Medidata Clinical Cloud®: The General Data Protection Regulation

INFORMATION SHEET, Jan. 2018. Medidata and other marks used herein are trademarks of Medidata Solutions, Inc. All other trademarks are the property of their respective owners. Copyright © 2018 Medidata Solutions, Inc.

Uploaded by hoangnguyet, posted 27-Jul-2018.

The General Data Protection Regulation (GDPR) is a comprehensive European privacy law that takes effect on May 25, 2018. Medidata views this law as an opportunity for us to deepen our commitment to data protection and its important role in ensuring a trustworthy and robust clinical development process.

Our Commitment to the GDPR

Medidata is committed to meeting the GDPR’s requirements for all our customers. As our solutions support the entire clinical development process through innovative clinical cloud technology, ensuring the confidentiality, integrity and availability of customer data is of the highest importance to us. We deliver our clinical cloud computing solutions in accordance with security best practices in order to ensure end-to-end security and end-to-end privacy. Similar to existing privacy laws, compliance with the GDPR requires a partnership between Medidata and our customers in their use of our clinical cloud solutions. Medidata will comply with the GDPR in the delivery of our solutions to our customers, and we are dedicated to helping our customers comply as well.

Our Ongoing Commitment to Data Protection

We have consistently reinforced our commitment to protecting our customers’ data through our actions around data privacy:

§ Medidata is dedicated to using best-in-class security to protect our customers and the patients whose lives they improve. As there is no privacy without security, Medidata has sought and obtained independent certifications and attestations related to its security controls, as detailed in our Information Security Whitepaper.

§ Within days of the European Court of Justice invalidating the EU-U.S. Safe Harbor program in October 2015, we offered all of our customers a data processing addendum with the model clauses that allowed them to continue to transfer data to Medidata without interruption.

§ Medidata obtained its EU-U.S. Privacy Shield certification in November 2016 and its Swiss-U.S. Privacy Shield certification in May 2017, both within months of these new mechanisms becoming available.

Medidata Security Certifications & Standards

Medidata has a long history of successful independent certification and attestation for security, confidentiality, availability, processing integrity, and privacy controls.

SOC 2 Type 2: Medidata publishes a Service Organization Controls 2 (SOC 2) report conducted in accordance with SSAE 16 and the ISAE 3402 professional standards. The SOC 2 report audit attests that Medidata data center control objectives are appropriately designed and operating effectively.

ISO 27001:2013 Certification: Medidata maintains an International Standards Organization (ISO) 27001 certification addressing security management best practices and comprehensive security controls.

Privacy Shield: The EU-U.S. Privacy Shield imposes strong obligations on U.S. companies to protect Europeans’ personal data. Medidata maintains EU-U.S. and Swiss-U.S. certifications with the U.S. Department of Commerce.

FISMA: Medidata is evaluated each year for compliance with the Federal Information Security Management Act (FISMA) standards. This requires Medidata to implement and operate an extensive set of security configurations and controls.


Our Role in Our Customers’ GDPR Readiness

Medidata is a Software-as-a-Service (SaaS) provider that acts as a data processor under the GDPR. Medidata implements appropriate technical and organizational controls to safeguard personal data entrusted to us by our data controller customers. Below we provide some highlights about the protections Medidata provides to personal data and the tools we offer our customers to meet their data controller responsibilities under the GDPR.

§ Security: Medidata has built our data protection and security standards to regularly pass rigorous third-party compliance audits for security, confidentiality, availability, processing integrity, and privacy controls. Medidata’s solutions provide encryption in transit using Transport Layer Security (TLS) with a minimum key length of 256 bits; encryption at rest will be in place for all our solutions by May 25th.

§ Cross-border Data Flows: The GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. Customers may leverage Medidata’s Privacy Shield Certification or use the standard contractual clauses.

§ Access Controls: All of Medidata’s solutions offer robust access controls to enable customers to restrict access to personal data to only those users with a need-to-know. Access to Medidata’s servers is limited to personnel with a business need and is strictly controlled using Multi-Factor Authentication, logging and auditing.

§ Certifications & Standards: Customers can reference and rely on the procedures performed by our independent auditors as part of the SSAE18 (SOC) and ISO audits to demonstrate GDPR compliance.

Upcoming Resources

Medidata is preparing GDPR readiness materials for our customers as part of our mutual accountability obligations under the GDPR. These materials will provide in one convenient place the information needed to assess the privacy of our solutions. Please reach out to your account manager or to Medidata’s Chief Privacy Counsel ([email protected]) to learn more.

About Medidata

Medidata is reinventing global drug and medical device development by creating the industry’s leading cloud-based solutions for clinical research. Through our advanced applications and intelligent data analytics, Medidata helps advance the scientific goals of life sciences customers worldwide, including nearly 850 global pharmaceutical companies, biotech, diagnostic and device firms, leading academic medical centers, and contract research organizations.

The Medidata Clinical Cloud® brings a new level of quality and efficiency to clinical trials that empowers our customers to make more informed decisions earlier and faster. Our unparalleled clinical trial data assets provide deep insights that pave the way for future growth. The Medidata Clinical Cloud is the primary technology solution powering clinical trials for 17 of the world’s top 25 global pharmaceutical companies and is used by 16 of the top 20 medical device developers—from study design and planning through execution, management and reporting.

[email protected] | mdsol.com | +1 866-515-6044