I am writing to ask for support on an issue of research compliance and information security. In planning a field study using CommCare, my information security officer has asked that a research compliance review of CommCare be done before CommCare is used as part of the research project. To conduct this compliance review, the officer would need one of the following:
- SOC2 report of the company – not AWS/Google, etc
- HiTrust Certificate for the company
- Completed HECVAT survey
- Contact information for a person at Dimagi, likely InfoSec, who can answer my university's information security officer's standard security questions.
Any support on this front is greatly appreciated. Many thanks!