At High Enroll, we take security and privacy very seriously. Our technology is designed from the ground up to collect minimal personal information and to never collect, store or process protected health information. This document provides an overview of our security posture and data collection practices.

Summary of High Enroll Technology

The High Enroll platform and associated mobile application are a tool to disseminate study information to healthcare providers. This study information helps them introduce study participation opportunities to their patients. Study information is entered into the platform by account holders at each site; that information is then sent to providers who have subscribed to receive updates for their specialties.

While High Enroll positively impacts recruitment by keeping relevant studies top-of-mind, it does NOT collect, store or transmit PHI (Protected Health Information) or any patient information. When healthcare providers find relevant studies for their patients, they contact the site’s research staff, outside of the High Enroll platform, just as they have always done.

Protected Health Information (PHI)

High Enroll does not collect, store or process patient information of any kind. For the sake of clarity, neither the platform nor the mobile application is used to store names, medical histories, provider data, etc.

Personally Identifiable Information (PII)

Health Care Providers

Health care providers may choose to add personally identifiable information to their High Enroll account; however, it is not required to use the platform or mobile application. If they choose to create an account, the platform collects their name, email address, time zone, password, and optionally phone number.

Site Administrators

Site administrators must create secure accounts to access the online dashboard. Name, email address, time zone, password, and phone number are required to create an account that can administer site and study information.

Security Measures

Safeguarding the information of our clients, providers, and users is extremely important to us. Some of the security measures we have implemented are:

Data Encryption

● TLS is used to protect all network traffic

● All data at rest are encrypted

Passwords

● Always transmitted over TLS

● Hashed with salt and stored in a table with a derived key

● Encrypted tokens are used to authenticate requests

Virtual Infrastructure

Leveraging the security provided by Amazon Web Services allows us to focus on developing world-class software. We use industry-best practices to further secure the High Enroll platform and continue to evolve with the changing technology landscape. A few examples are:

● Application servers have a lifespan of 1 hour, limiting intrusion exposure

● Incoming requests are limited to HTTP and HTTPS

● Virtual networks make use of a bastion host for configuration

● Application firewall rules evolve as threats change

● Physical tokens are used to access all infrastructure

More Information

For more information, please feel free to contact Matt Vorst, Chief Technology Officer at: mavorst@highenroll.org and/or see our Privacy Policy at: https://www.highenroll.org/privacy-statement/