Trust Centre

Transparency by design

Everything you need to evaluate ChemCapital for regulated procurement: DPA, sub-processor list, data residency, ALCOA+ data integrity, GAMP 5 readiness, AI governance, continuity, incident response, and our SOC 2 and ISO 27001 roadmaps.

DPA ALCOA+GAMP 5 AI Governance Validation Pack Continuity Security Q&A ISO 27001 NIS2 Sub-Processors Incident Response

Share Trust Centre

Data Processing Agreement (DPA)

ChemCapital provides a Data Processing Agreement to enterprise customers on request. The DPA governs how we process personal data on your behalf, including sub-processor obligations, data subject rights, and breach notification procedures aligned with UK GDPR, EU GDPR, and applicable transfer mechanisms.

Request DPA →Privacy Notice Make a data request

ALCOA+ Data Integrity

ALCOA+ is the internationally recognised framework for data integrity in regulated industries (FDA, MHRA, EMA). It specifies that records must be Attributable, Legible, Contemporaneous, Original, and Accurate — plus Complete, Consistent, Enduring, and Available. The table below describes how ChemCapital addresses each principle today.

Principle	Term	How ChemCapital addresses it
A	Attributable	Every record is linked to the user who created or changed it. Name, timestamp, and company context are stored on every entry.
L	Legible	Records are stored in structured, human-readable fields. No overwriting: values are preserved in a versioned audit log.
C	Contemporaneous	Timestamps are applied at the moment of the action in UTC. Users cannot back-date entries.
O	Original	Uploaded documents are stored with an SHA-256 checksum on receipt. Originals are not modified; new versions create a new record.
A	Accurate	Structured data fields enforce format and range validation. Free-text fields are preserved exactly as entered.
+C	Complete	Mandatory reason-for-change fields prevent partial records. Required document fields flag missing attachments.
+C	Consistent	All timestamps use UTC throughout. Currency and unit fields are standardised across the platform.
+E	Enduring	Retention controls and legal hold prevent deletion during regulated lifecycle. Export of all tenant data is available on request.
+A	Available	Audit records are accessible to authorised users at all times. Export routes are available for regulator requests.

All nine ALCOA+ principles are implemented. Retention controls and legal hold — which underpin the Enduring (+E) principle — are live and configurable per tenant under Enterprise Settings → Compliance. Records under legal hold cannot be deleted until the hold is released by an authorised administrator.

GAMP 5 Readiness (2nd Edition, 2022)

GAMP 5 (Good Automated Manufacturing Practice) is the pharmaceutical industry's primary guide for computerised system validation (CSV). ChemCapital has reviewed the GAMP 5 Second Edition (ISPE, July 2022) against our architecture. The table below summarises our current position against each relevant module.

M11

IT InfrastructureImplemented

Supabase, Vercel, Stripe, Sentry, and Resend are classified as GAMP Category 1 infrastructure. Sub-processor DPAs are documented. An Infrastructure Qualification Pack covering SOC 2/ISO 27001 evidence, data residency, change-management pace, incident escalation, and contingency plans for all five vendors is available on request — contact us directly.

Request the Infrastructure Qualification Pack →

M12

Critical ThinkingImplemented

Each Validation Pack module carries a Critical Thinking rationale field capturing intended use, risk level, SME judgement, and departure from prescriptive rules. Rationale is entered per artefact in Procurement → Regulated Readiness → Validation Evidence, stored on ValidationArtifact.criticalThinkingRationale, and serialised into the Validation Pack JSON export.

Agile DevelopmentImplemented

ChemCapital operates iterative sprints with controlled release notes. Each release note carries a GAMP change-classification (Category 1–5, minor/major), a validation-impact assessment, and a reason-for-change. The release notes register is live at Procurement → Regulated Readiness → Release Notes.

D11

AI / MLImplemented

Every AI feature in ChemCapital has a D11 AI/ML control set entry covering intended use, training-data statement, model name and version, confidence threshold, human-review gate, and drift-detection notes. The control set is maintained in the admin D11 AI/ML dashboard and auto-seeded with 5 core AI features on first use.

Category 4/5

Configured / Custom SoftwarePartial

ChemCapital is classified as Category 5 (custom software). Risk-based testing applies. Jest unit tests and Playwright end-to-end tests cover core workflows. Trace-link creation (URS → test evidence) and Critical Thinking rationale are live and included in the Validation Pack JSON export. A PDF/XLSX Validation Pack renderer with formal IQ/OQ/PQ evidence structure is on the roadmap.

ChemCapital is not “GAMP 5 certified” — no such certification exists. We are implementing the practices described in the guide on a risk-based schedule. Our GAMP 5 alignment document is available on request to qualified customers.

AI Governance

ChemCapital uses AI to assist with tasks such as quote field extraction, comparison scoring, and cost estimation. We do not use AI to make autonomous regulated decisions. The controls below describe how AI is governed within the platform.

Model & version logging

Every AI inference call records the model name and version used. This is persisted in the AIModelPromptVersion registry.

Confidence score display

AI-generated values surface a confidence score to the end user. Users can accept, edit, or reject AI suggestions before they are saved.

Human-in-the-loop gating

Regulated procurement actions (RFQ approvals, quotation sign-off) require a human decision step. AI may suggest; it may not approve autonomously.

Tenant opt-out

Enterprise tenants may disable AI features entirely for their workspace. In ISOLATED mode, no AI-derived content crosses the tenant boundary.

Audit trail for AI decisions

Accepted, edited, and rejected AI suggestions are recorded in the AuditEvent log, attributable to the acting user.

NIST AI RMF alignment (roadmap)

A structured AI Risk Assessment record (AiRiskAssessment model) is in the data model. The full NIST AI RMF Govern–Map–Measure–Manage dashboard is targeted for Phase 2.

Our AI governance approach is aligned with the NIST AI Risk Management Framework (AI RMF 1.0) and GAMP 5 2nd Edition Appendix D11 (AI/ML). A formal D11 AI/ML control set per feature — covering intended use, training-data statement, model version, confidence threshold, human-review gate, and drift-detection notes — is live in the admin D11 AI/ML dashboard.

Validation Pack (CSV / FDA CSA)

Enterprise customers conducting Computer System Validation (CSV) or operating under the FDA’s Computer Software Assurance (CSA) guidance may request a Validation Pack. The Phase 1 scaffold is live — artefacts, trace links, and Critical Thinking rationale are exportable as JSON today. A formal PDF/XLSX renderer is on the roadmap.

User Requirements Specification (URS) (roadmap)
Functional Specification (FS) (roadmap)
Design Specification (DS) summary (roadmap)
Risk assessment with GAMP Category 5 classification
IQ / OQ / PQ test evidence with traceability matrix (roadmap)
Trace links: URS → artefact → test evidence
Annual Periodic Review artefact (roadmap)
GAMP 5 2nd Ed Critical Thinking rationale per module
JSON export of all validation artefacts

Artefacts, trace links, and Critical Thinking rationale are accessible under Procurement → Regulated Readiness → Validation Evidence. JSON export is available today via the export API.

Request Validation Pack briefing →

Continuity & Exit Package

Customers in regulated industries require assurance that they can access, export, and migrate their data at any time — not only at end-of-contract. Our continuity commitments are described below.

Customer data ownership

All data you create on ChemCapital belongs to you. We act as a processor on your behalf. You retain full ownership and the right to export at any time.

Export formats

RFQs, quotations, purchase orders, VDR entries, and audit logs are exportable as JSON. Audit log CSV export is live. Project handover manifest is exportable as a signed JSON package. A full ZIP bundle with all attachments is on the roadmap.

RTO / RPO

We target a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for production data, using Supabase automated backups.

Source code escrow

A source code escrow arrangement for enterprise customers is on our roadmap for 2026. Contact us to discuss your specific requirements.

Offboarding process

On contract termination, we provide a structured offboarding window with full data export before deletion. Data is not deleted until you confirm receipt.

Supabase infrastructure

Application data is hosted on Supabase (AWS eu-west-2). Supabase maintains its own DR procedures; their security page is linked in the sub-processor list.

Full continuity and exit details →

Security Questionnaire

Many regulated buyers require vendors to complete a security questionnaire as part of supplier due diligence. ChemCapital maintains a pre-answered questionnaire covering common questions from pharma, biopharma, and EPCM procurement teams.

Topics covered include: data encryption, access controls, vulnerability management, backup and recovery, sub-processor oversight, incident notification, personnel vetting, and penetration testing.

View questionnaire →Request custom Q&A

ISO 27001 Roadmap

ChemCapital is not currently ISO 27001 certified. We are building our information security management system (ISMS) in alignment with ISO/IEC 27001:2022 controls as part of our Phase 1 and Phase 2 security programme. The controls below are implemented today; the roadmap shows what is planned.

AES-256 encryption at rest (Supabase/AWS)

TLS 1.2+ in transit

Tenant data isolation (companyId scoping at DB level)

Role-based access controls (OWNER / ADMIN / MEMBER / VIEWER / ENGINEER / QA_REVIEWER / FINANCE_APPROVER)

Tamper-evident audit log with SHA-256 hash chain on all data-change events

Audit log CSV export (up to 5,000 events, with digest header)

Fine-grained permission grants with expiry, scope, and reason-for-change

SSO / SAML / OIDC for enterprise tenants (Okta, Azure AD, Google Workspace)

MFA for all user accounts (TOTP)

Incident response procedure (INC-SOP-001)

Sub-processor inventory and DPAs

Retention policies + legal hold (configurable per tenant)

Electronic signatures (21 CFR Part 11-style, re-auth + manifest)

Dual-approval / four-eyes workflow with value-threshold gating

MFA step-up for sensitive actions beyond e-sig re-auth

Formal vulnerability management programme

Annual penetration test with remediation report

Formal ISMS documentation set

ISO 27001:2022 certification

Implemented In progress Planned

NIS2 Awareness

The EU’s NIS2 Directive (Network and Information Security Directive 2, effective October 2024) imposes cybersecurity obligations on operators of essential services and their critical suppliers. Many of ChemCapital’s enterprise customers in the pharmaceutical and chemical sectors are NIS2-regulated entities.

ChemCapital acts as a digital supplier to NIS2-regulated operators. We take supply-chain security responsibilities seriously.
We maintain an incident response procedure with customer notification within 72 hours of a confirmed breach.
Our sub-processor inventory is kept current and all sub-processors are bound by contractual security obligations.
We can provide NIS2 supply-chain questionnaire responses to customers on request.
A formal NIS2 supplier assessment response is on our 2026 roadmap.

Request NIS2 questionnaire response →

Sub-Processor List

All sub-processors are bound by data processing agreements and reviewed for data handling, reliability, and contractual fit before use.

Provider	Purpose	Region
Supabase	Database, Auth, Storage	AWS eu-west-2
Vercel	Application hosting, edge	EU edge
OpenAI	AI inference (non-ISOLATED tenants)	Varies by mode
Resend	Transactional email	EU
Stripe	Payment processing	EU
Sentry	Error monitoring	EU

Data Residency

Region	Location	Status
EU	AWS eu-west-2 · London	Live
UK	AWS eu-west-2 · London	Live
US	AWS us-east-1 · N. Virginia	Planned · Q3 2026

Enterprise tenants select their residency region during onboarding. Default is eu-west-2 (London, UK).

Incident Response

ChemCapital maintains an incident response procedure covering containment, investigation, notification, and remediation. Key commitments:

Initial triage within 2 hours of confirmed incident
Customer notification within 72 hours of confirmed personal data breach
Root cause analysis provided within 14 days
All incidents logged and tracked to closure

SOC 2 Roadmap

HTTPS / TLS encryption on all traffic

AES-256 encryption at rest (database and storage)

Role-based access control (RBAC) with server-side enforcement

Expanded RBAC roles (ENGINEER, QA_REVIEWER, FINANCE_APPROVER)

Fine-grained permission grants with per-resource scope, expiry, and reason-for-change

Centralised company membership authorization guard

HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy)

Invite-based user onboarding with token expiry

Multi-factor authentication (MFA) via TOTP

SSO / SAML / OIDC for enterprise identity providers (Okta, Azure AD, Google Workspace)

Tamper-evident audit log with SHA-256 hash chain (ALCOA+ / 21 CFR Part 11)

Audit log CSV export with tamper-evident digest header (up to 5,000 events)

Customer audit trail log viewer in-app with search, filter, and pagination

Retention policies + legal hold (configurable per tenant, 7-year GxP default)

Electronic signatures — 21 CFR Part 11-style ceremony with re-auth and manifest PDF

Dual-approval / four-eyes workflow with configurable value-threshold gating

SOC 2 readiness dashboard with 20 core controls and evidence export

API key hashing and revocation

Stripe webhook signature verification

Outbound webhook HMAC-SHA256 signing

Rate limiting across API, upload, and auth routes

Server-side password complexity enforcement

Server-side input validation (Zod)

MIME type and file size validation on uploads

Fail-closed cron job authentication

IDOR protection on document parsing API

Error and security monitoring (Sentry, EU region)

Data retention engine with configurable policies

Enterprise DPA availability

IP allowlisting for enterprise accounts

Downloadable audit log export — PDF render

Annual penetration test with public remediation report

ISO 27001:2022 certification

Implemented In progress Planned

Cross-Tenant Data Flow

ChemCapital enforces strict data segregation at the database level. All records are scoped by companyId. For enterprise tenants, an additional data exchange mode governs whether and how AI-processed content crosses organisational boundaries:

ISOLATED: AI-derived content is stripped before being shown to buyers. No data crosses the tenant boundary.
OUTBOUND / INBOUND / BIDIRECTIONAL: Data exchange rules are negotiated per-contract and enforced programmatically. Egress can be logged in a manifest for customer review.

View full security practices →

Regulated procurement teams

If you are evaluating ChemCapital for pharmaceutical, biotech, EPCM, or process engineering procurement — and need a consolidated briefing pack for your compliance team — visit our Compliance Briefing page or contact us directly.

Regulated Compliance Briefing →Contact compliance team

Security overview Request DPA Enterprise features Security questionnaire Continuity & exit