21 CFR Part 11 · EU GMP Annex 11 · GAMP 5 · ALCOA+
We follow the guidelines of SOC 2 Type II · ISO 27001 · EU AI Act
Security & Trust

The controls auditors actually look for.

Security and regulatory compliance are not features — they are how we build. Hosted in your region, validated against the regulations that matter, with a downloadable procurement pack.

01 — Certifications

Aligned to the controls auditors look for. Documentation shareable under MNDA.

SOC 2

Following SOC 2 Type II controls

We follow the guidelines of SOC 2 Type II — security, availability, processing integrity, confidentiality and privacy controls operated today. Formal Type II audit in progress; sample report shareable under MNDA.

Type II audit in progress
ISO 27001

Following ISO 27001 controls

We follow the guidelines of ISO 27001:2022. ISMS, documented controls, internal audits and risk register operated today. Formal certification audit planned.

Certification audit planned
GDPR

EU data protection

EU-hosted, EU-controlled, with a redlined DPA template available pre-contract. Sub-processor list maintained publicly.

DPA template available
EU AI Act

High-risk system controls

RAG-grounded generation, human-in-the-loop signing, model cards and data lineage. Conformity assessment artefacts available.

Compliance statement available
02 — Regulatory alignment

Built against the regulations validation teams actually defend.

21 CFR 11

FDA Part 11 ready

Validated electronic records and electronic signatures. Two-component identification per §11.200, computer-generated time-stamped audit trails per §11.10(e), signed records bound to e-signatures per §11.50.

EU GMP

Annex 11 aligned

Risk-based validation, signature linking, periodic review, supplier qualification and incident management aligned to EU GMP Annex 11. Pre-built Annex 11 control matrix included.

GAMP 5

GAMP 5 (2nd ed.) v-model

Lifecycle phases — Concept, Project, Operation, Retirement — modelled in the platform. ISPE GAMP 5 categorisation (1, 3, 4, 5) drives default validation depth.

ALCOA+

Data integrity by default

Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, Available. Built into the audit data model.

03 — Controls

Six categories. Twenty-four primary controls.

Encryption

  • Data at rest: AES-256 with envelope encryption per tenant
  • Data in transit: TLS 1.3, HSTS, certificate pinning on internal services
  • Backups: Encrypted with separate KMS key, geo-redundant
  • Secrets: Per-tenant secret store; no long-lived credentials in code paths

Identity

  • Authentication: JWT-backed sessions with bcrypt password hashing
  • MFA: TOTP available; required for privileged roles
  • Sessions: Configurable timeout and idle lock
  • Account model: Account ▸ Tenant scoping; user lifecycle managed in-app

Access control

  • RBAC: Tenant-scoped roles with least-privilege defaults
  • Separation of Duties: Enforced at workflow layer — author ≠ approver
  • Privileged access: Account/system admin paths logged with reason codes
  • Customer support: Zero standing access; break-glass logged in audit trail

Monitoring

  • Audit log: Append-only event capture across all GxP entities
  • Tamper-evidence: Hash-anchored audit entries with periodic verification
  • Inspector exports: On-demand audit bundle export (DOCX / PDF / JSON)
  • Status page: status.compliancesuite.com — public uptime
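The monitoring controls above name two mechanisms that are easy to state and easy to get subtly wrong: hash-chained audit entries and periodic verification against an anchor held outside the log. The following is an added illustration of how such a control can be built and checked; it is not the platform's own code, and the event records, the anchor key and the anchoring interval of every third entry are constructed for the example. Each entry carries the hash of its predecessor, so editing or deleting an entry breaks the chain; every few entries the head hash is authenticated with a key the log store itself does not hold, so an attacker who rewrites the whole chain from some point forward is still caught.

```python
"""Hash-chained, append-only audit log with periodic out-of-band anchors.

Added illustration of a tamper-evident audit trail; not the vendor's code.
All sample events and the anchor key below are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS_HASH = "0" * 64  # 'prev' value carried by the very first entry


def canonical_bytes(record: dict) -> bytes:
    # Fixed key order and separators so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(body: dict) -> str:
    return hashlib.sha256(canonical_bytes(body)).hexdigest()


class AuditLog:
    def __init__(self, anchor_key: bytes, anchor_every: int = 3):
        self.entries: list[dict] = []
        self.anchors: dict[int, str] = {}  # seq -> HMAC over the head hash at that seq
        self._anchor_key = anchor_key      # assumed to be kept outside the log's storage
        self._anchor_every = anchor_every

    def append(self, ts: str, actor: str, action: str, entity: str, reason: str = "") -> str:
        """Append one event, linking it to the current head; returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "ts": ts, "actor": actor, "action": action,
                "entity": entity, "reason": reason, "prev": prev}
        head = entry_hash(body)
        self.entries.append({**body, "hash": head})
        if len(self.entries) % self._anchor_every == 0:
            self.anchors[body["seq"]] = self._mac(body["seq"], head)
        return head

    def _mac(self, seq: int, head_hash: str) -> str:
        return hmac.new(self._anchor_key, f"{seq}:{head_hash}".encode(), hashlib.sha256).hexdigest()

    def verify(self) -> tuple[bool, Optional[int]]:
        """Walk the chain, then check every anchor. Returns (ok, seq of first problem)."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != expected_prev or entry_hash(body) != e["hash"]:
                return False, i
            expected_prev = e["hash"]
        for seq, mac in self.anchors.items():
            if seq >= len(self.entries):
                return False, seq  # entries after this anchor were removed
            if not hmac.compare_digest(mac, self._mac(seq, self.entries[seq]["hash"])):
                return False, seq  # chain was rewritten after this anchor was taken
        return True, None


def build_sample_log() -> AuditLog:
    # Constructed sample events; six entries give anchors at seq 2 and seq 5.
    log = AuditLog(anchor_key=b"constructed-demo-anchor-key")
    events = [
        ("2024-05-01T09:00:00Z", "j.doe", "create", "batch-record/BR-0001", ""),
        ("2024-05-01T09:05:00Z", "j.doe", "edit", "batch-record/BR-0001", "corrected lot"),
        ("2024-05-01T09:30:00Z", "a.lee", "review", "batch-record/BR-0001", ""),
        ("2024-05-01T10:00:00Z", "a.lee", "approve", "batch-record/BR-0001", ""),
        ("2024-05-01T10:01:00Z", "system", "lock", "batch-record/BR-0001", ""),
        ("2024-05-01T11:00:00Z", "sysadmin", "break-glass", "tenant/acme", "ticket-123"),
    ]
    for ev in events:
        log.append(*ev)
    return log


def rechain_from(log: AuditLog, start: int) -> None:
    # Test helper: recompute prev/hash links from 'start' onward, as a writer with
    # direct storage access could after editing an entry. Anchors are not recomputed.
    prev = log.entries[start - 1]["hash"] if start else GENESIS_HASH
    for e in log.entries[start:]:
        e["prev"] = prev
        e["hash"] = entry_hash({k: v for k, v in e.items() if k != "hash"})
        prev = e["hash"]


def tamper_scenarios() -> dict:
    """Run verification over a clean log and four constructed tampering cases."""
    results = {}
    log = build_sample_log()
    results["clean"] = log.verify()
    log = build_sample_log()
    log.entries[1]["action"] = "approve"          # edited in place, hash now stale
    results["edited"] = log.verify()
    log = build_sample_log()
    del log.entries[3]                            # middle entry removed, seq gap
    results["deleted_middle"] = log.verify()
    log = build_sample_log()
    log.entries.pop()                             # tail removed after anchor at seq 5
    results["truncated_tail"] = log.verify()
    log = build_sample_log()
    log.entries[1]["action"] = "approve"
    rechain_from(log, 1)                          # chain repaired, anchor at seq 2 is not
    results["rewritten"] = log.verify()
    return results
```

The chain alone detects the in-place edit, the deleted middle entry and the truncated tail; only the anchor catches the case where the chain is rewritten consistently from an edited entry onward, which is why the anchor key must live somewhere the log writer cannot reach. Entries appended after the last anchor and then removed are not detected until the next anchor is taken, so the anchoring interval sets the window of undetectable tail loss.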

Resilience

  • Uptime SLA: 99.9% Network · 99.95% Enterprise
  • RPO / RTO: 15 min RPO · 4 h RTO Network · 1 h RTO Enterprise
  • DR drills: Quarterly tested, annual report shared
  • Backups: 35-day retention, 7-year legal hold available

AppSec

  • SDLC: Secure SDLC with peer review + automated SAST/DAST
  • Pen tests: Annual third-party + continuous bug bounty
  • Dependencies: SBOM published per release, CVE SLA <72 h critical
  • Secret hygiene: No long-lived credentials in code paths

04 — Data residency

Your data, in your region.

Choose where customer data lives at provisioning time. We never replicate cross-region without explicit written approval.

Region                      Cloud tag       Residency
EU — Frankfurt              eu-central-1    GDPR · EU GMP
US — Virginia               us-east-1       HIPAA-aligned · 21 CFR 11
US — Oregon                 us-west-2       HIPAA-aligned · 21 CFR 11
Dedicated regulated cloud   enterprise      FedRAMP-aligned

05 — Procurement pack

The paperwork your CFO and InfoSec lead will ask for.

DPA, MSA, SOC 2 sample report, ISO 27001 alignment, EU AI Act compliance statement, full security whitepaper, business case template and SLA — all downloadable today.

Vendor qualification

Bring your security questionnaire. We'll fill it in.

We've answered every major life-sciences questionnaire — CAIQ, SIG Lite, GxP-VAL, HECVAT. Pre-filled answers available within 48 hours of NDA.