Trust Center

GxP-ready eQMS, CSA-first validation

Part 11 / Annex 11 audit trails, tenant-isolated architecture, validation evidence per module — built for life-sciences buyers in QA, IT, and procurement.

This page summarises the security, validation, privacy, and data-handling practices that QA, IT security, legal, and procurement teams ask about during eQMS evaluations. For regulatory framework deep-dives (FDA 21 CFR Part 11, EU GMP Annex 11, ISO 13485, GAMP 5, ALCOA+), see Compliance.

  • Part 11 / Annex 11 aligned
  • CSA-first validation
  • Tenant-isolated
  • Customer-selected region

[Image: Complere audit trail log — who did what, when, with immutable entries]

Privacy & data protection

GDPR-aligned controls for personal data processed through the Complere platform.

GDPR

GDPR-aligned posture

Complere processes personal data as a processor on behalf of customers. Lawful basis, purpose limitation, data minimisation, storage limitation, and integrity / confidentiality principles are reflected in the platform configuration and DPA.

Data subject rights

Access, rectification, erasure

Customers can fulfil data-subject requests through tenant administration tools or via Complere support. Standard turnaround is 30 days from validated request, in line with GDPR Article 12.

Residency

Customer-selected region

Tenant data is hosted in the cloud region the customer selects at provisioning — chosen to match local regulatory, sovereignty, or latency requirements. Data stays pinned to that region with no cross-region spill at the application or storage layer. Cross-border transfers, where applicable, are governed by Standard Contractual Clauses (SCCs) referenced in the DPA.

Compliance & validation

Evidence-led posture for regulated buyers — Part 11 / Annex 11, CSA-first validation, traceable from requirement to CI test artifact.

Validation approach

CSA-first, CI-anchored evidence

Validation effort is scoped per requirement risk under FDA's Computer Software Assurance Final Guidance (February 3, 2026). High-risk requirements receive deep scripted testing; lower-risk receive lighter qualification. PHPUnit / JUnit / Allure CI runs are preserved as part of the validation record so test evidence ties directly to a build.

Traceability

URS → FRS → RA → CS → TEST → CI

Every requirement carries an end-to-end identifier chain: URS-ID → FRS-ID → RA-ID → CS-ID → TEST-ID → CI artifact. Auditors and customer QA teams can reproduce the path from a user requirement to the exact test that exercised it. Sample matrix available on request.

Validation docs

Per-module evidence pack

VMP, URS, FRS, Risk Assessment, Configuration Specification, IQ / OQ / PQ scripts, Test Summary Report, and Validation Summary Report are maintained per module — Document Control, CAPA & Deviations, Quality Events, Audit Management, Change Control, Risk Assessments, and Training & Competency, plus the platform core and administration layer — to support your CSV / CSA programme.

Audit

Inspection readiness pack on request

Sample exports, traceability matrix, and evidence demos shared securely with qualified teams for your supplier qualification.

Part 11 / Annex 11

Audit trail + e-signature controls

ALCOA+ per-record history tables capture old / new values on every change via the platform's CustomAuditable trait. Status transitions and approvals route through e-signature middleware that re-authenticates the user (SSO ID-token validation or password) at the moment of signing — aligned with FDA 21 CFR Part 11 and EU GMP Annex 11 control expectations.

Risk-based testing

Scripted depth follows risk score

Each requirement carries a risk score (severity × likelihood × detectability) recorded in the Risk Assessment. Scripted testing depth, evidence retention, and review intensity scale with that score, so high-impact paths get the strongest evidence and effort is not wasted on low-impact configuration.

Validation programme

Evidence-led, version-controlled

Complere runs validation as a continuous, version-controlled programme — not a one-time exercise. Each module's VMP, URS, FRS, RA, CS, and IQ / OQ / PQ artifacts are kept in step with the codebase, refreshed with every regulated release, and shared with customer QA teams during supplier qualification so the evidence state is always current and auditable.

Certifications & roadmap

Where Complere stands on third-party certification, stated plainly. We tell you what is in place today and what is in preparation — no implied certifications.

SOC 2 Type II

In preparation — control implementation and audit-readiness work are underway; the formal audit has not yet started. A summary of implemented controls is available for qualified evaluations during vendor assessment.

ISO 27001

In preparation — information security management system alignment is on the certification roadmap; control mapping and evidence requests are supported during procurement.

How to verify us today

Per-module validation evidence (VMP through VSR), the security controls on this page, and our DPA are available now for supplier qualification — ahead of formal certification.

Security practices

Technical and organisational controls protecting customer tenant data.

Encryption

In transit & at rest

TLS 1.2+ for all data in transit. AES-256 encryption at rest for primary stores and backups. Customer credentials stored as salted hashes; secrets managed through dedicated secret stores.

Access

Role-based + SSO

Customer-side: role-based access control, SSO via SAML 2.0 and OIDC, password and session policies. Internal access to production is least-privilege, MFA-enforced, and logged.

Tenant isolation

Logical separation

Multi-tenant architecture with per-tenant database scoping. Cross-tenant queries, cache keys, and queue payloads are blocked at the application layer and re-tested with every regulated release as part of the validation programme.

Audit trail & logging

ALCOA+ records, per-table history

Every create / update / delete on regulated records is captured in a per-record history table with actor, timestamp, and old / new values. Audit records are immutable from the application layer and align with ALCOA+ data integrity principles.

Network controls

IP allowlist / blocklist per tenant

Tenant administrators can restrict platform access to defined IPv4 ranges (allowlist) or block specific ranges (blocklist). Enforced at the application gateway before authentication; supports VPN-only or office-only access models.

E-signatures

Re-authentication on signed actions

Status transitions and approval actions that require an electronic signature force the user to re-authenticate (SSO ID-token validation or password re-entry) at the moment of signing — Part 11 / Annex 11 aligned.

Authentication

SAML 2.0 SSO + RBAC

Customer-side: SAML 2.0 SSO with major identity providers, role-based access control with granular permissions, password and session policies, optional API tokens for service integrations.

Abuse protection

Per-user & per-IP rate limiting

API requests are rate-limited per authenticated user, with stricter per-IP limits on authentication and SSO endpoints to throttle credential-stuffing and bot traffic. Failures are logged for monitoring.

Backups

Automated backups

Tenant data is backed up on a regular schedule with point-in-time recovery available within the retention window defined per environment. Restore procedures are exercised on a defined cadence and recorded as part of operational evidence.

Software lifecycle

Change discipline

Code changes follow peer review, automated testing, and controlled deployment. Production change records are retained. GxP-impacting changes are managed through formal change control.

Data protection

Where customer data lives, who can reach it, and how it stays portable.

Residency

Region pinned at provisioning

Tenant data resides in the cloud region selected at the time of provisioning. Cross-region replication, where used, is documented per environment.

Retention

Configurable per record class

Retention windows for documents, training records, audit history, and CAPA evidence are configurable to match your quality manual. Soft-delete plus audit history preserves chain of custody.

Portability

Customer-initiated export

Customers can request structured export of their tenant data (records, attachments, audit history) in machine-readable form for migration, regulatory submission, or archival purposes.

Termination

Defined deletion procedure

On contract termination, customer data is deleted per the procedure in the Data Processing Addendum, with written confirmation provided on request. Backup retention follows the schedule referenced in the DPA.

Maintenance

Controlled outage windows

Scheduled maintenance is announced in advance through the customer admin contact. Production deploys are gated through change control with a maintenance-mode middleware that returns informative 503 responses, not silent failures.

Validation evidence

CSV pack on request

Validation Master Plan, URS, IQ / OQ / PQ test scripts, and traceability matrix are available to support your computer system validation and inspection readiness.

Sub-processors

Third parties that may process customer personal data on Complere's behalf.

Sub-processor / Purpose / Region:

  • Cloud infrastructure provider: compute, managed database, object storage, network for hosted tenants. Region: customer-selected region.
  • Email delivery provider: transactional email (notifications, password resets, system alerts). Region: provider-managed.
  • Error monitoring service: application error and performance monitoring; access restricted to engineering on-call. Region: provider-managed.
  • Customer support tooling: ticket management for customer-initiated support contact. Region: provider-managed.

Current vendor names available on request via DPA. Material changes to sub-processors are notified to customers through the contact channel on file.

Incident response & breach disclosure

What to expect if a security event affects customer data.

Notification SLA

Within 72 hours

In the event of a confirmed personal data breach affecting a customer, Complere notifies the impacted customer without undue delay and, in any case, within 72 hours of becoming aware — aligned with GDPR Article 33.

Channel

Designated contact

Notification is sent to the security or admin contact listed on the customer account. Customers should keep this contact current and inform Complere of changes.

Information provided

Nature, scope, mitigation

Notifications describe the nature of the incident, categories of data affected, likely consequences, mitigation steps taken, and recommended actions for the customer's own assessment.

Documents available on request

For procurement, legal, and IT security review.

Trust summary

Trust Summary (1-page PDF)

Single-page summary of security, validation, and compliance posture for fast procurement / IT-security review.

Validation

Traceability matrix sample

Per-module sample showing the URS → FRS → RA → CS → TEST → CI artifact chain, with a worked example QA teams can drop into their own validation pack.

Privacy

Data Processing Addendum (DPA)

GDPR-aligned DPA including SCCs for international transfers and the current sub-processor list.

Security

Security overview

Summary of technical and organisational controls, suitable for inclusion in supplier risk assessments.

Procurement

Security questionnaire response

Pre-filled responses to common questionnaires (CAIQ-style) on request; bespoke questionnaires accepted.

Commercial

Service Level Agreement

Uptime commitments, support response targets, and incident communication standards.

Have a security or privacy question?

Reach out to our team for documents, questionnaire responses, or specific clauses your procurement process requires. We respond within one business day.