Veeva Vault and GDPR

Veeva Vault is a platform that provides a set of software applications across both commercial and R&D functions. Each application provides a base framework configuration, which life sciences companies then populate with data and documents – this means Veeva Vault acts as a Data Processor. Veeva Vault has been designed to protect personal data and supports GDPR product obligations as a Data Processor.

Duration of Data Processing

Data is processed for as long as a customer has a contract with Veeva and requires the data to be retained. The ability to delete all customer data in a Vault is available at any time a customer requests this, as per the contract.
Learn more »

Data Access on Vault

Vault users can view and edit (with restrictions) their user information at any time once logged in.

When data is collected from individuals who are not Vault users, it is your responsibility to make such individuals aware of what data will be collected and processed.

If an individual submits an access request to you to understand the data that is being stored within Vault on him / her, Veeva can provide a copy of that data, in an electronic format, within 20 business days.

You can authorize any other third-party data and document integrations with Vault.

Right to Be Forgotten

If an individual submits a “right to erasure” request to a Veeva customer to have their data deleted from a Veeva database, then the Veeva customer has the following options:

  • Process the data deletion themselves: Vault users can remove data at any time within the security controls configured by our customers.
  • Request that Veeva deletes that data: If a Veeva customer requests Veeva’s assistance in the removal of subject data, Veeva will respond to such requests within 20 business days.
These deletions should only be processed if other global and European regulations (particularly regarding the long-term storage of clinical trial data) permit such data deletion. It is for Veeva customers to make that determination.

Breach Notification

Veeva has a data breach management policy and a security team in place to identify violations and to ensure correct and timely action. If Veeva becomes aware of a data breach, it will contact the customer(s) affected within 72 hours.