This page summarises the security, privacy, and data-handling practices that procurement, IT security, and legal teams ask about during eQMS evaluations. For deeper detail or signed documents (DPA, security overview, questionnaire responses), contact our team. For regulatory frameworks the platform supports (FDA 21 CFR Part 11, EU GMP Annex 11, ISO 13485, GAMP 5, ALCOA+), see Compliance.
GDPR-aligned controls for personal data processed through the Complere platform.
Complere processes personal data as a processor on behalf of customers. Lawful basis, purpose limitation, data minimisation, storage limitation, and integrity / confidentiality principles are reflected in the platform configuration and DPA.
Customers can fulfil data-subject requests through tenant administration tools or via Complere support. Standard turnaround is 30 days from validated request, in line with GDPR Article 12.
Customer tenant data is hosted in the region selected at provisioning. Cross-border transfers, where applicable, are governed by Standard Contractual Clauses (SCCs) referenced in the DPA.
Technical and organisational controls protecting customer tenant data.
TLS 1.2+ for all data in transit. AES-256 encryption at rest for primary stores and backups. Customer credentials stored as salted hashes; secrets managed through dedicated secret stores.
Customer-side: role-based access control, SSO (SAML / OIDC) on supported plans, password and session policies. Internal access to production is least-privilege, MFA-enforced, and logged.
Multi-tenant architecture with per-tenant database scoping. Cross-tenant queries, cache keys, and queue payloads are prevented at the application layer. Reviewed under our internal validation procedures.
Every create / update / delete on regulated records is captured in an immutable audit trail with actor, timestamp, and reason. E-signatures are bound to status transitions where required.
Tenant data is backed up on a regular schedule with point-in-time recovery available within the retention window defined per environment. Restore procedures are exercised periodically.
Code changes follow peer review, automated testing, and controlled deployment. Production change records are retained. GxP-impacting changes are managed through formal change control.
Third parties that may process customer personal data on Complere's behalf.
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloud infrastructure provider | Compute, managed database, object storage, network for hosted tenants | Customer-selected region |
| Email delivery provider | Transactional email (notifications, password resets, system alerts) | Provider-managed |
| Error monitoring service | Application error and performance monitoring; access restricted to engineering on-call | Provider-managed |
| Customer support tooling | Ticket management for customer-initiated support contact | Provider-managed |
| Current vendor names available on request via DPA. Material changes to sub-processors are notified to customers through the contact channel on file. | ||
What to expect if a security event affects customer data.
In the event of a confirmed personal data breach affecting a customer, Complere notifies the impacted customer without undue delay and, in any case, within 72 hours of becoming aware — aligned with GDPR Article 33.
Notification is sent to the security or admin contact listed on the customer account. Customers should keep this contact current and inform Complere of changes.
Notifications describe the nature of the incident, categories of data affected, likely consequences, mitigation steps taken, and recommended actions for the customer's own assessment.
For procurement, legal, and IT security review.
GDPR-aligned DPA including SCCs for international transfers and the current sub-processor list.
Request DPASummary of technical and organisational controls, suitable for inclusion in supplier risk assessments.
Request overviewPre-filled responses to common questionnaires (CAIQ-style) on request; bespoke questionnaires accepted.
Request responseUptime commitments, support response targets, and incident communication standards.
Request SLAReach out to our team for documents, questionnaire responses, or specific clauses your procurement process requires. We respond within one business day.
