Trust & Security

Security by design,
not by afterthought.

SMEDTEC OS is built for regulated industries. Security and data integrity are architectural properties of the platform — every organisation's data is isolated at the database level, independent of application code.

Document Ref SMEDTEC-SEC-001
Version 1.0
Last Reviewed March 2026
Classification Public
Encryption at rest & in transit
Database-level data isolation (RLS)
UK GDPR & EU GDPR compliant
Audit trail on all data mutations
ISO 27001 roadmap in progress
Section 1

Overview

SMEDTEC OS is a regulatory project management and operations platform for medical device companies. Customers use it to store submission documentation, track regulatory pathways across global markets, manage UDI data, and maintain product registration records.

Because our customers operate in regulated industries — under EU MDR, FDA 21 CFR, UKCA, and equivalent frameworks — we apply the same discipline to platform security that we ask of their own quality management systems.

Security and data integrity are not features in SMEDTEC OS — they are architectural properties. Every design decision, from database schema to authentication flow, is made with data isolation and auditability as constraints, not considerations.

This document provides a public overview of our security posture. Prospective customers with additional due diligence requirements may request the extended Security Information Pack (SMEDTEC-SEC-002), which covers sub-processor details, penetration testing status, and access control policies in full.

Section 2

Infrastructure Security

SMEDTEC OS runs on a SOC 2 Type II–certified managed cloud backend platform built on AWS infrastructure, with data centres in EU and UK regions.

Hosting & Cloud

All platform infrastructure runs within a managed cloud backend environment. We do not operate self-managed server infrastructure. Underlying compute, storage, and networking are provided by AWS, with physical security, environmental controls, and network segmentation handled by our infrastructure provider under their enterprise security programme. The full named sub-processor list is provided to customers under our Data Processing Agreement.

Network Security

TLS Everywhere

All data in transit between client and platform is encrypted using TLS 1.2 or higher. Plain HTTP connections are rejected.

API Gateway Controls

All API requests are routed through our managed edge network with built-in rate limiting and request validation.

Edge Function Isolation

AI-powered features run in isolated Edge Functions — no AI API keys or processing occurs client-side.

Secrets Management

All API keys and credentials are stored as server-side environment secrets. No sensitive credentials are exposed in client-side code or public repositories.

Section 3

Data Isolation

Data isolation is the most critical security property for a multi-tenant SaaS platform used by regulated industries. SMEDTEC OS enforces isolation at the database level — not just the application level.

Every table in SMEDTEC OS enforces Row-Level Security (RLS) policies at the PostgreSQL layer. This means that even if application-level access controls were bypassed, a user could not read or write data belonging to another organisation. Isolation is a database guarantee, not an application promise.

Row-Level Security (RLS)

RLS is implemented via PostgreSQL policies that scope every query to the authenticated user's organisation. Policies are applied automatically by the database engine on every SELECT, INSERT, UPDATE, and DELETE operation — with no possibility of accidental bypass in application code.

Organisation Scoping

Every record in the platform carries an organisation_id foreign key. RLS policies verify that the requesting user belongs to the organisation that owns the record before permitting any operation. Anonymous or cross-organisation access is structurally impossible.

Role-Based Access Within Organisations

Within an organisation, users are assigned roles that determine their read and write permissions. Viewer-role users cannot modify records. Member-role users can create and edit. Admin-role users have full access including configuration. Role checks are enforced at both the application and database layers.

Section 4

Access Controls

Authentication

User authentication is handled by a dedicated managed authentication service that provides industry-standard JWT-based session management. Passwords are hashed using bcrypt. Session tokens expire and are rotated on re-authentication.

Invitation-Only Onboarding

New users cannot self-register into an existing organisation. They must be explicitly invited by an Org Admin. This prevents unauthorised account creation within customer environments.

Internal Access

SMEDTEC Ltd personnel do not have routine access to customer data. Administrative database access is restricted to named personnel and requires justification. There is no "support backdoor" into customer organisations.

Role Read Access Write Access Admin Access
Viewer Full None None
Member Full Full None
Admin Full Full Full
SMEDTEC Ltd None (routine) None (routine) Break-glass only
Section 5

Encryption

At Rest

All data stored in our managed PostgreSQL databases is encrypted at rest using AES-256. This is managed at the infrastructure level by our cloud provider on AWS.

In Transit

All communications between clients and the platform use TLS 1.2+. Certificate management is handled by our managed edge network.

File Storage

Documents uploaded to the platform (vault files, registration certificates) are stored in managed object storage with server-side encryption. Pre-signed URLs are used for time-limited access.

Sensitive Credentials

Any regulatory portal credentials stored in the platform are encrypted at the application layer using pgcrypto before storage, in addition to the infrastructure-level encryption at rest.

Section 6

Data Protection

SMEDTEC Ltd is registered as a Data Controller and Data Processor under UK GDPR. We maintain a Data Processing Agreement (DPA) that governs the processing of personal data on behalf of customers.

Data Residency

Customer data is stored in EU/UK data centres by default. SMEDTEC Ltd does not transfer customer data outside of the UK/EEA without appropriate safeguards in place.

Data Retention

Customer data is retained for the duration of the subscription. Upon termination, customers have a 30-day window to export their data. Following the export window, data is deleted from production systems within 30 days and from backups within 90 days.

Personal Data in the Platform

SMEDTEC OS processes limited personal data — primarily user names, email addresses, and activity logs for audit purposes. The platform is not designed or intended to store patient data, clinical trial data, or special category personal data under GDPR.

The full Data Processing Agreement is available at smedtec.co.uk/dpa.

Section 7

Availability & Recovery

Uptime

SMEDTEC OS targets 99.9% uptime for the application layer. Underlying infrastructure uptime commitments are governed by our cloud provider's SLA. Planned maintenance is communicated with advance notice.

Backups

Database backups are performed continuously by our managed database provider with point-in-time recovery available. Backup retention periods align with the provider's standard managed database policy. SMEDTEC Ltd additionally performs periodic logical backups of customer data.

Disaster Recovery

In the event of a significant infrastructure failure, SMEDTEC OS can be restored from backup to a point-in-time state. Recovery objectives are reviewed as part of our ongoing security programme.

Section 8

Sub-processors

SMEDTEC OS relies on a small number of carefully selected sub-processors. Each is subject to data processing agreements and assessed against our security requirements.

Sub-processor Role Data Processed Location
Managed Cloud Backend Provider Database, Auth, Storage All platform data EU / UK
Anthropic AI features (Claude API) Query content only — no persistent storage US (API calls)
Vercel / CDN Application hosting & delivery Request metadata only EU edge nodes

AI features: Content submitted to AI-powered features is processed by Anthropic's API on a zero-retention basis for inference — it is not used to train models and is not stored by Anthropic beyond the duration of the API call. Customers may disable AI features within their organisation settings.

Named sub-processor list: the table above describes the categories of sub-processor relied on by the platform. The current named sub-processor list (including legal entity, registered address, and contact for data protection enquiries) is provided to customers under the Data Processing Agreement and made available to prospective customers under NDA on request.

Section 9

Compliance Roadmap

SMEDTEC Ltd is actively pursuing formal security certification. Our compliance roadmap is as follows:

Milestone Status Target
Platform Validation Statement (SMEDTEC-VAL-001) Complete February 2026
Data Processing Agreement (SMEDTEC-DPA-001) Complete February 2026
Security Overview (SMEDTEC-SEC-001) Complete March 2026
ISO 27001 Gap Analysis In Planning H2 2026
Penetration Testing (Initial) In Planning H2 2026
ISO 27001 Certification Roadmap 2027

Customers with enterprise procurement requirements who need evidence of certification sooner than our roadmap permits are encouraged to contact us to discuss our current security controls in detail. We are committed to transparency and will make available our validation documentation, DPA, and this security overview as a starting point for due diligence conversations.

Section 10

Contact

For security enquiries, vulnerability disclosures, or requests for the extended Security Information Pack, please contact us directly.

SMEDTEC Ltd — Security & Trust

For general security questions and due diligence requests:

[email protected]

We aim to respond to all security enquiries within 2 business days. For urgent matters or confirmed security incidents, please mark your subject line [SECURITY] for prioritised handling.