation of the Quality Policy.

4.1.6. Conducts management reviews.

4.2. Quality Representative

4.2.1. Ensures that the quality policy is appropriate for the organization and P6 customers.

4.2.2. Commits to comply with requirements and to maintain the effectiveness of the quality

management system.

4.2.3. Provides a framework for establishing and reviewing quality objectives.

4.2.4. Ensures quality objectives are communicated and understood within the organization.

4.2.5. Ensures quality objectives are reviewed for continuing suitability.

4.2.6. Reports to Management on the overall performance of the QMS and the need for

improvement on an annual basis.

5. Policy

5.1. Training

5.1.1. Documented procedures for identifying training needs and providing for the training of

all personnel performing activities affecting conformity to product requirements have

been established and maintained.

5.1.2. Personnel performing specific assigned tasks are qualified based on appropriate

education, training, and/or experience as required.

5.1.3. If employees do not have the required education and/or experience, the necessary

training is provided to ensure employees are competent to perform the assigned tasks.

5.1.4. The training provided is periodically assessed to determine its effectiveness.

5.1.5. Records of training and appropriate education or experience are maintained.

5.1.6. Employees within the organization have a clear understanding of their roles and

responsibilities within the company through training and as defined in specific work

instructions.

5.1.7. Job descriptions define each employee's general job requirements and are maintained

within training files for each employee.

5.2. Documentation

5.2.1. Quality management systems have been established, documented, and maintained as

a means of ensuring conformity to specified requirements. This includes the preparation

and effective implementation of documented quality management system procedures

and instructions, as required.

5.2.2. Quality System policies, procedures, forms, and template instructions have been

formally documented and maintained as defined in procedures.

5.3. Document Control

5.3.1. Documented procedures have been established and maintained to control documents

that relate to the requirements of the QMS.

5.3.2. Documents are in electronic media.

5.3.3. Documents and data are reviewed and approved for adequacy by authorized personnel

prior to issue.

5.3.4. Current revisions of appropriate documents are available on the P6 QA Controlled

Drive.

5.3.5. Invalid and/or obsolete documents are promptly removed from current directories.

Obsolete documents are identified to prevent unintended use.

5.3.6. Documents are reviewed as required, and changes are made when necessary by means of Document Change Request Forms.

5.3.7. Changes to documents are reviewed and approved either by the original approving

function or by another designated function that has access to pertinent background

information upon which to base its decisions related to review and approval.

5.3.8. Altered or new text shall be identified in the appropriate attachments.

5.3.9. Procedures shall be established to describe how changes in documents maintained in

computerized systems are made and controlled.

5.3.10. P6 shall define the period for which obsolete copies of documents are retained.

5.4. Purchasing

5.4.1. Suppliers/subcontractors have been evaluated and selected based on their ability to

meet product and quality requirements including quality system and any specific quality

assurance requirements.

5.4.2. Suppliers/subcontractors are periodically assessed and product quality reviewed as a

means of controlling suppliers and subcontractors.

5.4.3. Control is dependent upon the type of product, the impact of the supplied

product/service on the quality of the final product and where applicable on quality audit

reports and/or quality records of the performance of suppliers/subcontractors.

5.4.4. Lists of acceptable suppliers and subcontractors are maintained.

5.4.5. Purchasing documents contain information that clearly describes the product to be

ordered.

5.4.6. This information includes (where applicable) type, class, grade, or other precise

identification, title or other positive identification and applicable issues of specifications,

drawings, process requirements, inspection instructions and other relevant technical

data, including requirements for approval or qualification of product, procedures,

process equipment and personnel, and title, number, and issue of any quality system

standard to be applied.

5.4.7. When it has been determined to verify purchased product/services at the

supplier/subcontractor, the purchasing documents specify these verification

arrangements and the method for release of product.

5.4.8. When specified in a customer contract, the customer or his representative may verify at

the supplier/subcontractor or upon receipt at P6 that product conforms to specified

requirements.

5.4.9. Verification by the customer does not absolve P6 of its responsibility to provide

acceptable product nor does it preclude subsequent rejection by the customer.

5.4.10. When the customer or his designated representative elects to perform verification at the supplier/subcontractor's facility, such verification is not used as evidence of effective control.

5.5. Control of Nonconforming Product

5.5.1. Documented procedures have been established and maintained to ensure that product that does not conform to specified requirements is prevented from unintended use and that the individuals who have the responsibility and authority for the disposition of the product are specified.

5.5.2. Control is provided for identification, documentation, evaluation, segregation (when

practical), disposition, and for notification to the functions concerned.

5.5.3. Documented procedures have been established, implemented and maintained for

dealing with actual or potential nonconformities.

5.5.4. The procedure defines the process for identifying and correcting the nonconformity and

action(s) taken to mitigate its impacts, investigating nonconformities, determining their

causes and taking actions in order to avoid recurrences.

5.6. Corrective Action and Preventive Action

5.6.1. Documented procedures for implementing corrective and preventive action have been

established and maintained.

5.6.2. Corrective actions are taken when corrective action requests are received from

customers, when problems occur in process, with product, process, or quality system.

5.6.3. The nonconformity identified is corrected, an investigation conducted to determine the

root cause, and an action implemented to prevent the recurrence of the nonconformity.

5.6.4. Results of the investigation and the corrective action taken are documented and

records maintained.

5.6.5. Follow-up is performed on corrective action responses to ensure that the corrective

action was implemented and effective in correcting the nonconformity.

5.6.6. Appropriate sources of information such as processes and work operations that affect

product quality, waivers, audit results, quality records, and customer complaints are

periodically reviewed to detect, analyze, and eliminate potential causes of

nonconformities.

5.6.7. The records maintained include the analysis performed in determining the preventive

action identified, the steps needed to be performed for implementation, the controls to

be applied to ensure it is effective, and the review to determine effectiveness of the

preventive action implemented.

5.7. Internal Audits

5.7.1. Documented procedures for planning and implementing internal quality and

environmental system audits to verify whether the QMS and related activities and

results comply with planned arrangements and to determine the effectiveness and

implementation of the quality management system have been established and

maintained.

5.7.2. Internal quality management system audits are scheduled on the basis of the status

and importance of the activity to be audited and are carried out by personnel

independent of those having direct responsibility for the activity being audited.

5.7.3. Results of audits are recorded and are brought to the attention of the personnel having

responsibility for the area audited.

5.7.4. Management personnel responsible for the area audited shall ensure that corrective

actions and necessary corrections on deficiencies found during the audit to eliminate

detected nonconformities and their causes are taken without undue delay.

5.7.5. Follow-up audit activities to determine implementation and effectiveness of the

corrective action taken are verified and recorded.

5.7.6. The results of internal quality audits are reported to the management representative for

inclusion in the management review.

5.8. Risk Management

5.8.1. P6 has established, implemented, and maintains a process for managing risk to the achievement of applicable requirements that includes, as appropriate to the organization and the product:

5.8.1.1. Assignment of responsibilities for risk management,

5.8.1.2. Definition of risk criteria (e.g., likelihood, consequences, risk acceptance),

5.8.1.3. Identification, assessment, and communication of risks throughout product

realization,

5.8.1.4. Identification, implementation and management of actions to mitigate risks

that exceed the defined risk acceptance criteria,

5.8.1.5. Acceptance of risks remaining after implementation of mitigating actions.

5.9. Continuous Improvement

5.9.1. Continuous improvement of the effectiveness of the QMS is evaluated through the use

of the quality policies, quality objectives, audit results, analysis of data, corrective and

preventive actions and management review.

5.10. Management Review

5.10.1. Management review is performed on an annual basis at a minimum to ensure the

QMS continues to be suitable, adequate, and effective.

5.10.2. The review shall include assessing opportunities for improvement and the need for

changes to the Quality Management System including the quality policy and quality

objectives.

5.10.3. Records from management reviews shall be maintained.

5.10.4. The input to management review shall include information on:

5.10.4.1. Results of audits, including assessments by external bodies,

5.10.4.2. Customer feedback, including customer complaints,

5.10.4.3. Process performance and product conformance,

5.10.4.4. Suppliers’ quality performance,

5.10.4.5. Status of preventive and corrective actions,

5.10.4.6. Follow-up actions from previous management reviews,

5.10.4.7. Changes that could affect the quality management system,

5.10.4.8. New or revised regulatory requirements,

5.10.4.9. Other relevant factors such as quality control activities, resources and staff

training,

5.10.4.10. Suitability of policies and procedures.

5.10.5. Review output

5.10.5.1. The output from the management review shall include any decisions and actions related to information on:

a) Improvement of product related to customer requirements,

b) Resource needs.

5.10.6. Findings from management reviews and the actions that arise from them shall be

recorded.

5.10.7. Management shall ensure that these actions are carried out within an appropriate

and agreed timescale.

5.10.8. Management review results should feed into planning including the goals, objectives,

and action plans for the coming year.

5.11. Management Representative

5.11.1. A Quality Assurance Representative shall be appointed to ensure that the QMS is

established, implemented, and maintained.

5.11.2. The Representative is responsible for reporting to Management on the overall

performance of the QMS and the need for improvement on an annual basis.

6. References

N/A

7. Attachments

N/A

Parallel 6 | Clinical Reach | Information Security Posture

Proprietary and Confidential - Patents Issued and Pending

May 2016

The Clinical Reach platform is a Cloud Deployed SaaS Platform that is an end-to-end, patient-centric solution for patient enrollment, engagement, data capture, and reporting using a ‘Bring Your Own Device’ philosophy. Deployments of the solution have been primarily in the Amazon AWS HIPAA cloud as well as the secured Federal cloud. Locations of deployment in AWS include Virginia, Oregon, Ireland, and Germany.

As a summary of the security posture of the solution, the Clinical Reach platform complies with and has been audited for the following:

• CFR Part 11
• EU Annex 11
• Safe Harbor
• DHS Initiated Security Scans
• Cleanroom and Code Audit Process
• AES Encryption Standards
• Encrypted data at rest and in motion
• Multi-Level access controls
• Multi-factor authentication
• Multiple security zones
• Backup and Recovery systems
• Auditable and validated SDLC and systems

The following set of questions outlines the Security Posture of the Clinical Reach platform. These questions were compiled from multiple security audits by different organizations, including both Sponsors and CROs in the Clinical Trial sector.

Sponsor and CRO Security Audit Questions

SYSTEM SECURITY POLICY POL-IT-001

1. Does your company have documented information security policies in place?

a. Yes - Covered in P6 policies: POL-IT-001 System Security Policy and POL-IT-002

System Access Policy.

2. How frequently are your security policies updated to ensure the policies address new

threats and trends?

a. At a minimum every 6 months although updates can happen more frequently if

needed.

3. Have you designated an individual responsible for information security (hereinafter referred to as Information Security Officer) within your organization?

a. Yes - Amit Chakradeo - Chief System Architect and Security Architect

20. Are all areas within company facilities that contain Sponsor Information locked when

not attended?

a. Yes - It is not foreseen that there will be any Sponsor Information stored or otherwise

available in the P6 facility. Data will be stored in the AWS HIPAA Cloud dedicated to

the Sponsor instance of the Clinical Reach Platform. The P6 facility is locked during

non-business hours.

29. Do you have documented acceptance criteria for Systems and Network Devices

before they are put into production?

a. Yes - P6 IT manager performs the configuration and testing of newly added system

and network devices.

30. Do you have documented hardening processes for Systems and Network Devices

that must be completed before they are put into production?

a. Yes - Deployed server instances are built using previously established P6 server images from production systems. Customized Clinical Reach platform applications are tested and installed on the deployed server instances and made available to end-users.

31. Do all laptops, desktops and servers have properly configured commercial anti-malware software installed and running at all times?

a. Yes - The P6 System Security policy (POL-IT-001 - System Security Policy) requires

this.

48. Are all systems that store, process, or transmit Sponsor information capturing

security relevant events in audit logs? (e.g., Databases, Firewalls, Directories, Servers,

Applications, etc.)

a. Yes

49. How long are the audit logs retained?

a. No minimum retention - The Audit Logs are retained forever unless otherwise noted

by the client.

84. Do you have a documented policy that sets minimum cryptographic standards which

must be followed by all applications as well as networking and computing resources?

a. Yes - Data may be temporarily at rest on mobile devices and is encrypted using AES 256 encryption algorithms. All data in transit is encrypted via SSL.

89. Do you have established processes and controls in place to ensure symmetric

encryption keys and asymmetric private keys are encrypted in transmission and storage and

are protected from unauthorized access?

a. Yes - These keys are kept in a restricted-access account in P6’s platform and mobile device software development repository.

94. Does all software installed on workstations, laptops and server systems undergo a

risk assessment and approval by your Information Security Officer (or delegate)?

a. Yes

SYSTEM ACCESS POLICY POL-IT-002

1. Does your company have documented information security policies in place?

a. Yes - Covered in P6 policies: POL-IT-001 System Security Policy and POL-IT-002 System Access Policy

6. Does your company have a process to ensure security requirements are adhered to

by all Related Parties before sharing Sponsor Information with them and before providing

access to your internal networks which store, process or transmit Sponsor Information?

a. Yes - Our process includes not only vendor audits, but security audits and all the artifacts required such as CDA’s etc., followed by training.

17. Do you immediately terminate personnel access to computing and network

resources, facilities, and secure areas when an individual is no longer an employee,

contractor or subcontractor, or when they no longer need access?

a. Yes - Defined in P6 POL-IT-002 System Access Policy.

51. Do you have a policy which ensures only authorized individuals have access to

facilities, secure areas, and computing and networking resources?

a. Yes - P6 follows our System Access Policy (POL-IT-002)

52. Is management required to approve an individual’s access to all facilities, secure areas and Computing and Network Resources?

a. Yes - Requests for access to Parallel 6 systems and applications are made formally to the COO or designee per our System Access Policy (POL-IT-002).

53. Do you restrict each user’s access privileges to the minimum set required for the

performance of their job and only for the duration of the need of that privilege?

a. Yes - The level of security assigned to a user in P6’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.

54. Does Management review and approve all requests for administrative or other

elevated privilege?

a. Yes - Any Parallel 6 workforce member can request change of access. Review of such requests is the same as for initial assignments: by the COO or designee. (System Access Policy - POL-IT-002)

55. Are elevated privileges reviewed periodically and revoked when no longer needed?

a. Yes - Review is performed by the COO or designee. (System Access Policy - POL-IT-002)

56. Are passwords, PINs, shared secrets, and other authentication information always

encrypted (or hashed) in storage and transmission?

a. Yes - Passwords are never in the clear anywhere in the system. All data at rest is encrypted using AES 256. All data in transit is encrypted via SSL.

57. Are passwords and PINs delivered in a confidential manner that requires the recipient

to prove his or her identity before receiving the password or PIN?

a. Yes - Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system. Each Customer and Partner has and uses a unique user ID and password that identifies him/her as the user of the information system.

58. Are temporary passwords and initial passwords and PINs required to be changed

upon first use?

a. Yes - This is standard operating procedure for best practice implementation.

59. Are all default passwords changed during or immediately following the completion of

hardware or software installation?

a. Yes - Default accounts on all production systems, including root, are disabled.

60. Consider all authentication credentials under the control of an individual (passwords and PINs to user accounts, shared accounts, and service accounts). How soon after resignation or termination are these authentication credentials changed or disabled?

a. Immediately - A terminated user’s account and access rights will be terminated immediately upon notification.

61. Do you limit the use of your network to only those individuals (employees, contractors

and other users) who have business need for access?

a. Yes - The level of security assigned to a user to the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out their job duties. All access requests are treated on a “least-access principle”.

70. Is access to applications or systems that store, process, or transmit Sponsor

information disabled after 180 days of non-use?

a. Yes, through a manual process - The Systems Engineer audits and will terminate access of users that have not logged into organization’s information systems/applications for an extended period of time (configurable). (System Access Policy - POL-IT-002)

71. Choose the closest representation to your minimum requirements for user password

length and complexity.

a. On all production systems and applications in the Parallel 6 environment, password configurations are set to require that passwords are a minimum of 8-character length, 90-day password expiration, account lockout after 5 invalid attempts, password history of last 4 passwords remembered, and account lockout after 15 minutes of inactivity. (System Access Policy - POL-IT-002)

73. Do mobile devices require passwords/PINs with a length of at least 6 characters before allowing access to Sponsor information?

a. Yes - Access to systems is controlled using centralized user management and authentication. All authentication requests utilize two-factor authentication using mobile devices as the second factor. On all production systems and applications in the Parallel 6 environment, password configurations are set to require that passwords are a minimum of 8-character length. (System Access Policy - POL-IT-002)

74. Are individual PINs and passwords set to expire after no longer than 90 days?

a. Yes - 90-day password expiration (System Access Policy - POL-IT-002)

75. When can the same individual password be reused?

a. After 5 changes - Password history of last 4 passwords is remembered. (System Access Policy - POL-IT-002)

76. Are accounts temporarily disabled for at least 15 minutes when five consecutive attempts to authenticate fail within a 15-minute window?

a. Yes - Account lockout after 5 invalid attempts and account logout after 15 minutes of inactivity. (System Access Policy - POL-IT-002)

77. Are passwords and PINs suppressed from being displayed in readable form at any time during entry (including those used for portable computing devices)?

a. Yes

78. Are passwords and PINs required to be changed at any indication of compromise?

a. Yes

79. Are passwords and PINs prevented from being cached at all times?

a. Yes

SOFTWARE UPDATE POLICY POL-IT-003

100. Do you have a policy which governs the maximum amount of time that may elapse between the time a vendor supplies a critical security patch and the time it is applied to your network and computing resources?

a. Yes - Patches are installed as soon as they are evaluated for relevance and need.

101. What is your maximum timeframe for applying vendor-supplied critical security patches to User Systems?

a. Within 30 days or sooner based on threat evaluation.

102. What is your maximum timeframe for applying vendor-supplied critical security patches to Internet-Facing Server Systems?

a. Within 30 days or sooner based on threat evaluation.

103. What is your maximum timeframe for applying vendor-supplied critical security patches to Other Server Systems?

a. Within 30 days or sooner based on threat evaluation.

104. What is your maximum timeframe for applying vendor-supplied critical security patches to Applications that store, process, or transmit Sponsor information?

a. Within 30 days or sooner based on threat evaluation.

105. What is your maximum timeframe for applying vendor-supplied critical security patches to Network Devices?

a. Within 30 days or sooner based on threat evaluation.

106. Do you have a policy which governs the maximum amount of time that may elapse between the time a vendor supplies a non-critical security patch and the time it is applied to your network and computing resources?

a. Yes

107. What is your maximum timeframe for applying vendor-supplied non-critical security patches to User Systems?

a. Within 30 days or sooner based on threat evaluation.

108. What is your maximum timeframe for applying vendor-supplied non-critical security patches to Internet-Facing Server Systems?

a. Within 30 days or sooner based on threat evaluation.

109. What is your maximum timeframe for applying vendor-supplied non-critical security patches to Other Server Systems?

a. Within 30 days or sooner based on threat evaluation.

110. What is your maximum timeframe for applying vendor-supplied non-critical security patches to Applications that store, process, or transmit Sponsor information?

b. Within 30 days or sooner based on threat evaluation.

GITHUB, CHEF

8. Do you maintain an inventory of hardware and software assets which documents the identification, ownership, usage, location and configuration of each item?

a. Yes - GitHub is used for configuration and version and ownership of both Clinical Reach platform and mobile device development assets.

9. Are all hardware and software systems and components configured to a known baseline configuration?

a. Yes – GitHub is used for configuration and version and ownership of both Clinical Reach platform and mobile device development assets. Chef is our configuration management tool focusing on deployment and disaster recovery in some cases, and ensures cloning capability as well as automated build preparation.

10. Do you maintain records of the baseline configuration of each system?

a. Yes - Baseline configurations are maintained using a combination of GitHub and Chef

11. Do you maintain documentation of configuration changes to each system?

a. Yes - Configuration reports can be generated from GitHub and Chef.

95. Are software updates and patches researched, tested and verified by appropriate personnel before deployment?

a. Yes - The fixes for Critical and Major are applied immediately and deployed automatically using our Chef Operations Infrastructure to all of the servers within minutes of updating the software code. Minor issues are typically fixed and scheduled for deployment in the next release cycle.

TRAINING MANAGEMENT SOP-QA-002

14. Have you established training programs to ensure that personnel understand their responsibilities regarding information security?

a. Yes - Defined in P6’s Training Management Policy (SOP-QA-002)

15. How often is information security training performed and refreshed?

a. Performed within 90 days of Hire, Refreshed Annually - Training starts on employee’s first day at P6

BUILDING SECURITY SOP-OPS-001

18. Does your company implement physical access control mechanisms to ensure only authorized individuals can access facilities?

a. Yes - Defined in P6 Building Security SOP (SOP-OPS-001).

19. Are data centers, equipment rooms, telecommunications closets, and utilities physically protected so that only authorized individuals can access them?

a. Yes - P6 employs Amazon Web Services to support all deployable server configurations. Other access to equipment rooms, telecommunications closets, and utilities is physically protected by the mechanisms documented in the P6 Building Security Policy (SOP-OPS-001).

20. Are all areas within company facilities that contain Sponsor Information locked when not attended?

a. Yes - It is not foreseen that there will be any Sponsor Information stored or otherwise available in the P6 facility. Data will be stored in the AWS HIPAA Cloud dedicated to the Sponsor instance of the Clinical Reach Platform. The P6 facility is locked during non-business hours.

21. How often does your company conduct inspections of the perimeter and all access control mechanisms to provide assurance that all physical access control methods cannot be bypassed?

a. Annually - Facilities are locked at the end of the business day or anytime when the suite is empty. We are located in a locked building on the 6th floor through an additional double locked door.

23. Do you use a badging system or any other approach to ensure that everyone within your facilities can be immediately identified?

a. Yes - Personnel are stationed at the entrance to the P6 Suite. Visitors also sign in a visitor log at the front desk.

CHANGE CONTROL SOP-EN-004

26. Do you have a documented Change Management process and supporting procedures in place to control all changes to Computing and Network Resources?

a. Yes - P6 has a change control policy, SOP-EN-004 Software Change Control, which can be extended to our network and AWS changes.

BACKUP & RECOVERY SOP-EN-005

33. Do you log data backup and recovery events?

a. Yes

32. Do you perform regular data backups on systems processing or storing Sponsor Information?

a. Yes - All Clinical Reach client databases have full daily backups scheduled (See P6 procedure Backup and Recovery SOP-EN-005). Incremental restores are facilitated by AWS RDS point-in-time (PIT) restores. The AWS RDS PIT functions provide instantaneous restoration of data for any period within a sliding predefined time window.

34. Do you perform data backups immediately prior to any system upgrade or maintenance activity?

a. Yes

35. If encrypted information is backed up, does it remain encrypted throughout the data backup process?

a. Yes

36. Are data backups stored in a geographically separate, physically secure facility?

a. Yes - For customer data, Parallel 6 implements MySQL cluster for live replication and redundancy between two availability zones. One full daily backup is taken and placed on the backup server. The backup is shipped over VPN to DR region (Rsync over VPN). The DR site is restored with the latest backup as soon as transfer is completed.

37. How often is the ability to restore data backups tested?

a. Annually - For customer data backup, Parallel 6 implements MySQL cluster for live replication and redundancy between two availability zones. One full daily backup is taken and placed on the backup server. The backup is shipped over VPN to DR region (Rsync over VPN). The DR site is restored with the latest backup as soon as transfer is completed.

VENDOR QUALIFICATION SOP-QA-004

47. Do you have documented policies and procedures to protect Sponsor information when shared with external entities?

a. Yes - This is covered in the Vendor Qualification and Management procedure SOP-QA-004.

SYSTEMS DEVELOPMENT LIFE CYCLE - SDLC SOP-EN-003

96. Do you have a documented System Development Lifecycle (SDLC) which governs the development and deployment of systems and applications?

a. Yes - P6 System Development Life Cycle policy document (SOP-EN-003).

97. Does your SDLC incorporate activities and deliverables to ensure security requirements are met?

a. Yes - HIPAA requirements are included in the platform's requirement set and are tracked throughout development to testing.

98. Do such activities include testing of interfaces among systems and systems components?

a. Yes - New interfaces are tested as part of unit and system tests, with existing (previously developed) interfaces validated (regression testing) using automated test scripts.

CORRECTIVE ACTION PREVENTIVE ACTION - CAPA SOP-QA-005

119. Do you have a formal security incident monitoring, reporting and response process to identify, report, and appropriately respond to known or suspected security incidents?

a. Yes - Corrective and Preventive Action Management - SOP-QA-005 CAPA Management.

120. Does your security incident reporting process include providing notification to Sponsor within 24 hours of any known or suspected compromise of Sponsor information (or applications hosting Sponsor information)?

a. Yes - Client notification is called out in P6’s Corrective and Preventive Action Management procedure. (SOP-QA-005 CAPA Management)

121. Is the theft or loss of user systems (such as workstations or laptops) considered security incidents and follow your incident reporting process?

a. Yes

RISK ASSESSMENT SOP-QA-007

12. Do you have formally defined policies and practices for performing risk assessments of software and systems?

a. Yes - See results of the risk assessment for Clinical Reach—Clinical Reach Risk Assessment.docx. Also P6 procedure Risk Assessment and Management (SOP-QA-007)

BUSINESS CONTINUITY SOP-OPS-003

122. Do you maintain an Information Systems Continuity of Business and Disaster Recovery Plan (CoB/DR Plan) that will prevent catastrophic data loss and ensure timely restoration of network and computing services in the event of system failure, damage or destruction?

a. Yes – Business Continuity Plan SOP-OPS-003

PARALLEL 6 CONTROLLED DOCUMENTS

DOCUMENT #      TITLE
F-CO-001-01     Compliance Incident Reporting Form
F-EN-004-01     Software Change Control Request Form
F-IT-002-01     System Access Request Form
F-QA-001-01     Document Change Request Form
F-QA-002-01     Read and Understand Training Record
F-QA-002-02     Instructor Led Training Record
F-QA-005-01     CAPA Report Form
F-QA-008-01     Non-Conformance Report Form
POL-CO-001      HIPAA
POL-CO-002      Privacy Rule
POL-CO-003      Hotline Policy
POL-CO-004      Complaint Handling
POL-CORP-001    Code of Business Conduct and Ethics
POL-CORP-003    Conflict of Interest
POL-CORP-004    Computer Fraud and Abuse
POL-CORP-005    Electronic Signatures
POL-CORP-006    Online Copyright Infringement
POL-IT-001      System Security Policy
POL-IT-002      System Access Policy
POL-IT-003      Software Update Policy
POL-OPS-001     Record Retention
POL-PM-001      Program-Project Management Policy
POL-QA-001      Quality Management System
SOP-CO-001      Compliance Incident Reporting
SOP-EN-003      Software Development Lifecycle (SDLC)
SOP-EN-004      Software Change Control
SOP-EN-005      Backup and Recovery
SOP-OPS-001     Building Security
SOP-OPS-003     Business Continuity Plan
SOP-QA-001      Controlled Documents
SOP-QA-002      Training Management
SOP-QA-003      Internal Audit
SOP-QA-004      Vendor Qualification and Management
SOP-QA-005      CAPA Management
SOP-QA-006      Creating and Using Electronic Signatures
SOP-QA-007      Risk Assessment and Management
SOP-QA-008      Non-Conformance Reporting
N/A             Notice of Privacy Practices


PHARMATECHOUTLOOK.COM MARCH - 2016

Top 10 eClinical Trial Management Solution Providers 2016

Company: CLINICAL REACH BY PARALLEL6

Description: An innovative software as a service provider of mobile enrollment & engagement solutions for clinical research, health, and public sector organizations

Key Person: Allan Camaisa, CEO & Chairman

Website: parallel6.com

Clinical Reach by Parallel6

An Annual Listing of 10 Companies that are at the forefront of providing eClinical Trial Management solutions for the Pharma & Life Science Industry and impacting the marketplace

recognized by TECH OUTLOOK magazine as

eClinicalTrial Management

The progressive course of technology and digitization has left no stone unturned in the clinical trial industry. Clinical trials must comply with several regulatory mandates, are confined to strict timelines, and are often performed on large data sets of varying complexity. With legacy systems, there is always a risk of data inconsistency and delay in dispatch of information that will lead to wrong trials. Dictating innovation and efficiency, many companies have risen up in the recent decades to underpin the eClinical trial management arena.

The advent of modern trial management solutions has greatly enhanced patient recruitment and monitoring processes. These comprehensive solutions start at the bottom of the clinical trial cycle from dynamic data capture to trial migration, centralized data hosting to historical data repositories and go all the way up to drug approval. To complement these solutions, there is an array of turnkey solutions surfacing in the market, including remote radiology, portable research kits, and mobile suites, which are paving the way for accuracy and rapid delivery of results.

In an effort to help clinical scientists set the stage towards a digital trial management system, a panel of prominent CEOs, CIOs, VCs, analysts, along with the Pharma Tech Outlook’s editorial board has assessed scores of eClinical trial management solution providers and picked out a list of prime choices.

We have considered the vendor’s ability in building solutions that can effectively and efficiently manage clinical trials, and at the same time deliver consistent information.

We present to you Pharma Tech Outlook’s Top 10 eClinical Trial Management Solution Providers 2016.


The pharmaceutical and life sciences industry is undergoing a transformative shift triggered by the wide-spread adoption of digital health, mobile medical devices and technology platforms that are bringing improvements to medical and clinical research practices. However, the clinical research process for market approval of new treatments and devices is encumbered by complex long-term trials and strict regulations that have resulted in a shortage of qualified physician investigators and willing participants. To address these impediments, pharma and research companies seek befitting software solutions for clinical trial management to improve trial efficiencies, cut costs and critical errors, disseminate necessary data to the stakeholders, and increase the number of volunteers in clinical research. The California based firm, Parallel 6, is a provider of enterprise cloud and mobile technologies that works to enhance and support clinical research by harnessing the ongoing digital health revolution with its Clinical Reach platform. “Our solution reduces the burden of all stakeholders, and offers real-time operational metrics to drive trial efficiencies,” says Allan Camaisa, CEO and Chairman of Parallel 6.

Clinical Reach is a mClinical (mobile clinical) platform for patient enrollment, engagement and retention in clinical trials. “Over the course of a clinical trial many participants forget to take their scheduled medication or physician appointments, the Clinical Reach mobile application connects the patient with their physician or care team,” asserts Camaisa, “this empowers the patient to stay in control of their own tasks and remain in compliance with the clinical trial protocol.” As most of the users prefer personalization in the trial processes, the Clinical Reach platform helps participants to communicate with the physicians throughout the duration of the study on their preferred mobile devices – iOS, Android or Windows phones. The platform also allows a virtual clinical operations team to manage and monitor the entire trial with multi-site, multi-language, and multi-country capabilities, identifying areas of risk in real-time.

As clinical trials are becoming more virtual, the need to improve the patient experience and empowerment in the clinical trial has increased drastically. To serve this need, the Clinical Reach platform has made additions to its suite of products with a new companion app, which drives clinical trial compliance by empowering the patient’s invited family or friends to receive reminders for patient medication adherence, and appointments. The platform also reduces the time and cost of patient recruitment for clinical trial sponsors and contract research organizations (CROs) through the nPruv recruitment module. The nPruv solution securely matches patient-to-trial and engages them both at the point of care and online, thereby improving patient recruitment and enrollment workflow.

The Clinical Reach platform is HIPAA compliant and designed to encrypt data from the patient’s internet enabled device to the platform ensuring secure data transport at every stage of the qualification and enrollment process. “Aside from all the capabilities and benefits delivered to the users, our solution helps clinical trial stakeholders to digitally recruit, qualify, consent, engage, record, and manage clinical trial participants through our patented platform,” comments Camaisa.

Apart from the above, the Clinical Reach platform connects to all mobile technologies including medical devices, mHealth wearables, smart phones, smart watches, and other patient centric sensors and devices. “We are excited to see the momentum behind Clinical Reach, some of the largest pharma companies see that our platform gives clinical trial stakeholders the ability to securely view trial specific information, medication adherence reports, and eCOA in real-time. This means they have immediate access to the data they need to make informed decisions, faster, and empower patient experience at a reduced cost to the trial sponsor,” concludes Camaisa.

Our solution offers real-time operational metrics to drive clinical trial efficiencies

CLINICAL REACH BY PARALLEL6: Unleashing Clinical Trial Efficiencies

Allan Camaisa
