This software complies with all major regulations governing human subject research and privacy of data stored online. The system complies with both HIPAA and Common Rule for customers in the United States. For customers in Canada, it complies with the Personal Information Protection and Electronic Documents Act, as well as the Tri-Council Statement. For customers in the European Union or in countries that follow OECD rules, it complies with OECD privacy rules and the European Union Directive of Data Protection. Your organization may or may not need to comply with the relevant regulations. Your research administrator can advise you on this situation.
Even if you are not required to comply, compliance is always a good idea. Protecting sensitive data is always a good thing. Compliance in the context of this system is as simple as reading the remaining paragraphs of this section, that apply to your organization, and following the guidelines contained therein. The software handles all the remaining compliance issues involving software, privacy and electronic data storage automatically. You should still consult with your IRB or organization to learn about additional compliance rules you must follow outside of use of this software. For example, the handling of the data you collect during your study.
Some regulations, particularly the US HIPAA regulations) are focused primarily on health data. You may think the system does not store confidential health data (in HIPAA terms, it is called PHI — Protected Health Information), but depending on how your organization uses the software, there may very well be confidential data in the system. Consider the case of a study that requires a participant to come from a family that has a history of mental illness. Merely knowing who signed up for that study could be considered confidential because that type of information should not be revealed to the public. It may turn out that your studies are not of such a nature, but it applies in even more benign situations. For example, a study that requires that participants be regular contact lens wearers can be construed as confidential information. Organizations typically err on the side of caution given the criminal and civil penalties for violation of these types of regulations.