Trust at InnoQualis

InnoQualis operates an Electronic Quality Management System for regulated industries — medical devices, pharmaceuticals, and life sciences. This page documents our compliance posture, sub-processors, security stance, and audit-trail commitments so that customers and prospects can verify our claims without booking a sales call.

Current posture is mostly In Progress ahead of our Phase 26 cloud cutover. Items transition to Self-Attested as controls are implemented and to Validated as third-party audits complete.

Compliance posture

We target the following standards for the EQMS itself. Customers using InnoQualis to manage their own ISO 13485 / GMP programmes inherit our controls but operate under their own certifications.

StandardStatusNotes
ISO 9001In ProgressGeneral QMS framework — controls in place, third-party validation targeted Phase 26+ (cloud cutover).
ISO 13485In ProgressMedical-devices QMS — controls in place, third-party validation targeted Phase 26+.
GMPIn ProgressPharmaceutical Good Manufacturing Practice — controls in place, validation targeted Phase 26+.
21 CFR Part 11Self-AttestedElectronic records and electronic signatures — append-only audit trails, soft-invalidation of signatures, six-eyes approval flows. See audit-trails section below.
GDPR / HIPAASelf-AttestedData minimisation, EU residency by default, right-to-erasure tooling. HIPAA Business Associate Agreement (BAA) available on request for US tenants handling PHI.

In Progress — we are targeting this standard; controls are partially or fully in place but no third-party validation has completed.

Self-Attested — we conform to the standard's requirements with documented controls; no third-party audit has occurred.

Validated — third-party auditor has reviewed and attested. None today; transitions expected after Phase 26.

Security overview

Encryption at rest

All persisted data — PostgreSQL, object storage, Stripe webhook secrets per Spec 21.2 — is encrypted with AES-256 via the platform's managed KMS. Encryption keys are rotated per the KMS provider's default schedule.

Encryption in transit

TLS 1.2 or higher is enforced on every public endpoint. Certificate expiry is monitored by the Spec 30.2 blackbox uptime + SSL probes. HSTS is on for all `*.innoqualis.com` hosts.

Vulnerability management

Dependency audit gates run on every PR (Renovate / Dependabot rules per the Phase 13.5.x hardening). Critical CVEs block merge. SAST scans the codebase on every push.

Secret management

Secrets never live in source. Production secrets are scoped per-environment in the platform secrets manager; rotation is automated for managed credentials (DB, KMS) and manual with reminders for third-party API keys.

Data residency

InnoQualis hosts all tenant data inside the European Union.

  • Post Phase 26 cutover — primary residency is AWS Frankfurt (eu-central-1). All managed services (RDS, S3, KMS) are pinned to this region.
  • Pre Phase 26 cutover — primary residency is Hetzner Cloud (Falkenstein, Germany). Same EU jurisdiction, same GDPR posture. The Frankfurt cutover is scheduled per Phase 26 plan.
  • Sub-processor data flows that traverse non-EU jurisdictions (e.g. OpenAI inference in the US) are governed by the Standard Contractual Clauses in each sub-processor's DPA. See the sub-processors table below for the routing of every data flow.
  • Tenants with strict residency requirements can disable AI-Compliance-Officer features (which route prompts through non-EU LLM providers) at the workspace level.

Sub-processors

Per GDPR Article 28(2), we publish the full list of third parties that process tenant data on our behalf. We update this list before onboarding a new sub-processor.

Sub-processorLocationPurposeData flowsDPA
Stripe Payments Europe Ltd.Ireland (EU)Payment processing for paid plansBilling email, payment method (card), tax IDDPA
OpenAI, L.L.C.United StatesLarge language model inference (AI Compliance Officer)Document text and prompts only — training opt-out enabled at the workspace levelDPA
Anthropic, PBCUnited StatesLLM failover provider (stub today, active in Phase 24.1)Prompts only — failover path currently inactive; documented here for forward visibilityDPA
Microsoft Ireland Operations Ltd.EU (Ireland)Email delivery and optional SharePoint document integrationTransactional email content; SharePoint OAuth tokens; document metadata for ingestDPA
Amazon Web Services EMEA SARLGermany — eu-central-1 (Frankfurt) from Phase 26Infrastructure hosting (compute, storage, KMS) post Phase 26 cutoverAll tenant data at rest. Pre-cutover, hosting is on Hetzner (Germany — Falkenstein); page updates when cutover ships.DPA

Audit trails and retention

Quality records and audit trails follow 21 CFR Part 11 §11.10(e): append-only, tamper-evident, retrievable for the regulatory retention period.

  • Every state-changing action on a controlled record (document, deviation, CAPA, change control, audit, training assignment) emits an immutable audit-trail row scoped to the tenant.
  • Electronic signatures use soft-invalidation (invalidated_at + invalidation_reason) — never hard-delete. The full signing history of any record is always recoverable.
  • Default retention: 10 years post decommission. This matches the upper bound of common medical device regulations (e.g. EU MDR Article 10(8); 21 CFR Part 820 §820.180(b)). Tenants in other regulated industries can configure a longer retention via support.
  • Audit trails are tenant-isolated — cross-tenant queries are impossible by construction (every query layer enforces a tenant scope; tested at the integration layer).

Incident history

No public-facing incidents to date.

Incidents that affect customer data, availability, or compliance posture are published at status.innoqualis.com (Phase 26.9 deliverable) with: short description, customer impact, timeline, root cause analysis, and remediation. We commit to publishing within 72 hours of incident resolution.

Compliance officer contact

General compliance

compliance@innoqualis.com

Available after Phase 26 cutover. Until then, reach the founder team via the in-app feedback widget.

Data Protection Officer (GDPR)

dpo@innoqualis.com

For data subject requests (access, erasure, portability) and GDPR-specific queries.