Back to home

Compliance and security, in detail

This page documents how NexIndu answers the requirements of FDA 21 CFR Part 11, EU GMP Annex 11 and the ALCOA+ principles, and which security controls protect your plant's data. It is written for quality, validation and IT teams.

Full regulatory mapping

Requirement by requirement, the technical control that meets it inside the system.

21 CFR Part 11 §11.10(a)System validation to ensure accuracy and reliabilityDevelopment under a documented secure lifecycle, with a security review per change, an automated test suite and traceable requirements.
21 CFR Part 11 §11.10(d)System access limited to authorized individualsIndividual accounts with roles (admin, engineer, technician), delegable permissions and per-organization isolation enforced at row level in the database.
21 CFR Part 11 §11.10(e)Secure, computer-generated, time-stamped audit trailAppend-only audit table: the database revokes UPDATE and DELETE, and every event is hash-chained to the previous one so any alteration is detectable.
21 CFR Part 11 §11.50 + §11.70Electronic signatures with meaning, linked to the recordSigning requires re-verifying a password or biometrics (WebAuthn) and stores signer, meaning, method, date and a permanent link to the signed record, in an immutable table.
EU GMP Annex 11 §7Protection of data against damage or lossEncrypted backups: database daily and file storage weekly, with scheduled restore tests.
EU GMP Annex 11 §9Recording of changes and deletions of critical dataPhysical deletion is disabled for GxP records: reversible deletion flags are used and every change is written to the audit trail with author and date.
EU GMP Annex 11 §12Physical and logical securityEncryption in transit and at rest, a strict nonce-based CSP, rate limits on sensitive endpoints and penetration tests on a regular cadence with documented remediation.
ALCOA+ · AttributableEvery data point has an identified authorEach record stores who created it, who modified it and who signed it. There are no shared accounts.
ALCOA+ · ContemporaneousData recorded at the time of the operationServer timestamps in the plant's declared time zone, immutable; exports declare the time zone used.
ALCOA+ · Original and accuratePreservation of the original dataDrafts are stored separately from the final record; once signed, the original cannot be modified and any correction creates a new traceable record.

This mapping describes the product's technical controls. Qualifying the system in the context of each plant (validation, procedures and training) is part of the implementation process with the customer.

Security posture

Operational controls that protect the platform, beyond regulatory compliance.

  • Encrypted backups (AES-256): database daily and file storage weekly, with defined retention.
  • Scheduled disaster-recovery restore tests to verify that backups are usable.
  • Multi-tenant isolation enforced in the database: each organization can only read and write its own rows.
  • Penetration tests on a regular cadence with documented remediation of findings.
  • Personal data is masked before any call to external AI models.
  • Audit exports as PDF with the plant time zone declared, ready to hand to an inspector.

Validation FAQs

Can I export the audit trail for an inspection?
Yes. The audit trail exports to PDF with the applied filters, the plant's declared time zone and the ALCOA+ principles block included.
Can an administrator delete or edit signed records?
No. Immutability is enforced in the database itself: update and delete operations are revoked for audit records, signatures and handovers. No application role can bypass it.
Where is the data hosted and how is it backed up?
Data is hosted on cloud infrastructure with encryption in transit and at rest. Backups are AES-256 encrypted, run daily, and restores are tested on a schedule.
What support is there for validating the system at my plant?
NexIndu provides requirements documentation, the control mapping on this page and technical evidence for your validation file. The validation plan in the context of your plant is agreed during implementation.

Does your quality team want to review the system?

Compliance | NexIndu