Privacy & data handling
Damaros processes clinical data inside an institution-approved boundary under deterministic, auditable execution. This policy describes what data is handled, where it lives, and the controls that keep it governed.
What this covers
This policy applies to the Damaros platform and its FHIR integration when deployed for a site, sponsor, or hospital system. Protected health information (PHI) handling is governed by the executed Business Associate Agreement (BAA) or Data Processing Agreement (DPA) for each deployment, which prevails where terms differ.
Data we process
- Clinical evidence. Read-only FHIR resources for site-approved cohorts, normalized to protocol-scoped facts. Only contract-mapped fields persist; everything else is discarded before evaluation.
- Execution records. Criterion-level PASS / REVIEW / FAIL outcomes, evidence references, and replay lineage.
- Operational identity. Coordinator and staff sessions carry a subject, role, organization scope, and trial scope for attribution and access control.
- Telemetry. Structured logs favoring stable identifiers (request id, org id, trial id, non-PHI codes). Free-text clinical narrative is excluded from default log templates.
PHI and AI boundary
Screening outcomes are deterministic. Eligibility verdicts come only from the engine evaluating normalized FHIR facts, never from a generative model. Luna governs AI-assisted work that sits outside the screening path, with provenance, reviewability, PHI gating, and scoped tasks enforced.
PHI never touches an LLM. No patient identifiers and no cohort-linked clinical fields are serialized into any AI-assisted path. Eligibility remains traceable to the protocol version and the evidence inputs that produced it.
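The two controls above (only contract-mapped fields persist, and no patient identifiers or cohort-linked clinical fields are serialized into an AI-assisted path) can be illustrated with a small Python sketch. This is an added example, not Damaros code: the contract format, the names normalize, assert_ai_safe and is_ai_safe, the allowlisted keys, and the sample Observation are all assumptions constructed for illustration.

```python
"""Added example (not Damaros code): contract-scoped normalization of a FHIR
resource plus a deny-by-default PHI gate in front of an AI-assisted path.
Every name, field path and sample value below is constructed for illustration."""
from dataclasses import dataclass
from typing import Any


class PHIBoundaryError(Exception):
    """Raised when a payload bound for an AI-assisted path carries PHI."""


@dataclass(frozen=True)
class FieldContract:
    """One contract-mapped field (hypothetical format): where it lives in the
    FHIR resource and which protocol-scoped fact it becomes."""
    resource_type: str
    fact_name: str
    path: tuple[Any, ...]  # dict keys (str) and list indexes (int)


# Hypothetical contract for one protocol: only these fields persist.
CONTRACT = (
    FieldContract("Observation", "loinc_code", ("code", "coding", 0, "code")),
    FieldContract("Observation", "value", ("valueQuantity", "value")),
    FieldContract("Observation", "unit", ("valueQuantity", "unit")),
)


def _dig(obj: Any, path: tuple[Any, ...]) -> Any:
    """Follow a key/index path into nested dicts and lists; None if absent."""
    for step in path:
        try:
            obj = obj[step]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def normalize(resource: dict[str, Any], contract=CONTRACT) -> dict[str, Any]:
    """Reduce a FHIR resource to contract-mapped facts plus an evidence
    reference. Unmapped fields (subject, performer, free-text notes, ...)
    are dropped here and never reach the evaluation step."""
    facts: dict[str, Any] = {}
    for spec in contract:
        if spec.resource_type != resource.get("resourceType"):
            continue
        value = _dig(resource, spec.path)
        if value is not None:
            facts[spec.fact_name] = value
    facts["evidence_ref"] = f"{resource.get('resourceType')}/{resource.get('id')}"
    return facts


# Deny by default: an AI-bound payload may carry only these top-level keys.
AI_ALLOWED_KEYS = frozenset({"task", "protocol_version", "criterion_id", "criterion_text"})
# Keys refused anywhere in an AI-bound payload, however deeply nested.
PHI_KEYS = frozenset({"name", "birthDate", "identifier", "subject", "patient",
                      "address", "telecom", "mrn", "evidence_ref"})


def assert_ai_safe(payload: dict[str, Any]) -> dict[str, Any]:
    """Gate a payload before it is serialized into any AI-assisted path:
    top-level keys must be allowlisted and no identifier key may appear
    at any depth. Returns the payload unchanged when it passes."""
    def walk(node: Any, depth: int) -> None:
        if isinstance(node, dict):
            for key, child in node.items():
                if key in PHI_KEYS:
                    raise PHIBoundaryError(f"identifier field {key!r} in AI-bound payload")
                if depth == 0 and key not in AI_ALLOWED_KEYS:
                    raise PHIBoundaryError(f"key {key!r} is not allowlisted for AI paths")
                walk(child, depth + 1)
        elif isinstance(node, list):
            for child in node:
                walk(child, depth + 1)
    walk(payload, 0)
    return payload


def is_ai_safe(payload: dict[str, Any]) -> bool:
    """Boolean form of the gate, convenient for checks and tests."""
    try:
        assert_ai_safe(payload)
        return True
    except PHIBoundaryError:
        return False


# Constructed sample resource with fake values; the note must never persist.
SAMPLE_OBSERVATION = {
    "resourceType": "Observation",
    "id": "obs-001",
    "subject": {"reference": "Patient/12345"},
    "code": {"coding": [{"system": "http://loinc.org", "code": "33914-3"}]},
    "valueQuantity": {"value": 72, "unit": "mL/min/1.73m2"},
    "note": [{"text": "Free-text narrative that is discarded before evaluation."}],
}

if __name__ == "__main__":
    facts = normalize(SAMPLE_OBSERVATION)
    prompt = {"task": "explain_criterion", "protocol_version": "v3",
              "criterion_id": "INC-04", "criterion_text": "eGFR >= 60 mL/min/1.73m2"}
    print("facts kept for the engine:", facts)
    print("protocol-only prompt allowed:", is_ai_safe(prompt))
    print("prompt with facts attached allowed:", is_ai_safe({**prompt, "facts": facts}))
```

The normalizer is allowlist-driven, so a new field reaches the engine only when someone adds it to the contract, and the AI gate refuses anything not explicitly permitted rather than trying to enumerate what PHI looks like.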
Where data lives
- PHI is processed inside the institution-approved deployment boundary (VPC or tenant isolation per the deploy contract).
- Deny-by-default network egress with explicit allowlists for Epic FHIR, OIDC, and in-cluster data stores.
- Damaros is not a secondary clinical record store. Ingest ends in protocol-scoped screening artifacts; the EHR remains the system of record.
- Encryption at rest and retention follow the deployment architecture and the customer BAA or DPA.
Access, retention, and your rights
Access is role-based and attributable. Administrative and export actions are RBAC-gated, and web sessions are time-bound. Data subject requests, retention schedules, and deletion are handled through the contracting institution under the applicable BAA or DPA. The geographic readout shown on this site is derived from a coarse IP lookup for display only and is not stored.