Trust & Security

Security Policy

Last updated: 1 January 2026

Security is foundational to what we build. The Nessa platform handles sensitive pharmaceutical data that must meet the highest standards of integrity, confidentiality, and availability. Here is how we protect it.

FDA 21 CFR Part 11

ALCOA+ Validated

GxP Compliant

AES-256 Encrypted

Infrastructure

Nessa is hosted on enterprise-grade cloud infrastructure with ISO 27001 certified data centres. All environments (production, staging, DR) are isolated with strict network segmentation. Infrastructure is defined as code and reviewed before every deployment.

Encryption

In transit: TLS 1.3 enforced on all connections. HSTS enabled with preloading.
At rest: AES-256 encryption for all stored data, including audit trail records and uploaded study files.
Audit trails: Each record is cryptographically hashed using SHA-256 and chained to form a tamper-evident log, satisfying 21 CFR Part 11 §11.10(e) requirements.

Access Controls

Access to the Nessa platform is governed by role-based access control (RBAC). All access to production systems requires multi-factor authentication (MFA). Privileged access is logged, time-limited, and subject to quarterly review.

Customer data is logically isolated — no cross-tenant data access is possible by design.

Audit Trails

All actions within the Nessa platform generate immutable audit trail entries including: user identity, timestamp (UTC), action type, before/after values, and system metadata. These records are cryptographically signed and cannot be altered or deleted, meeting ALCOA+ attributability and contemporaneity requirements.

Vulnerability Management

Automated dependency scanning on every build (SAST + SCA)
Quarterly penetration testing by independent third-party security firms
Responsible disclosure programme — report vulnerabilities to security@clinivion.com
Critical patches deployed within 24 hours of CVE disclosure

Business Continuity

We maintain a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. Data is replicated in real-time across geographically separated availability zones. Disaster recovery is tested quarterly.

Incident Response

In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of discovery, consistent with GDPR Article 33 requirements. Our incident response team operates 24/7.

Validation Documentation

Clinivion provides a complete validation package for the Nessa platform including Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) protocols. Available upon request to qualified customers.

Contact

Security enquiries: security@clinivion.com
General: hello@clinivion.com