Security & Compliance

Built for regulators, not retrofitted for them.

Trelice handles the documents that define how patients are treated. We build the platform to the standard the regulator expects — because anything less isn’t real.

Regulatory standards

21 CFR Part 11: E-signatures, audit trails, access control.
ICH M11: Harmonised protocol template & terminology.
TransCelerate: Common protocol template v8.
CDISC (aligned): Standard vocabulary & data structures.

Infrastructure

SOC 2 Type II (in progress): Report available on request under NDA — placeholder.
ISO 27001 (planned): Target: 2026. Policies documented today.
HIPAA (BAA-ready): Business Associate Agreements available for US sites.
GDPR (compliant): EU data residency optional on Enterprise.

Security practices

Encryption

AES-256 at rest, TLS 1.3 in transit. Customer data encrypted with per-tenant keys.

Access control

SSO via SAML / OIDC. Role-based access at document and field level. Session binding.

Audit trail

Every read, write, and approval event logged, immutable, exportable, 21 CFR Part 11–compliant.

Backup & continuity

Point-in-time recovery to any second in the last 35 days. Multi-region standby on Enterprise.

Vulnerability management

Annual pen test by an independent third party. Continuous dependency scanning. 48-hour critical patch SLO.

Data residency

US or EU at standard tier. APAC on Enterprise. No cross-region replication without written consent.


Responsible disclosure

Found a vulnerability? Email security@trelice.com. We aim to acknowledge within one business day and resolve critical issues within 7 days. We run a private bug-bounty programme — contact us for scope.