Access and Security

The Flatiron software system is built to be compliant with HIPAA (45 CFR Part 164.C), predicate GCP/ICH, 21 CFR part 11 and the new GCP E6 R2 addendum that merges research and medical encounter data to transform trial conduct. Access to the system is controlled by a protocol administrator from the Sponsor and/or CRO. Users, with guidance from the Sponsor, determine what will be entered and uploaded into the system to best serve their clinical trial needs. Flatiron acts in the role of a data curator without access to study data.


One Time Passcode (OTP)

To ensure a high level of security, we do not require you to remember a traditional username and password. Instead, we use a One Time Passcode (OTP), which is generated each time you want to log in. The OTP is an 8-digit number that provides a secure method for authenticating users while eliminating issues of lost passwords and password resets.

To log in to the system, simply enter your email address on the login screen and click the “Send Passcode” button. You will immediately be emailed your current OTP, which you can enter (or copy and paste) into the login screen.

Each OTP is valid for a maximum of 5 minutes and the time of expiration will be included in the email that you receive.

Note: If you don’t receive your OTP email, please look in your CLUTTER or SPAM folders.
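
The following is an added example, not Flatiron's code, sketching how a server could issue and check an emailed passcode with the properties described above (8 digits, 5-minute expiry). The OtpStore class, the in-memory storage, the single-use deletion and the MAX_ATTEMPTS guess limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 8          # from the page: the OTP is an 8-digit number
OTP_TTL_SECONDS = 300   # from the page: valid for a maximum of 5 minutes
MAX_ATTEMPTS = 5        # assumption: guess limit, not stated on the page


class OtpStore:
    """In-memory store of pending passcodes, keyed by email address."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # email -> [sha256(code), expires_at, attempts_left]

    def issue(self, email):
        """Create a fresh code, replacing any earlier one for this email."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[email.lower()] = [digest, expires_at, MAX_ATTEMPTS]
        return code, expires_at  # caller emails both to the user

    def verify(self, email, submitted):
        """Return True once for a correct, unexpired code; False otherwise."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[key]          # expired or locked out
            return False
        entry[2] = attempts_left - 1
        candidate = hashlib.sha256(submitted.strip().encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[key]          # single use: cannot be replayed
            return True
        return False
```

Only a hash of the code is kept server-side, and the comparison is constant-time, so neither a memory dump nor response timing reveals a pending passcode.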


Logging on with an Authentication App

Authentication apps generate security codes for signing in to sites that require a high level of security. You can use these apps to get security codes even if you don’t have an internet connection or mobile service.

You can set up an authentication app to generate your Vessel security code. First, you’ll need to download an authentication app to your computer or phone. After installing and configuring the application to work with Vessel, you will be able to receive security codes without a phone number. Some options for authentication apps include:

Android options: Epic Authenticator

iOS options: Epic Authenticator


Inactivity Timeout

Due to the types of data (including PHI) that are collected in the system, user sessions are timed out after 15 minutes of inactivity. An alert will be presented after 14 minutes, allowing you to renew your session before the timeout occurs.

If your session does get timed out, the process for logging back in is the same as for your initial login. Just request your current OTP from the time out screen and then enter the code that is emailed to you. Once your session is renewed you will be returned to where you last were when the timeout occurred.


Extended Session

Users have the ability to extend the inactivity timeout from 15 minutes to 12 hours by enabling the “Extended Session” feature. Once a session is extended, you will be prompted to renew after 12 hours of inactivity. The session will reset upon renewal or logout; that is, users must enable “Extended Session” at each login.

To enable an extended session:


1. Select “Extended Session” from the drop down under your username.

2. Acknowledge that you have a screen saver enabled that meets the following requirements:
  • Password enabled to unlock screen.
  • Screen saver will be invoked automatically with 10 minutes or greater inactivity.

To disable an extended session:

1. If an Extended Session is inadvertently selected or no longer needed, select “Logout” from the drop down under your username.

2. Your user session will reset to renew after 15 minutes of inactivity upon the next logon.


System Access and User Roles

Access to the Flatiron System is role based and the functionality that you have available is based on the role that you’ve been assigned. If you have questions about the role that you’ve been assigned or feel that you’ve been provided with the incorrect access please contact your protocol administrator. The administrator for your protocol is listed in the access email that you received when you were invited to the protocol.


Account Management Best Practices

As with any secure account, Flatiron accounts should not be shared, and users should take care to log out of the system when access is no longer needed. Although each One Time Passcode expires after 5 minutes, passcodes should never be written down.

