Built for the data auditors read line-by-line.
V5 Ultimate stores eBMRs, eDHRs, complaints, CAPAs and operator e-signatures — the records a regulator opens first. We engineer security as if the next FDA inspector is reading the database tomorrow. Because eventually one is.
What we protect, how we protect it
Encryption — in transit and at rest
TLS 1.2+ on every connection. AES-256 at rest for database, file storage and backups. On-Premises customers own their encryption keys via your KMS — we never see them.
Identity — SAML SSO + SCIM 2.0
Self-serve SAML 2.0 against any IdP (Okta, Entra ID, OneLogin, Google Workspace SAML, JumpCloud). SCIM 2.0 auto-provisioning — deprovision in your IdP and V5 atomically revokes sessions, roles and membership the same second.
Access control — RBAC + workspace isolation
Roles are stored in a separate user_roles table (not on profiles) to prevent privilege escalation. Every query is RLS-scoped per tenant via security-definer SQL functions. Platform admin gated by hard-coded email allowlist.
Audit trail — immutable, queryable, Part 11
Every signature, every override, every regulated record write lands in an immutable audit table with operator, timestamp, IP, reason, before/after hash. Surfaceable in compliance reports — never edited, never deleted.
Monitoring & incident response
Production monitoring with alerts on failed sign-ins, unusual export volume and SCIM token misuse. Documented incident-response runbook with customer notification on confirmed incidents per contract. 24/7 SOC on the roadmap (see below).
Deployment — Cloud or On-Premises
Cloud is hosted on hardened infrastructure (AWS + Cloudflare) with encrypted daily backups and point-in-time recovery. On-Premises ships as container images you stage in your own environment — air-gap capable when deployed without outbound telemetry, with customer-owned database and encryption keys.
The checklist your security team will ask for
Application controls
- Two e-signatures (preparer + independent reviewer) on formula and master document approval — same-person approvals rejected per 21 CFR 211.186 / 111.205.
- Immutable approved formulas — edits create v+1 and the previous version stays read-only.
- Operator-only users locked to /app/kiosk — no admin UI access.
- Hard kiosk gating — operator cannot start a task if assigned required training docs are overdue or unacknowledged.
- Out-of-calibration devices refuse to write to any regulated record.
Platform controls
- Row-Level Security on every tenant-scoped table; security-definer functions for cross-tenant operations.
- Service-role database key isolated to server-side admin operations; never bundled to client.
- Secrets stored in encrypted secret manager; rotated on schedule.
- Third-party penetration test scheduled Q3 2026 — executive summary will be available under NDA.
- Working toward SOC 2 Type II (target observation window 2027). On-Premises customers inherit the control posture of their own accredited environment.
Data residency & ownership
- Cloud: choose data residency at workspace creation (US / EU on request).
- On-Premises: data never leaves your environment — air-gap capable.
- Customer-owned export: every regulated record exportable as signed PDF + machine-readable JSON.
- No customer data used to train AI models. AI inference can be pointed at your private endpoint on On-Premises.
Updates that respect your validated state.
A short, honest summary. Specifics are agreed per contract.
Regulated customers receive advance notice of releases, access to a validation pack on request, and an opt-in upgrade window before changes are applied to their workspace. Full release-management terms — notification lead times, supported version windows, rollback provisions and validation artefacts — are agreed in the customer contract.
If you have specific GxP, Part 11 or Annex 11 requirements you need us to commit to in writing, raise them during procurement and we'll address them in the MSA.
Honest about where we are
We don't hold formal certifications today. We're investing in them on a published schedule so enterprise buyers can see exactly when each milestone lands. We'll only ever claim a certification once the certificate is in our hand.
| Target | Milestone | Status |
|---|---|---|
| Q3 2026 | Cyber Essentials (UK NCSC) | In progress |
| Q3 2026 | First external penetration test (CREST-accredited) | In progress |
| Q3 2026 | Published vulnerability disclosure policy (security.txt) | Achieved |
| Q4 2026 | Cyber Essentials Plus (audited) | Planned |
| Q4 2026 | SOC 2 Type I readiness assessment | Planned |
| Q1 2027 | SOC 2 Type II observation window begins | Planned |
| Q2 2027 | ISO 27001 gap analysis | Planned |
Found a vulnerability?
Email info@sgsystemsglobal.com with a clear description and reproduction steps. We acknowledge within two working days, will keep you informed of remediation, and won't pursue good-faith researchers who follow this policy. Full policy at /.well-known/security.txt.
Who touches your data
We notify designated Customer contacts at least 30 days before adding a new sub-processor. Customers may object on reasonable grounds within that period. Current list below.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Compute, object storage, backups | US-East / EU-West (per workspace) |
| Cloudflare | Edge CDN, DDoS, WAF, Workers runtime | Global edge; data residency honoured |
| Supabase | Managed Postgres, auth, file storage | US-East / EU-West (per workspace) |
| Resend | Transactional email delivery | US / EU |
| Paddle | Subscription billing & merchant of record (no card data stored by us) | Global |
| Google Workspace | Internal email and document collaboration (no Customer Data) | US / EU |
On-Premises deployments: no sub-processor has access to Customer Data — all data stays in your environment.
SQA, DPA, Part 11 — under NDA
Supplier Quality Addendum (SQA)
GxP-specific obligations: change-control notification, deviation reporting, audit rights, validation deliverables. Available on request under NDA — pre-signed by our Head of Quality.
Data Processing Addendum (DPA)
GDPR Article 28 compliant, with Standard Contractual Clauses for international transfers. Auto-incorporated when you sign an Order Form against the MSA.
21 CFR Part 11 / EU Annex 11
Control matrix mapping platform features to each clause is available on request. An independent assessment of V5 Ultimate is scheduled for Q3 2026 — the existing V5 Traceability 5.9 assessment covers the inherited control model in the interim.
We answer security questionnaires without flinching.
Architecture diagrams, sub-processor list, DPA, SCCs, SQA, supplier qualification questionnaire and current security roadmap — available on request. Pen-test executive summary will be available under NDA once Q3 2026 testing completes.
