Castor EDC


Castor EDC offers Electronic Data Capture for medical researchers. Founded by healthcare professionals who’d experienced problems with data management and a lack of user-friendly tools, Castor EDC is an easy-to-use cloud solution for capturing medical research data and running clinical trials: eCRFs, ePRO, eCOA, ePROMs, randomization and more.


  • User-friendly form builder for eCRF construction
  • ePRO patient surveys
  • Centralized advanced user rights management
  • Source Data Verification
  • Monitoring module with query management and audit trail
  • Multicenter trial management
  • Stratification & variable block randomisation
  • API available for integration with devices & systems
  • ISO 27001 and ISO 9001 certified
  • Compliant with GCP, 21 CFR Part 11 and Annex 11


  • Easily create advanced electronic Case Report Forms (eCRFs) yourself
  • Reuse eCRFs created by others
  • Conduct advanced calculations directly in the system
  • Capture high quality data with real-time edit checks
  • Store unlimited fields and data points
  • Capture patient directly via ePRO surveys
  • Manage your study team and their authorisations easily
  • Automatically schedule triggers and events to automate your trial
  • Randomise patients using variable weighted block randomisation
  • Keep track of progress with real-time dashboarding


£0 to £4000 per licence per year

Service documents

G-Cloud 10


Castor EDC

Sales Team

0031 (0)20 3374 095

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints There are no service constraints.
System requirements
  • Castor EDC is cloud-based and runs on any operating system
  • Multi-browser: Google Chrome, Mozilla Firefox, Safari, and Internet Explorer
  • Works best with the three latest versions of aforementioned browsers

User support

Email or online ticketing support Email or online ticketing
Support response times Contact us with questions via our online form and receive a response within an hour.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Basic Support: free email support during working hours (9-5) | Additional Support options (at extra cost): Personal consultations when you start building your study, A technical check on your study before you go “Live”, Premium Support (priority email support & phone support).

Site licenses: yearly training included in base-package. Additional support can be included in contract, or can be purchased per training or per study basis.
Support available to third parties Yes

Onboarding and offboarding

Getting started Site license:
Yearly training for researchers within base-package. Online or on-site training and workshops available, depending on contract. Additional support can be agreed upon per license. Webinars available for all users.

Single study:
Our one-hour workshop is made up of concise how-to videos, from setting up your study to managing survey automation, to help you get started. We also offer an online support manual, filled with useful content that explains each and every feature on the platform. Free email support is also available during working hours. Frequent webinars are available for all users.

Study building, on-site training, personal consultations, pre-live technical check, priority email- and phone support are available at an additional price.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Online user manual
  • Documentation can be provided on request
  • Video
End-of-contract data extraction Users can export their data at any point in their study. Castor stores study data free of charge for 15 years. Data will be deleted on request and we can include a certificate of removal.
End-of-contract process After the termination of the Agreement Client may choose one of the following options: Castor deletes the Data, Castor transfers the Data to Client and deletes the Data in its possession (Castor is entitled to charge reasonable costs for such transfer), Castor will keep all Data for fifteen years on the servers (during this period Castor shall provide Client with access to the saved Data).

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are no major differences between the mobile and desktop versions of Castor EDC.
Accessibility standards None or don’t know
Description of accessibility The current interface is not optimised for disabled users but our new interface that we are currently designing will fully support disabled users.
Accessibility testing This is on our roadmap for our new User Interface that we are rolling out in 2019
What users can and can't do using the API Users can use our API for almost all Castor EDC functionality including Importing and Exporting of data and the creation of Records (Cases) and Surveys (Questionnaires).

Device data can be imported for medical device trials. Benefit from Castor EDC’s advanced functionality while using your own interface. Retrieve, add, and analyse study data with full Castor compliance and security, while maintaining your own branding and image.

API documentation is available here:
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Our system features are modular. Users choose which features they want to use on a per study basis (Basic EDC + Monitoring, Surveys, Randomisation). For site licenses, all additional features are normally included. The study admin can customise the study structure. There are over 20 available data fields that can be selected and customised.
Layout customization is limited to structuring the CRF with remark fields and limited HTML styling on Summary Fields.


Independence of resources Continuous monitoring of service loads is performed by both our managed hosting companies and Castor. In case of increasing load, we detect this early and increase our server capacity.

For site licenses, it is the institute's responsibility whether the billing code is restricted or not. Castor sends out recurring reports with the number of studies using the billing code. Studies above the agreed number of studies will be billed at a fixed price.


Service usage metrics Yes
Metrics types The system generates basic study statistics (inclusions per center, number of randomised patients, etc.). We are developing a Premium Module that will enable you to run advanced reports in the browser; contact us for more information.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance None

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach We support SPSS, Excel, CSV, HTML. We export everything, including a code book. This means you can also easily import this into SAS, Stata, or R.
Data export formats
  • CSV
  • Other
Other data export formats
  • HTML
  • SPSS
  • Excel
  • PDF (per patient)
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • Data can be imported using the API

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability The SLAs with our hosting companies guarantee us server and network hosting and redundancy. As data is our main asset, we have all our database servers configured in a redundant server setup with master/master replication so we can always fail over to another fully up-to-date database server. If both fail, we have backups readily available that are created 4 times per day and stored for 28 days. One backup a month is stored for 1 year. In the event of failure of one of the main servers, a response team will be immediately notified, with the lead developer assisting in diagnosing the issue. Our technical team will assess the problem in tandem with the hosting providers.
Approach to resilience Information available on request.
Outage reporting Currently through e-mail alerts; a public dashboard for status updates is on our roadmap.

Identity and authentication

User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication 2-factor authentication can be enabled.
Access restrictions in management interfaces and support channels We apply Privacy by Design in both our main application, Castor EDC, and the support tooling. For example, only a select number of support staff have access to the patient data level, and our support ticketing system is divided into departments that restrict the access level of each employee.

All employees with access to patient data sign an additional agreement indicating that they treat this data with the utmost care.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance Ltd
ISO/IEC 27001 accreditation date 19/12/2017
What the ISO/IEC 27001 doesn’t cover Unsure
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • ISO 27001
  • ISO 9001

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We are ISO 27001 certified and have an internal information security procedure available to all employees.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our processes are defined through ISO 27001.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Server infrastructure is fully managed by G-Cloud vendor Pulsant and ISO 27001/ISO 9001 Dutch hosting company TRUE. We follow our ISO 27001 Secure Development Policy, that explains how we integrate security into our SDLC. Additionally we have quarterly external security audits performed. Vulnerabilities get resolved as quickly as possible.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Pen-tests are performed every quarter by an external party. Vulnerabilities are remediated as soon as possible. There are a minimum of 2 code reviews for each commit made onto our production codebase and a strong engineering culture where finding vulnerabilities is rewarded with a weekly prize. We have a responsible disclosure clause on our website. We respond to incidents within two working hours.
ISO 27001: Secure development policy, can be reviewed upon request.
Incident management type Supplier-defined controls
Incident management approach Questions/issues can be raised by email or by submitting a ticket online. The customer support team aims to respond within an hour for any question (business hours). Most issues are resolved within 24 hours.
Questions are answered on a rolling basis, except for premium support questions (which are prioritized).
In case of urgent issues (incidents, application problems etc.), these assume the highest priority.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £0 to £4000 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Researchers can set up a study for free themselves. Users pay once the study is set to 'Live' and data collection begins. Small trials for non-profit organisations are entirely free with unlimited users. Additional modules are not included in the free trial. See our pricing page for more information.
Link to free trial


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document