Trust & Compliance
InnoQualis operates an Electronic Quality Management System for regulated industries — medical devices, pharmaceuticals, and life sciences. This page documents our compliance posture, sub-processors, security stance, and audit-trail commitments so that customers and prospects can verify our claims without booking a sales call.
Current posture is mostly In Progress ahead of our Phase 26 cloud cutover. Items transition to Self-Attested as controls are implemented and to Validated as third-party audits complete.
The canonical app-side version of this page is hub.innoqualis.com/trust. The two pages carry the same content — this one is the docs-domain mirror.
Compliance posture
Section titled “Compliance posture”We target the following standards for the EQMS itself. Customers using InnoQualis to manage their own ISO 13485 / GMP programmes inherit our controls but operate under their own certifications.
| Standard | Status | Notes |
|---|---|---|
| ISO 9001 | In Progress | General QMS framework — controls in place, third-party validation targeted Phase 26+ (cloud cutover). |
| ISO 13485 | In Progress | Medical-devices QMS — controls in place, third-party validation targeted Phase 26+. |
| GMP | In Progress | Pharmaceutical Good Manufacturing Practice — controls in place, validation targeted Phase 26+. |
| 21 CFR Part 11 | Self-Attested | Electronic records and electronic signatures — append-only audit trails, soft-invalidation of signatures, six-eyes approval flows. See audit-trails section below. |
| GDPR / HIPAA | Self-Attested | Data minimisation, EU residency by default, right-to-erasure tooling. HIPAA Business Associate Agreement (BAA) available on request for US tenants handling PHI. |
Status definitions:
- In Progress — we are targeting this standard; controls are partially or fully in place but no third-party validation has completed.
- Self-Attested — we conform to the standard’s requirements with documented controls; no third-party audit has occurred.
- Validated — third-party auditor has reviewed and attested. None today; transitions expected after Phase 26.
Security overview
Section titled “Security overview”Encryption at rest
Section titled “Encryption at rest”All persisted data — PostgreSQL, object storage, Stripe webhook secrets per Spec 21.2 — is encrypted with AES-256 via the platform’s managed KMS. Encryption keys are rotated per the KMS provider’s default schedule.
Encryption in transit
Section titled “Encryption in transit”TLS 1.2 or higher is enforced on every public endpoint. Certificate expiry is monitored by the Spec 30.2 blackbox uptime + SSL probes. HSTS is on for all *.innoqualis.com hosts.
Vulnerability management
Section titled “Vulnerability management”Dependency audit gates run on every PR (Renovate / Dependabot rules per the Phase 13.5.x hardening). Critical CVEs block merge. SAST scans the codebase on every push.
Secret management
Section titled “Secret management”Secrets never live in source. Production secrets are scoped per-environment in the platform secrets manager; rotation is automated for managed credentials (DB, KMS) and manual with reminders for third-party API keys.
Data residency
Section titled “Data residency”InnoQualis hosts all tenant data inside the European Union.
- Post Phase 26 cutover — primary residency is AWS Frankfurt (
eu-central-1). All managed services (RDS, S3, KMS) are pinned to this region. - Pre Phase 26 cutover — primary residency is Hetzner Cloud (Falkenstein, Germany). Same EU jurisdiction, same GDPR posture. The Frankfurt cutover is scheduled per Phase 26 plan.
- Sub-processor data flows that traverse non-EU jurisdictions (for example OpenAI inference in the US) are governed by the Standard Contractual Clauses in each sub-processor’s DPA. See the sub-processors table below for the routing of every data flow.
- Tenants with strict residency requirements can disable AI-Compliance-Officer features (which route prompts through non-EU LLM providers) at the workspace level.
Sub-processors
Section titled “Sub-processors”Per GDPR Article 28(2), we publish the full list of third parties that process tenant data on our behalf. We update this list before onboarding a new sub-processor.
| Sub-processor | Location | Purpose | Data flows | DPA |
|---|---|---|---|---|
| Stripe Payments Europe Ltd. | Ireland (EU) | Payment processing for paid plans | Billing email, payment method (card), tax ID | Stripe DPA |
| OpenAI, L.L.C. | United States | Large language model inference (AI Compliance Officer) | Document text and prompts only — training opt-out enabled at the workspace level | OpenAI DPA |
| Anthropic, PBC | United States | LLM failover provider (stub today, active in Phase 24.1) | Prompts only — failover path currently inactive; documented here for forward visibility | Anthropic DPA |
| Microsoft Ireland Operations Ltd. | EU (Ireland) | Email delivery and optional SharePoint document integration | Transactional email content; SharePoint OAuth tokens; document metadata for ingest | Microsoft DPA |
| Amazon Web Services EMEA SARL | Germany — eu-central-1 (Frankfurt) from Phase 26 | Infrastructure hosting (compute, storage, KMS) post Phase 26 cutover | All tenant data at rest. Pre-cutover, hosting is on Hetzner (Germany — Falkenstein); page updates when cutover ships. | AWS GDPR DPA |
Audit trails and retention
Section titled “Audit trails and retention”Quality records and audit trails follow 21 CFR Part 11 §11.10(e): append-only, tamper-evident, retrievable for the regulatory retention period.
- Every state-changing action on a controlled record (document, deviation, CAPA, change control, audit, training assignment) emits an immutable audit-trail row scoped to the tenant.
- Electronic signatures use soft-invalidation (
invalidated_at+invalidation_reason) — never hard-delete. The full signing history of any record is always recoverable. - Default retention: 10 years post decommission. This matches the upper bound of common medical device regulations (EU MDR Article 10(8); 21 CFR Part 820 §820.180(b)). Tenants in other regulated industries can configure a longer retention via support.
- Audit trails are tenant-isolated — cross-tenant queries are impossible by construction (every query layer enforces a tenant scope; tested at the integration layer).
Incident history
Section titled “Incident history”No public-facing incidents to date.
Incidents that affect customer data, availability, or compliance posture are published at status.innoqualis.com (Phase 26.9 deliverable) with: short description, customer impact, timeline, root cause analysis, and remediation. We commit to publishing within 72 hours of incident resolution.
Compliance officer contact
Section titled “Compliance officer contact”- General compliance — compliance@innoqualis.com. Available after Phase 26 cutover. Until then, reach the founder team via the in-app feedback widget.
- Data Protection Officer (GDPR) — dpo@innoqualis.com. For data subject requests (access, erasure, portability) and GDPR-specific queries.