Vitruvian Shield
Compliance · Security · Procurement

Trust Portal

Everything procurement, security, and compliance teams need to evaluate Vitruvian Shield, in one place.

Compliance status

Current alignment status against the frameworks relevant to clinical research software in our target markets.

ALCOA++

Compliant

Data integrity principles for clinical trial data — Attributable, Legible, Contemporaneous, Original, Accurate, plus the second-tier Complete, Consistent, Enduring, Available.

EU GDPR

Compliant

General Data Protection Regulation — Article 9 special-category data handling for clinical health data, DPIA framework, data subject rights workflows.

ISO 27001

In progress

Information security management system. Currently in audit preparation.

ISO 13485

In progress

Medical devices quality management system. Currently in audit preparation.

ICH E6(R3) GCP

Planned

Good Clinical Practice guideline revision R3 — readiness work underway, full alignment scheduled.

FDA 21 CFR Part 11

Planned

FDA electronic records and electronic signatures requirements. Platform validation work in scope; submission-ready package planned.

EU MDR

Planned

Medical Devices Regulation 2017/745. Classification analysis and conformity assessment route planned with notified body.

Document Library

Download what's already published, or request what isn't through the inline form. Requests are reviewed within two business days.

Data Processing Agreement (DPA) template

GDPR Article 28 compliant template for use between Vitruvian Shield and customer controllers.

Available on Request

GDPR DPIA template

Data Protection Impact Assessment template prefilled with platform-specific data flows and risk categorisation.

Available on Request

Platform Validation Summary — 21 CFR Part 11 readiness

Computer system validation summary covering electronic records, audit trails, electronic signatures, and the open-system controls applicable to a SaaS platform.

Available on Request

Audit Trail Technical Specification

Detailed specification of the immutable audit trail, event taxonomy, retention policy, and customer-export endpoints.

Available on Request

Vendor Security Questionnaire (pre-filled response)

Pre-filled vendor security questionnaire covering organisational security, access control, cryptography, incident response, business continuity, and sub-processor management.

Available on Request

Sub-processors and data residency

Third parties processing data on behalf of Vitruvian Shield, with their purpose, processing location, and security certifications.

Sub-processor                      | Purpose                                                                 | Processing locations | Certifications
Vercel Inc.                        | Web application hosting (marketing site) and edge delivery              | US, EU               | SOC 2 Type II, ISO 27001
Resend (Drift Net Inc.)            | Transactional email delivery for marketing forms                        | US                   | SOC 2 Type II
Google Analytics (Google LLC)      | Anonymised website traffic analytics. No clinical platform data.        | US, EU               | ISO 27001, ISO 27017, ISO 27018

Sub-processor changes are notified to customers in advance. Clinical platform data is hosted in the EU by default; ask about regional residency options at procurement time.

Security practices

How Vitruvian Shield protects clinical data and platform access.

Access to platform data follows least-privilege principles. Every customer-side action is authenticated, authorised against a role and project scope, and recorded in an immutable audit trail. Administrative access to production systems is restricted to a named operations team, gated by multi-factor authentication and logged independently.
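The paragraph above describes two controls that are easy to state and easy to get subtly wrong: an authorisation decision scoped to both a role and a project, and an audit trail that cannot be silently edited after the fact. The following is an added illustration written for this page, not Vitruvian Shield's own code, and the role names, permission strings and event fields are assumptions. It records every access decision (allowed or denied) in a hash-chained log, and the verify step shows how a tampered record is detected.

```python
"""Added example: role/project-scoped authorisation with a hash-chained audit trail.

Illustrative code for this page only; it is not the platform's implementation.
The roles, permissions and event layout below are assumed for the demo.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-permission mapping (constructed for this example).
ROLE_PERMISSIONS = {
    "investigator": {"subject.read", "subject.write"},
    "monitor": {"subject.read", "audit.export"},
    "viewer": {"subject.read"},
}


@dataclass
class User:
    user_id: str
    role: str
    projects: frozenset  # project scope this user is authorised for


@dataclass
class AuditTrail:
    """Append-only log: each record commits to the hash of the previous record."""
    records: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the same record always hashes the same way.
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(raw).hexdigest()

    def append(self, event: dict) -> dict:
        prev_hash = self.records[-1]["hash"] if self.records else "0" * 64
        record = {"seq": len(self.records), "prev_hash": prev_hash, **event}
        record["hash"] = self._digest(record)  # hash covers seq, prev_hash and event
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """True only if every record's hash is intact and the chain is unbroken."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev:
                return False
            if self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def authorize(user: User, action: str, project: str, trail: AuditTrail) -> bool:
    """Allow only if the role grants the action AND the project is in scope.

    Every attempt is written to the trail, including denials, so the log shows
    probing as well as successful access.
    """
    role_ok = action in ROLE_PERMISSIONS.get(user.role, set())
    scope_ok = project in user.projects
    allowed = role_ok and scope_ok
    trail.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": user.user_id,
        "role": user.role,
        "action": action,
        "project": project,
        "outcome": "allow" if allowed else "deny",
    })
    return allowed


def demo() -> dict:
    """Run a constructed scenario and report decisions and chain integrity."""
    trail = AuditTrail()
    monitor = User("u-monitor", "monitor", frozenset({"P-001"}))
    outcomes = [
        authorize(monitor, "subject.read", "P-001", trail),   # in role, in scope
        authorize(monitor, "subject.write", "P-001", trail),  # role lacks permission
        authorize(monitor, "subject.read", "P-002", trail),   # outside project scope
    ]
    intact_before = trail.verify()
    # Simulate someone editing a stored denial into an approval.
    trail.records[1]["outcome"] = "allow"
    intact_after = trail.verify()
    return {
        "outcomes": outcomes,
        "records": len(trail.records),
        "intact_before_tamper": intact_before,
        "intact_after_tamper": intact_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to check when evaluating a vendor's audit trail is the last two fields of `demo()`: a log that is merely append-only in the application layer can still be edited at the storage layer, whereas a chained digest (or an equivalent external anchor) lets a customer verify an exported trail independently.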

Clinical data is encrypted at rest with AES-256 and in transit with TLS 1.2 or above, with HSTS enabled. Encryption keys are managed by the cloud provider's key management service and rotated on the provider's schedule, with operator access policies enforced at the key layer rather than the application layer.

Application dependencies are tracked in a continuously updated Software Bill of Materials. Security advisories against direct and transitive dependencies are triaged within one business day for critical vulnerabilities, with patches applied through the standard release pipeline. The SBOM is available to customers on request via the Document Library.

Incident response follows a documented runbook covering detection, triage, containment, eradication, recovery, and post-incident review. Customers affected by an incident are notified within the windows mandated by the applicable regulation (24 hours for many GDPR cases).

Penetration testing and vulnerability disclosure

Independent security testing and a published path for researchers to report issues responsibly.

Most recent independent test

Pending Publication

External web application and API surface, with grey-box methodology against the staging environment.

Responsible disclosure

Security researchers who believe they have found a vulnerability in Vitruvian Shield are encouraged to report it through the contact below. Reports are acknowledged within 72 hours and triaged within five business days. We do not pursue legal action against researchers who follow our disclosure policy.

security@vitruvianshield.com

Audit and certification roadmap

Target sequence and current status for the certifications under preparation. Target dates appear here once formally committed with the auditor or notified body.

ISO 27001

Target date to be confirmed

In progress

ISO 13485

Target date to be confirmed

In progress

ICH E6(R3) GCP

Target date to be confirmed

Planned

FDA 21 CFR Part 11

Target date to be confirmed

Planned

EU MDR

Target date to be confirmed

Planned

Contact a Compliance Officer

For framework-specific questions, sub-processor due-diligence requests, or anything not covered above.