Overview
SMEDTEC OS is a regulatory project management and operations platform for medical device companies. Customers use it to store submission documentation, track regulatory pathways across global markets, manage UDI data, and maintain product registration records.
Because our customers operate in regulated industries — under EU MDR, FDA 21 CFR, UKCA, and equivalent frameworks — we apply the same discipline to platform security that we ask of their own quality management systems.
Security and data integrity are not features in SMEDTEC OS — they are architectural properties. Every design decision, from database schema to authentication flow, is made with data isolation and auditability as constraints, not considerations.
This document provides a public overview of our security posture. Prospective customers with additional due diligence requirements may request the extended Security Information Pack (SMEDTEC-SEC-002), which covers sub-processor details, penetration testing status, and access control policies in full.
Infrastructure Security
SMEDTEC OS runs on a SOC 2 Type II–certified managed cloud backend platform built on AWS infrastructure, with data centres in EU and UK regions.
Hosting & Cloud
All platform infrastructure runs within a managed cloud backend environment. We do not operate self-managed server infrastructure. Underlying compute, storage, and networking are provided by AWS, with physical security, environmental controls, and network segmentation handled by our infrastructure provider under their enterprise security programme. The full named sub-processor list is provided to customers under our Data Processing Agreement.
Network Security
All data in transit between client and platform is encrypted using TLS 1.2 or higher. Plain HTTP connections are rejected.
All API requests are routed through our managed edge network with built-in rate limiting and request validation.
AI-powered features run in isolated Edge Functions — no AI API keys or processing occurs client-side.
All API keys and credentials are stored as server-side environment secrets. No sensitive credentials are exposed in client-side code or public repositories.
Data Isolation
Data isolation is the most critical security property for a multi-tenant SaaS platform used by regulated industries. SMEDTEC OS enforces isolation at the database level — not just the application level.
Every table in SMEDTEC OS enforces Row-Level Security (RLS) policies at the PostgreSQL layer. This means that even if application-level access controls were bypassed, a user could not read or write data belonging to another organisation. Isolation is a database guarantee, not an application promise.
Row-Level Security (RLS)
RLS is implemented via PostgreSQL policies that scope every query to the authenticated user's organisation. Policies are applied automatically by the database engine on every SELECT, INSERT, UPDATE, and DELETE operation — with no possibility of accidental bypass in application code.
Organisation Scoping
Every record in the platform carries an organisation_id foreign key. RLS policies verify that the requesting user belongs to the organisation that owns the record before permitting any operation. Anonymous or cross-organisation access is structurally impossible.
Role-Based Access Within Organisations
Within an organisation, users are assigned roles that determine their read and write permissions. Viewer-role users cannot modify records. Member-role users can create and edit. Admin-role users have full access including configuration. Role checks are enforced at both the application and database layers.
Access Controls
Authentication
User authentication is handled by a dedicated managed authentication service that provides industry-standard JWT-based session management. Passwords are hashed using bcrypt. Session tokens expire and are rotated on re-authentication.
Invitation-Only Onboarding
New users cannot self-register into an existing organisation. They must be explicitly invited by an Org Admin. This prevents unauthorised account creation within customer environments.
Internal Access
SMEDTEC Ltd personnel do not have routine access to customer data. Administrative database access is restricted to named personnel and requires justification. There is no "support backdoor" into customer organisations.
| Role | Read Access | Write Access | Admin Access |
|---|---|---|---|
| Viewer | Full | None | None |
| Member | Full | Full | None |
| Admin | Full | Full | Full |
| SMEDTEC Ltd | None (routine) | None (routine) | Break-glass only |
Encryption
All data stored in our managed PostgreSQL databases is encrypted at rest using AES-256. This is managed at the infrastructure level by our cloud provider on AWS.
All communications between clients and the platform use TLS 1.2+. Certificate management is handled by our managed edge network.
Documents uploaded to the platform (vault files, registration certificates) are stored in managed object storage with server-side encryption. Pre-signed URLs are used for time-limited access.
Any regulatory portal credentials stored in the platform are encrypted at the application layer using pgcrypto before storage, in addition to the infrastructure-level encryption at rest.
Data Protection
SMEDTEC Ltd is registered as a Data Controller and Data Processor under UK GDPR. We maintain a Data Processing Agreement (DPA) that governs the processing of personal data on behalf of customers.
Data Residency
Customer data is stored in EU/UK data centres by default. SMEDTEC Ltd does not transfer customer data outside of the UK/EEA without appropriate safeguards in place.
Data Retention
Customer data is retained for the duration of the subscription. Upon termination, customers have a 30-day window to export their data. Following the export window, data is deleted from production systems within 30 days and from backups within 90 days.
Personal Data in the Platform
SMEDTEC OS processes limited personal data — primarily user names, email addresses, and activity logs for audit purposes. The platform is not designed or intended to store patient data, clinical trial data, or special category personal data under GDPR.
The full Data Processing Agreement is available at smedtec.co.uk/dpa.
Availability & Recovery
Uptime
SMEDTEC OS targets 99.9% uptime for the application layer. Underlying infrastructure uptime commitments are governed by our cloud provider's SLA. Planned maintenance is communicated with advance notice.
Backups
Database backups are performed continuously by our managed database provider with point-in-time recovery available. Backup retention periods align with the provider's standard managed database policy. SMEDTEC Ltd additionally performs periodic logical backups of customer data.
Disaster Recovery
In the event of a significant infrastructure failure, SMEDTEC OS can be restored from backup to a point-in-time state. Recovery objectives are reviewed as part of our ongoing security programme.
Sub-processors
SMEDTEC OS relies on a small number of carefully selected sub-processors. Each is subject to data processing agreements and assessed against our security requirements.
| Sub-processor | Role | Data Processed | Location |
|---|---|---|---|
| Managed Cloud Backend Provider | Database, Auth, Storage | All platform data | EU / UK |
| Anthropic | AI features (Claude API) | Query content only — no persistent storage | US (API calls) |
| Vercel / CDN | Application hosting & delivery | Request metadata only | EU edge nodes |
AI features: Content submitted to AI-powered features is processed by Anthropic's API on a zero-retention basis for inference — it is not used to train models and is not stored by Anthropic beyond the duration of the API call. Customers may disable AI features within their organisation settings.
Named sub-processor list: the table above describes the categories of sub-processor relied on by the platform. The current named sub-processor list (including legal entity, registered address, and contact for data protection enquiries) is provided to customers under the Data Processing Agreement and made available to prospective customers under NDA on request.
Compliance Roadmap
SMEDTEC Ltd is actively pursuing formal security certification. Our compliance roadmap is as follows:
| Milestone | Status | Target |
|---|---|---|
| Platform Validation Statement (SMEDTEC-VAL-001) | Complete | February 2026 |
| Data Processing Agreement (SMEDTEC-DPA-001) | Complete | February 2026 |
| Security Overview (SMEDTEC-SEC-001) | Complete | March 2026 |
| ISO 27001 Gap Analysis | In Planning | H2 2026 |
| Penetration Testing (Initial) | In Planning | H2 2026 |
| ISO 27001 Certification | Roadmap | 2027 |
Customers with enterprise procurement requirements who need evidence of certification sooner than our roadmap permits are encouraged to contact us to discuss our current security controls in detail. We are committed to transparency and will make available our validation documentation, DPA, and this security overview as a starting point for due diligence conversations.
Contact
For security enquiries, vulnerability disclosures, or requests for the extended Security Information Pack, please contact us directly.
SMEDTEC Ltd — Security & Trust
For general security questions and due diligence requests:
We aim to respond to all security enquiries within 2 business days. For urgent matters or confirmed security incidents, please mark your subject line [SECURITY] for prioritised handling.