V5 Ultimate
Security & Trust

Built for the data auditors read line-by-line.

V5 Ultimate stores eBMRs, eDHRs, complaints, CAPAs and operator e-signatures — the records a regulator opens first. We engineer security as if the next FDA inspector is reading the database tomorrow. Because eventually one is.

Six pillars

What we protect, how we protect it

Encryption — in transit and at rest

TLS 1.2+ on every connection. AES-256 at rest for database, file storage and backups. On-Premises customers own their encryption keys via your KMS — we never see them.

Identity — SAML SSO + SCIM 2.0

Self-serve SAML 2.0 against any IdP (Okta, Entra ID, OneLogin, Google Workspace SAML, JumpCloud). SCIM 2.0 auto-provisioning — deprovision in your IdP and V5 atomically revokes sessions, roles and membership the same second.

Access control — RBAC + workspace isolation

Roles are stored in a separate user_roles table (not on profiles) to prevent privilege escalation. Every query is RLS-scoped per tenant via security-definer SQL functions. Platform admin gated by hard-coded email allowlist.

Audit trail — immutable, queryable, Part 11

Every signature, every override, every regulated record write lands in an immutable audit table with operator, timestamp, IP, reason, before/after hash. Surfaceable in compliance reports — never edited, never deleted.

Monitoring & incident response

Production monitoring with alerts on failed sign-ins, unusual export volume and SCIM token misuse. Documented incident-response runbook with customer notification on confirmed incidents per contract. 24/7 SOC on the roadmap (see below).

Deployment — Cloud or On-Premises

Cloud is hosted on hardened infrastructure (AWS + Cloudflare) with encrypted daily backups and point-in-time recovery. On-Premises ships as container images you stage in your own environment — air-gap capable when deployed without outbound telemetry, with customer-owned database and encryption keys.

Controls catalog

The checklist your security team will ask for

Application controls

  • Two e-signatures (preparer + independent reviewer) on formula and master document approval — same-person approvals rejected per 21 CFR 211.186 / 111.205.
  • Immutable approved formulas — edits create v+1 and the previous version stays read-only.
  • Operator-only users locked to /app/kiosk — no admin UI access.
  • Hard kiosk gating — operator cannot start a task if assigned required training docs are overdue or unacknowledged.
  • Out-of-calibration devices refuse to write to any regulated record.

Platform controls

  • Row-Level Security on every tenant-scoped table; security-definer functions for cross-tenant operations.
  • Service-role database key isolated to server-side admin operations; never bundled to client.
  • Secrets stored in encrypted secret manager; rotated on schedule.
  • Third-party penetration test scheduled Q3 2026 — executive summary will be available under NDA.
  • Working toward SOC 2 Type II (target observation window 2027). On-Premises customers inherit the control posture of their own accredited environment.

Data residency & ownership

  • Cloud: choose data residency at workspace creation (US / EU on request).
  • On-Premises: data never leaves your environment — air-gap capable.
  • Customer-owned export: every regulated record exportable as signed PDF + machine-readable JSON.
  • No customer data used to train AI models. AI inference can be pointed at your private endpoint on On-Premises.
Release management for regulated customers

Updates that respect your validated state.

A short, honest summary. Specifics are agreed per contract.

Regulated customers receive advance notice of releases, access to a validation pack on request, and an opt-in upgrade window before changes are applied to their workspace. Full release-management terms — notification lead times, supported version windows, rollback provisions and validation artefacts — are agreed in the customer contract.

If you have specific GxP, Part 11 or Annex 11 requirements you need us to commit to in writing, raise them during procurement and we'll address them in the MSA.

Certifications & roadmap

Honest about where we are

We don't hold formal certifications today. We're investing in them on a published schedule so enterprise buyers can see exactly when each milestone lands. We'll only ever claim a certification once the certificate is in our hand.

TargetMilestoneStatus
Q3 2026Cyber Essentials (UK NCSC)In progress
Q3 2026First external penetration test (CREST-accredited)In progress
Q3 2026Published vulnerability disclosure policy (security.txt)Achieved
Q4 2026Cyber Essentials Plus (audited)Planned
Q4 2026SOC 2 Type I readiness assessmentPlanned
Q1 2027SOC 2 Type II observation window beginsPlanned
Q2 2027ISO 27001 gap analysisPlanned
Responsible disclosure

Found a vulnerability?

Email info@sgsystemsglobal.com with a clear description and reproduction steps. We acknowledge within two working days, will keep you informed of remediation, and won't pursue good-faith researchers who follow this policy. Full policy at /.well-known/security.txt.

Sub-processors

Who touches your data

We notify designated Customer contacts at least 30 days before adding a new sub-processor. Customers may object on reasonable grounds within that period. Current list below.

Sub-processorPurposeRegion
Amazon Web Services (AWS)Compute, object storage, backupsUS-East / EU-West (per workspace)
CloudflareEdge CDN, DDoS, WAF, Workers runtimeGlobal edge; data residency honoured
SupabaseManaged Postgres, auth, file storageUS-East / EU-West (per workspace)
ResendTransactional email deliveryUS / EU
PaddleSubscription billing & merchant of record (no card data stored by us)Global
Google WorkspaceInternal email and document collaboration (no Customer Data)US / EU

On-Premises deployments: no sub-processor has access to Customer Data — all data stays in your environment.

For regulated buyers

SQA, DPA, Part 11 — under NDA

Supplier Quality Addendum (SQA)

GxP-specific obligations: change-control notification, deviation reporting, audit rights, validation deliverables. Available on request under NDA — pre-signed by our Head of Quality.

Data Processing Addendum (DPA)

GDPR Article 28 compliant, with Standard Contractual Clauses for international transfers. Auto-incorporated when you sign an Order Form against the MSA.

21 CFR Part 11 / EU Annex 11

Control matrix mapping platform features to each clause is available on request. An independent assessment of V5 Ultimate is scheduled for Q3 2026 — the existing V5 Traceability 5.9 assessment covers the inherited control model in the interim.

For security reviews

We answer security questionnaires without flinching.

Architecture diagrams, sub-processor list, DPA, SCCs, SQA, supplier qualification questionnaire and current security roadmap — available on request. Pen-test executive summary will be available under NDA once Q3 2026 testing completes.