Trust & Compliance
Security Overview
Last updated: 22 June 2026
StibaOS is built for Indian pharmaceutical MSMEs operating under Schedule M, CDSCO, and WHO GMP. Security is not a feature added later — it is the foundation. This document explains how we protect Customer Data, signatures, and audit trails.
This overview is illustrative. Detailed control mappings (control IDs, evidence, penetration test summaries) are shared with prospective tenants under NDA during evaluation.
1. Infrastructure & Data Residency
- Region: Cloud deployments run on AWS in the
ap-south-1(Mumbai) region by default. On-premise deployments keep data inside the Tenant’s network entirely. - Isolation: Each tenant’s data is logically isolated by tenant ID and row-level security. Cross-tenant access is technically prevented at the database query layer.
- Backups: Encrypted backups every 24 hours, retained for 30 days (production) and 90 days (audit trail). Restore drills are run quarterly.
- Network: All external traffic terminates at a WAF + TLS 1.2+ load balancer. Internal services communicate over a private VPC; no production database is reachable from the public internet.
2. Encryption
- In transit: TLS 1.2+ (TLS 1.3 preferred) for all HTTP traffic. HSTS enabled. Internal service-to-service traffic is also encrypted.
- At rest: AES-256 encryption for databases, object storage, and backups. Keys are managed in AWS KMS with separate CMKs per environment.
- Application secrets: Database credentials, API keys, and signing keys are stored in AWS Secrets Manager and rotated every 90 days.
- Audit trail integrity: Audit trail records are cryptographically chained (SHA-256 hash of the prior record). Tampering or deletion is detectable on verification.
3. Access Control
- Authentication: Email + password (bcrypt-hashed) and optional MFA (TOTP). SAML SSO is available for enterprise tenants.
- Role-based access: Each Tenant assigns roles (Plant Head, QA Head, Production Supervisor, QC Analyst, Operator, Inspector) with least-privilege permissions. Role definitions follow Schedule M responsibility separation.
- Elevation: No StibaOS staff member has standing access to Customer Data. Break-glass access requires (a) explicit ticket approval, (b) time-boxed grant, (c) full session recording, and (d) post-access review.
- Production access logs: Every StibaOS engineer action in production systems is logged and reviewed quarterly.
4. 21 CFR Part 11 Alignment
The Platform implements the technical and procedural controls expected under 21 CFR Part 11:
- §11.10 Controls for closed systems: validated access, audit trail, sequencing, device checks, operational checks, authority checks.
- §11.50 Signature manifestations: every signed record displays signer name, date, time, and meaning of signature.
- §11.70 Signature & record linking: signatures are cryptographically bound to the record they apply to. Removal of a signature invalidates the record.
- §11.200 Electronic signatures: two distinct components (password + MFA) for non-authoritative signatures; binding to identity is verified by Tenant administrator before enabling.
- §11.300 Controls for identification: credential uniqueness, password complexity, periodic expiry, deactivation after failed attempts.
5. Schedule M 2024 Alignment
- Self-Inspection (§12): inspection-readiness module surfaces gaps against all 8 live Schedule M sections with scored evidence.
- Change Control (§3.7): change records require impact assessment, approval workflow, and traceability to affected documents and batches.
- Deviation & CAPA (§3.5, §3.6): deviations link to root cause, CAPA, effectiveness check, and closure evidence. Audit trail spans the full lifecycle.
- Documentation (§3.4): eDMS enforces version control, approval workflow, periodic review, and retention per Schedule M.
- Training (§3.3): role-based training plans with competency assessment, evidence of completion, and impact analysis on role change.
6. Other Regulatory Posture
- WHO GMP: quality system module maps to WHO TRS 1033 (Annex 2) good practices for pharmaceutical quality control.
- CDSCO: regulatory module supports CTD-style submission traceability for new drug approvals and post-approval variations.
- DPDP Act, 2023: data subject rights, breach notification (72h to tenant, to Data Protection Board where required), and data residency defaulted to India.
- ISO 27001 (planned): information security management system aligned. Certification target within 12 months of commercial rollout.
7. Application Security
- Secure SDLC: code reviews required for all merges. Dependency vulnerabilities scanned continuously (npm audit + Snyk-style scanning). Critical CVEs patched within 7 days.
- Input validation: server-side Zod validation on every API endpoint. SQL injection prevented via parameterized queries.
- CSRF: same-site cookies + signed CSRF tokens for state-changing requests.
- Rate limiting: per-IP and per-user rate limits on auth endpoints and write APIs.
- Session management: short-lived JWTs with refresh tokens, configurable idle timeout, forced re-auth for sensitive actions (e-signature, role change).
8. Vulnerability Disclosure & Penetration Testing
We engage independent third parties for annual penetration testing covering OWASP, auth bypass, tenant isolation, and audit trail integrity. Summary reports are available to prospective tenants under NDA.
Responsible disclosure: if you identify a security issue, please email security@stibaos.com with details. We acknowledge within 24 hours, provide an initial assessment within 72 hours, and remediate critical issues within 7 days. We do not pursue legal action against good-faith reporters.
9. Incident Response
- Detection: centralized logging, anomaly detection on auth and audit-trail integrity, alerting on suspicious admin activity.
- Containment: automated revocation of compromised credentials, IP blocking, and tenant-level freeze where required by regulators.
- Notification: affected tenants notified within 72 hours of confirmed breach, with nature, scope, and remediation steps.
- Post-incident: root-cause analysis shared with affected tenants within 14 days.
10. Personnel & Sub-processors
- All StibaOS engineers and operations staff sign confidentiality agreements and complete annual security and GMP awareness training.
- Background verification is conducted for personnel with access to production systems.
- Sub-processors are contractually bound to equivalent security obligations. Current list available on request and in our Privacy Policy.
11. Compliance Reporting
Tenants can request (a) audit trail integrity reports, (b) access review summaries, (c) sub-processor lists, and (d) uptime SLA reports via their account manager. Reports are delivered within 10 business days.
12. Contact
Security inquiries, penetration test requests, or vulnerability reports: security@stibaos.com.
Questions about this document? Email legal@stibaos.com or write to us at the registered address listed in your agreement.