Tastermonial Data Security Policy

Last Updated: Jan 31, 2025

1. Introduction

Tastermonial is committed to protecting the privacy, security, and integrity of all data collected through our platform. As a Contract Research Organization (CRO), we conduct research on behalf of brands, supplement companies, and institutions while adhering to strict data security and privacy protocols.

We do not share Personally Identifiable Information (PII) with researchers, partners, or third parties unless a user has explicitly provided media release consent. Our security framework is aligned with SOC 2 standards and informed by HIPAA best practices, ensuring compliance with industry-leading security protocols.

2. Data Lifecycle & Security Measures

Tastermonial follows a structured data lifecycle with safeguards at every stage.

Data Collection

  • Data is collected through HIPAA-compliant forms and securely transmitted to TimescaleDB hosted on AWS.
  • Personally Identifiable Information (PII) and Protected Health Information (PHI) are stored separately from research data.
  • All data transfers occur over encrypted channels (TLS 1.2/1.3).
  • A Business Associate Agreement (BAA) is signed with our HIPAA-compliant form and data storage provider.

Data Storage & Protection

  • Data is stored in TimescaleDB on AWS, located in SOC 2-certified US data centers.
  • Encryption is applied as follows:
    • At rest: AES-256 encryption.
    • In transit: TLS 1.2/1.3 secure transmission.
  • Automated backups occur daily, with secure retention policies.
  • Data used for research is de-identified and anonymized where applicable.

Data Access & Transmission

  • Only authorized research personnel can access data through role-based access controls (RBAC).
  • Multi-factor authentication (MFA) is enforced for all administrative accounts.
  • Audit logging tracks data access to ensure compliance.
  • No PII is shared unless a user provides explicit media release consent.

Data Usage & Processing

  • Data is used strictly for research and never sold or shared for advertising.
  • All data processing activities follow strict audit logging and confidentiality protocols.
  • Researchers receive only de-identified or aggregated study data.

Data Retention & Destruction

  • Data is retained based on regulatory requirements and business needs.
  • Users can request data deletion at any time via [contact email].
  • Upon request or expiration of retention periods, data is securely erased using cryptographic deletion methods.

3. Security & Compliance Measures

Technical Safeguards

  • Data is encrypted at rest using AES-256 and in transit using TLS 1.2/1.3.
  • AWS security controls include firewall protection and intrusion detection.
  • Role-based access control (RBAC) ensures that only authorized users can access sensitive data.
  • Multi-factor authentication (MFA) is enforced for all system administrators.
  • Security logs and monitoring systems track all access and activities.

Administrative Safeguards

  • Dedicated security personnel oversee compliance and risk management.
  • Employees handling sensitive data undergo regular security training.
  • A formal incident response plan is in place to handle potential data breaches efficiently.

Compliance & Certifications

Tastermonial aligns with:

  • SOC 2 Type II best practices (security, confidentiality, availability).
  • HIPAA-informed security standards for health data.
  • GDPR privacy principles for applicable users.

4. User Rights & Privacy Choices

  • Users may request access to their data and corrections if needed.
  • Users may request deletion of their data at any time.
  • Personal data is never shared without explicit user consent.
  • Users are informed about how their data is collected, used, and protected.

For further questions or security concerns, please contact lou@tastermonial.com.