You may use this form to request access to certain advanced functionality, third-party external modules, and/or the REDCap API.
This form aims to reduce the risk of security, privacy, and performance issues by warning you of possible concerns and providing guidance on how to avoid them.
First Name
* must provide value
Last Name
* must provide value
Deprecated, hidden from survey
Phone number
* must provide value
E-mail
* must provide value
Department
* must provide value
Are you the principal investigator of the project?
* must provide value
Yes No
If No, please also provide contact information for the PI in the fields that will be shown below.
Some third-party external modules are available within your IU REDCap project without needing any additional approval, so are not listed below.
Other third-party external modules could potentially be made available within IU REDCap, but doing so requires a sometimes lengthy vetting process. See the REDCapRepo to learn what's available. To request vetting of an external module, please send email to redcap@iu.edu specifying the module of interest and how it will help meet your needs.
REDCap-ETL external module: Automates the transformation and export of data into relational form for use in relational databases like MySQL, SQL Server, and PostgreSQL.
Access from Tableau
Be sure to review the guidance on how to configure and secure Tableau workbooks to access data from IU REDCap.
Enables retrieval of data from IU REDCap into Tableau.
API Sync external module: Transfers data between REDCap projects. Scheduled or manual.
Copy Data on Save external module: Transfers data to other REDCap projects. Triggered by new data.
Cross-Project Piping external module: Pulls data from other projects. Manual or triggered by save.
Flight Tracker external module: Tracks scholarly career development.
API (Application Programming Interface): Programmatically import/export data.
Yes
Automates the export of data and/or transformation of data into relational form.
Requires a REDCap API token
Access from Tableau
Be sure to review the guidance on how to configure and secure Tableau workbooks to access data from IU REDCap.
Yes
Enables retrieval of data from IU REDCap into Tableau
Requires a REDCap API token
Yes
Transfers data between REDCap projects. Scheduled or manual.
Requires a REDCap API token
While we vet third-party external modules for security and privacy, we do not maintain them. Use at your own risk.
API Sync external module -- external API tokens only
Will only use API tokens from REDCap projects at other institutions
Programmatically import/export data
Copy Data on Save external module
Yes
Transfers data to other REDCap projects. Triggered by new data.
Warning: Does not check 'write' User Rights during configuration.
Warning: Does not check User Rights during operation.
While we vet third-party external modules for security and privacy, we do not maintain them. Use at your own risk.
Yes
Pulls data from other projects. Manual or triggered by save.
Warning: Does not check 'read' User Rights during configuration.
Warning: Does not check User Rights during operation.
While we vet third-party external modules for security and privacy, we do not maintain them. Use at your own risk.
Yes
Tracks scholarly career development
While we vet third-party external modules for security and privacy, we do not maintain them. Use at your own risk.
Flight Tracker, in particular, changes quickly and every change brings with it additional risk of functionality breaking down.
API (Application Programming Interface)
Yes
Programmatically import/export data
One or more of the other options you've chosen require the use of the API. Please select 'Yes'.
API (Application Programming Interface) - previous approval
Have already received approval to use the API
Programmatically import/export data
You must take responsibility for securing your REDCap API tokens. We are happy to meet with you to offer guidance on how to use the API safely and efficiently.
What types of software clients will use your REDCap API token?
Choose at least one of these options.
If you will ONLY store your REDCap API token in the Biostatistics Token Vault, you do NOT need to fill out this form!
Please let us know, however, when requesting your API token from within your project, that you will be using the Vault.
(already chosen above) API-based external modules and/or built-in functionality
Because we can't dynamically update the value of a radio button, we can't update the value of api_clienttype_inapp based on choices for redcapetl, etc.
Instead, we hide api_clienttype_inapp if certain EMs or other built-in functionality was previously chosen, use this calculated field to combine choices from the functionality list with the possible choice of api_clienttype_inapp directly, and then use this calculated field for later branching logic and reports.
Please provide a short description of the work that will be supported, including the role the client software will play.
(e.g. We are developing a Java program to read data from IU REDCap once a night and add that data to a data warehouse, or data managers will be using SAS and SPSS to read data from IU REDCap as needed for data analysis).
* must provide value
Will you be storing the REDCap API token only on systems that are known to the REDCap team to be approved for storing protected health information (PHI)?
IU REDCap itself
The Quartz cluster
The Research Database Complex
Regenstrief servers that are approved for protected health information (PHI)
Biostatistics Token Vault
If using Quartz, please be sure to review the guidance on working with data containing PHI on Quartz.
If using the Research Database Complex, please be sure to review the guidance on working with data containing PHI on the Research Database Complex.
Note: Other places are allowed for storing the API token, but will require you to take additional responsibility for safeguarding your data.
* must provide value
Yes No
Will you be importing data into IU REDCap, exporting data from IU REDCap, or both?
* must provide value
Import only
Export only
Import and Export
Will the REDCap API be used to access protected health information (PHI) data?
* must provide value
Yes No
For any external modules and for the REDCap API, specify which IU REDCap project (or projects) will use each external module and/or require API tokens.
Please provide the project id(s) of the project(s). You can find the project id for a project by navigating to that project and looking in the URL for 'pid=NNNNN', where NNNNN would be the project id.
* must provide value
If some or all of the projects don't exist yet, include the ones that exist and note that some projects don't yet exist.
The REDCap-ETL external module and Tableau both involve exporting data. If using either of these, make sure to select 'Export only' or 'Import and Export' above.
Please avoid writing the same data over and over again!
REDCap creates a new row in its log table EVERY TIME a record is updated.
Import only new or changed data, if possible.
Do imports only once a day, or at most hourly, rather than every minute.
Will you be exporting data via the REDCap-ETL module only to approved infrastructure? This includes the Research Database Complex and Regenstrief servers that are approved for protected health information (PHI).
If using the Research Database Complex, please be sure to review the guidance on working with data containing PHI on the Research Database Complex.
Yes No
Deprecated as of 26-Jan-2024
Will you be using the REDCap API solely to export data via REDCap-ETL?
* must provide value
Yes No
DEPRECATED as of 14-Oct-2022
Will you be exporting data using a software client besides the REDCap-ETL external module and/or Tableau?
* must provide value
Yes No
Deprecated as of 26-Jan-2024
Note: An SOP is not required if one of the following conditions holds:
Your project does not involve protected health information (PHI).
You will only import data into IU REDCap, not export it.
You will only export data via the REDCap-ETL external module to approved infrastructure, including the Research Database Complex, the Carbonate cluster, and Regenstrief servers approved for protected health information (PHI).
You will only export data for use in Tableau.
You will only run other API client software from approved infrastructure (as above).
NOTE: If you plan to use the REDCap API only from another location, not listed above, that is approved for Protected Health Information (PHI), please include that in the comments at the end of this form and we will contact you to discuss including that other location in the list of places for which an SOP is not required in order to use the IU REDCap API.
Please provide a standard operating procedure (SOP) for your application. The SOP is a detailed listing of the procedures you will use to maintain the security and privacy of the application that will use the REDCap API token.
IT IS NOT NECESSARY to have a complete SOP when you first request pre-approval, but you will need to complete an SOP before a REDCap API token will be issued.
Here is a template you can use to build an SOP: SOP Template
If you would like assistance with creating an SOP, please note that in the comments at the end of this form.
deprecated as of 4-4-2023; SOP no longer required in any case; field hidden from survey
The API token or tokens used by the software client will not be shared with others for any reason.
* must provide value
Yes No
API tokens will be revoked when no longer needed.
For information about how to revoke an API token, please see: Revoking API tokens.
* must provide value
Yes No
All users will have met their specific research affiliate/institution mandated HIPAA training and research training before using the API software client.
* must provide value
Yes No
The owner of the IU REDCap software client has reviewed the Information Security and Privacy Program Safeguards, particularly domain 8 (Identity and Access Control) and domain 9 (Information Systems Acquisition, Development, and Maintenance) for any applicability to this IU REDCap client and its hosting environment.
* must provide value
Yes No
If the client software has a graphical, web-based interface, the owner of the client takes responsibility for the client being scanned by the Indiana University application scanner. Scanning must be done before the application is put into production, at least twice a year, and before any major changes to the application.
* must provide value
Yes No
The client will only provide data to those who are allowed to see that data.
* must provide value
Yes No
Individual access to data is logged. IU REDCap identifies and logs access using the API token to determine identity. If the client does not use different API tokens for different user access, the client must separately log individual access.
* must provide value
Yes No
The SSL certificate of the IU REDCap application is validated on every request from the software client.
* must provide value
Yes No
REDCap API tokens will be stored on secure machines.
The software client and the IU REDCap API token might be stored on separate computers. In that case, the following requirements refer to the host that stores the IU REDCap API token.
All hosts must adhere to the IU Security of Information Technology Resources policy. Note, in particular, the 'Procedures' section which specifies a set of technical requirements.
Laptops and other mobile devices will be secured according to Indiana University's IT-12.1 Mobile Device Security Standard and any departmental mobile device policies relevant to the department sponsoring the use of the mobile devices.
All security incidents will be communicated to the IU REDCap administrators (redcap@iu.edu) and to Indiana University incident response (it-incident@iu.edu).
This includes compromised, unsecured, lost and/or stolen devices, computers, and API tokens.
* must provide value
Yes No
Which IT person or department have you conferred with to make sure that the computers that will host the API token(s) will follow all relevant policies?
* must provide value