Security Policy
Effective date: 1 January 2026 — Last updated: 16 April 2026
Clinivion, LLC ("Clinivion", "we", "us") operates clinivion.com, nessa.clinivion.com, and app.clinivion.com. Security is foundational to what we build. The Nessa platform handles sensitive pharmaceutical data that must meet the highest standards of integrity, confidentiality, and availability. This policy describes how we protect it.
Built for Regulated Industries. Nessa is designed to meet FDA 21 CFR Part 11, ALCOA+, EU Annex 11, and GxP compliance requirements out of the box.
All pharmaceutical data is protected with defence-in-depth security controls across infrastructure, application, and data layers.
1. Infrastructure Security
Nessa is hosted on enterprise-grade cloud infrastructure with ISO 27001-certified data centres. All environments (production, staging, disaster recovery) are isolated with strict network segmentation.
- Infrastructure defined as code and peer-reviewed before every deployment
- Automated configuration management with drift detection
- Network segmentation with private subnets, security groups, and Web Application Firewall (WAF)
- Continuous monitoring with automated alerting for anomalous activity
2. Encryption
- In transit — TLS 1.3 enforced on all connections. HSTS enabled with preloading. No fallback to older protocols.
- At rest — AES-256-GCM field-level encryption for all stored data, including audit trail records and uploaded study files. Encryption keys managed via AWS KMS with automatic rotation.
- Audit trails — each record is cryptographically hashed using SHA-256 and chained to form a tamper-evident log, satisfying 21 CFR Part 11 §11.10(e) requirements.
- Digital signatures — Ed25519 signatures with entry-specific nonces for electronic records, per 21 CFR 11.50/11.70.
3. Access Controls
Access to the Nessa platform is governed by role-based access control (RBAC) with five defined roles:
- Admin — full platform configuration and user management
- QA Manager — approval workflows, compliance oversight, report generation
- QA User — data entry, electronic signatures, routine operations
- Auditor — read-only access to audit trails, compliance reports, and validation records
- Viewer — read-only access to approved data and dashboards
All access to production systems requires multi-factor authentication (MFA). Privileged access is logged, time-limited, and subject to quarterly review. Customer data is logically isolated using PostgreSQL Row-Level Security — no cross-tenant data access is possible by design.
4. Audit Trails
Immutable by Design. All actions within the Nessa platform generate tamper-proof audit trail entries that cannot be altered or deleted.
Each audit record includes:
- User identity and authentication context
- Timestamp (UTC) verified via NTP quorum (3 sources, 500 ms drift tolerance)
- Action type and detailed event description
- Before/after values for all data modifications
- Cryptographic hash chain linking each entry to its predecessor
- System metadata (IP address, session ID, client version)
These records meet ALCOA+ attributability and contemporaneity requirements and are retained for the lifetime of the associated data.
5. Vulnerability Management
- Automated dependency scanning on every build (SAST + SCA via cargo-audit and Trivy)
- Container image scanning before deployment with SBOM generation
- Quarterly penetration testing by independent third-party security firms
- Secrets scanning (Gitleaks) in CI/CD pipeline to prevent credential leakage
- Critical patches deployed within 24 hours of CVE disclosure
To report a vulnerability, contact us at edem@clinivion.com. We operate a responsible disclosure programme and will acknowledge reports within 48 hours.
6. Business Continuity & Disaster Recovery
- Recovery Time Objective (RTO) — 4 hours
- Recovery Point Objective (RPO) — 1 hour
Data is replicated in real time across geographically separated availability zones. Automated failover ensures continuity in the event of an infrastructure failure. Disaster recovery procedures are tested quarterly with documented results.
7. Incident Response
In the event of a security incident affecting customer data, we will:
- Notify affected customers within 72 hours of discovery, consistent with GDPR Article 33
- Provide a detailed incident report including scope, root cause, and remediation steps
- Conduct a post-incident review and implement preventive measures
Our incident response team operates 24/7 with defined escalation procedures.
8. Validation Documentation
Clinivion provides a complete validation package for the Nessa platform, including:
- Installation Qualification (IQ) — verifying correct installation and configuration
- Operational Qualification (OQ) — verifying the system operates as intended
- Performance Qualification (PQ) — verifying consistent performance under real-world conditions
Validation packages are available upon request to qualified customers.
9. Compliance Certifications
Standards & Frameworks. Nessa is built to support compliance with FDA 21 CFR Part 11, ALCOA+, EU Annex 11, GxP, ISO 27001, GDPR, and HIPAA security requirements.
We maintain documented evidence of our security controls and make compliance documentation available to customers under NDA.
10. Contact
Clinivion, LLC
Edem Agbeko, Founder & Security Lead
edem@clinivion.com
clinivion.com