Security, Compliance, and Data Governance Built for Pharmaceutical Requirements

FDA 21 CFR Part 11

ArcaScience is fully compliant with FDA 21 CFR Part 11 requirements for electronic records and electronic signatures in regulated pharmaceutical environments.

• ✓ Electronic Records: All platform-generated records are maintained in validated electronic format with full traceability to source data.
• ✓ Electronic Signatures: Legally binding electronic signatures with unique user identification, date/time stamps, and meaning of signature (author, reviewer, approver).
• ✓ Audit Trails: Immutable, computer-generated, time-stamped audit trails recording the operator, action, date/time, and reason for every change to electronic records.
• ✓ System Validation: IQ/OQ/PQ validation protocols, change control, and periodic review processes per GAMP 5 guidelines.

GDPR (General Data Protection Regulation)

As a Paris-headquartered company, ArcaScience is natively designed for GDPR compliance across all data processing activities.

• ✓ Data Processing Agreement (DPA): Standard DPA template available for all clients, defining roles (controller/processor), processing purposes, and sub-processor management.
• ✓ Data Subject Rights: Full support for access, rectification, erasure, portability, and restriction of processing requests with documented response procedures.
• ✓ Data Storage Location: Primary data storage in EU-based data centers (France). Client-selectable data residency options available.
• ✓ Data Protection Officer: Designated DPO contactable at dpo@arcascience.ai.

ISO 27001

ArcaScience maintains ISO 27001 certification for its Information Security Management System (ISMS), covering the design, development, and operation of the benefit-risk analysis platform.

• ✓ ISMS Scope: Covers all platform infrastructure, application code, data processing pipelines, and personnel involved in service delivery.
• ✓ Annual Surveillance Audits: External certification body conducts annual surveillance audits with full recertification every three years.
• ✓ Risk Management: Formal information security risk assessment and treatment process aligned with ISO 27005.

HDS (Hébergement de Données de Santé)

ArcaScience is certified under the French HDS framework for health data hosting, meeting the requirements of Article L.1111-8 of the French Public Health Code.

• ✓ HDS certification covers the hosting and processing of personal health data on French and EU territory.
• ✓ Compliant with CNIL requirements for health data processors operating in France.

HIPAA

For US-based clients handling Protected Health Information (PHI), ArcaScience implements HIPAA-compliant technical and administrative safeguards.

• ✓ Technical Safeguards: Access controls, audit controls, integrity controls, and transmission security per the HIPAA Security Rule.
• ✓ Business Associate Agreement (BAA): Standard BAA available for execution prior to any PHI processing.
• ✓ Breach Notification: Documented incident response and breach notification procedures compliant with HIPAA Breach Notification Rule.

Encryption

• ✓ Data at Rest: AES-256 encryption for all stored data, including databases, file storage, and backups. Encryption keys managed via hardware security modules (HSMs).
• ✓ Data in Transit: TLS 1.2/1.3 enforced for all data transmission. No support for deprecated protocols (SSL, TLS 1.0, TLS 1.1). HSTS headers enforced.
• ✓ Key Management: Customer-managed encryption keys (CMEK) available for enterprise clients requiring full key custody.

Access Control

• ✓ Role-Based Access Control (RBAC): Granular permission model with predefined roles (Viewer, Analyst, Reviewer, Approver, Admin) and custom role support.
• ✓ Multi-Factor Authentication (MFA): MFA enforced for all user accounts. Support for TOTP authenticator apps, hardware security keys (FIDO2), and SSO integration.
• ✓ Single Sign-On (SSO): SAML 2.0 and OpenID Connect support for enterprise identity provider integration (Okta, Azure AD, Ping Identity).

Client Data Segregation

Each client's data is logically segregated at the infrastructure level. No client can access another client's data, models, or outputs. Segregation is enforced at the database, storage, and application layers with automated validation.

Penetration Testing and Vulnerability Management

• ✓ Annual Penetration Testing: External, independent penetration tests conducted annually by a qualified third-party security firm. Remediation tracked to completion.
• ✓ Continuous Vulnerability Scanning: Automated vulnerability scanning of infrastructure and application code on a weekly cadence.
• ✓ Responsible Disclosure: Documented vulnerability disclosure program with defined SLAs for critical (24h), high (72h), and medium (30d) severity findings.

Comprehensive Audit Logging

Every action within the ArcaScience platform generates an immutable audit log entry. Audit records cannot be modified or deleted by any user, including system administrators.

Each audit entry captures:

Reproducibility and Tamper-Evidence

• ✓ ALCOA+ Compliance: All data follows Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available principles.
• ✓ Tamper-Evident Logging: Cryptographic hash chaining ensures any alteration to audit records is immediately detectable.
• ✓ Reproducible Outputs: Every AI-generated analysis can be re-executed against its original inputs to produce identical results, with version-pinned model references.

Electronic Signatures

Platform-integrated electronic signature workflows support multi-level approval chains (author, reviewer, approver) with meaning-of-signature capture, re-authentication at signing, and signature manifestation linking the signature to the signed record. Compliant with FDA 21 CFR Part 11 Subpart C and EU eIDAS Regulation.

Data Lineage

Every output generated by the ArcaScience platform includes complete data lineage -- tracing from the final regulatory document back through AI model processing, data transformations, and source data ingestion. Inspectors and auditors can follow the full chain of custody from any output to its originating data sources.

Patient Data Handling

ArcaScience's platform is designed to work with aggregate and anonymized data wherever possible. When individual patient-level data is required for analysis, it is processed under strict contractual controls, purpose limitation, and access restrictions. Patient data is never used for purposes beyond the scope defined in the Data Processing Agreement.

De-identification Standards

• ✓ De-identification follows the HIPAA Safe Harbor method (removal of 18 identifier categories) or Expert Determination method, as appropriate to the data context.
• ✓ Pseudonymization techniques applied where full anonymization would reduce analytical utility, with re-identification keys stored separately under enhanced access controls.

Data Minimization

ArcaScience applies the principle of data minimization at every stage of the analytical pipeline. Only data elements required for the specified analytical purpose are ingested, processed, and retained. Unnecessary personal data fields are excluded at the point of ingestion, not retroactively stripped.

Cross-Border Data Transfer

• ✓ Standard Contractual Clauses (SCCs): EU-approved SCCs incorporated into all cross-border data transfer agreements for transfers outside the EEA.
• ✓ Transfer Impact Assessments: Documented TIAs conducted for each cross-border transfer scenario, evaluating the legal framework of the destination country.
• ✓ EU Data Residency: Default data residency in France/EU. US data residency available for US-only clients upon request.

Cloud Infrastructure Provider

ArcaScience is hosted on enterprise-grade cloud infrastructure that maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, HDS, and HIPAA compliance certifications. Infrastructure is deployed in EU (France) regions by default, with US region availability.

A complete sub-processor list detailing all third parties with access to client data is maintained and updated, with advance notification to clients of any sub-processor changes as required under GDPR Article 28.

Third-Party Security Assessment

• ✓ All third-party vendors with access to client data undergo security assessment prior to onboarding and annually thereafter.
• ✓ Vendor risk is categorized (critical, high, medium, low) with corresponding assessment depth and monitoring cadence.
• ✓ Security questionnaire responses (SIG, CAIQ, custom) available upon request for client vendor assessment processes.

Business Continuity and Disaster Recovery

• ✓ RTO/RPO: Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for critical platform services.
• ✓ Backup Strategy: Automated encrypted backups with geographic redundancy. Daily full backups and continuous incremental backups.
• ✓ DR Testing: Disaster recovery plan tested semi-annually with documented results and corrective actions.
• ✓ Uptime SLA: 99.9% platform availability SLA with credit-based remedies defined in client agreements.