Terms

USER AGREEMENT

Effective Date May 17th, 2025 

RAPAhub is a Software-as-a-Service platform provided by Pattern of USA Inc. for regulatory affairs professionals in the life sciences, food, agriculture, and veterinary sectors, as well as legal, graphic design, IT specialists, and medical and pharmaceutical professionals. It serves as a voluntary Regulatory Affairs Partners Association hub, acting as both a knowledge database and a service marketplace connecting various users (such as manufacturers, regulatory experts, agencies, and startups). This “USER AGREEMENT Terms and Conditions” document (these “Terms“) is a legally binding agreement between you (the User) and Management Company of USA Inc. (the operator of RAPAhub) governing your use of the RAPAhub platform. By accessing or using the website RAPAhub.com (the Site) or any services provided by RAPAhub (collectively, the Service), you confirm that you are at least 18 years old and agree to be bound by these Terms. If you do not agree to all of these Terms, you must not use the platform or any RAPAhub services.

Terms and Conditions of RAPAhub

1. Definitions

For the purpose of these Terms, the following capitalized terms have the meanings given below*:

• RAPAhub (the Platform): The online platform and services available at RAPAhub.com, operated by Pattern of USA Inc., through which Users may interact, share information, and enter into service arrangements.
• Pattern of USA Inc. (the Management Company, or Company): Pattern of USA Inc., the U.S.-based company that owns and manages RAPAhub. References to we, us, or our refer to Pattern of USA Inc. and its affiliates, including RAPAhub.
• User: Any person or entity who accesses or uses the Platform in any capacity. This includes Clients, Experts, and any other participants, such as agencies or organizations using the Platform. Users join RAPAhub in an individual capacity (see Section 3 on Accounts and Nodes).
• Client: A User (such as an individual, manufacturer, startup, or other organization) that seeks or purchases regulatory affairs services or expertise through the Platform.
• Expert (or Executor): A User (such as an independent regulatory professional, consultant, or agency) that offers and provides regulatory affairs services or expertise through the Platform. (For convenience, Experts may also be referred to as Service Providers or Executors in these Terms.)
• Service Contract: The contractual arrangement formed between a Client and an Expert when they agree on the provision of specific services or deliverables via the Platform. A Service Contract may include agreed Key Performance Indicators, milestones, timelines, and payment terms, as facilitated by RAPAhub (see Section 6).
• RAPAcoin: A digital reward or loyalty token offered by RAPAhub to Users for participation or successful transactions on the Platform. RAPAcoins have no cash value unless and until RAPAhub, in its discretion, permits redemption or use for specific benefits. RAPAcoins may be subject to vesting or other conditions, and any unvested (and, in certain cases, vested) RAPAcoins may be forfeited as described in these Terms (e.g., for violations of Section 7 or Section 12).
• Node: A profile or page on the Platform representing an organization, company, or institutional entity, which is created and managed by an individual User. Nodes allow Users to associate with or represent their employer or organization on the Platform while maintaining their personal User account. (See Section 3b regarding ownership continuity of Nodes in case of job changes.)
• Content: Any text, data, information, files, images, graphics, projects, offers, reports, roadmaps, news, comments, or other materials that a User creates, uploads, posts, or contributes on the Platform. User Content refers to Content contributed by Users. RAPAhub Content refers to Content created by or for RAPAhub (including collective knowledge databases, compilations, analytics, and any content generated as part of the Platform’s services).
• Confidential Information: Any non-public or proprietary information disclosed by one party to another in the context of using the Platform or a Service Contract, which is either designated as confidential or would reasonably be understood to be confidential given the nature of the information and the circumstances of disclosure. (See Section 8 on Non-Disclosure.)
• Sanctioned Country: Any country or region that is subject to comprehensive economic sanctions or embargoes under U.S. law (for example, Cuba, Iran, North Korea, Syria, Russia, and the Crimea/Donetsk/Luhansk regions of Ukraine are under U.S. sanctions). Users in or ordinarily resident in Sanctioned Countries, or who are otherwise prohibited by U.S. Office of Foreign Assets Control (OFAC) regulations, are not permitted to use the Platform (see Section 4c).

*(Additional capitalized terms may be defined elsewhere in these Terms or in the context of their use.)

2. Acceptance of Terms and Updates

2a. Legal Agreement: By registering for a RAPAhub account or otherwise using the Platform, you signify your acceptance of and agreement to these Terms, as well as to any other policies or agreements expressly incorporated by reference (such as our Privacy Policy). If you are using the Platform on behalf of a company or other legal entity, you represent that you have the authority to bind that entity to these Terms, and “you” and “your” will refer to both you as an individual and that entity.

2b. Most Recent Terms Binding: The official version of the USER AGREEMENT Terms and Conditions is the version published on the RAPAhub website (RAPAhub.com) with the most recent effective date. This version supersedes all earlier agreements and versions. Continued use of the Platform after any changes to these Terms constitutes your acceptance of the updated Terms. It is your responsibility to review the Terms periodically. If you do not agree with a change, you must stop using the Service. Notwithstanding the date you joined or first agreed to the Terms, the latest posted Terms are binding on you for any continued or new use of the Platform.

2c. Modifications: RAPAhub reserves the right to modify or update these Terms at any time. We will provide notice of material changes by posting the updated Terms on our Site (and updating the “Effective Date” if applicable) and/or by sending you a notification via email or the Platform messaging system. Your continued use of the Service after such update constitutes acceptance of the revised Terms. If you do not agree to a modification, you must cease using the Platform.

3. User Accounts and Nodes

3a. Individual Registration: To access certain features of the Platform, you are required to create a User account. Each account must be registered to a single natural person (individual), and you may be asked to provide accurate, current, and complete information during registration (including your real name, email, contact details, professional qualifications, etc.). You agree to keep your account information updated. You must maintain the confidentiality of your login credentials and are responsible for all activities that occur under your account. You may not share your account with others or use another person’s account. If you suspect any unauthorized use of your account, you must notify RAPAhub immediately.

3b. Nodes (Organizational Profiles): While accounts are individual, RAPAhub allows Users to create or administer Nodes to represent companies, employers, or organizations. Nodes are designed for ownership continuity: if a User who administers a Node leaves the organization or changes employment, the Node (and any associated profile or content for that organization) can be transferred to or managed by another authorized User, as approved by RAPAhub. Conversely, the departing User retains their personal account and professional history on the Platform, which remains with them as an individual. By creating or managing a Node, you represent and warrant that you have the rights or authority to represent that organization and to act on its behalf. The organization’s presence on RAPAhub via a Node is subject to these Terms, and the organization (through its authorized agents) is considered a User for purposes of compliance.

3c. Free to Join: Setting up a User account and basic profile on RAPAhub is free of charge. RAPAhub does not charge any upfront fees for creating an account or a Node. However, transaction-based fees and commissions apply as described in Section 5, and certain premium services or subscriptions might carry fees as described on the Site.

3d. Account Termination: You may close your account at any time if you no longer wish to use the Platform, subject to the provisions of Section 12 (Termination) below. RAPAhub also reserves the right to suspend or terminate accounts as described in Section 12. Even after an account is closed, these Terms (and any updated Terms) will still apply to prior usage of the Platform and specific provisions that by their nature survive termination (such as intellectual property rights, confidentiality, dispute resolution, etc.) shall remain in effect.

4. Use of the Platform and User Obligations

4a. Service Description: RAPAhub.com provides a platform that offers a Regulatory Affairs knowledge base and a professional marketplace for life science and related industries. Through RAPAhub, Clients can obtain an overview of regulatory requirements and connect with local professionals or industry players offering regulatory solutions for life science products and services, as described on our Site. The Platform includes features such as searchable databases of regulatory experts and organizations, project posting and bidding tools, communication interfaces, content libraries (e.g., regulatory news, roadmaps, reports), and an escrow-based payment system for services. RAPAhub itself does not provide consulting or regulatory services; rather, it facilitates connections and transactions between Users (Clients and Experts).

4b. Platform Only – No Employment: RAPAhub is a neutral venue that enables Clients and Experts to meet and do business. The Company is not an employer of Experts, nor are we a party to the Service Contracts between Users. Users acknowledge that no employment, joint venture, partnership, or agency relationship exists between RAPAhub and any User as a result of this Agreement or the use of the Platform. Experts engaged through the Platform operate as independent contractors or service providers to their Clients, not as employees of RAPAhub or Management Company. RAPAhub does not direct or control the work of Experts or the advice/services provided, and RAPAhub does not set work hours, work locations, or salary for any Expert. RAPAhub is not responsible for any employment obligations, such as paying wages, payroll taxes, workers’ compensation, insurance, or benefits, for any work performed by Experts for Clients. It is the responsibility of Clients and Experts to manage their own working relationship in compliance with applicable laws.

4c. Compliance with Laws (Including Sanctions): You agree to use the Platform in compliance with all applicable laws and regulations. This includes U.S. export control and sanctions laws. You represent and warrant that:

• You are not located in, a resident of, or physically present in any Sanctioned Country, nor are you on any U.S. government list of prohibited or restricted parties (such as the Specially Designated Nationals list).
• You will not use the RAPAhub Platform to conduct or facilitate any transaction that is prohibited by sanctions, export controls, or other laws.
• RAPAhub may restrict access to the Platform from certain countries or regions if required by law. Use of the Platform is void where prohibited by applicable laws. We reserve the right to terminate or suspend any account that violates this subsection (for example, if a User is found to be in a Sanctioned Country or engaging with sanctioned entities), in addition to other remedies (see Section 12).

4d. Appropriate Use and Conduct: You agree not to misuse the Platform or Service. Misuse includes, but is not limited to:

• Using the Platform for any unlawful, fraudulent, or malicious purpose or to further any illegal activity.
• Impersonating any person or entity, or falsely stating or misrepresenting your identity or affiliations.
• Posting or transmitting any content that is unlawful, defamatory, harassing, abusive, threatening, harmful, obscene, or otherwise objectionable.
• Uploading or distributing viruses, malware, worms, or any other harmful code that could damage the Platform or any User’s software or equipment.
• Attempting to gain unauthorized access to any portion of the Platform, other User accounts, or any systems or networks connected to the Platform (e.g., hacking, password mining).
• Interfering with or disrupting the integrity or performance of the Platform, including launching any systematic attack (such as a denial-of-service attack) or using any robot, spider, scraper, or other automated means to access the Platform for any purpose without our express written permission.
• Harvesting or collecting information about other Users without their consent.
• Engaging in any activity that violates any professional code of conduct or regulatory standards applicable to your field (especially relevant for regulatory affairs professionals).

RAPAhub reserves the right to investigate and take appropriate action (which may include account termination, legal action, and cooperation with law enforcement) if you violate this Section or any other provision of these Terms.

4e. Accuracy of Information: You are responsible for any information, data, or content you provide on the Platform. You agree to provide true, accurate, and complete information whenever prompted (such as profile information, project descriptions, qualifications, credentials, etc.) and to refrain from posting misleading or false information. RAPAhub does not independently verify all information posted by Users and is not liable for any false or misleading information; however, if we discover or receive credible notice that information you provided is incorrect or fraudulent, we may remove such information and/or suspend your account.

4f. Platform Tools: RAPAhub may provide communication tools (messaging systems, forums, video conferencing) and transactional tools (proposal submissions, project management dashboards, escrow payment system) for Users to use in connection with the Service. You agree to use these tools only for their intended purposes related to the Platform’s services. You must not abuse the tools (for example, spamming other Users with unsolicited messages, or using the project posting system for advertising unrelated services).

4g. Privacy: You acknowledge and agree that RAPAhub’s collection, use, and disclosure of your personal information is governed by our Privacy Policy (available on our website and incorporated herein by reference). The Privacy Policy explains how we handle your personal data and protect your privacy when you use our Service. By using the Platform, you consent to the collection and use of information as outlined in the Privacy Policy.

5. Fees, Commission, and Payment Methods

5a. Service Fees and Commission: RAPAhub’s marketplace operates on a commission-based model. While creating an account and posting opportunities is free, RAPAhub charges a commission fee on paid transactions (service contracts) facilitated through the Platform. The commission is generally ten percent (10%) of the total payment made by a Client to RAPAhub and from RAPAhub to an Expert for a given project or service (unless a different rate is specified for a particular subscription plan or promotion). This commission may be deducted from the payments released to the Expert or added on top of the Client’s payment, as specified by RAPAhub’s fee schedule. All commission fees are earned by RAPAhub upon the successful completion of a payable outcome (e.g., a completed milestone or project) and are non-refundable except as expressly provided in these Terms or required by law.

5b. Payment Methods: RAPAhub supports several payment methods for Clients to fund projects and for Experts to withdraw earnings. Acceptable payment methods include, for example, bank transfers, credit or debit cards, and PayPal. The availability of certain payment options may depend on the location and is subject to change. By providing payment information, you represent that you are authorized to use the payment method and you authorize RAPAhub or its payment processor to charge the fees and amounts described for the services or escrow funding. Clients are responsible for ensuring that their selected payment method has sufficient funds or credit available at the time of a transaction.

5c. Escrow Payments: RAPAhub may operate an escrow system for payments between Clients and Experts. In such cases, a third-party licensed escrow or payment agent (which may be an affiliate of RAPAhub) will hold funds on behalf of the Client and Expert until release conditions are met (see Section 6 on Service Contracts). By using the Platform’s escrow or payment features, Users agree to the applicable escrow terms and instructions, which will be provided or referenced when you engage in an escrow transaction. RAPAhub is not a bank, and any escrow funds or payments are not insured by the FDIC; however, escrow funds are held in a segregated account by the payment agent per regulatory requirements.

5d. Subscription Fees (if applicable): RAPAhub may offer optional paid subscription plans or premium services for Users (for example, enhanced profile visibility, additional analytics, or enterprise features). Any such subscriptions and their fees will be described on the Site or in a separate agreement or addendum. Subscription fees, if charged, will be billed as described (e.g., monthly or annually) and are generally non-refundable once paid, except as required by law or explicitly stated otherwise. RAPAhub reserves the right to change subscription fees or introduce new fees with reasonable notice to Users.

5e. Taxes: Users are responsible for paying any applicable taxes (including but not limited to VAT, sales tax, service tax, GST, or income taxes) that may be levied in connection with their use of the Platform. The commission fees charged by RAPAhub do not include any taxes; if any taxes are required by law to be collected on those fees, RAPAhub may add such taxes to the fees or otherwise collect them as required. Experts are solely responsible for determining and fulfilling their tax obligations arising from the income received via the Platform. RAPAhub is not responsible for withholding or paying any income tax, payroll tax, or social security contributions on behalf of Experts. However, RAPAhub reserves the right, where legally required, to report payments to Experts to tax authorities or to deduct or withhold taxes (for example, under U.S. Internal Revenue Service rules for certain payments to foreign persons, or similar regulations in other jurisdictions).

5f. Currency: By default, all transactions on RAPAhub are processed in U.S. Dollars (USD), unless otherwise stated or agreed by the parties and supported by the Platform. If currency conversion is required, it will be done at an exchange rate and/or with fees determined by our payment processor or your bank, and RAPAhub is not responsible for the exchange rates applied.

5g. No Circumvention of Fees: You agree not to take any action that would circumvent the payment of fees or commission to RAPAhub. Avoiding or reducing the Platform’s fees by conducting transactions outside the Platform that were initiated on RAPAhub is a serious breach of these Terms (see Section 7 on Non-Circumvention for details and consequences).

6. Service Contracts Between Users (Master Service Agreement Terms)

When a Client and an Expert agree to collaborate on a project or service through RAPAhub, they are entering into a Service Contract directly with each other, under the following default terms (which serve as a built-in Master Service Agreement between Client and Expert, unless they agree otherwise in writing through the Platform):

6a. Formation of Contract: A Service Contract is formed when a Client accepts an Expert’s proposal or quote, or when both parties explicitly agree via the Platform’s interface to proceed with a project (for example, by clicking “Accept” on a proposal, or signing an electronic work order). The Service Contract includes the terms of the proposal (or other agreed scope of work), these Terms, and any additional terms mutually agreed upon in writing on the Platform (such as a separate Non-Disclosure Agreement or specific project addendum, if applicable). RAPAhub is not a party to this contract but acts as a facilitator and escrow agent as described here.

6b. Scope and KPIs: The Client and Expert should clearly define the scope of work, deliverables, and any Key Performance Indicators (KPIs) or milestones that will be used to measure completion or success of the work. This can be done in the project description, proposal, or an attached document via the Platform. Both parties are responsible for ensuring that the agreed scope and KPIs are documented. The Expert shall use reasonable skill and diligence in performing the services and shall deliver any agreed work product or results in accordance with the agreed KPIs or standards.

6c. Escrow Funding and Payment Releases: The Client agrees to fund the agreed-upon fee into the Platform’s escrow system before the Expert begins work or before each milestone (as required by the Platform’s workflow). RAPAhub (through its escrow agent) will hold the funds until the Expert completes the work (or milestone) and the Client accepts the deliverables. When the Client confirms satisfaction with the delivered work (or is deemed to have accepted as per an approval time frame set by Platform policy), the escrow funds for that phase will be released to the Expert, minus any RAPAhub commission. If the Service Contract is structured in phases or milestones, this process repeats for each milestone. Refunds from escrow to the Client are permitted only in accordance with subsection (d) below.

6d. Acceptance and Refunds: The Client should review deliverables promptly upon receipt. If the work meets the agreed criteria/KPIs and any agreed documentation or evidence of completion is provided, the Client should mark the milestone or project as accepted, which authorizes release of payment to the Expert. If the Client believes the work does not meet the agreed specifications or KPIs, the Client must notify the Expert (and/or RAPAhub through provided dispute channels) within a reasonable time (within 24 hours of delivery or within a specific timeframe set by RAPAhub’s guidelines), providing details of the deficiencies. The Expert will then have the opportunity to correct or complete the work. If an Expert fails to deliver a portion of the work or does not remedy the deficiencies within a reasonable timeframe, that phase of the project may be considered incomplete. In such cases, the Client may be entitled to a refund of the escrow funds for the incomplete phase or deliverables. Refunds are only issued for work that was not completed or accepted; fees for any completed and accepted milestones are non-refundable. If a dispute arises regarding whether work was completed satisfactorily, RAPAhub may step in to facilitate a resolution as described in subsection (f).

6e. Documentation of Completion: Experts are encouraged to provide clear documentation or evidence when delivering work (for example, reports, screenshots, regulatory submission confirmation, etc.) to demonstrate that KPIs or milestones have been achieved. Clients should base their acceptance or requests for revision on these documented deliverables. Both parties agree to maintain copies of important project communications and documents on the Platform to ensure there is a record in case of disputes.

6f. Dispute Resolution Between Client and Expert: In the event of a dispute under a Service Contract (for example, disagreement about whether deliverables meet the requirements, or if either party claims a breach of the agreement), the parties should first attempt in good faith to resolve the issue between themselves using the Platform’s messaging or negotiation tools. If they cannot reach a mutually agreeable resolution, they may escalate the matter to RAPAhub by contacting customer support or using any dispute resolution feature provided. RAPAhub may, at its discretion, assist in mediating the dispute. As a neutral facilitator, RAPAhub has the right (but not the obligation) to review the communications and materials on the Platform related to the project and propose a fair resolution. This could include recommending a partial refund, additional time for corrections, or another compromise. In certain cases, RAPAhub (through its escrow agent) may make a final determination on the release of escrow funds if the parties cannot agree, especially if there is clear evidence of one side fulfilling or not fulfilling their obligations. Both Client and Expert agree to abide by RAPAhub’s decision on escrow fund release in such a case, unless they pursue an alternate legal remedy outside the Platform (as permitted under Section 13, after exhausting the Platform’s dispute process). Important: RAPAhub’s involvement in dispute resolution is intended to guide the parties to settlement; it does not make RAPAhub a party to the Service Contract, and RAPAhub assumes no liability for the outcome. The parties retain the right to pursue legal recourse against each other independently, subject to the dispute resolution clauses of these Terms (Section 13), but not against RAPAhub (per Sections 10 and 11).

6g. Relationship of Client and Expert: Both Clients and Experts agree that their Service Contract is a contract for services between two independent parties. The Expert is performing services as an independent contractor for the Client, not as an employee or agent. The Expert is solely responsible for determining the manner and means of performing the work, and for any employees or subcontractors they engage (with Client’s consent if required). The Expert is responsible for all business or professional registrations, licenses, and permits required to perform the services, and for compliance with all laws (including, if applicable, laws requiring payment of worker compensation, social security, disability, or other contributions). Nothing in the Service Contract or on the Platform creates an employment relationship between the Expert and the Client, or between the Expert and RAPAhub/Management Company.

6h. Intellectual Property in Deliverables: Unless otherwise expressly agreed between the Client and Expert in writing, any work product, deliverable, or intellectual property created by the Expert as part of a Service Contract is deemed a “work made for hire” for the Client. If by operation of law the work product might not be considered a work made for hire, the Expert agrees to and hereby does assign to the Client all rights, title, and interest in and to the work product upon the Expert’s receipt of full payment for the project. The Expert further agrees to cooperate with the Client and take any actions reasonably necessary to transfer or confirm ownership of intellectual property rights to the Client. Conversely, the Client agrees that until full payment is made for the project, the Expert retains all intellectual property rights in the work product. The Expert also retains ownership of their background knowledge, tools, and know-how used to perform the work (unless agreed otherwise), but the Expert grants the Client a broad license to use anything incorporated into the deliverables that is not exclusively developed for the Client. Both parties agree to execute any necessary documents to effectuate the ownership transfer of IP in deliverables, if requested. (This provision does not apply to any Content that Users contribute to the RAPAhub knowledge database or public areas, which is covered by Section 9b.)

6i. No Warranty of Outcomes: Under the Service Contract, the Expert will make good-faith efforts to achieve the Client’s desired outcomes (e.g., regulatory approvals, compliance strategies). However, neither the Expert nor RAPAhub guarantees that any particular result will be achieved (such as regulatory agency approval of a product), as these outcomes depend on many external factors. The Service Contract is for the provision of qualified effort and deliverables, not an assurance of a specific business result.

6j. Master Agreement Nature: This Section 6 is intended to serve as a master set of terms governing the relationship between Clients and Experts. Clients and Experts may agree to additional terms provided they do not conflict with these Terms or with RAPAhub’s policies, and any such additional terms should be documented via the Platform’s communication tools for clarity. In case of a direct conflict between Section 6 and any expressly agreed written terms between a Client and Expert, RAPAhub will default to enforcing these Terms as the baseline, but the parties remain free to honor any stricter or more specific obligations between themselves (e.g., if they sign a separate confidentiality agreement or non-compete specific to their project).

7. Non-Circumvention and Platform Exclusivity

RAPAhub provides a marketplace that is sustained by the commission on transactions and the engagement of Users through the Platform. To protect the integrity of the marketplace and RAPAhub’s business model (including the vesting of RAPAcoins as rewards), you agree to the following non-circumvention provisions:

7a. Exclusive Communication: Users (Clients and Experts) who first connect via RAPAhub must conduct all substantive communications regarding potential or ongoing projects through the Platform. This means you should use RAPAhub’s messaging, discussion boards, or video call features for discussing project requirements, clarifications, deliverables, and feedback. You must not solicit or share direct contact information (such as personal email, phone number, Skype/Zoom ID, etc.) with another User for the purpose of bypassing the Platform, unless explicitly permitted by RAPAhub management in writing. (For example, if a particular regulatory project legitimately requires off-platform communication tools or site visits, RAPAhub may grant permission in writing and impose conditions to ensure the commission is still accounted for.)

7b. Exclusive Payment Handling: All payments for services originating through RAPAhub must be made through the Platform’s payment system. Clients shall not pay Experts, and Experts shall not request or accept payment, by any means outside the Platform, for any work initially identified, scoped, or agreed upon through RAPAhub. Prohibited payment methods outside the Platform include, but are not limited to, direct bank transfers (unless facilitated as a funding method via the Platform), cash, checks, cryptocurrency transfers outside the official RAPAcoin system, or any third-party payment processor not integrated with RAPAhub.

7c. Duration of Non-Circumvention Obligation: The obligations in 7a and 7b apply during the time you have an active RAPAhub account and for a period of 36 months thereafter with respect to any other User you engaged with through RAPAhub. In other words, if you connect with a particular Client or Expert via RAPAhub, you agree not to circumvent the Platform to work with that person outside RAPAhub for at least two years from your last interaction on the Platform with that person, without paying the required commission to RAPAhub. (Note: This does not apply if you had a pre-existing relationship with the User outside RAPAhub prior to using the Platform, as evidenced by prior communications or contracts)

7d. Prohibited Circumvention Activities: By way of illustration, and not limitation, you agree that you will not:

• Offer, solicit, or accept any offer to contract, hire, pay, or receive payment outside of RAPAhub from any User you identified or met through the Platform, for work that could be conducted through RAPAhub.
• Conceal or misrepresent the value of transactions conducted with another User met on the Platform (for example, reporting a lower payment amount on the Platform than actually agreed, in order to reduce fees).
• Refer or introduce any User you met on RAPAhub to a third-party service or platform for the purpose of transacting outside RAPAhub.
• Share any contact information in a public or private message with the intent of conducting off-platform communications or payments in violation of this Section.

7e. Notification and Cooperation: If another User suggests or attempts any action that would involve communicating or paying outside the Platform (in violation of this Section), you agree to notify RAPAhub immediately (you can contact us at our support email or use an in-platform reporting tool if available). RAPAhub may investigate and take action against Users attempting to circumvent these rules.

7f. Permitted Exceptions: In rare cases, a Client or Expert may wish to opt out of the Platform’s commission structure in order to continue an off-platform relationship. RAPAhub may allow this if the User pays a buyout or conversion fee to RAPAhub, which compensates for the lost commission. The specifics of such a fee and process must be obtained from RAPAhub and agreed in writing. Unless and until such fee is paid and written approval is given, Users remain bound by the non-circumvention obligations.

7g. Consequences of Breach: You acknowledge that a violation of any provision of this Section 7 is a material breach of these Terms. If you circumvent or attempt to circumvent RAPAhub’s Platform for communications or payments:

• Your account may be immediately suspended or terminated (see Section 12) without entitlement to any restoration or refunds of any kind.
• You will forfeit all RAPAcoins accumulated in your account (vested or unvested) without any compensation, and you will lose any benefits or status associated with those RAPAcoins.
• RAPAhub reserves the right to charge you the 100x equivalent of the commission fees that were avoided due to the breach. For example, if you conducted a $10,000 project off-platform that should have incurred a 10% commission, RAPAhub may demand $100,000 as liquidated damages for the lost fee (this is in addition to any conversion fee if RAPAhub still allows you to remain active).
• RAPAhub may take legal action to enforce this non-circumvention clause and seek injunctive relief and damages. You agree that the damage to RAPAhub from circumvention is difficult to quantify but significant, and a liquidated damages amount equal to the avoided commission is a reasonable pre-estimate of such damage and not a penalty.

By using the Platform, you explicitly acknowledge and agree that maintaining the integrity of communications and transactions on the Platform is fundamental to RAPAhub’s business. These non-circumvention provisions are fair and necessary to protect RAPAhub’s legitimate interests, and you agree to be bound by them.

8. Confidentiality (Non-Disclosure)

8a. Mutual Confidentiality Obligations: Users may receive access to Confidential Information of other parties through the Platform or in the course of a project. You agree that you will not, at any time during the use of the Platform or thereafter, directly or indirectly disclose or use any Confidential Information that you obtain through the Platform, except as necessary to perform your obligations in a Service Contract or as permitted by the disclosing party.Confidential Information should be used solely for the purpose of the relevant project or transaction for which it was disclosed and not for any other purpose.

8b. Definition of Confidential Information: As defined in Section 1, Confidential Information includes any non-public information disclosed by one party to another that is identified as confidential or would reasonably be understood to be confidential given its nature. This may include, without limitation: business plans, technical data, research, product plans, designs, formulas, manufacturing processes, marketing strategies, financial information, client or customer lists, personal data, regulatory submission documents, and any other proprietary information. Confidential Information does not include information that: (i) becomes publicly available without breach of any obligation owed to the discloser; (ii) was already known to the receiver of the information prior to disclosure on the Platform, as evidenced by written records; (iii) is received from a third party who is not under an obligation of confidentiality; or (iv) is independently developed by the receiver without use of the discloser’s information.

8c. Platform Confidentiality: You also agree to treat any non-public aspects of the Platform, RAPAhub’s software, algorithms, or any proprietary data provided by RAPAhub as Confidential Information of RAPAhub. This includes any information about beta features or usage data provided to you. You will not disclose such information to any third party without Management Company’s prior written consent.

8d. NDA for Projects: While these Terms provide a general confidentiality obligation, Clients and Experts may decide to sign a more specific Non-Disclosure Agreement (NDA) for a particular project, especially if highly sensitive information (e.g., unpublished patent data, trade secrets) is involved. RAPAhub may offer a standard NDA form that Users can execute electronically. Any such NDA is between the Client and Expert, and is in addition to (and does not replace or weaken) the confidentiality obligations in these Terms. In case of any inconsistency between these Terms and a separately executed NDA between two Users, the NDA will govern the handling of Confidential Information between those parties, but it shall not diminish RAPAhub’s rights or protections under these Terms.

8e. Use and Protection of Confidential Info: The receiving party of Confidential Information agrees to take reasonable security measures (at least as protective as the measures it uses for its own confidential information of a similar nature) to prevent unauthorized access, use, or disclosure of the Confidential Information. Only those persons who need to know the information for the permitted purpose (and who are bound by confidentiality obligations at least as strict) may access the Confidential Information. If you are required by law or court order to disclose Confidential Information, you shall (to the extent legally permitted) give prompt notice to the disclosing party to allow them to seek a protective order or other appropriate remedy.

8f. Return or Destruction: Upon the conclusion of a project or at any time upon request of the disclosing party, the receiving party shall return or destroy (and certify destruction of) all Confidential Information of the other party that is in its possession, except where retention is required by law or standard business archival practices (in which case the confidentiality obligations continue to apply to such retained information).

8g. Confidentiality of Client Materials and Data: Experts especially acknowledge that Clients may provide them with sensitive materials (for example, draft regulatory filings, chemical formulas, clinical data, etc.) to enable the Expert to perform the service. Such materials are Confidential Information of the Client and the Expert shall not use them for any purpose outside the Service Contract, nor share them with any third party (except possibly approved subcontractors or colleagues bound by confidentiality and only on a need-to-know basis, with Client’s consent).

8h. Confidentiality of Expert Deliverables: Similarly, unless the Client and Expert agree otherwise, any work product or report delivered by an Expert should be treated as Confidential Information of the Client (at least until such time as the Client makes it public or it enters the public domain through no fault of the Expert). The Client should not disclose any confidential deliverables publicly in a way that harms the Expert’s legitimate proprietary interests either, without permission (for example, if an Expert provided a proprietary analysis method as part of the deliverable).

8i. Platform Use of Aggregated Data: As stated in Section 9, RAPAhub may use aggregated, anonymized data derived from usage of the Platform. This typically would not include any personal or project-specific Confidential Information. RAPAhub will not disclose project-specific confidential details to other Users or third parties except as needed to provide the services (for example, giving an escrow agent information to process a payment, or if legally compelled).

8j. Survivability: The confidentiality obligations in this Section 8 survive any termination of these Terms or of any account, and continue for so long as the information remains confidential (except that once information becomes public through no breach, or after a period of 5 years from disclosure, the obligations may lapse, whichever occurs first, provided that trade secrets shall be protected indefinitely or for as long as applicable law requires).

9. Intellectual Property Rights and Content

9a. RAPAhub Intellectual Property: The Platform (including the website design, layout, software, code, databases, and collective content) and all materials provided by RAPAhub are protected by intellectual property laws. RAPAhub and Management Company  (or their licensors) retain all right, title, and interest in the Platform and all RAPAhub Content, including trademarks, logos, service marks, trade names, and branding associated with “RAPAhub” and Management Company. You may not use RAPAhub’s name or logos (including the RAPAhub globe logo) except as expressly allowed by RAPAhub. We grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Platform for your personal or internal business use, in accordance with these Terms. All rights not expressly granted to you are reserved by RAPAhub. You agree not to copy, reproduce, modify, create derivative works from, distribute, or publicly display any portion of the Platform or RAPAhub Content without our prior written consent, except as enabled by the Platform’s intended functionality (for example, downloading a PDF report that is made available to you).

9b. User Content and Contributions: RAPAhub may allow Users to contribute Content such as forum posts, Q&A responses, industry news, regulatory roadmaps, analysis reports, profiles, feedback, etc. By submitting or posting any User Content on the Platform, you hereby grant RAPAhub a perpetual, worldwide, royalty-free, irrevocable, sub-licensable license to use, copy, modify, publish, translate, create derivative works from, distribute, and display such Content (in whole or part) in any media. Furthermore, to the extent permissible by law, you assign to RAPAhub all rights, title, and interest in any Content that you create specifically for RAPAhub’s knowledge database, news section, or any collaborative project initiated by RAPAhub. This means that any content created for RAPAhub’s platform or at the request of RAPAhub (such as contributions to a RAPAhub-managed regulatory database, articles written for a RAPAhub publication, or data you compile for the Platform’s use) becomes the intellectual property of RAPAhub upon creation. RAPAhub will own all rights in such content and may edit, reformat, excerpt, remove, or otherwise use it at our sole discretion, without notice and without any compensation to you (apart from any agreed fee or reward at the time of contribution). You waive any “moral rights” or rights of attribution in this content, to the extent permitted by law.

9c. Responsibility for User Content: You are solely responsible for the Content you post. You represent and warrant that you have the necessary rights to post or share each element of Content that you submit and that doing so will not violate any third-party’s rights (including intellectual property, privacy, or publicity rights) or any laws. You further represent that any opinions or statements expressed by you as User Content are genuinely held (if they purport to be factual or evaluative) and that any factual claims are, to the best of your knowledge, true. RAPAhub is not responsible for User Content and does not endorse any opinion contained in User Content. We reserve the right (but have no obligation) to review, monitor, and moderate User Content. We may remove or alter any User Content in our discretion, for example, if we believe it violates these Terms or any law, or is otherwise objectionable. However, we do not guarantee that all inappropriate Content will be removed. Users should report content they believe violates any rules.

9d. Feedback and Suggestions: If you provide RAPAhub with any ideas, suggestions, or feedback about the Platform or services (“Feedback”), you acknowledge that such Feedback is given voluntarily. You further acknowledge and agree that RAPAhub shall have the right to use, implement, profit from, and otherwise exploit any Feedback in any way, without additional permission or compensation to you. You hereby assign all rights in the Feedback to RAPAhub and agree to assist us in documenting or perfecting such rights if necessary.

9e. Third-Party Intellectual Property: Users must not upload or share content that infringes the intellectual property rights of others. This includes unauthorized use of copyrighted text or images, sharing trade secrets that you have no right to disclose, or misusing a third party’s trademark in a confusing manner. RAPAhub respects intellectual property rights and will respond to notices of infringement in accordance with applicable law (such as the Digital Millennium Copyright Act (DMCA) for copyright claims in the U.S.). If you believe any content on the Platform infringes your intellectual property, please notify us with detailed information so we can investigate and remove or disable the content if appropriate.

9f. Use of Aggregate Data: RAPAhub may collect and use aggregated, anonymized data regarding platform usage and performance (for example, general statistics about project types, average completion times, industry trends gleaned from aggregated project data) for the purposes of improving the Platform, generating industry insights, or marketing. This aggregated data will not identify individual Users or reveal any Confidential Information. By using the Platform, you consent to this collection and use of aggregate data.

9g. No License to Trademarks: Nothing in these Terms grants any User a license to use any RAPAhub, Management Company, or other User’s trademarks or logos, except that Users may truthfully state (verbally or in resumes, etc.) that they are registered on or have used the RAPAhub platform. Any misuse of trademarks on the Platform (such as unauthorized use of a company’s logo by a User) should be reported and will be addressed.

10. Non-Competition and Non-Solicitation

In consideration of the access to the Platform and the opportunities it provides, you agree to certain non-competition and non-solicitation commitments to protect RAPAhub’s and other Users’ legitimate interests:

10a. Non-Competition with RAPAhub: You agree that during your use of the Platform and for a period of one (1) year after any termination or suspension of your account, you will not directly develop or launch a platform or service that competes with the core business of RAPAhub (namely, an online regulatory affairs professional networking, knowledge-sharing, and service marketplace) by using or misusing any Confidential Information or trade secrets of RAPAhub. While general learning and experience gained as a user of the Platform is not restricted, you specifically agree not to copy or replicate proprietary features of RAPAhub or to induce RAPAhub Users to migrate to a new competing platform that you are associated with. This clause is not intended to prevent you from working in the regulatory affairs field or engaging in lawful commerce, but rather to prevent unfair competition that exploits RAPAhub’s confidential methods or user base.

10b. Non-Solicitation of Employees/Contractors: If RAPAhub employs staff or engages contractors to operate its business, you agree that you will not solicit for employment or contract any current employee or core contractor of Management Company (the Company) who you became aware of through your use of the Platform, without the Company’s prior written consent, for at least one (1) year after your last interaction with that employee/contractor via the Platform. This does not apply to general job postings or engagements that are not targeted at such individuals.

10c. Non-Solicitation of Users Outside Platform: You agree that you will not solicit any active User of RAPAhub to cease using the Platform or to engage with a competitor of RAPAhub. This means, for example, you should not contact other Users with mass messaging promoting a different marketplace or invite them to transfer their projects to another service. Additionally, aside from the scope of a specific Service Contract you are engaged in, you should not solicit business from a Client or Expert you met on RAPAhub for new projects outside of RAPAhub (unrelated to the Platform), if your motive is to bypass the Platform or diminish the relationship that User has with RAPAhub. (This does not restrict normal marketing or business development that is not specifically aimed at breaking a User away from RAPAhub.)

10d. Reasonableness of Restrictions: You acknowledge that the restrictions in this Section 10 are reasonable in scope and duration given the nature of RAPAhub’s business and the global marketplace of online platforms. They are intended to protect RAPAhub’s confidential information, goodwill, and investments in developing the Platform and user network. However, if any court or tribunal of competent jurisdiction finds any portion of this Section 10 unenforceable, the remainder shall still be enforced to the maximum extent permissible, and the period or scope of the restriction may be reduced by the court to what it deems reasonable and enforceable.

10e. Remedies: You acknowledge that a breach of this Section 10 may cause irreparable harm to RAPAhub for which monetary damages may be an inadequate remedy. In the event of such a breach (or threatened breach), RAPAhub is entitled to seek injunctive relief (without the need to post a bond) in addition to any other rights and remedies it may have at law or in equity. Additionally, engaging in the prohibited competitive or soliciting behavior will be considered a material breach of these Terms, giving RAPAhub the right to terminate your account immediately.

This Section does not limit any separate obligations you may have under a CIIAA (Confidential Information and Invention Assignment Agreement) or any employment/contractor agreement if you become directly affiliated with Management Company. In such a case, those separate agreements may impose additional non-compete or non-solicit obligations on you (for example, if you were hired as an employee of the Company). Section 10 here is focused on Users in their capacity as platform participants.

11. Disclaimers of Warranties

11a. “As Is” and “As Available”: The RAPAhub Platform and all services provided by RAPAhub are offered on an “as is” and “as available” basis. Use of the service is at your own risk. To the fullest extent permitted by law, RAPAhub and Management Company disclaim all warranties, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. We do not guarantee that the Platform will meet your specific requirements or expectations, or that it will achieve any particular results.

11b. No Guarantee of Outcomes: RAPAhub makes no warranty regarding the results that may be obtained from use of the Platform, or the accuracy or reliability of any content or information provided by Users on the Platform. In particular, while RAPAhub strives to present up-to-date regulatory information and knowledgeable Experts, RAPAhub does not warrant or ensure that any advice, recommendations, or regulatory strategies obtained through the Platform will be successful or error-free. Any reliance on information or services obtained through RAPAhub is at your own discretion and risk.

11c. Platform Availability: RAPAhub does not warrant that the Platform will be uninterrupted, timely, secure, or free from errors, bugs, viruses or other harmful components. We do not guarantee that defects in the operation or functionality of the Platform will be corrected immediately or at all. Occasional downtime for maintenance or factors beyond our control (such as internet disturbances) may occur. You acknowledge that data transmission over the internet can never be guaranteed to be 100% secure, and we cannot ensure the security of information you transmit to us while in transit.

11d. No Warranty for Third-Party Services: The Platform may integrate or allow the use of third-party services (for example, payment processors, identity verification providers, or communication tools). RAPAhub makes no warranty and assumes no liability for services provided by third parties. Your use of third-party services may be subject to additional terms and conditions of those third parties, and any disputes or issues with those services should be addressed to the respective third party.

11e. No Creation of Warranty: No advice or information, whether oral or written, obtained by you from RAPAhub or through the Platform, shall create any warranty not expressly stated in these Terms. Users may provide testimonials or success stories, but individual results will vary and are not guaranteed by RAPAhub.

11f. Jurisdictional Limitations: Some jurisdictions do not allow the disclaimer of certain warranties. If you are in such a jurisdiction, some of the disclaimers in this Section 11 may not apply to you, but only to the extent such disclaimers are expressly disallowed. In such a case, the rest of the disclaimers still apply, and our warranties are limited to the maximum extent permitted by applicable law.

12. Limitation of Liability and Release

12a. No Indirect Damages: To the maximum extent permitted by law, in no event shall RAPAhub, Management Company of USA Inc., or any of their founders, owners, shareholders, directors, officers, managers, employees, affiliates, agents, or administrators (collectively, the “RAPAhub Parties“) be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, or any loss of profits, revenue, business, goodwill, data, or other intangible losses, arising out of or related to your use of (or inability to use) the Platform or services, regardless of whether such damages are based on contract, tort (including negligence), warranty, strict liability, or otherwise, and even if a RAPAhub Party has been advised of the possibility of such damages. This limitation on liability includes, without limitation, any damages arising from: the conduct or content of any User or third party on the Platform; use of or reliance on any content or information obtained through the Platform; unauthorized access to or alteration of your data or transmissions; or any other matter relating to the services.

12b. Liability Cap: To the maximum extent permitted by law, the total aggregate liability of the RAPAhub Parties for any and all claims arising out of or relating to these Terms or the use of the Platform shall not exceed the greater of: (i) the total amount of fees (commission or otherwise) that you paid to RAPAhub in the 12 months prior to the event giving rise to the liability; or (ii) USD $1,000.00. If you have not paid any fees to RAPAhub in the 12 months preceding the claim, RAPAhub’s liability will be capped at $100.00. This limitation applies cumulatively to all claims, and multiple claims will not enlarge the cap.

12c. Small Claims Limitation: All disputes brought by Users against RAPAhub are subject to the forum and damage limitations in Section 13(b). In particular, if you, as a User, pursue a claim against any RAPAhub Party, you are limited to small claims court as described in Section 13, meaning your potential recovery cannot exceed the jurisdictional maximum of that court, excluding court costs and attorneys’ fees. The liability cap in subsection (b) is not an admission that any claim of that size would be valid, but a maximum should any liability would be found.

12d. Release of Liability (Waiver): You hereby release and forever discharge the RAPAhub Parties from any and all claims, demands, damages, losses, rights, and actions of any kind (including personal injuries, death, and property damage) that are either directly or indirectly related to or arise from: (i) interactions or dealings with other Users (including any disputes with other Users, or any User’s acts or omissions); (ii) your use of any third-party site, services, or products linked through the Platform; and (iii) any act or omission of a User in providing services contracted through the Platform. RAPAhub merely facilitates connections and is not responsible for the actions of Users. This is a general release of all claims related to your use of the Platform, and you waive any rights you may have under any state or federal law that would otherwise limit the effect of such a release (e.g., you waive any benefits of California Civil Code §1542 or any analogous law, which states that general releases do not extend to claims the creditor does not know or suspect to exist in their favor at the time of release).

12e. Exceptions: The limitations and release in this Section 12 do not purport to limit liability or alter rights that cannot be excluded under applicable law. For example, some jurisdictions do not allow exclusion of liability for death or personal injury caused by a party’s negligence, or for fraud or gross negligence. In such jurisdictions, each RAPAhub Party’s liability is limited to the least amount permitted by law. Additionally, the foregoing limitations shall not apply to any liability arising from a willful misconduct or fraudulent misrepresentation by a RAPAhub Party.

12f. No Double Recovery: If for any reason the exclusion of certain damages in subsection (a) is held unenforceable, then the RAPAhub Parties’ liability for such damages is limited to the smallest amount allowed by law, and in no event aggregate liability shall exceed the amount in subsection (b) or the small claims limit in subsection (c), whichever is lowest applicable. You agree that the limitations of liability and waivers herein will apply even if any limited remedy fails of its essential purpose.

13. Governing Law and Dispute Resolution

13a. Governing Law: These Terms and any dispute arising out of or related to them or the Service will be governed by and interpreted in accordance with the laws of the State of Florida and, to the extent applicable, the federal laws of the United States (including U.S. copyright and trademark laws), without regard to conflict of law principles that would result in the application of the laws of any other jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to these Terms.

13b. Venue and Forum for Disputes with RAPAhub: All disputes or claims between you (as a User) and RAPAhub/Management Company that arise out of or relate to these Terms or the use of the Platform shall be exclusively brought in the courts of Miami-Dade County, Florida. If such a dispute is within the monetary jurisdiction of the small claims court in Miami-Dade County, you must file your claim in that small claims court, and your recovery is limited to the maximum amount allowable in small claims (as noted in Section 12). You agree that this requirement is part of the bargained-for consideration of these Terms and that it limits the forum and damages for any claims you might have against the RAPAhub Parties. In any such action, each party will bear its own attorneys’ fees and costs, except that if any claim is filed by you in a forum or manner inconsistent with this Section, you agree to pay our costs and attorneys’ fees incurred in enforcing this provision.

13c. RAPAhub’s Right to Sue in Any Forum: Notwithstanding the above, RAPAhub or Management Company retains the right to enforce its rights (including intellectual property rights and the provisions of Sections 7 and 10) and to pursue any claims against Users in any court or jurisdiction of competent authority. This includes the right to seek injunctive relief or damages in courts outside of Florida, or in federal court, without any limitation on damages or forum. For clarity: while you are limited to small claims in Miami-Dade for claims against us, we are not so limited in pursuing claims against you.

13d. Personal Jurisdiction and Venue: You consent and submit to the personal jurisdiction of the state courts in Miami-Dade County, Florida and the U.S. federal court for the Southern District of Florida for purposes of any legal action by you against RAPAhub, and you waive any objections to the laying of venue in those courts. If we bring an action against you outside of Florida (per subsection c), you agree to submit to the jurisdiction of the chosen court for that action.

13e. Waiver of Jury Trial and Class Actions: To the fullest extent permitted by law, the parties expressly waive any right to a trial by jury in any action, proceeding, or counterclaim arising out of or related to these Terms or the Platform. Additionally, all disputes shall be resolved on an individual basis only. You waive any right to participate in a class, collective, or representative action against RAPAhub or Management Company. You also agree not to join or consolidate claims with claims of any other person. If at any point a court deems that the class action waiver in this subsection is unenforceable with respect to a particular claim, then (subject to your small claims rights above) that claim shall be severed and proceed in a court of competent jurisdiction, and the remainder of the claims shall continue in small claims or other court as provided above.

13f. Mediation Option: In the interest of resolving disputes efficiently, the parties may mutually agree to engage in mediation prior to litigating any claim. Mediation would be non-binding and confidential, using a neutral mediator in Florida or virtually. This is not required by these Terms, but RAPAhub is open to attempting good-faith mediation for disputes with Users where appropriate.

13g. Time Limit to Bring Claims: You agree that any claim or cause of action you have arising out of or related to your use of the Platform or these Terms must be filed within one (1) year after such claim or cause of action arose, or be forever barred. (This does not apply to RAPAhub’s claims against Users.)

14. Indemnification

You agree to indemnify, defend, and hold harmless RAPAhub, Management Company of USA Inc., and their respective affiliates, and each of their directors, officers, employees, representatives, agents, predecessors, successors, and assigns (the “Indemnified Parties”), from and against any and all claims, liabilities, losses, damages, expenses, and costs(including reasonable attorneys’ fees and court costs) arising out of or related to:

• Your use of the Platform or services (including any Service Contracts you enter with other Users),
• Your Content or any content you post or submit,
• Your breach or alleged breach of these Terms or of any representations, warranties, or obligations herein,
• Your violation of any law or regulation or the rights of any third party (for example, infringement of intellectual property or violation of privacy/data protection laws), or
• Any contract or other relationship between you and any other User. For instance, if another User (Client or Expert) sues RAPAhub due to a dispute with you (claiming we are liable as a broker or that we should have done something about a situation), you will indemnify the Indemnified Parties for all costs and liabilities incurred as a result of that claim.

The Indemnified Party will provide you with prompt notice of any such claim, but any failure to notify you will not relieve you of your indemnification obligations except to the extent that the delay materially prejudices your ability to defend the claim. You may assume the defense of a claim by counsel reasonably acceptable to the Indemnified Parties, and we will cooperate with your defense. We reserve the right, at our option, to assume exclusive defense and control of any matter subject to indemnification by you, but doing so will not excuse your indemnity obligations. You agree not to settle any claim without the prior written consent of the relevant Indemnified Parties, if such settlement would impose any obligation on or admission of liability by the Indemnified Parties.

15. Termination and Suspension

15a. By User: You have the right to stop using the Platform at any time. You may close your RAPAhub account through the account settings or by contacting us. Termination of your account will be effective upon our processing of your request. If you have any ongoing Service Contracts at the time of account closure, you must resolve any outstanding obligations (such as delivering work or paying amounts due) before the account is fully closed. Even after you deactivate or delete your account, certain provisions of these Terms will remain in effect (see Section 16e on Survival).

15b. By RAPAhub (for Convenience): RAPAhub reserves the right to suspend or terminate your access to the Platform (or certain features of the Platform) at any time for any reason or no specific reason, with or without notice. If we terminate your account without cause (not due to any wrongdoing on your part), we will, at your request, refund any prepaid fees for subscription services that were unused as of termination (if applicable), and release any escrow funds according to the appropriate party (Client or Expert) after resolving any active disputes.

15c. By RAPAhub (for Cause): We may immediately suspend, deactivate, or terminate your account (and/or the accounts of any affiliates or proxies we believe you control) for cause if we have reason to believe that: (i) you have violated these Terms or any other policy incorporated herein; (ii) you have provided false or misleading information or engaged in fraudulent or illegal activities; (iii) you are infringing or misappropriating any intellectual property or other rights of RAPAhub or others; (iv) your use of the Platform poses a security risk or may cause harm to other Users or the public; or (v) you have become ineligible to use the Platform under applicable law (for example, you become a resident of a Sanctioned Country, or are listed on a restricted parties list). In cases of termination for cause, we may give you notice of the action taken, but we are not required to provide prior warning.

15d. Effects of Suspension/Termination: Upon suspension or termination of your account:

• You must immediately cease using the Platform and not attempt to create a new account without our permission.
• Any licenses or rights granted to you under these Terms will terminate (except for your rights in your own intellectual property or any perpetual licenses you granted to us which by nature survive).
• We may revoke access to any of your Content on the Platform, but we may retain copies for archive or legal compliance.
• We may inform other Users with whom you were engaged in projects of your termination (for example, to caution them or to facilitate wrapping up a contract via another means).
• If you have any funds held in escrow, RAPAhub will handle them in accordance with the escrow instructions and any applicable dispute process (for instance, returning funds to a Client if work was not delivered, or paying an Expert for work completed).
• If termination was due to your breach, you will not be entitled to any refund of fees or any compensation for unused services, and any accumulated RAPAcoins or platform rewards in your account will be forfeited. You acknowledge that forfeiture of RAPAcoins (and any other platform-specific benefits) is a reasonable consequence of termination for cause, and no refund or compensation is due for any such forfeited items.

15e. Loss of Data: We are not obligated to provide you with copies of your data or Content following suspension or termination of your account, especially if we terminate for your breach. It is your responsibility to maintain backup copies of your own Content and transaction records (outside of confidential info of others). However, registered Users may, on written request, be given a chance to retrieve their own User Content (that is not confidential to others) from their account before deletion, at our discretion.

15f. Violations of Law and Sanctions: If your account is terminated or suspended due to a violation of sanctions laws or export controls (Section 4c) or due to non-circumvention violations (Section 7), such termination is considered for cause. In such event, in addition to account closure, you also forfeit any right to use the Platform in the future and any RAPAcoins or other platform credits are void. We may also report the incident to relevant authorities if appropriate. You will not receive any refund for any membership fees or other payments you may have made to RAPAhub if your account is terminated for cause.

15g. Reinstatement: If your account is terminated or suspended and you believe it was a mistake or you have remedied the issue, you may contact RAPAhub to request reinstatement. RAPAhub is under no obligation to reinstate accounts and will do so only in its sole discretion after a review. Under certain circumstances, RAPAhub may allow a User to create a new account (for example, if a prior suspension was lifted or if it was determined you were not at fault). However, creating new accounts to bypass a termination without explicit permission is a violation of these Terms.

15h. Survival: Termination of your account or access does not terminate any Service Contracts you have with other Users that are ongoing; however, those might be impacted if you can no longer use the Platform to communicate or transfer funds. The parties to a Service Contract may need to make alternative arrangements if possible, but RAPAhub disclaims liability for any disruption caused by an account termination for cause. Sections that by their nature are meant to survive termination (such as, but not limited to, Sections 8, 9, 10, 11, 12, 13, 14, 15f, and 16) shall survive the termination of these Terms and remain in effect.

16. Miscellaneous Provisions

16a. Entire Agreement: These Terms (including any documents incorporated by reference, such as the Privacy Policy, and any additional terms provided for specific services or features) constitute the entire agreement between you and RAPAhub, or Management Company with respect to the subject matter hereof, and supersede any prior or contemporaneous understandings, agreements, negotiations, representations, and warranties, both written and oral, regarding such subject matter. You acknowledge that you have not relied on any statement, promise, or representation not expressly stated in these Terms.

16b. Amendment and Waiver: Except as stated in Section 2c (our right to modify these Terms by posting updates), no amendment or modification of these Terms will be binding unless in writing and signed by an authorized representative of Management Company. A waiver by RAPAhub of any right or provision under these Terms must be in writing and signed by our authorized representative. No waiver of any term shall be deemed a further or continuing waiver of that term or any other term. RAPAhub’s failure to enforce any provision of these Terms does not constitute a waiver of that provision or of any other provision.

16c. Severability: If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, then that provision will be enforced to the maximum extent permissible, and the remaining provisions of these Terms will remain in full force and effect. The invalid provision shall be deemed modified to the least degree necessary to remedy the invalidity while retaining as much as possible of the intent of the original provision. If such modification is not possible, the provision shall be severed and the rest of the Terms shall remain in effect.

16d. Assignment: You may not assign or transfer these Terms, or any rights or obligations herein, in whole or in part, without our prior written consent. Any attempted assignment in violation of this provision will be null and void. RAPAhub (Management Company of USA Inc.) may freely assign or transfer these Terms (for example, in the event of a merger, acquisition, sale of assets, or by operation of law) without your consent and without notice. These Terms will bind and inure to the benefit of the parties, their successors, and permitted assigns.

16e. Survival: All provisions of these Terms which by their nature should survive termination of this Agreement (including, but not limited to, confidentiality obligations, intellectual property rights, non-circumvention, disclaimers of warranty, limitations of liability, dispute resolution, and indemnification) shall survive any termination or expiration of this Agreement and remain in full force and effect.

16f. No Third-Party Beneficiaries: Except as expressly provided in these Terms, no person or entity who is not a party to this Agreement shall have any right to enforce any term of this Agreement. However, the RAPAhub Parties (defined in Section 12) who are not signing parties are intended third-party beneficiaries of the liability protections (Section 12) and indemnification (Section 14) provisions, and they may enforce those rights directly against Users as if they were parties to this Agreement.

16g. Relationship of Parties: Nothing in these Terms shall be construed as making either party the partner, joint venturer, agent, legal representative, employer, franchisee, or franchiseor of the other. You and RAPAhub are independent contractors, and neither has any authority to bind the other in any respect. Users are also independent of RAPAhub; RAPAhub does not direct or control Users’ work or services except as expressly provided in these Terms.

16h. Notices: RAPAhub may provide notices to you via the email address associated with your account, through your account dashboard, via platform notifications, or through other reasonable means. You are responsible for ensuring that your contact information is up-to-date. Notices sent by email will be deemed received 24 hours after the email is sent, unless the sending party is notified that the address is invalid. Notices posted in your account or delivered via platform pop-up are deemed received upon your next login and viewing of the notice. If you need to send legal notices to us, you may do so at the current business address of Management Company listed on our website (Attn: Legal Department), or via email to any designated legal notice email we provide (if any).

16i. Headings and Interpretation: Section headings and captions in these Terms are for convenience only and have no legal or contractual effect. “Including” (and similar terms) shall be construed as “including without limitation.” Words in the singular include the plural and vice versa. Any reference to “days” means calendar days unless otherwise specified. If these Terms are translated into a language other than English and there is any ambiguity or conflict, the English version shall govern.

16j. Logos and Branding: The RAPAhub name and logo are trademarks of Management Company. You agree not to use RAPAhub’s logos or names without our permission except as allowed by these Terms. Conversely, RAPAhub may use your company or brand name and logo to identify you as a User in marketing materials or on the Site (for example, listing you as a professional on RAPAhub or highlighting successful projects), unless you have expressly withdrawn such permission in writing.

16k. Force Majeure: RAPAhub shall not be liable for any delay or failure to perform resulting from causes outside its reasonable control, such as acts of God, war, terrorism, riots, embargoes, acts of civil or military authorities, pandemics, fire, floods, accidents, strikes, or shortages of transportation, energy, labor, or materials. In such an event, RAPAhub will use reasonable efforts to resume services as soon as practicable.

16l. Communications and Opt-Out: You agree that RAPAhub can contact you and send you communications (including marketing messages, newsletters, and updates) via the Platform, email, or other contact information you provide. If you prefer not to receive certain marketing communications, you can opt out by following the unsubscribe instructions in those emails or adjusting your account preferences. However, you may not opt out of critical service or legal notices (which are not marketing in nature).

16m. Further Assurances: You agree to execute any documents and take any actions necessary to effectuate the purposes of these Terms (for example, signing documents to assign intellectual property rights under Section 6h if required).

16n. Counterparts and Electronic Acceptance: These Terms may be agreed to online or by electronic acceptance, which is effective as a signed writing. The User’s act of clicking “I agree” or similarly indicating acceptance of these Terms, or actually using the Platform, constitutes your electronic signature to the Agreement and your consent to enter into agreements with us electronically.

16o. Adherence to Quality Management System and Standards, and Private & Corporate Policies: All RAPAhub Users, Clients, and Executors agree to strictly adhere to the Quality Management System (QMS), corporate policies, and operational standards published and maintained by RAPAhub and its management company, as made available on the RAPAhub website. This includes mandatory compliance with relevant Standard Operating Procedures (SOPs), Corrective and Preventive Actions (CAPAs), training requirements, and internal audit processes. By engaging with the RAPAhub platform, each User acknowledges and accepts that they are required to comply with the following frameworks and standards, as applicable to their role and the services they provide or receive:

• ISO 9001:2015 – Quality Management Systems (QMS)
• ISO/IEC 27001:2013 – Information Security Management Systems (ISMS)
• ISO/IEC 27018:2019 – Protection of Personal Data in the Cloud
• ISO 22301:2019 – Business Continuity Management Systems (BCMS)
• ISO/IEC 17021-1:2015 – Conformity Assessment for Certification Bodies
• ISO/IEC 25012:2008 – Data Quality Model for Software Products
• ISO 14001:2015 – Environmental Management Systems (EMS)
• ISO 45001:2018 – Occupational Health and Safety Management Systems (OH&S)
• ISO 37001:2016 – Anti-Bribery Management Systems (ABMS)
• ISO 26000:2010 – Social Responsibility Guidelines
• EU GDPR – General Data Protection Regulation (EU 2016/679)
• California CCPA – California Consumer Privacy Act
• FDA 21 CFR Part 11 – Electronic Records and Signatures Regulation

These standards represent a baseline for all professional and technical conduct on RAPAhub. The management company reserves the right to introduce additional standards or update required practices at any time without prior notice to ensure ongoing compliance with evolving international, federal, or industry-specific requirements.

Failure to adhere to these requirements may result in suspension or termination of access, loss of RAPAcoin benefits, and other remedial actions as deemed appropriate by RAPAhub’s management company.

17. Privacy Policy

17a. Information We Collect

We collect the following categories of information when you use RAPAhub:
– Full name, contact information (email, phone, address)
– Profile details (education, work history, expertise)
– Uploaded content (resumes, files, services)
– Payment and billing information
– Communications through the Platform

Automatically collected:
– IP address, device/browser details
– Log data and usage patterns
– Cookies and tracking technologies

Third-party sources:
– Identity verification
– Payment processors
– Social media (if linked)

17b. How We Use Your Information

– To register and manage your account
– Provide services and enable user interactions
– Process transactions
– Personalize and improve the platform
– Enforce Terms and Conditions
– Comply with legal obligations
– Send service communications and newsletters

17c. Sharing of Information

We do not sell your personal information.
We may share data with:
– Other users (project-specific only)
– Third-party service providers
– Legal authorities as required
– Affiliates/successors (e.g., mergers)
All parties are contractually bound to data protection.

17d. Your Rights and Choices

You may have the right to:
– Access, correct, or delete your data
– Restrict or object to processing
– Withdraw consent
– Request data portability

Contact info@RAPAhub.com to exercise your rights.

17c. Data Retention

We retain data:
– As long as your account is active
– As needed to meet legal obligations
– To resolve disputes and enforce rights
– Inactive accounts may be deleted after 24 months.

17e. Data Security

We use:
– Encryption and secure storage
– Role-based access controls
– Regular vulnerability assessments
However, no system is completely secure. You must keep your login secure.

17f. Cookies and Tracking

Cookies are used for:
– Session management
– Usage analysis
– User experience optimization
– Marketing (with consent)

You can disable cookies via browser settings.

17g. Children’s Privacy

RAPAhub is not intended for children under 18.
We do not knowingly collect data from minors.
Please contact us if a minor’s data was shared.

17h. International Transfers

Data may be stored or processed in the U.S. or other countries.
By using RAPAhub, you consent to such transfers.

17i. Changes to This Policy

We may revise this policy periodically.
Updates will be posted with a new ‘Effective Date’.
Continued use implies acceptance of changes.

17j. Contact Us

Management Company of USA Inc.
Attn: Privacy Team
420 Lexington Ave, Suite 300
New York, NY, 10170
Email: info@RAPAhub.com

17k. GDPR and CCPA Compliance

Under GDPR (EU/EEA):
– Legal bases for processing include consent, contract, and legal obligations.
– You have the right to data access, correction, deletion, portability, objection, and restriction.
– You can lodge a complaint with your local data protection authority.

Under CCPA (California):
– California residents have the right to know, delete, and opt out of the sale of personal data.
– We do not sell your data.
– You may designate an authorized agent to act on your behalf.
– No discrimination for exercising privacy rights.

By using the RAPAhub Platform, you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions. If you have any questions or need clarification on any aspect of these Terms, please contact us through the Site’s support channels or at the contact information provided on RAPAhub.com before continuing to use the Platform.

Effective Date: These Terms are effective as of the date of the last update posted on the Site. (If no date is shown here, then these Terms are effective as of the date you agree or as of the date indicated by RAPAhub’s records for your acceptance.)

RAPAhub Quality Management System (QMS) Manual

Table of Contents

Introduction and Preamble

Referenced Standards and Regulations

• ISO & Regulatory Standards Overview with Official References
• Global and U.S. Regulatory Frameworks

1. ISO 9001:2015 – Quality Management System Requirements
2. ISO/IEC 27001:2022 – Information Security Management
3. ISO/IEC 27018:2019 – Protection of Personal Data in Cloud Computing
4. ISO 22301:2019 – Business Continuity Management
5. ISO/IEC 17021-1:2015 – Audit and Certification of Management Systems
6. ISO/IEC 25012:2008 – Data Quality Management
7. ISO 14001:2015 – Environmental Management
8. ISO 45001:2018 – Occupational Health and Safety
9. ISO 37001:2016 – Anti-Bribery Management
10. ISO 26000:2010 – Social Responsibility
11. GDPR and Data Privacy Compliance
12. CCPA Compliance (California Consumer Privacy Act)
13. FDA 21 CFR Part 11 – Electronic Records and Signatures Compliance

Standard Operating Procedures (SOPs)

• SOP: Document Control and Record Management
• SOP: Corrective and Preventive Action (CAPA)
• SOP: Data Security and Privacy (Information Security & GDPR Controls)
• SOP: Internal Audits
• SOP: External Expert Oversight and “Expert Health” Audits
• SOP: Client Communication and Satisfaction Management

Internal Audit Schedule (Twice-Yearly Program)

Expert Health Internal Audit Guidelines

List of Standard Operating Procedures (SOPs)

Key Policy Documents

Company Integrated Management System Policies

• Quality Policy Statement (QP-2025)
• Information Security Policy (ISP-2025)
• Privacy Policy/Notice (GDPR & CCPA Compliance)
• Code of Conduct and Ethics Policy (CCE-2025)
• Environmental Policy (ENV-2025)
• Occupational Health & Safety Policy (OHSP-2025)
• Business Continuity Policy (BCP-2025)

Reference Materials and Standards Links

QMS Validity and Revision Control

• Approval

Introduction and Preamble

Welcome to the Company’s Quality Management System (QMS) Manual. This internal compliance manual is designed for use by all Company staff and associated external experts. It provides a comprehensive framework of policies, processes, and procedures to ensure that the Company’s services meet the highest standards of quality, security, and regulatory compliance. The QMS integrates multiple internationally recognized standards and regulations to guide our operations and decision-making, ensuring we consistently deliver value to clients while maintaining legal and ethical integrity.

Purpose and Scope: The QMS Manual outlines how the Company manages quality, information security, data privacy, business continuity, and other compliance obligations. It defines the responsibilities of leadership, employees, and external experts in maintaining the system. The scope of this manual covers all aspects of the Company’s SaaS marketplace for international regulatory affairs services, including platform development and maintenance, expert onboarding and service delivery, client interactions, and internal operational processes. All personnel (internal staff and contracted external experts) are expected to understand and follow the policies and procedures in this manual.

Integrated Standards Approach: This QMS is aligned with a range of international standards and regulations (listed in the next section) covering quality management, information security, cloud privacy, business continuity, environmental and social responsibility, occupational health and safety, anti-bribery, and data protection laws. By integrating these frameworks into one comprehensive system, the Company ensures a consistent, audit-ready approach to compliance and risk management across all areas of operation. The manual is organized with sections corresponding to each relevant standard or regulation, detailing how the Company meets each requirement. For internal ease of use, the Company is referred to simply as “the Company” throughout this manual (no external branding is used).

Audience: This manual is intended for internal use by Company employees and by external experts offering services via the Company’s platform. It serves as both a reference for day-to-day compliance and a training resource for new team members. External regulatory auditors or clients may also review this manual as evidence of the Company’s robust management systems. Every user of this manual is responsible for reading and adhering to the policies herein, and for seeking guidance from the Quality Assurance (QA) Officer or management if clarification is needed.

Maintenance of the QMS: The QMS is a living system. It will be reviewed and updated regularly (at least annually, or more frequently if required) to adapt to changes in standards, regulations, or Company processes. Changes to this manual are controlled via the Document Control procedure (see SOP for Document Control) to ensure that only the latest approved version is in use. The Company’s leadership is fully committed to the implementation and continual improvement of the QMS. Management provides the necessary resources and fosters a quality culture in which the importance of meeting customer and compliance requirements is understood by all. The QMS’s effectiveness is monitored through internal audits, management reviews, and continuous improvement mechanisms like CAPA (Corrective and Preventive Action) to ensure ongoing suitability and effectiveness.

By following this manual, the Company and its experts will ensure consistent quality services, secure and lawful handling of information, and resilience against risks – thereby maintaining client trust and meeting all applicable obligations. The sections below summarize each referenced standard/regulation and detail the Company’s compliance measures. All staff and experts should familiarize themselves with these sections to understand how their roles contribute to overall compliance.

Referenced Standards and Regulations

The Company’s QMS is aligned with the following key standards and regulations. Each item is listed with a brief description and a direct reference link for further reading:

ISO & Regulatory Standards Overview with Official References

ISO 9001:2015 – Quality Management Systems (QMS)
International standard specifying requirements for quality management systems. ISO 9001 focuses on consistently meeting customer requirements and enhancing satisfaction through effective process management and continuous improvement.
🔗 ISO 9001:2015 at ISO.org
https://www.iso.org/standard/62085.html 

ISO/IEC 27001:2013 – Information Security Management Systems (ISMS)
Specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS to protect data confidentiality, integrity, and availability.
🔗 ISO/IEC 27001:2013 at ISO.org
https://www.iso.org/standard/54534.html 

ISO/IEC 27018:2019 – Protection of Personal Data in the Cloud
Code of practice for protecting personally identifiable information (PII) in public cloud services. It provides cloud-specific controls and guidelines (as an extension of ISO 27002) to ensure privacy of personal data handled by cloud service providers.
🔗 ISO/IEC 27018:2019 at ISO.org
https://www.iso.org/standard/76559.html 

ISO 22301:2019 – Business Continuity Management Systems (BCMS)
Specifies requirements to plan, establish, implement, operate, monitor, review, and improve a documented management system to prepare for, respond to, and recover from disruptive incidents, ensuring organizational resilience.
🔗 ISO 22301:2019 at ISO.org
https://www.iso.org/standard/75106.html 

ISO/IEC 17021-1:2015 – Conformity Assessment (Audit & Certification Bodies)
Defines requirements for bodies providing audit and certification of management systems. Ensures certification bodies operate with competence, consistency, and impartiality.
🔗 ISO/IEC 17021-1:2015 at ISO.org
https://www.iso.org/standard/61651.html 

ISO/IEC 25012:2008 – Software Product Quality Requirements (Data Quality Model)
Defines a general data quality model for data in information systems. Outlines 15 data quality characteristics including Accuracy, Completeness, Consistency, Credibility, and Accessibility.
🔗 ISO/IEC 25012:2008 at ISO.org
https://www.iso.org/standard/35736.html 

ISO 14001:2015 – Environmental Management Systems (EMS)
Specifies requirements for effective environmental management systems, focusing on compliance with environmental laws, pollution prevention, and continual improvement.
🔗 ISO 14001:2015 at ISO.org
https://www.iso.org/standard/60857.html 

ISO 45001:2018 – Occupational Health and Safety Management Systems (OH&S)
Specifies requirements to provide safe and healthy workplaces by preventing work-related injury and illness.
🔗 ISO 45001:2018 at ISO.org
https://www.iso.org/standard/63787.html 

ISO 37001:2016 – Anti-Bribery Management Systems (ABMS)
Specifies requirements and provides guidance for establishing, implementing, maintaining, and improving an anti-bribery compliance program to prevent, detect, and respond to bribery.
🔗 ISO 37001:2016 at ISO.org
https://www.iso.org/standard/65034.html 

ISO 26000:2010 – Social Responsibility Guidelines
Provides guidance on social responsibility. It helps organizations address their impact on society, employees, customers, and the environment.
🔗 ISO 26000:2010 at ISO.org
https://www.iso.org/standard/42546.html 

Global and U.S. Regulatory Frameworks

EU GDPR – General Data Protection Regulation (EU 2016/679)
Comprehensive EU regulation on data protection and privacy. Enhances control over personal data, imposes processing requirements, data subject rights, and cross-border transfer safeguards.
🔗 EU GDPR Full Text (Official)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

California CCPA – California Consumer Privacy Act
A California state law enhancing consumer privacy rights. Grants rights to access, delete, and opt out of the sale of personal data, and requires businesses to implement reasonable security procedures.
🔗 California CCPA Official Law Text
https://oag.ca.gov/privacy/ccpa 

FDA 21 CFR Part 11 – Electronic Records and Signatures
Defines the criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records. Applies to FDA-regulated industries and mandates validation, access control, audit trails, and secure signatures.
🔗 21 CFR Part 11 Full Text at ECFR.gov
https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11 

For quick reference, hyperlinks to the standards/regulations are provided above. Staff and experts are encouraged to refer to the full texts or authoritative summaries of these documents for deeper understanding. The Company’s policies and procedures have been developed in alignment with the requirements and best practices from these sources.

The remainder of this manual is organized by each of the above standards and regulations, detailing how the Company’s QMS addresses their specific clauses or principles. Following those sections, comprehensive Standard Operating Procedures (SOPs) and supporting tools are provided. Finally, an internal audit schedule and additional reference materials are included to ensure the QMS is effectively implemented, maintained, and continually improved.

ISO 9001:2015 – Quality Management System Requirements

Overview: ISO 9001:2015 is the foundation of our QMS, providing a process-oriented approach to documenting and delivering quality services that meet customer and regulatory requirements. The Company has implemented all clauses of ISO 9001, structured under the High-Level Structure (Annex SL) common to modern ISO standards. Key elements include understanding our organizational context, leadership commitment, risk-based thinking in planning, resource management, operational controls for service delivery, performance evaluation, and continual improvement. Below, each major clause of ISO 9001 is addressed:

1. Context of the Organization (Clause 4)

The Company has evaluated both internal and external issues that are relevant to our purpose and affect our ability to achieve intended outcomes of the QMS. This includes understanding the regulatory consulting industry, the needs and expectations of interested parties (such as clients, external experts, regulators, and partners), and the scope of our QMS. Scope: The scope statement of our QMS (documented separately in the Quality Policy document) covers “Provision of a SaaS marketplace platform and related services for international regulatory affairs by the Company.” We consider relevant statutory and regulatory requirements (like GDPR, FDA regulations, etc.) as part of our context analysis.

We maintain a Stakeholder and Context Register that identifies key stakeholders (e.g., clients needing compliant regulatory affairs services, external experts using the platform, industry regulators, shareholders) and their requirements. Regular business reviews are conducted to update this context analysis. Changes in the business environment (for example, new data protection laws or changes in technology) are evaluated for their impact on the QMS.

2. Leadership (Clause 5)

Top management (the Company’s CEO and leadership team) demonstrates commitment to the QMS by establishing a clear Quality Policy and Objectives and by ensuring these are aligned with the Company’s strategic direction. The Quality Policy (a separate one-page statement approved by the CEO) emphasizes our commitment to customer satisfaction, compliance, continuous improvement, and ethical practices. This policy is communicated to all staff and external experts and is available on our internal portal.

Organizational Roles & Responsibilities: The Company’s organizational structure supports the QMS with defined roles, including a Quality Assurance (QA) Officer responsible for QMS coordination and an Information Security Officer(for ISMS oversight, may be combined role in our size of organization). Department heads (or equivalents, such as the CTO for platform development, the Operations Manager for expert and client management) are responsible for quality in their areas. All personnel are empowered to contribute to the QMS: for example, any employee or expert can raise improvement suggestions or report issues.

Top management holds quarterly Management Review Meetings to review QMS performance (Clause 9.3). In these meetings, they review audit results, customer feedback, process performance, nonconformities/CAPA status, risk status, opportunities for improvement, and resource needs. Actions from management reviews are documented and followed up to ensure continual improvement.

Leadership also ensures a culture of quality and integrity: we have a Code of Conduct (aligned with ISO 37001 and ISO 26000 principles) which is communicated and acknowledged by all staff and experts, emphasizing ethical behavior, client focus, and compliance.

3. Planning (Clause 6)

The Company applies a risk-based thinking approach in planning our QMS. We maintain a Risk and Opportunity Register. Key risks (e.g., risk of data breach, risk of expert deliverable not meeting quality, risk of platform downtime) and opportunities (e.g., using new technology to improve service, expanding services to new markets) are identified, analyzed for severity/likelihood, and addressed with appropriate risk treatment plans. This addresses ISO 9001’s requirements for actions to address risks and opportunities (6.1) and is integrated with risk assessments from ISO 27001 (information security risks) and ISO 22301 (business continuity risks).

Quality objectives (Clause 6.2) are established annually at relevant functions and levels. Examples of 2025 Quality Objectives might include: “Achieve >95% client satisfaction ratings each quarter,” “Onboard 100% of new experts using the approved qualification process,” “Zero critical data security incidents,” etc. Each objective is SMART (Specific, Measurable, Achievable, Relevant, Time-bound) and has an owner. Progress is monitored monthly by management.

For changes to the QMS (Clause 6.3), we have a planned change management process. Significant changes (e.g., adopting a new compliance tool, updating a procedure) are evaluated for potential impacts and require approval by the QA Officer and relevant management. Changes are documented via our Document Control SOP to ensure traceability of revisions.

4. Support (Clause 7)

This section covers the resources, people, infrastructure, and documented information needed for an effective QMS:

• Resources (7.1): The Company ensures that necessary resources are available. This includes competent personnel (internal staff and contracted experts), appropriate IT infrastructure (secure cloud hosting, backup systems), and work environment (for our largely remote workforce, this includes providing communication and collaboration tools, and guidelines for a safe home-office setup in line with ISO 45001 principles). We also account for supporting services – for example, selecting reliable cloud service providers that meet security and privacy standards.
• Competence (7.2): All personnel performing work that affects quality (including external experts) must be competent on the basis of education, training, and experience. The Company maintains Job Role Descriptions for staff and Qualification Criteria for external experts. We verify qualifications (e.g., degrees, certifications) of regulatory experts during onboarding (see SOP on External Expert Oversight). Training programs are in place: new employees receive QMS orientation and role-specific training (including privacy and security training for GDPR/CCPA, etc.). We keep training records. Competency and training needs are reviewed annually and when roles change.
• Awareness (7.3): The Company ensures everyone is aware of the QMS policies and their personal contribution. Key messages (like the Quality Policy, security reminders, anti-bribery pledge) are periodically communicated via emails and town-hall meetings. External experts are provided a summary of relevant policies (e.g., code of conduct, data protection guidelines) when they join. All must understand the importance of compliance with the QMS and consequences of deviations.
• Communication (7.4): We have established internal communication channels for QMS matters. For instance, there is a dedicated QMS section on our intranet where updates and documents are posted. Regular meetings (weekly team meetings, monthly quality focus meetings) facilitate dialogue on quality issues. Important communications (like changes to procedures or urgent notices, e.g. a new GDPR requirement) are sent to all staff and experts via email and require acknowledgment. External communication: We have processes for communicating with clients and regulatory bodies – ensuring accurate and timely information (this is detailed in the Client Communication SOP). Any official external communications about compliance (e.g., responding to a client’s supplier audit questionnaire) are handled by the QA Officer or designated management.
• Documented Information (7.5): The Company’s QMS documentation includes this manual, policies, SOPs, work instructions, forms, records, and electronic data records. All QMS documents are controlled under the Document Control SOP (see SOP section). Each document has an identifier, version number, author, approver, and revision history. Documents are stored in a central Document Management System (DMS) with access control. Only authorized personnel can create or modify documents, and approvals (by process owners or QA) are required before release. Obsolete documents are withdrawn from use (but archived if needed for reference). Records – such as training records, audit reports, CAPA records, client contracts – are maintained as objective evidence of compliance. Records are stored securely (often digitally) with defined retention times (in compliance with legal and client requirements). The Document Control SOP ensures that both internally created documents and external documents (like standards or client specifications) are identified and controlled.

5. Operation (Clause 8)

Operational planning and control is critical since the Company’s “product” is the service connecting clients with regulatory affairs experts and managing related projects. Key operational processes are defined, and where appropriate, detailed by SOPs or work instructions:

• 8.1 Operational Planning & Control: The Company plans its services to ensure consistency with QMS requirements. For each client project or marketplace transaction, we ensure requirements are understood and we operate under controlled conditions. This includes using standard workflows in the platform and checklists to guide project execution. Changes in operations (like a change in client requirements or substitution of an expert) are managed in a controlled manner, evaluating any risks from the change.
• 8.2 Requirements for Products and Services: When a client approaches the Company for regulatory affairs support (via the marketplace posting or a direct request), we have clear processes for determining requirements. Client Communication SOP outlines how we gather client needs (scope of regulatory project, timelines, compliance needs such as Part 11 or specific country regs). We ensure that all requirements (including implied or statutory/regulatory requirements for the given service) are captured and agreed before accepting the work. If the client provides a regulatory procedures request, the Company (through its platform or project manager) reviews it for clarity. Any ambiguous requirements are resolved with the client before work begins. Once requirements are confirmed, they are documented in a formal agreement or project plan.

We also maintain a proposal and contract review process: no client project is accepted without a review to confirm we can meet the requirements. If we cannot meet any requirement, we communicate openly and either negotiate an adjustment or refrain from committing. Client orders (or project agreements) and any changes to requirements get formally approved by both parties (recorded via the platform or signed agreement).

• 8.3 Design and Development of Services: In our context, the “design” could refer to developing new service offerings or significant tailoring of an approach for a complex client project. When the Company develops new service workflows or platform features, we follow a mini design-control process: capturing inputs (client/regulatory needs), performing planning, reviewing and verifying the design (e.g., testing new platform functionality), and validating that it meets user needs before full release. For regulatory affairs service methodology, we rely on expert knowledge and regulatory guidelines as design inputs. We document any new procedures and have them reviewed by senior regulatory experts before use. (If not applicable, some aspects of design control may be limited, since many services are executed by experts according to external regulatory guidelines rather than internal product design.)
• 8.4 Control of Externally Provided Processes, Products, and Services: The Company uses external providers in two main ways: (a) the external regulatory experts themselves are independent contractors providing services to clients via our platform, and (b) other suppliers such as IT infrastructure providers (cloud hosting, SaaS tools) and support services. We treat external experts essentially as “outsourced processes” or suppliers in QMS terms. Thus, we have a robust External Expert Oversight SOP (detailed later) which covers qualification, contracting, performance monitoring, and auditing of experts. Each expert must sign an agreement to comply with our quality and security standards (including confidentiality and data protection clauses). We verify credentials and experience during onboarding. The performance of experts is monitored through client feedback and periodic audits (“Expert Health” audits as described in the SOP). Poor performance or non-compliance leads to retraining, suspension or removal from the platform.

For other suppliers (like cloud service provider for data hosting, or any subcontractors), the Company has a Supplier Management process: we define criteria for selection (e.g., data center providers must have ISO 27001 or similar certifications, critical software tools must meet security requirements). We maintain an Approved Supplier List. Prior to onboarding a new supplier, we assess risks (for critical services, conduct due diligence questionnaires or require certifications). Supplier performance is periodically reviewed (at least annually, or per service level agreements). We ensure contracts with suppliers include necessary provisions (e.g., data protection agreements for any sub-processors in compliance with GDPR). Any outsourced process that can affect service quality (like if we outsource a part of a regulatory procedure to a local partner) is controlled by specifying requirements clearly and monitoring outputs.

• 8.5 Service Provision and Delivery: The core operation is matching clients with qualified experts and ensuring the promised regulatory affairs service is delivered successfully. We have controlled conditions for service delivery, including:
  • Use of the Company platform to manage communications, document exchange, and project tracking (ensuring a single source of truth and audit trail).
  • Standard operating procedures for common services (where applicable) or checklists for specific regulatory tasks that experts must follow (if provided).
  • Monitoring of project timelines and milestones by the Company’s project coordinators to ensure deadlines and quality expectations are met.
  • Clear definition of responsibilities in each project (the client, the expert, and the Company’s oversight role).

During service execution, any identification and traceability needs are addressed: for example, documents produced by experts (regulatory submissions, reports) are labeled with identifiers and version control. We maintain traceability of which expert worked on which project and any review/approval steps.

We also care for property belonging to customers (8.5.3) – typically this could include confidential regulatory documents or data that clients share. Such data is treated securely: access is limited to the assigned expert and necessary Company staff, and it’s stored in encrypted form on our platform. If clients provide physical materials (less likely in our scenario, but e.g., reference samples or equipment for testing in a regulatory context), procedures ensure their proper handling and return.

Preservation of outputs (8.5.4) in our context means protecting the integrity of service outputs like reports or submission dossiers. We use secure file management and backups to preserve electronic records. The platform ensures version control and backup of all delivered files. If hard copies are needed, we have handling procedures (though we strive for digital).

• 8.6 Release of Products and Services: Before final delivery to a client, the Company ensures that the service output has been verified to meet requirements. For example, if an expert prepares a regulatory submission dossier, the Company may perform an internal quality check (where feasible) or ensure the expert has completed their own checklist. Critical projects might involve a peer review by a second expert or the Company’s internal regulatory specialist to double-check compliance. We have a policy that no deliverable is forwarded to a client without at least one form of review/approval. Evidence of conformity (like a completed review checklist or client acceptance test) is maintained as a record. The Client Communication SOP also covers obtaining formal client sign-off on delivered work when applicable.
• 8.7 Control of Nonconforming Outputs: If something goes wrong – e.g., a delivered service or work product fails to meet requirements or has errors – the Company has a process to control and correct nonconformities. When a nonconformance is identified (by a client complaint, internal review, or audit finding), we:
  • Contain the issue: e.g., halt delivery if not yet sent, or immediately inform the client of the issue if already delivered, and agree on remedial steps.
  • Segregate or tag non-conforming items if physical (in services, this translates to marking a document as superseded, etc., so it’s not mistakenly used).
  • Determine and execute correction: e.g., the expert revises the document to correct errors, or a different expert is assigned to fix the issue, at no cost to the client.
  • Obtain client acceptance of the corrected output.
  • Record the nonconformance in our CAPA system (if significant). Even minor issues are logged as appropriate, at least in a nonconformance log, to analyze later.

If the nonconformance cannot be fully corrected (rare, but e.g., a regulatory deadline missed due to our fault), we would evaluate with the client possible compensations or alternative approaches, and management is involved in deciding how to handle the impact. Nonconformance records are inputs to the CAPA process – we analyze root causes and initiate corrective/preventive actions (see CAPA section) to avoid recurrence.

6. Performance Evaluation (Clause 9)

Monitoring and measuring our processes and outcomes is vital to confirm that the QMS is effective and to identify opportunities for improvement:

• Customer Satisfaction (9.1.2): The Company actively monitors client satisfaction. After each project or service delivery, clients are requested to complete a feedback survey (or at least a rating on key parameters such as quality of work, timeliness, communication). We track these ratings and comments. Additionally, we monitor other indicators of satisfaction, like repeat business, client testimonials, or any formal complaints. A Complaints and Feedback Log is maintained. All complaints are treated seriously – see CAPA for how we investigate and address them. Periodically (e.g., quarterly), the QA Officer analyzes feedback trends and reports to management. Our quality objective is to maintain high satisfaction levels (e.g., >95% positive feedback) and quickly resolve any client issues.
• Internal Audit (9.2): The Company conducts regular internal audits of the QMS to ensure that it conforms to ISO 9001 and other integrated standards, and that it is effectively implemented. Internal audits are performed twice a year as per our Internal Audit Schedule (see section “Internal Audit Schedule” below for details and dates). Audits cover all departments and key processes on a rotational basis, including audits of external expert processes (see “Expert Health Internal Audit” in the External Expert Oversight SOP). Trained internal auditors (who are independent of the areas they audit to ensure impartiality) carry out the audits. We use an Internal Audit Checklistaligned with ISO 9001 and other applicable standards to guide the auditing process. Findings are documented in Internal Audit Reports, which categorize any nonconformities or observations. For each finding, the audited area owner must propose and implement corrective actions (routed into the CAPA system). The QA Officer tracks the closure and effectiveness of these actions. Results of audits are reported in management review meetings. (Note: Our internal audit process aligns with ISO 19011 guidelines for auditing and leverages the principles of ISO 17021-1 to maintain rigor and objectivity).
• Monitoring, Measurement, Analysis, Evaluation (9.1.1 & 9.1.3): Apart from audits and customer feedback, the Company has defined various Key Performance Indicators (KPIs) for processes. Examples: platform uptime percentage (relevant to service continuity), number of expert non-compliance incidents, average project turnaround time, training completion rates, etc. We have a Metrics Dashboard updated monthly. We ensure that monitoring methods are appropriate – for instance, using automated tools to measure system performance, and manual checks for process compliance. Data from these measurements are analyzed to evaluate if processes are in control and objectives are being met. We also compare against previous periods for trends. Significant evaluation results (e.g., an upward trend in late project deliveries) trigger management attention and potentially a CAPA to investigate.
• Management Review (9.3): As mentioned under Leadership, top management reviews the entire QMS at least once every six months (and in practice, key aspects are reviewed quarterly). The Management Review Agendaincludes all required inputs: audit results, customer feedback, process performance data, status of risks and opportunities, nonconformities and CAPA status, follow-up actions from prior reviews, changes that could affect the QMS (e.g., new laws like an update to GDPR, or strategic changes), and recommendations for improvement. Outputs of the review include decisions and actions related to resource needs, opportunities to improve, any need for changes to the QMS, and goals for the next period. The meeting is minuted, and action items are tracked to completion.

7. Improvement (Clause 10)

The Company is committed to continual improvement of the QMS and its performance:

• 10.1 General Improvement: We foster a culture where employees and experts can suggest improvements. We have a Continuous Improvement Log for capturing ideas, which are reviewed by the QA Officer and relevant managers. Some improvements are incremental (e.g., updating a template for clarity) and some are breakthrough (e.g., implementing a new module in the platform to automate a process). We prioritize and implement feasible improvements, documenting changes via the Document Control process.
• Nonconformity and Corrective Action (10.2): When nonconformities occur, whether identified via customer complaint, internal audit, or any other means, the Company reacts promptly to control and correct the issue (as described in 8.7). Additionally, we take steps to address the root cause to prevent recurrence. This is the core of our CAPA (Corrective and Preventive Action) Procedure (detailed in its own SOP). In summary, our CAPA process involves:
  • Logging the issue in the CAPA Register and assessing its scope/impact.
  • Investigating the root cause using appropriate techniques (5 Whys, Fishbone diagrams, etc.) by a responsible team.
  • Identifying corrective actions (to eliminate the cause of the nonconformity) and preventive actions (to eliminate causes of potential nonconformities, if a proactive opportunity or to prevent recurrence elsewhere).
  • Implementing those actions with agreed deadlines and responsible persons.
  • Verifying the effectiveness of actions after implementation (e.g., did the corrective action actually resolve the problem? We might do follow-up audits or monitor the process for a period).
  • Properly documenting the entire process (the problem, root cause analysis, action plans, completion dates, verification evidence).
• The CAPA system is crucial for continuous improvement and is given high priority by management. Trending of CAPAs is done (e.g., how many open vs closed, common causes) to identify systemic issues.
• Preventive Action: Although ISO 9001:2015 uses risk-based thinking instead of a separate preventive action clause, the Company still explicitly encourages looking for preventive actions. This can overlap with risk management – when we identify a high-risk scenario (say, potential for a new regulation to impact us), we proactively take actions (like training staff or updating a process) before any nonconformance occurs. These proactive improvements are documented either in the risk register or CAPA system as appropriate.
• Continual Improvement (10.3): All the above elements feed into continual improvement. The QA Officer compiles an Annual QMS Report summarizing QMS performance, improvements made, and outstanding issues. This helps plan the next cycle of improvements. The Company strives not just to correct issues, but to refine and optimize processes continuously – for example, streamlining workflows to increase efficiency or adopting new best practices as standards evolve. We also stay current with updates to the standards themselves; for instance, if ISO 9001 gets amended or ISO 27001:2022 (newer version) controls are updated, we evaluate and incorporate relevant changes to keep the QMS state-of-the-art.

In conclusion, through adherence to ISO 9001:2015, the Company ensures a robust quality management foundation upon which the other specific standards and requirements are built. Next, we detail those other standards (ISO 27001, ISO 27018, etc.) and how our integrated management system addresses their specific requirements.

ISO/IEC 27001:2022 – Information Security Management

ISO/IEC 27001 is the backbone of our Information Security Management System (ISMS). It provides a systematic approach to protecting sensitive information (including client data, personal data, and intellectual property on our platform) through risk management and a set of security controls. The Company’s ISMS is integrated with the QMS, meaning security considerations are woven into processes company-wide. Key aspects of our ISO 27001 compliance include:

ISMS Scope and Policy

Scope: The scope of the ISMS covers all information assets and processes related to the Company’s SaaS platform and supporting operations. This includes customer data stored on the platform, personal data of users, communications, development and maintenance of the software, and physical/virtual infrastructure used. The scope is documented in the ISMS Scope Statement and generally overlaps with the QMS scope, with an emphasis on information and systems.

Information Security Policy: The Company has an Information Security Policy (approved by top management) that states our commitment to safeguarding information in terms of confidentiality, integrity, and availability. It outlines high-level responsibilities and principles (like least privilege access, compliance with applicable laws such as GDPR, and continuous improvement of security). This policy is communicated to all employees and relevant external parties (experts and any suppliers with access to our data). It is reviewed annually.

Organizational Security Roles: We have assigned a role of Information Security Officer (ISO) (this might be our CTO or a dedicated security manager, depending on company size) who oversees ISMS implementation. Additionally, specific roles like System Administrator, DevOps Engineer, and Data Protection Officer (DPO) have security-related responsibilities in their job descriptions. An ISMS Team or Committee may meet periodically to discuss security issues, though given our size, this might be the same as the IT team plus QA.

Risk Assessment and Risk Treatment (ISO 27001 Clauses 6 and 8)

We follow ISO 27001’s risk management process:

• Asset Inventory: We maintain an inventory of information assets – including hardware, software, databases, critical documents, and intangibles like reputation. Each asset has an owner.
• Risk Assessment: Using an ISO 27001-compliant methodology, we identify threats and vulnerabilities for each asset, evaluate existing controls, and determine risk levels (considering impact and likelihood). For example, a risk: “Unauthorized access to client regulatory files on the platform.” Threats could be hackers or misuse by insiders; vulnerabilities might be weak passwords if not controlled.
• Risk Treatment: For each identified risk, we decide to mitigate, transfer, accept, or avoid. We then apply controls from ISO 27001 Annex A as needed to mitigate risks to an acceptable level. A Risk Treatment Plan documents which controls are chosen and the residual risk after implementation. For the example risk, controls might include strong user authentication, access control policies (Annex A.9), and encryption (Annex A.10).
• We also address opportunities (positive risks) in the security context, like adopting new technology that could enhance security (e.g., moving to a cloud provider with better built-in security).
• Statement of Applicability (SoA): We have a document mapping the Annex A 2022 controls (114 controls across 14 domains in ISO/IEC 27001:2022) to our implementation status. If any control is not applicable (for instance, A.11 Physical Security might not fully apply if we have no office, but we still address physical security of home offices and data centers), we justify it in the SoA. Most controls are applicable given our cloud operations; for example:
  • A.5 Information Security Policies – we have those in place.
  • A.6 Organization of Information Security – roles and contact with authorities are defined.
  • A.7 Human Resource Security – background checks for staff, security training, NDA agreements.
  • A.8 Asset Management – asset inventory and acceptable use policies.
  • A.9 Access Control – user access management procedures, the least privilege principle.
  • A.10 Cryptography – we enforce HTTPS, encryption of data at rest in databases, etc.
  • A.11 Physical and Environmental Security – our servers are in a secure cloud data center (AWS/Azure, etc.), which has certifications; for any local assets, we advise secure storage and screen locking, etc.
  • A.12 Operations Security – change management for IT, malware protection, regular backups.
  • A.13 Communications Security – network security controls like firewalls, secure configuration.
  • A.14 System Acquisition, Development, Maintenance – secure coding practices, code reviews, vulnerability scanning in development.
  • A.15 Supplier Security – assessments and contracts as discussed earlier.
  • A.16 Information Security Incident Management – see below.
  • A.17 Business Continuity – ties with ISO 22301, see separate section.
  • A.18 Compliance – ensure legal, regulatory, security compliance including privacy laws.
• Risk Register: We maintain an active risk register that is updated with new risks or changes (at least reviewed annually and whenever significant changes occur, such as new systems or major incidents). The risk assessment results feed into selecting controls and investments (like deciding to implement multi-factor authentication because the risk of password compromise was high).

Information Security Controls Implementation

Key controls the Company has implemented (in line with ISO 27001 Annex A) include:

• Access Control: We enforce strong access controls for both the Company’s internal systems and the SaaS platform:
  • Unique user IDs for every employee, expert, and client user. No shared accounts.
  • Password policy requiring strong passwords and periodic changes. (We plan to implement multi-factor authentication for all privileged access and perhaps for all users where feasible).
  • Role-based access: Users only see data for which they are authorized. For example, an external expert can only access the projects they are assigned to; clients only see their own project data; internal staff have access based on need (principle of least privilege).
  • Access provisioning and de-provisioning: New staff or experts get access only after necessary approvals and training. When someone leaves or an expert contract ends, access is revoked immediately. We maintain an Access Control SOP detailing this.
  • Regular access reviews: Every quarter, the IT administrator and QA Officer review user accounts and permissions to ensure they are current.
• Cryptography: All web traffic on the platform is encrypted via TLS (HTTPS). Sensitive personal data and documents stored in the database or file storage are encrypted at rest. For example, we encrypt identification numbers or any sensitive client provided data in our database. Encryption keys are managed securely (with key rotation policies in place and keys stored in a secure key management service).
• Physical Security: We use reputable cloud hosting providers with certified data centers (ISO 27001 certified, SOC 2, etc.). Those data centers handle physical security (guards, surveillance, controlled entry). For our minimal office operations (if any) or employee home offices: we enforce basic physical security guidelines – like locking screens, using encryption on laptops, keeping devices safe, and proper disposal of sensitive printouts (though we are largely paperless).
• Operations Security:
  • We maintain up-to-date anti-malware protection on all company-managed devices. Developers and staff use antivirus and endpoint protection solutions.
  • Patching: Servers and software dependencies are regularly updated with security patches. We have a schedule (e.g., at least monthly patch cycle, and critical patches as soon as possible).
  • Logging and Monitoring: System logs (access logs, application logs) are collected and monitored. We have automated alerts for certain events (e.g., multiple failed login attempts trigger an alert or lockout, suspicious network traffic triggers an alert).
  • Change Management: Changes to the platform (code changes, config changes) follow a change management process including testing in staging, peer code reviews, and documented approval before production deployment. We try to separate duties such that the person who writes code isn’t the sole decider to deploy it. All changes are logged.
  • Backups: Regular backups of critical data (client documents, database content) are performed (daily incremental and weekly full backups, for instance). Backups are encrypted and stored off-site (e.g., in a different region of the cloud). Backup restoration is tested periodically to ensure data can be recovered (this overlaps with business continuity).
• Communications Security:
  • We secure our internal and external network communications. The platform servers are behind firewalls that only allow necessary traffic. Administrative remote access is via secure VPN or SSH with key authentication and restricted to admin IPs.
  • Data transfers: When sending sensitive data to clients or receiving from clients outside the platform, we use secure methods (preferably always through the platform; if email is needed for some reason, we’d use encryption or secure file share).
  • We have guidelines for employees on using only approved communication channels for work information (to avoid e.g. using personal email for client data).
• Supplier Security: (A.15) As noted, we evaluate and impose security requirements on critical suppliers (cloud providers, any subcontractors). Data processing agreements are in place with any sub-processor handling personal data, to satisfy GDPR article 28 requirements.
• Incident Management (A.16): See next subsection on how we manage incidents.
• Business Continuity (A.17): We align with ISO 22301 – covered in its own section below.
• Compliance (A.18): We track legal requirements. For instance, GDPR and CCPA requirements are integrated into our processes (see sections on privacy). We ensure user consent and data subject rights processes are in place. We also ensure any sector-specific regulations for clients (like FDA Part 11) are supported by our platform features.

We maintain appropriate documented procedures or guidelines for many of these controls (like an Access Control Policy, an Acceptable Use Policy for employees, Secure Development Guidelines for our dev team, etc.). All staff and experts must also sign a confidentiality agreement to protect client data.

Information Security Incident Management

Despite robust controls, incidents may occur (e.g., suspected data breach, malware infection, unauthorized access attempt). The Company has an Incident Response Plan (IRP):

• Users are instructed to report any security incident or weakness immediately to the Information Security Officer or via a dedicated incident reporting email.
• We classify incidents by severity. Our plan defines actions for different types of incidents (loss of laptop, hacking attempt, virus detection, etc.).
• An Incident Response Team (which can be ad-hoc, consisting of IT staff, security officer, and relevant managers) is convened for significant incidents.
• Steps of incident handling include: record the incident in the Incident Log, contain the incident (e.g., isolate affected systems, revoke compromised credentials), eradicate (remove malware, fix vulnerabilities), recover (restore systems from backups if needed, resume services), and communicate as required.
• Communication: If a data breach involves personal data, we have obligations under GDPR to notify the supervisory authority within 72 hours and potentially the affected individuals, unless the breach is unlikely to result in risk to rights. Our plan covers this notification procedure (the DPO assists with regulatory notifications). Similarly, clients would be informed promptly of any incidents affecting their data.
• After resolution, we perform a post-incident review: analyze root causes and identify improvements (this links to CAPA to prevent reoccurrence).
• Incident response procedures are tested (at least with tabletop exercises annually, or as part of business continuity tests) to ensure team readiness.
• We also maintain cyber insurance (if applicable) and have contacts with external experts (like cybersecurity consultants) we can call on if needed for forensic analysis.

All incidents, even minor ones, are documented. Lessons learned from incidents feed into updating the risk assessment and reinforcing controls.

ISMS Maintenance and Continuous Improvement

The ISMS is not a one-time setup; it’s continuously monitored and improved:

• Internal ISMS Audits: As part of our internal audit program, we include audits of the information security controls (some audits may specifically focus on ISO 27001 compliance). This ensures we identify any gaps or control failures.
• Management Review for ISMS: The management review described in the QMS section also encompasses ISMS performance. Specifically, we review results of risk assessments, status of security objectives (like any target we set for incident reduction), results of audits, effectiveness of controls, and any new threats or vulnerabilities that emerged.
• Metrics: We track security metrics, such as number of incidents, average time to resolve incidents, percentage of staff with updated security training, etc., as part of performance evaluation.
• Compliance Checks: We periodically check compliance with legal requirements (GDPR/CCPA audit, software license compliance, etc.) and with our own policies (e.g., quarterly user access reviews as mentioned, or checking system configurations against benchmarks).

By adhering to ISO 27001, the Company ensures a structured and effective approach to safeguarding all information assets, which is critical given the sensitive nature of regulatory affairs data and personal data processed on our platform. Next, we will cover ISO 27018, which adds specific focus on personal data protection in the cloud, complementing our ISMS.

ISO/IEC 27018:2019 – Protection of Personal Data in Cloud Computing

ISO/IEC 27018 is an extension of the 27001/27002 framework, focusing on controls and guidelines specifically for protecting Personally Identifiable Information (PII) in cloud services. As the Company operates a cloud-based platform that processes personal data (of clients, experts, and potentially their customers in regulatory submissions), compliance with ISO 27018 demonstrates our commitment to cloud privacy best practices. Key measures aligned with ISO 27018 include:

• Purpose and Consent: We only process personal data for explicit, specified purposes in line with what users expect. Our Privacy Notice (available to all platform users) clearly states what personal data we collect (e.g., names, contact info, qualifications for experts, etc.) and for what purposes (e.g., to facilitate connections between clients and experts, for platform account management, for legal compliance like KYC). We obtain user consent where required – for instance, marketing communications require opt-in consent. We do not use personal data for secondary purposes like advertising or marketing without consent, in line with ISO 27018’s principle of not using data for purposes unrelated to the cloud service.
• Control and Ownership of Data: We acknowledge that our customers (and users) are the owners of their personal data. We act as a data processor for client-provided personal data. As such, we implement mechanisms to allow clients control over their data:
  • Clients can export their project data upon request.
  • Data deletion: If a client leaves the platform, we have procedures to delete or return their personal data (except any we must retain by law). For example, an expert can delete their profile or a client can request account deletion, and we will erase personal data as appropriate, consistent with GDPR’s right to erasure.
  • We do not mine or profile personal data stored, except as necessary for providing the service (like searching for experts by skill, which users expect).
  • Any data we keep for our purposes (like usage logs) is handled per privacy law (minimized and anonymized where feasible).
• Transparency: ISO 27018 emphasizes transparency to cloud customers. We are transparent about where data is stored (our data hosting region), which sub-processors we use, and how we handle government or third-party requests for data. Our policies state that:
  • We will notify clients of any legally binding request for disclosure of their personal data by law enforcement, unless prohibited by law. (E.g., if a government subpoena arrives, we try to redirect it to the client or at least notify them, per ISO 27018 guidelines).
  • We publish a list of major sub-processors (e.g., our cloud infrastructure provider, email service provider) in our privacy documentation, so clients know who might process data.
  • Our terms include commitments to cooperate with clients in fulfilling their obligations (like assisting with data subject access requests, see GDPR section).
• Cloud-specific Security Controls: Building on ISO 27001 controls, we ensure multitenant cloud considerations:
  • Segregation: We logically segregate each client’s data from others. Our platform’s architecture enforces tenant isolation so that one client cannot access another’s information. Similarly, expert profiles and client projects are separated by access controls.
  • Administration of cloud environments: Administrative access to the cloud environment is limited to a few authorized engineers. We use secure admin consoles with MFA and logging for cloud management (AWS/Azure).
  • Backup and Restore for PII: We ensure that personal data in backups is equally protected. If a client requests deletion of personal data, we have a process to also remove it from active systems and ensure it will be purged from backups within a defined period or excluded from restoration if needed.
  • Retention: We define retention periods for personal data. We do not retain personal data longer than necessary. (For example, if an expert leaves, we remove their personal data after, say, 1 year unless needed for legal reasons; client project data might be retained for X years for legal archiving or as agreed, but deleted after that).
• Incident Notification: In case of any breach involving personal data, beyond our internal incident response, we commit to notify affected clients without undue delay (within the timeframe required by GDPR and as per any contractual obligation). We include this in our customer agreements as well.
• Privacy by Design and Default: When developing our platform or new features, we incorporate privacy considerations from the start. For example, default settings on the platform are privacy-friendly (profiles of experts only show necessary info, personal contact details are not visible until appropriate, etc.). We also carry out Data Protection Impact Assessments (DPIA) for any high-risk processing (e.g., if we were to introduce a new module that uses personal data in novel ways, we’d assess its privacy impact).
• Training and Awareness: Employees and experts handling personal data are given specific training on data protection and privacy requirements, including ISO 27018 principles and relevant laws (GDPR/CCPA). They understand their duty to maintain confidentiality and privacy.
• Contractual Commitments: We incorporate ISO 27018-aligned clauses in our contracts with clients (as part of our Data Processing Agreement) and with any sub-processors. These include commitments to:
  • Only process personal data on documented instructions of the controller (client).
  • Ensure anyone processing data is under confidentiality obligation.
  • Assist the controller in meeting GDPR obligations (like enabling subject rights, assisting with breach notifications, etc.).
  • Delete or return personal data at contract termination.
  • Submit to audits (some clients may have the right to audit us or see our third-party audit reports).
• Independent Validation: While not required, the Company is considering obtaining certification or independent assessment against ISO 27018 to boost customer trust. In any case, we undergo periodic external audits for security (for example, as part of ISO 27001 certification or client security assessments) which cover these cloud privacy controls as well.

By adhering to ISO 27018, the Company ensures that in addition to general security, the privacy of personal data in our cloud service is given special attention and protection, building trust with all users that their data is safe and handled properly.

ISO 22301:2019 – Business Continuity Management

The Company recognizes that maintaining uninterrupted service to clients and protecting critical operations is essential, especially as a cloud service provider for regulatory activities (where downtime or data loss could have significant consequences). ISO 22301 provides a framework for our Business Continuity Management System (BCMS). Key components of our BCMS include:

• Business Continuity Policy and Objectives: We have an approved Business Continuity Policy stating the Company’s commitment to continue critical services during and after disruptive incidents (like IT outages, cyberattacks, natural disasters affecting our operations, etc.). Objectives include defined recovery time targets for our platform and critical processes (e.g., restore platform functionality within 4 hours of a major outage; ensure no more than X hours of data loss by having frequent backups, etc.). These objectives are aligned with client expectations (for instance, clients need our platform for project communications, so downtime should be minimized).
• Business Impact Analysis (BIA): The Company conducted a BIA to identify and prioritize critical activities and resources. For example:
  • The SaaS platform availability is identified as critical (impact of downtime: clients and experts cannot work, deadlines missed, reputational damage).
  • Communication channels (email, support tickets) are critical for customer support.
  • Key records like project data and expert databases are vital to preserve.
• The BIA assesses consequences of different disruption scenarios and determines acceptable downtime (Recovery Time Objective, RTO) and acceptable data loss (Recovery Point Objective, RPO) for each. For instance, RPO for database might be 1 hour (meaning we backup at least hourly to not lose more than 1 hour of data).
• Risk Assessment (for BCMS): In conjunction with BIA, we analyze risks that could lead to business interruptions:
  • IT infrastructure risks: server failures, cloud region outage, cybersecurity incidents (e.g., ransomware).
  • Utility outages: internet service disruption for our main office or key personnel.
  • People unavailability: e.g., pandemic or key staff incapacitation.
  • External events: regulatory changes or political issues affecting a region we operate in.
• Many of these risks overlap with the ISMS risk assessment. We treat them with continuity in mind – e.g., risk of cloud outage mitigated by multi-region failover, risk of key developer unavailability mitigated by cross-training.
• Business Continuity Strategies and Solutions: Based on the above analysis, we have put in place measures to ensure continuity:
  • Data Backup and Recovery: (As also noted in ISO 27001 section) Regular backups are performed and stored off-site. We have a strategy to restore from backups in a timely manner. We document restoration procedures and have verified that restoration from backups can meet our RPO/RTO.
  • Redundancy: Where feasible, we use redundant systems. For example, our cloud deployment uses multiple availability zones so that if one data center goes down, the others can take over. We maintain redundant copies of critical components (like two instances of application servers behind a load balancer). Similarly, critical employee tools (like critical files or credentials) are accessible to backups or alternate personnel.
  • Alternate Communication Channels: If our primary communication (the platform or company email) is down, we have an alternate method to reach employees and customers (such as a phone tree or an emergency email/SMS service). We keep an updated emergency contact list.
  • Continuity of Expertise: Because our business depends on experts, continuity means if an expert becomes unavailable mid-project (due to illness or other issues), we have processes to quickly assign a backup expert. We keep track of project statuses such that another expert or an internal staff member can pick up if needed.
  • Office/Location Contingency: If we had a main office and it becomes inaccessible (e.g., due to a natural disaster), our workforce can operate remotely (indeed we largely do). We ensure employees have the necessary equipment to work from home or alternate location. If a particular region’s experts are impacted by an event, we attempt to redistribute work to others not affected.
• Incident Response vs. Business Continuity: We differentiate immediate incident response (firefighting) from broader continuity activation. For a major incident, once initial response (like incident management or disaster declaration) happens, we then shift to continuity mode: e.g., initiating our Disaster Recovery Plan to recover IT services. Our DR Plan is a subset of BCMS focusing on IT systems. For instance, if our primary cloud region has a prolonged outage, our DR plan may involve spinning up the environment in a secondary region using infrastructure-as-code and restoring data from backups. We have this documented and some infrastructure pre-provisioned for quick failover.
• BCMS Procedures and Documentation: We have a Business Continuity Plan (BCP) document which outlines step-by-step what to do in various scenarios (cyberattack, server outage, etc.). It includes who decides to invoke the BCP (typically the CEO or a Crisis Manager role), how to communicate internally and externally in a crisis, and the specific recovery procedures. We also have call trees, responsibility matrices, and resource requirements listed in the BCP. This plan is accessible even if our main systems are down (e.g., key personnel have offline copies).
• Testing and Exercises: To ensure the BCMS is effective, we conduct periodic tests:
  • At least annually, we do a simulation or tabletop exercise of a major disruption (like “platform goes down due to DB failure”). The team goes through the motions of recovering from backups or switching to a backup system. We document the time taken and any issues discovered.
  • We also test communication drills (e.g., attempt to contact all employees via alternate means to verify our contact info is up to date).
  • Results of tests are reviewed in management review; lessons lead to improvements in the plans or training.
• BCMS Review and Improvement: The BCMS is part of our internal audit scope as well. We audit the BCP maintenance, check if our BIA and risk assessments are current, and ensure training has been done. After real incidents or tests, we update our strategies accordingly. Management review includes BCMS performance (e.g., were there any downtime incidents, did we meet our recovery objectives, etc.).
• Coordination with interested parties: We consider external dependencies and partners in our BCMS. For example, our cloud provider’s SLAs are factored into our continuity planning. We also communicate our continuity capabilities to clients upon request (some clients want assurance that we can continue operations – we might share a summary of our BCP or uptime records). If a major incident occurred that impacts clients, we have a communication plan to keep clients informed about service status and expected restoration time.

By implementing ISO 22301’s practices, the Company enhances its resilience. Clients can trust that our services will be reliable and that we’re prepared to handle crises without undue disruption to their projects.

ISO/IEC 17021-1:2015 – Audit and Certification of Management Systems

While ISO/IEC 17021-1 is a standard for certification bodies rather than for service companies, the Company’s QMS aligns with its principles to ensure we are audit-ready and manage our internal audit program effectively. Here’s how we embrace relevant aspects of ISO 17021-1:

• Competence of Auditors: Our internal auditors are trained and qualified to perform audits of our management system. We ensure they have knowledge of the standards (ISO 9001, ISO 27001, etc.), understanding of audit principles, and the skills to interview, sample records, and evaluate evidence. If internal resources lack some competence (for example, auditing technical IT controls), we provide training or engage an external auditor/consultant to assist. This mirrors ISO 17021-1’s focus on auditor competence for certification bodies, applied proportionally to our internal context.
• Impartiality: We maintain impartiality in our internal audits by avoiding conflicts of interest. Auditors do not audit their own work or departments. For example, the IT Manager would not audit the ISMS that he himself operates; instead, the QA Officer or an external auditor would do it. Top management supports this by allowing auditors the freedom to report findings honestly, without interference. This ensures audit findings are trustworthy.
• Consistency and Rigor: We develop our internal audit procedures with guidance from ISO 19011 and 17021-1 to ensure each audit is carried out systematically. We use checklists and audit plans to cover relevant requirements and processes. Over time, we strive to ensure consistency (e.g., two different auditors would approach an audit with similar diligence). We also calibrate our understanding of nonconformity grading (major vs minor, etc.) in the internal context, to maintain fairness and focus on what’s important.
• Audit Program Management: The internal audit schedule (twice yearly) is planned to cover all relevant areas in a 12-month cycle. We also include surprise spot-checks or short-notice audits occasionally for areas that need frequent verification (especially in information security). If any major changes occur (like implementing a new process or after a significant incident), we may schedule an additional audit to verify the change. This dynamic approach ensures our audit program remains effective and aligned to risk.
• Addressing Findings: There is a formal mechanism for handling audit findings – similar to how a certification body expects corrective actions. When internal auditors raise a nonconformity, management is required to undertake root cause analysis and implement corrective action by a deadline. The QA Officer verifies these actions, essentially ‘closing’ the audit finding only when satisfied. This process is documented and tracked, demonstrating to any external party that we treat internal audit results seriously – just as we would have to respond to certification audit findings.
• Readiness for Certification Audits: Because we plan to possibly certify our QMS/ISMS, we manage our system in a way that any accredited certification body auditing us (who themselves adhere to 17021-1) would find our system in order. We maintain all necessary documented information and records neatly. We have a Certification Plan on when to engage a certifying body for ISO 9001/27001 etc. and ensure no conflicts – e.g., we might use a certification body that is accredited by a 17021 authority (like UKAS or ANAB). When that time comes, we will ensure our internal audit was done shortly before, and any issues resolved, to smooth the certification process.
• Management System Certification Awareness: We understand that ISO 9001 certification must be renewed at intervals (usually every 3 years with surveillance in between)en.wikipedia.org. So our QMS includes planning for these cycles, budgeting time and resources for external audits, and keeping improvement active so we don’t fall behind between audits.

In summary, by internalizing the expectations of ISO 17021-1, the Company ensures that our management system is robust, credible, and can stand up to external scrutiny. This gives confidence to top management and clients alike that our QMS/ISMS isn’t just a paper exercise, but is effectively implemented and continuously verified.

ISO/IEC 25012:2008 – Data Quality Management

The quality of data is crucial in our platform – whether it’s regulatory information, user profiles, or transaction records. ISO/IEC 25012 provides a model for data quality which the Company uses to define and evaluate the quality of data managed in our systems. We address the key data quality characteristics as follows:

• Accuracy: Data should correctly represent reality or a verifiable source. The Company ensures accuracy by validation checks and reviews. For example, when an external expert enters their qualifications into their profile, we may verify against uploaded certificates or external databases. Regulatory procedure information on the platform (like descriptions of services) is reviewed by our internal team for accuracy against official regulatory guidelines. Any data migrations or calculations in the system are tested to ensure no errors. We also encourage clients and experts to report any inaccuracies they notice; corrections are promptly made and tracked.
• Completeness: All required data attributes are present. Our system enforces mandatory fields where needed (e.g., an expert profile must have certain key fields filled out before it’s considered complete). We track completeness of records: for instance, a client project entry should have all sections populated (scope, deadlines, attachments, etc.). In cases where data is optional but later needed, the process flows prompt the user to provide it at the right time (ensuring nothing essential is missing when moving to the next stage of a workflow).
• Consistency: Data is consistent within itself and across the system. We ensure that if the same data element is stored in multiple places, it’s synchronized. For example, if an expert’s contact info is in their profile and also in an active project record, updates to one reflect in the other. We use a single source of truth for key data to avoid discrepancies. Business rules are in place to enforce allowed value ranges and formats (ensuring consistency of units, date formats, nomenclature, etc.). We also ensure referential integrity in our database (e.g., no project references a non-existent client).
• Credibility (Reliability): This refers to the trustworthiness of the data source. Users need to trust that data on our platform comes from credible origins. We bolster credibility by verifying data sources: e.g., expert credentials verification as mentioned improves trust in their profile data. We maintain logs and audit trails for who created or changed data and when, adding accountability. Data provided by the Company (like regulatory guidelines or templates we share) is obtained from authoritative sources (official regulatory agencies) and updated regularly, with references where appropriate. Thus, users can rely on the content.
• Currentness (Timeliness): Data should be up-to-date. The Company sets policies for how quickly data is updated after changes. For example, if an expert gains a new certification or a regulation changes, we strive to update that info immediately or as soon as verified. We implement automatic expirations or review prompts for data that can go stale – e.g., we might mark an expert’s certification as needing re-validation after a year, or ensure that regulatory content is reviewed quarterly. Our platform shows timestamps on critical data entries (like “last updated” dates) so users are aware of data currency. Backups and archived data are clearly separated from live data to avoid using outdated information inadvertently.
• Accessibility & Availability: Data quality also means users can get the data when needed. We ensure that our data is accessible to authorized users through an intuitive interface and search functionality. Permissions are configured so that the right people can access the right data without unnecessary barriers (while still protecting unauthorized access). In terms of availability (system uptime), our continuity and IT measures ensure the data can be accessed with minimal downtime (per our continuity objectives). If there are large datasets or reports, we provide suitable tools to retrieve them (like export functions) to ensure usability of data.
• Compliance (as a quality characteristic): Particularly for personal data, quality includes compliance with regulations. We ensure data is labeled and handled in compliance (e.g., marking personal data fields so that we can apply privacy rules to them such as not exposing or deleting upon request). Also, data quality means data usage complies with any constraints – for instance, we won’t use client-provided regulatory documents beyond their intended context.
• System-Dependent Qualities: ISO 25012 divides some qualities as system-dependent:
  • Availability: Already noted – we ensure systems are reliable so data is available.
  • Portability: We ensure data can be ported – e.g., if a client wants their data exported to move elsewhere, we can provide it in a usable format (CSV, Excel, etc.). This also relates to GDPR’s data portability right.
  • Recoverability: Data can be restored after an incident (ties to backups).
  • Integrity: No unauthorized alteration – overlapping with security; we use checksums or application logic to ensure data isn’t corrupted. For example, file uploads have integrity checks.
• Data Quality Assurance Process: The Company has integrated data quality checks into processes. When data is entered or imported, we perform validation (format checks, mandatory fields, logical checks). Periodically, we run scripts or reports to find anomalies (e.g., missing values where there shouldn’t be, duplicates of entries that should be unique like duplicate user accounts or two experts with same license number, etc.). If found, we clean the data or initiate a data cleansing project. We keep meta-data about data quality issues and their resolution.
• User Responsibility for Data Quality: We also communicate to users (clients and experts) their role in maintaining data quality. For example, experts are expected to keep their profile information up-to-date; clients should review and confirm the accuracy of any data in deliverables. The platform provides easy ways to update information and encourages confirmation (like summary pages to review before final submission).
• Continuous Improvement in Data Quality: Data quality metrics (like percentage of complete profiles, number of data errors caught) are tracked. If we see frequent issues (e.g., many experts inputting a phone number in an incorrect format), we improve the input validation or instructions. Data quality is also considered in our internal audits and any management review concerned with information management.

By aligning with ISO 25012’s data quality model, the Company ensures that the information within our system is reliable and meets the needs of those relying on it – which is crucial in the context of regulatory compliance services, where decisions made on incorrect or outdated data can have serious consequences.

ISO 14001:2015 – Environmental Management

Although the Company’s operations are primarily digital and service-oriented (with a relatively small environmental footprint compared to manufacturing industries), we are committed to environmental responsibility in line with ISO 14001 principles and ISO 26000’s environmental aspects. Key points of our Environmental Management approach include:

• Environmental Policy: The Company has an Environmental Policy (approved by management) that states our commitment to minimize environmental impacts, comply with relevant environmental legislation, and continually improve our environmental performance. This policy is communicated to all staff and made available publicly (e.g., on our website or upon request, since we want to be transparent about our stance even if we don’t seek formal ISO 14001 certification yet).
• Identification of Environmental Aspects: We have evaluated how our activities impact the environment. Being a SaaS provider, our significant aspects might include:
  • Energy consumption (primarily from data center usage and office equipment).
  • Electronic waste (from hardware we use and eventually dispose of).
  • Commuting/travel (though minimal if we have a remote workforce, but business travel for meetings or conferences can contribute to carbon footprint).
  • Paper use (we aim for paperless operations, but any printing has an impact).
  • Indirectly, supply chain impacts (like the environmental practices of our cloud provider or other suppliers).
• We maintain an Environmental Aspects Register where these aspects are listed along with their potential impacts (e.g., carbon emissions from energy use, resource consumption from hardware).
• Compliance Obligations: We ensure compliance with applicable environmental laws and regulations, although in our context these may be limited (e.g., local laws on electronic waste disposal or energy use regulations if any). We also consider voluntary commitments like supporting international climate initiatives or industry best practices.
• Environmental Objectives and Targets: Based on significance, we set some objectives. For example:
  • Reduce office (or home office) energy use by X% by encouraging power-saving settings and switching off equipment when not in use.
  • Ensure 100% proper recycling of all end-of-life IT equipment.
  • Carbon-offset all business travel and perhaps even our data center electricity consumption to achieve a net-zero carbon operation for those sources.
  • Increase use of environmentally friendly materials (like using recycled paper if printing is needed, etc.).
• These objectives have action plans and responsible owners. For instance, to offset data center energy, we might purchase renewable energy credits (if not already done by our provider, many cloud providers have sustainability commitments that we leverage).
• Operational Controls: We implement simple but effective controls:
  • All employees are educated on energy conservation (e.g., enabling laptop power management, avoiding unnecessary printing).
  • We have a Green IT practice: we choose energy-efficient equipment (monitors, servers) and cloud configurations. Our cloud deployment is right-sized to avoid waste (auto-scaling down when load is low to not waste computing power).
  • If we have a physical office, we implement recycling bins for paper, plastic, and e-waste bins for batteries or electronics. We use energy-efficient lighting and HVAC settings.
  • For remote workers, we encourage best practices like proper equipment disposal and possibly assist them in that.
  • Company travel policies include using virtual meetings by default to avoid travel, and if travel is necessary, using economy class and direct flights (which reduce per-capita emissions), etc., as well as offsetting emissions.
  • We consider the environmental performance of suppliers: e.g., we favor cloud providers and vendors with strong environmental commitments (like AWS’s goal for 100% renewable energy or similar from Azure/Google Cloud).
• Emergency Preparedness (Environmental): Not highly relevant given we don’t handle hazardous substances, but we consider scenarios like a server battery backup leak or fire in office – we have appropriate safety measures (fire extinguishers, proper battery disposal). Essentially, our risk of environmental incidents is low, but we still plan for any small incidents (like safe clean-up of a spilled chemical in cleaning supplies, etc.).
• Monitoring and Evaluation: We track metrics like:
  • Electricity usage (if we have separate meter or from cloud usage approximations).
  • Number of hardware items recycled vs sent to landfill.
  • CO2 emissions from travel (we can calculate from flights taken).
  • Paper consumption.
  • We might do an annual carbon footprint calculation to understand our impact.
  • We review these in management review or sustainability reviews to see if we meet objectives (e.g., did we reduce energy usage? Did we offset X tons of CO2?).
• Awareness and Training: Employees are informed about the Company’s environmental goals and how they can help. This might be part of onboarding or periodic training. We also encourage suggestions from employees for green initiatives.
• Continuous Improvement: We periodically (at least annually) review our environmental aspects and performance. If new aspects arise (say we open a data center ourselves or expand offices), we will incorporate them. We adjust objectives to drive further improvement or to address any areas where we fell short. We also celebrate and communicate improvements (for example, if we achieved carbon neutrality for the year, we share that success).

Even though our environmental impact is modest, by following ISO 14001’s framework we ensure we are doing our part to operate sustainably and responsibly. This contributes to the broader social responsibility profile of the Company and meets expectations of stakeholders who value sustainability.

ISO 45001:2018 – Occupational Health and Safety

The health and safety of our employees and contractors (including external experts when they are on assignments that involve physical presence, though much of the work is remote) is a priority for the Company. We align with ISO 45001 to provide a safe and healthy work environment:

• OH&S Policy: The Company’s Occupational Health & Safety Policy declares our commitment to providing safe working conditions, preventing injury and ill health, and fulfilling legal OH&S requirements. We aim for zero work-related incidents. This policy is communicated to all staff. Though our work is mainly desk-based, we still address relevant risks (ergonomics, mental well-being, work-life balance, etc.) as well as any site-related safety for any physical meetings or events.
• Hazard Identification and Risk Assessment: We conduct assessments of the work environment:
  • Ergonomics: Employees working at computers for long hours face risks of musculoskeletal disorders or eye strain. We assess home office setups or our office setup for ergonomics. We provide guidelines on proper chair, desk height, screen position, etc. We may offer subsidies or equipment (ergonomic chairs, laptop stands, external keyboards) to ensure comfortable setups.
  • Stress and Mental Health: High workloads or tight regulatory deadlines can cause stress. We recognize this as a health aspect. We encourage reasonable work hours, have an open door policy for discussing workload issues, and provide resources (maybe an Employee Assistance Program or counseling hotline) for mental well-being.
  • General Workplace Safety: If we have an office, we assess slips, trips, electrical safety, fire safety, etc. Ensure cables are managed, fire alarms/extinguishers are present, first aid kit available, and emergency exits are known. For home offices, we provide guidance (like keeping a tidy workspace, not overloading sockets).
  • Travel Safety: If employees or experts travel to client sites or conferences, we have guidelines for safe travel, including any necessary health precautions (especially in different countries or if visiting industrial sites).
  • Covid-19 or Health Epidemics: We include protocols for any public health issues (e.g., encourage remote work, provide PPE or guidelines if physical meeting is needed, etc.) as part of risk assessment in recent times.
• We document identified hazards and evaluate risk (likelihood and severity). For any significant risks, we plan control measures.
• Legal Requirements: We comply with relevant occupational safety laws. For example, if in a jurisdiction requiring workplace safety committees or reporting of incidents, we adhere to those. We keep informed of regulations like OSHA (if in US) or other local H&S laws. Although office environments are low-risk, there may be requirements around display screen equipment assessments, etc., that we fulfill.
• OH&S Objectives: We set some simple targets: e.g., conduct an ergonomic self-assessment for 100% of employees annually; provide at least one training on health (like a workshop on stretching or stress management) per year; maintain zero lost-time injuries (an injury causing missed work days) – this is realistic for our environment but we still track any incidents like slips or repetitive strain complaints.
• Participation and Consultation: We involve employees in safety matters. Even if not formally required by law due to small size, we welcome safety suggestions and have a representative (could be the HR manager or a voluntarily chosen safety champion) who employees can approach with H&S concerns. External experts, while not working in our office, are encouraged to practice safe work habits too and inform us if any work-related health issue arises from tasks we assign.
• Operational Controls for OH&S:
  • We provide training to staff on safe workstation setup, taking breaks to avoid strain, maintaining work-life balance. Also training on emergency procedures (like what to do in a fire, who to call for medical emergency).
  • We have incident reporting for OH&S: if anyone has an accident or a near-miss (even minor, like a stumble or an electrical shock from equipment), they should report it. We investigate and fix root causes (even as simple as adding a floor mat if someone slipped on a wet floor).
  • If we organize any in-person events (like a team offsite or training day), we plan those with safety in mind (choose safe venues, check for any allergies or health concerns for catering, etc.).
  • Emergency preparedness: For an office, we have evacuation plans, drills (if applicable), first aid trained personnel. For remote employees, we provide guidance on what to do in various emergencies (like if an employee is in an area with an earthquake risk, general advice).
• Performance Monitoring: We keep records of any H&S incidents or complaints (fortunately likely few). We might do periodic surveys about workplace comfort and stress levels. Sickness absence rates can be a metric (though many factors affect that, we see if work-related issues might contribute).
• We ensure any corrective actions from incidents (e.g., after someone reports wrist pain, we might provide a better keyboard or insist on breaks) are implemented.
• Continual Improvement in OH&S: Through the management review or periodic H&S review, we evaluate if our controls are effective and if there are new issues to address (for instance, a trend of employees working very long hours could prompt us to take action on workload management to prevent burnout). We update our risk assessment yearly. We also follow developments (like new guidance on blue light from screens affecting sleep, etc.) to update our practices.

By caring for occupational health and safety, the Company not only complies with moral and legal obligations but also fosters a healthier, more productive workforce. This in turn supports quality and consistency in the services we provide (healthy employees and experts are able to deliver better results).

ISO 37001:2016 – Anti-Bribery Management

Integrity is paramount in regulatory affairs. The Company has a zero-tolerance policy for bribery and corruption, in alignment with ISO 37001’s framework for an Anti-Bribery Management System (ABMS):

• Anti-Bribery Policy: The Company’s Code of Conduct and a specific Anti-Bribery Policy clearly state that employees, external experts, and anyone acting on our behalf are strictly prohibited from offering, promising, giving, or accepting bribes of any kind. This applies to dealings with government officials (relevant since regulatory affairs often involve government agencies) as well as private sector clients and partners. The policy outlines examples of prohibited conduct (e.g., kickbacks for awarding contracts, lavish gifts to influence decisions, facilitation payments, etc., unless a facilitation payment is officially permitted and unavoidable by local law – which we generally disallow anyway).
• Compliance Management and Leadership Commitment: Top management is committed to ethical business practices. We assign a Compliance Officer or make the QA Officer responsible for anti-bribery compliance oversight. They have sufficient authority and independence to oversee ABMS. Top management regularly communicates the importance of anti-bribery compliance and leads by example (tone at the top). Any hint of unethical behavior is addressed immediately to show commitment.
• Risk Assessment (Bribery Risk): We assess bribery risks periodically. Considerations:
  • Interactions with government regulators (since our experts might deal with agencies for product approvals) – risk: an expert or employee might be tempted or asked to pay a facilitation fee to speed up approval. Mitigation: we train that this is not allowed and we have strict procedures for such interactions; we might also choose to avoid using any intermediary that suggests bribery.
  • Hiring of external experts – risk: conflict of interest or bribery in selecting an expert. Mitigation: selection based on merit via transparent platform processes; no one employee can unilaterally hire a relative without disclosure.
  • Clients – risk: a client offers a kickback to a staff member to secure a lower fee or priority service. Mitigation: two-person oversight on pricing decisions; gifts policy (we limit value of gifts employees can accept, e.g., small token items under $50 are okay, anything beyond must be declared and often refused).
  • Third-party agents or consultants (if we use any in different countries) – risk: they might engage in bribery. Mitigation: due diligence on third parties, include anti-bribery clauses in contracts, and possibly get certifications or representations of their compliance.
  • Procurement (our own suppliers) – though we have few, ensure no bribes in supplier selection.
• Due Diligence: We perform due diligence on prospective business associates, such as:
  • External experts: beyond checking qualifications, we ask them to disclose any conflicts of interest or any history of legal violations. They must agree to our Code of Conduct.
  • Major clients or partners: If entering large contracts, we might verify the integrity of the organization (screening against sanction lists, etc.) to avoid complicity in any corrupt scheme.
  • Suppliers: Evaluate if they have any red flags of corruption, especially if they operate in high-risk countries or sectors.
• This due diligence process helps us avoid partnering with individuals or entities with a reputation or record of corrupt practices.
• Controls and Procedures: We implement several anti-bribery controls:
  • Financial Controls: All financial transactions are recorded transparently. Any commissions or discounts offered have to be properly documented and justified. Expense reports are reviewed – any hospitality or gift expenses claimed by staff are scrutinized against our gift & entertainment policy (which sets modest limits and approval requirements).
  • Separation of Duties: No single individual has end-to-end control over high-risk processes. For example, for any payments: one person requests, another approves. For engagement of experts or awarding subcontracts: a committee or at least two persons are involved.
  • Approval for Gifts/Donations: Employees and experts are instructed that giving or receiving gifts related to our business beyond a nominal value requires approval from Compliance Officer. We keep a Gifts Register for transparency. Charitable donations on behalf of the Company are allowed only through a formal process to ensure they are not a guise for bribery.
  • Reporting Mechanisms: We have established a confidential whistleblowing channel. Employees or external parties can report any suspicion of bribery or unethical behavior anonymously (or with identity protected) without fear of retaliation. The process for this is in the policy (e.g., an independent email or a third-party hotline).
• Training and Awareness: All employees (and we also extend training to external experts, at least in simplified form or via a code briefing) receive anti-bribery training. This covers recognizing situations that could be bribery, how to say no and report if they encounter solicitation of a bribe, etc. New hires get this training and everyone refreshes at least annually. Key personnel in higher risk roles (e.g., anyone who interacts with regulators or manages finances) might receive more detailed training including scenario role-plays.
• Monitoring and Review: The Compliance Officer monitors compliance – e.g., periodically auditing accounts for any suspicious payments, ensuring gift registers are up to date, and checking that required due diligences were done. They report to top management on ABMS performance. We also consider having internal audit include checks on anti-bribery controls effectiveness.
• Response to Incidents: If a bribery incident or allegation occurs, we have a procedure:
  • Investigate promptly and impartially (possibly engage external legal counsel depending on severity).
  • Take appropriate disciplinary action if internal (which could mean termination of employment or contract for any individual involved).
  • If laws were violated, we will cooperate with law enforcement authorities as required.
  • Communicate results and corrective actions, and review our controls to prevent future incidents.
• We also protect whistleblowers and ensure no retaliation as mentioned.
• Continuous Improvement: We update the bribery risk assessment and controls if new risks emerge (for example, expanding to a region with higher corruption index may require stronger measures or local consultants vetted carefully). We also keep updated on anti-bribery laws (like UK Bribery Act, US FCPA, etc., if applicable) to ensure our program meets those extraterritorial requirements as needed.

By following ISO 37001’s guidance, the Company fosters a culture of integrity and can confidently demonstrate to clients and regulators that we have robust measures to prevent and detect corruption in any aspect of our operations. This not only avoids legal penalties but also protects our reputation and that of our clients.

ISO 26000:2010 – Social Responsibility

ISO 26000 provides guidance on corporate social responsibility (CSR), which the Company embraces as part of our ethos. While not a certifiable standard, it influences our values and policies. Key areas of social responsibility and how we address them:

• Organizational Governance: We incorporate accountability, transparency, ethical conduct, and respect for stakeholder interests in our governance. For example, we have clear governance structures (as described in QMS leadership) that ensure decisions are made ethically and in consideration of impacts on all stakeholders (customers, experts, employees, community, environment). We produce internal reports on our CSR activities and performance, and we are transparent about our practices (sharing aspects of our QMS/CSR with clients or the public as appropriate).
• Human Rights: Even as a small company, we commit to respecting human rights. We ensure non-discrimination and equal opportunity in hiring and in how we treat employees and experts. We have policies against harassment and bullying. We also consider human rights in our supply chain – for instance, we avoid doing business with organizations known for labor exploitation. If we were involved in any projects with potential human rights implications, we’d carefully assess them (though unlikely in our regulatory consultancy context). We also support privacy as a human right through our strong data protection measures (linking to GDPR compliance).
• Labor Practices: In line with both ISO 26000 and labor laws, we provide fair labor conditions:
  • Fair wages and benefits within our capacity.
  • Reasonable working hours and respecting work-life balance (no excessive overtime culture).
  • A safe work environment (as detailed in ISO 45001 section).
  • Opportunities for training and career development for staff.
  • Freedom of association: while we may not have formal unions due to size, we respect employees’ rights to form or join such if desired.
  • For external experts (who are independent contractors), we strive for fairness and clarity in our contracts, including timely payment and respect for their intellectual contributions.
• Environment: As described under ISO 14001, we aim to reduce our environmental footprint, which is part of being socially responsible to the planet.
• Fair Operating Practices: This overlaps with anti-bribery (ISO 37001) – conducting business with integrity, fair competition, no bribery, respecting property rights. We also adhere to fair marketing practices – we represent our services truthfully and do not mislead clients. We protect intellectual property of our software and respect IP of others (no unauthorized use of others’ materials). If we engage with industry groups or lobby in regulatory contexts, we do so ethically and transparently.
• Consumer Issues: Though we are B2B, our clients are like consumers of our service. We ensure:
  • Service quality and safety: Our platform and services are designed to meet high quality and security standards, protecting client data (safety in terms of data protection).
  • Transparent communication: We give clear information about what our service includes, pricing, and terms. We have a process for addressing client complaints effectively (client communication SOP).
  • Client support: We assist clients in using the platform, provide helpdesk support for any issues. If a client is not satisfied, we work to make it right, within reason.
  • Data privacy: As thoroughly addressed under GDPR/CCPA – we handle client personal data responsibly.
  • We do not engage in any practices that could harm clients, and we take responsibility if our service causes an error (e.g., professional indemnity, though not explicitly mentioned, we likely carry insurance for errors & omissions to protect clients).
• Community Involvement and Development: We strive to be a positive presence in the community:
  • We may support professional communities such as Regulatory Affairs Professionals societies (perhaps contributing knowledge or sponsoring events).
  • We encourage employees to participate in community service or STEM mentoring, and may allow some paid time for volunteerism aligned with our values.
  • If our business grows, we might institute scholarship or internship programs for aspiring regulatory professionals, fostering development in our field.
  • We are mindful of the impact we have on the local economy and society – primarily by providing good employment opportunities and by facilitating compliance in healthcare or other regulated industries, indirectly benefiting society by helping safe and effective products reach markets (a broader view of our service’s social value).
• Ethical Behavior and Value Chain: We promote ethics not only internally but also expect ethical behavior from our partners and in our value chain. This means our procurement, expert onboarding, and client selection consider ethical criteria. We avoid doing business that could contribute to socially harmful activities. For example, if we had a potential project that involves something ethically controversial, we would evaluate it carefully in line with our values and possibly decline if it conflicts with our commitment to social responsibility.
• Transparency and Communication on CSR: While not mandated, we are open about our CSR efforts. We may include a section on our website or a report about what we’re doing for environment, labor, etc., to inform stakeholders and show our commitment (provided this is done sincerely and not just as PR).

In essence, ISO 26000’s guidance helps ensure that the Company’s operations not only comply with regulations but also contribute positively to society and minimize any negative impacts. It aligns with our long-term vision of being a responsible and respected player in the regulatory consulting field.

GDPR and Data Privacy Compliance

As noted earlier, compliance with the EU General Data Protection Regulation (GDPR) is a major component of our data protection efforts. Here we consolidate and elaborate how we fulfill GDPR requirements (and similarly for other jurisdictions’ privacy laws):

• Lawful Bases for Processing: We identify and document the legal basis for all personal data processing:
  • For most of our operations, the basis is contract (e.g., processing expert and client data to deliver the services they signed up for) or legitimate interest (running and improving our platform, preventing fraud, etc.), or consent where we rely on it (such as for optional marketing emails).
  • We keep records of processing activities (ROPA) that include purposes, data categories, subjects, recipients, retention schedules, and bases, as required by Article 30 GDPR.
• Data Subject Rights: We have procedures to uphold rights of individuals (whether they are clients, experts, or any individuals whose data we handle):
  • Right of Access (Subject Access Requests): If someone asks what data we have on them, we verify their identity and then provide a complete report within the 1-month timeframe. We have a template and process to gather data from all systems. Our Data Security/Privacy SOP covers how to handle such requests.
  • Right to Rectification: Users can edit their basic personal data on the platform themselves (self-service). If they request a correction that they cannot do, we have support personnel handle it promptly.
  • Right to Erasure: Also known as right to be forgotten. A user (client or expert) can request account deletion. Our process will remove personal data from our active systems and then handle backups and third parties. We also ensure to communicate this to any third-party processors who have the data. If complete erasure is not possible due to legal reasons (e.g., we need to keep invoice records for tax), we inform the individual and securely archive that data out of operational use.
  • Right to Restrict Processing: If a dispute about data accuracy or usage arises, we can flag the data in our system to restrict its processing (e.g., temporarily deactivate an account but not delete until resolved).
  • Right to Data Portability: For data that the user provided, we can export it in a structured, commonly used format. For instance, an expert can download their profile details and client reviews; a client can export project records.
  • Right to Object: We honor objections to certain processing. If someone objects to direct marketing, we immediately stop sending them marketing (and we have opt-out links on emails for this). If an individual’s data is being processed under legitimate interest and they object and we have no compelling reason to override, we cease that processing for that person.
  • Automated Decision-Making: We currently do not make any legally significant decisions purely by algorithms (no profiling that would produce significant effects). If we ever introduce such features, we will ensure GDPR compliance (like providing information and opt-out options).
• We maintain a Data Subject Rights Request Log to track all requests and ensure timely handling.
• Privacy Notices: We have a clear Privacy Policy that fulfills GDPR Articles 13/14 information duties. It describes what data we collect, for what purposes, who we share it with (e.g., “we share your data with external experts you choose to engage, cloud service providers who host our data, etc.”), how long we keep it, rights of individuals, and contact info including how to reach our Data Protection Officer if applicable. For EU users, it includes details like our EU representative if needed and the right to lodge a complaint with a supervisory authority.
• Data Protection Officer (DPO): If required (e.g., if our core activities involve large scale processing of sensitive data or systematic monitoring – likely not, but to be safe we might designate someone as DPO voluntarily since we handle cross-border data), we have appointed a DPO or at least a privacy officer function. The DPO (or privacy officer) monitors compliance, advises on GDPR obligations, and is involved in relevant discussions (like new projects, DPIAs, incident response). Their contact is available to users.
• Consent Management: Where we rely on consent (like for sending newsletters to prospects or using any optional cookies on our website beyond necessary ones), we implement proper consent mechanisms:
  • Consent is obtained via clear affirmative action (no pre-ticked boxes).
  • We record the consent (who consented to what and when).
  • We allow easy withdrawal of consent at any time (e.g., unsubscribe links).
• Data Breach Response: (As covered earlier) we have a process to notify authorities and individuals in case of personal data breaches that meet notification thresholds. We have a template notification letter and a decision matrix on when notification is needed. We also have internal escalation so that within e.g. 24 hours of discovering an incident, the incident response team and DPO evaluate the breach severity.
• Vendor Management (Processors): Under GDPR, when we use data processors (cloud providers, email delivery services, etc.), we ensure:
  • We have Data Processing Agreements (DPAs) in place with all processors, containing GDPR Article 28 clauses (including sub-processor approval, breach notification, assistance with DSARs, etc.).
  • We only choose processors who provide sufficient guarantees of security (checking certifications or standards compliance).
  • If data is transferred outside the EU, we utilize appropriate safeguards (e.g., Standard Contractual Clauses in the DPA, since after Schrems II we ensure US providers have SCCs and consider supplementary measures).
• International Data Transfers: We map data flows. If we handle EU personal data in the US (for example, our main operations might be in US, or using US-based cloud), we comply with transfer requirements:
  • Implement SCCs with any non-EEA data importer.
  • Assess if the legal environment of the importer might require additional safeguards (e.g., encryption in transit and at rest so even if government requests data it’s protected).
  • Keep an eye on EDPB recommendations and update measures as needed.
• Privacy by Design and DPIA: For any new system or feature involving personal data, we integrate privacy considerations from the start (this is part of our development checklist). If a new processing is likely high risk (though unlikely for us unless we start profiling health data or such), we conduct a Data Protection Impact Assessment to systematically analyze and mitigate risk. For example, if we considered implementing AI to scan regulatory documents containing personal data, we’d do a DPIA to see if it impacts privacy rights.
• Records and Audit: We maintain GDPR compliance documentation (policy, ROPA, DPA copies, training records, DPIAs, etc.). We also self-audit or get an external consultant to audit our privacy compliance periodically to ensure nothing is missed.
• CCPA & Other Laws Coordination: While GDPR is more comprehensive, we also tailor compliance to CCPA which emphasizes disclosure and opt-out of “sale” of data. We treat CCPA separately in the next section, but our core privacy program covers many overlapping principles (transparency, rights, security) that also satisfy CCPA and similar laws (like LGPD in Brazil, PDPA in some countries, etc. as needed).

In summary, GDPR compliance is deeply ingrained in our operations, not just as a legal checkbox but as part of how we respect user privacy. This builds trust with our European clients and users and, by extension, improves data practices for all users globally (since we often apply high standards universally rather than separate by region).

CCPA Compliance (California Consumer Privacy Act)

The CCPA grants California residents specific rights over their personal information and imposes duties on businesses that meet criteria (which the Company might, if doing business with CA residents and meeting thresholds). Our approach to CCPA compliance is as follows:

• Transparency (Notice at Collection): When we collect personal information from California residents (e.g., during signup on our platform or when an expert fills out their profile), we provide a notice at or before the point of collection that informs them of the categories of personal information to be collected and the purposes for which they will be used. Our Privacy Policy has a section tailored to CCPA that lists:
  • Categories of personal info we collect (e.g., identifiers like name, email; professional info; internet activity on our site; geolocation if any; etc.).
  • The business or commercial purposes for each category (e.g., to provide services, for analytics, for marketing).
  • Categories of third parties with whom we share that info.
  • It also confirms we do not sell personal info unless we explicitly start and provide opt-out (currently, we state we do not sell personal data as defined by CCPA, as we don’t exchange data for money or equivalent).
• Right to Know (Access) and Data Portability: Similar to GDPR’s access right – a California consumer can request that we disclose to them:
  • The categories of personal info we have collected about them.
  • The categories of sources of that info.
  • The business purpose for collecting it.
  • The categories of third parties we share it with.
  • Specific pieces of personal info we have collected about them.
• Our process for CCPA access requests aligns with our general DSAR process. We verify the requester (using information we have on file, and if necessary additional info, mindful of CCPA regs about verification). Within 45 days (or an extension if notified), we provide the information, largely drawn from our privacy policy and the individual’s data records. We have a template that covers each bullet point above, plus the specific data in a portable format.
• Right to Delete: A California consumer can request deletion of their personal info. Once we verify the request, we will delete the info from our records and direct our service providers to do the same, unless an exception applies (CCPA exceptions include needing the data for completing a transaction, legal compliance, security, etc.). Our deletion procedure follows similarly to GDPR erasure: remove from active systems, confirm to the consumer when completed, and note if anything was exempted (like we kept transaction history for legal compliance).
• Right to Opt-Out of Sale: Though we do not sell personal info in the common sense, CCPA’s definition of “sell” is broad (could include certain analytics or advertising sharing if any). We examined our data flows:
  • If we used any third-party advertising cookies that share data, we would treat that as a “sale” requiring opt-out. As of now, our platform doesn’t share user data for advertising, but we ensure that if in future we monetized data in any way, we’d implement a “Do Not Sell My Personal Information” link on our website footer, allowing a user (or authorized agent) to opt out easily. Currently, our privacy policy explicitly says “We do not sell personal information. In the event that changes, we will update this notice and provide opt-out options as required.”
  • For safety, we have the infrastructure ready: e.g., a page where a user can toggle their preference or contact us to record their opt-out. Although currently not needed, it’s part of our compliance readiness.
• Right to Non-Discrimination: We do not discriminate against anyone who exercises their privacy rights. That means if someone opts out of data sharing or asks for deletion, we will not deny them services or charge different prices (except if the service inherently requires data, but then it’s a consequence not a punishment, as allowed by CCPA). We train our customer service and sales on this – no retaliatory actions. If we ever offer a financial incentive (like a discount in exchange for staying subscribed to marketing, which CCPA allows with notice), we will ensure it’s permitted and that the terms are explained, but currently we have no such programs.
• Verification and Agents: When handling CCPA requests, we follow the regulations on verifying identity. For account holders, we can often verify by login authentication. For non-account holders or if an authorized agent makes the request, we may require a signed permission or even a proof of identity as allowed. We have a standard operating procedure for verification (e.g., match at least two or three pieces of data we have on file).
• Service Providers: Under CCPA, we ensure our contracts with service providers stipulate that they cannot use personal info except for the service they provide (so they are genuine “service providers” and not third parties to whom a sale would be attributed). Many of our suppliers have addenda stating their service provider status. This way, sharing data with them (like storing data on a cloud server, using a CRM, etc.) is not considered a sale.
• Training: CCPA mandates that employees handling inquiries about the company’s privacy practices or CCPA compliance are informed of the requirements. We have trained our support and compliance team on how to recognize and properly log/handle a CCPA request. They know the timelines (45 days initial, possible 45-day extension), and they know not to provide certain sensitive pieces in an access report unless appropriately requested (like SSN, which we typically don’t collect anyway).
• Data Mapping and Annual Review: We treat CCPA as part of our broader data mapping. Each year (or when processes change) we review what categories of info we collect and ensure our Privacy Notice is up-to-date. We also keep aware of developments, like the new California Privacy Rights Act (CPRA) amendments effective 2023, which extend CCPA (e.g., adding right to correct inaccuracies and additional requirements). We adapt our program accordingly (for instance CPRA adds data minimization and retention disclosure requirements, which we incorporate by stating retention periods and ensuring we don’t keep data longer than stated).
• Other State Laws: In practice, we extend similar courtesy to users from other regions too. Many states (like Virginia, Colorado etc.) are implementing their own privacy laws. Our system is flexible enough that honoring privacy requests isn’t limited to California residents only; we generally will honor legitimate requests from any user regarding their data, to maintain trust (unless there’s a conflicting legal requirement).

By meeting CCPA requirements, the Company not only stays legally compliant in California (avoiding potential fines or lawsuits) but also demonstrates respect for user privacy, which is a competitive advantage and part of our ethical values.

FDA 21 CFR Part 11 – Electronic Records and Signatures Compliance

For clients in regulated industries (such as pharmaceutical or medical device companies), our platform and services may be used in contexts where FDA 21 CFR Part 11 compliance is expected for electronic records and signatures. The Company has built controls into our platform and QMS to support Part 11 requirements:

• User Account Security: Each user (client or expert) who needs to sign or manage records in a Part 11 context has a unique account. Shared accounts are prohibited. This ensures accountability for actions. We enforce strong password policies and session timeouts to prevent unauthorized use of a logged-in session.
• Electronic Signatures Implementation: If our platform provides electronic signature functionality (for example, an expert “approving” a document or a client “signing off” on a deliverable):
  • Signatures are linked to the respective user accounts, which are under secure controls as mentioned.
  • When a user applies an e-signature, the system captures the printed name of the signer, the date and time of signature, and the meaning of the signature (for instance, a user might select a reason like “Approved” or “Reviewed”).
  • We ensure that once applied, electronic signature manifestations are stored with the record and cannot be excised or altered without detection.
  • We have established that signing requires a deliberate action: e.g., clicking a specific “Sign” button and possibly re-entering credentials or a PIN (two-factor authentication or at least password re-prompt) to confirm identity at time of signing, as is common practice for Part 11 compliancearenasolutions.com.
  • Signature records include a unique identifier linking the signature to the user and record, meeting the requirement for signature manifestationgreenlight.guru.
• Audit Trails: The platform maintains secure, computer-generated audit trails for any creation, modification, or deletion of electronic records that are Part 11 relevant. These audit trails record the user, timestamp, and action performed (e.g., document edited, data field changed). Importantly, audit trails are not editable by users. They are stored in an append-only manner, often in a separate secured log system. We also regularly review a sample of audit trails to ensure system integrity and check for any unusual activity.
• System Validation: We treat our platform as a GxP system for the sake of Part 11. We have a Software Validation Plan and maintain evidence that the platform is validated to perform as intended:
  • Requirements and specifications for features (especially those related to data, security, and signatures) are documented.
  • Testing (IQ/OQ/PQ – Installation, Operational, Performance Qualification) is performed for major releases. We have test cases covering functionality, security, and error conditions for the features that could affect record integrity or signature processes.
  • We retain validation documentation (test plans, test results, any deviations and resolutions).
  • When we update the software, we assess if re-validation or regression testing is needed to ensure continued compliance.
• Records Retention and Copies: We have policies consistent with predicate rules (the underlying regulations requiring records). For instance, if a client uses our platform to store regulatory submissions drafts, Part 11 requires that records be retained for as long as required by the regulatory authority and be available for FDA review. Our backup and archiving strategy ensures that data is not lost or prematurely deleted. If a client leaves, we offer them an archive of their records or an option for continued retention if needed by law. We also ensure we can produce accurate and complete copies of electronic records in both human-readable format (screen or PDF) and electronic format (CSV/XML) suitable for FDA inspection or client needs.
• Operational System Checks: The platform has checks to enforce proper sequencing of steps or events as required. For example, it won’t allow a document to be approved if mandatory fields are empty (enforcing completeness), or won’t allow deletion of a record that’s been signed without special admin intervention and audit trail. Any override actions are limited to admin roles and are also audited.
• Authority Checks: We implement role-based permissions to ensure that only authorized individuals can perform certain tasks (like only designated approvers can sign-off a record; only QA role can alter a controlled document’s status, etc.). This aligns with Part 11’s requirement to ensure only authorized individuals can use the system for its intended purposes.
• Device Checks: Since our platform is cloud-based, device checks (ensuring identity of workstation, etc.) are less applicable, but we ensure secure access via browsers. If we integrated any device like a smart card for signing, we would handle that. At minimum, we ensure that a user session originates from a known, authenticated device context (we may log device/browser info as part of audit trail).
• Training on Part 11: Our team is trained in Part 11 requirements so that design and testing take them into account. Also, if we assist clients in using the platform in a Part 11 context, we provide them guidance on how to maintain compliance (for example, advising them on their responsibilities like SOPs for using the platform, and the need to verify our compliance).
• Procedures and Documentation: Internally, we have an SOP on System Access and Electronic Signatures describing how accounts are managed, how electronic signatures are applied and controlled, and how we handle issues like signature revocation (if an account is compromised, etc.). We document system configuration (password rules, etc.) to show they meet Part 11.
• Collaborating with Clients: We can provide a Part 11 compliance package to clients, which includes our platform validation summary, standard operating procedures related to electronic records management, and possibly a third-party audit report if we have one (some clients may audit us themselves or ask for a compliance questionnaire; we are prepared for that by mapping how our controls meet each relevant Part 11 clause).
• Periodic Evaluation: Even though Part 11 doesn’t mandate certification, we periodically evaluate our compliance posture (potentially through internal audit or external consultant reviews focusing on Part 11). We also stay updated on FDA guidance (like FDA’s guidance on Part 11 scope and applicationfda.gov) to ensure we’re not misinterpreting requirements.

In summary, the Company’s platform and procedures are designed to ensure that electronic records and signatures handled through our service are trustworthy, reliable, and equivalent to paper records and handwritten signaturesen.wikipedia.org. This allows our clients in FDA-regulated sectors to use our platform with confidence and in compliance with their regulatory obligations (assuming they also follow any needed procedures on their side).

With the detailed standard-by-standard alignment covered, the manual now proceeds to concrete operational procedures (SOPs) that implement these policies on a day-to-day basis. The SOPs ensure consistency in execution of the QMS and provide step-by-step guidance for staff.

Standard Operating Procedures (SOPs)

Below is a collection of key Standard Operating Procedures that form part of the QMS. Each SOP outlines the purpose, scope, responsibilities, and specific procedure steps for critical processes. Adherence to these SOPs is mandatory for all relevant personnel. The SOPs are living documents; they are reviewed at least annually (or when processes change) and updated under document control.

(Note: Each SOP is identified by title and a reference code for internal use. The text below is a summary; refer to the full SOP document for comprehensive details.)

SOP: Document Control and Record Management

Reference: SOP-DC-001
Purpose: To ensure all QMS documentation and records are created, approved, distributed, modified, and archived in a controlled manner, maintaining integrity and traceability. This SOP applies to the quality manual, policies, procedures, forms, work instructions, and quality records (whether electronic or hardcopy).

Scope: All controlled documents and quality records within the QMS, including external documents that the QMS relies on (e.g., standards, laws), where applicable.

Responsibilities:

• Document Owner/Author: Drafts or updates documents as needed. Ensures content is accurate and aligns with standards and regulatory requirements.
• Reviewer(s): Individuals (could be process owners or subject matter experts) who review drafts for correctness and completeness.
• Approver: Typically, the Quality Assurance (QA) Officer or relevant top management who formally approves and signs off the document for release.
• QA Officer (Document Control Coordinator): Assigns document numbers, maintains the master list/index of documents, ensures only current versions are accessible, and archives superseded versions. Also responsible for training relevant staff on new/revised documents.
• All Staff: Use only the latest approved documents; promptly discard (or mark as obsolete) any old versions if found.

Procedure:

1. Document Creation/Revision: When a new QMS document is needed or an existing one requires change, the Document Owner drafts the document using the Company’s approved template (which includes sections like purpose, scope, etc., and a document control header with version, date, etc.). For revisions, changes are marked (or tracked) during drafting.
2. Document Identification: Every controlled document is given a unique ID code (e.g., SOP-XX-###) and a title. The header/footer of the document contains the ID, title, version number, effective date, and page numbers. Records (forms, logs) have IDs too but may not have versioning if they are one-time records, except for form templates which do have versions.
3. Review & Approval: The draft document is circulated to designated reviewer(s). They provide feedback or necessary edits. The Document Owner revises accordingly. Once content is satisfactory, the document is submitted for approval. The Approver reviews final content and if acceptable, signs (physically or electronically) the document with approval date. The status is now “Approved”.
4. Version Control: Approved documents are labeled with a version number (starting from 1.0 for initial release; minor edits as 1.1, major as 2.0, etc.). The QA Officer updates the Document Master List (an index of all QMS docs, with current version and dates). The new version supersedes any prior version.
5. Distribution: The QA Officer ensures the latest approved version is made accessible to all intended users:
   • If electronic (preferred): upload to the QMS SharePoint / intranet / document management system. If using a DMS, set appropriate read/write permissions.
   • If hardcopy (only if needed for certain operational areas): print controlled copies on colored paper or stamp “Controlled Copy” and issue to locations. Hard copies are numbered or otherwise tracked.
   • Along with distribution, QA may announce the new or revised document via email or team meetings, highlighting key changes and effective date.

6. Retrieval of Obsolete Versions: Upon new issuance, any user-maintained copies of the old version should be removed from use. The QA Officer, with document owners, will coordinate collecting or deleting old hardcopies and replacing them. Electronic repositories are updated so that only current versions are in the main folder; obsolete versions are moved to an archive folder marked “Obsolete”.
7. Archiving: Obsolete documents (previous versions) are archived by QA Officer. They are kept for a defined retention period (e.g., at least 3 years or as required) to provide history and audit trail but are clearly marked as “Superseded” and not used for operations.
8. Document Changes: When a controlled document needs updating, the same process is followed: propose changes (often tracked with redlines), review, approve, assign new version number and effective date. In the Master List, record the change summary and date. On the document itself, include a Revision History table summarizing what changes were made in each version and approvals.
9. Uncontrolled Documents: The SOP clarifies that any copies of documents not obtained through official distribution are uncontrolled (e.g., if someone saved a PDF locally and it’s updated later, their copy becomes uncontrolled). Users are instructed to check the repository for latest versions rather than relying on old printouts or local files.
10. External Documents: For standards or regulations or client-provided specifications that are referenced in our QMS: we maintain a list of those as well. The QA Officer monitors relevant websites or subscription services for updates to these and updates the QMS accordingly. External documents are not given our internal ID, but we note their source, version/date, etc., and ensure users have access to the current version (e.g., via links or storing copies that are updated).
11. Records Management: Completed records (filled forms, audit reports, training logs, etc.) are collected and stored properly. Each record type has a retention period defined (often in a Records Matrix appendix). For example, audit reports might be kept for 5 years, training records for duration of employment + 3 years, etc. Electronic records are backed up as part of ISMS; paper records if any are kept in secure cabinets. Access to records is controlled by role (privacy and confidentiality respected).
12. Record Integrity: No record should be altered after the fact. If a correction is needed (like in a paper form), single-line strikeout, initial, and date the correction. For electronic records, any changes should have audit trail or versioning. Unauthorized record alteration or destruction is prohibited. Disposition (destruction at end of retention) is done securely (shredding paper, permanently deleting electronic files) and documented.
13. Monitoring: The QA Officer periodically audits the document control process (e.g., checks a sample of documents to see if employees are using the right version, ensures the Master List is up-to-date, etc.). Findings are used to improve the process if needed.

Outputs: Controlled current documents accessible to staff, an updated Master Document List, and a well-maintained records archive. This ensures everyone works from the latest instructions and that we can produce evidence of compliance (records) when needed for audits or reviews.

SOP: Corrective and Preventive Action (CAPA)

Reference: SOP-CAPA-001
Purpose: To systematically manage issues that adversely (or potentially) affect quality, compliance, or security by identifying root causes and implementing corrective and/or preventive actions to prevent recurrence. This SOP drives continuous improvement and fulfills requirements for addressing nonconformities in ISO 9001 and other standards.

Scope: Covers corrective actions in response to identified nonconformities (e.g., audit findings, customer complaints, service delivery failures, security incidents, etc.) and preventive actions to address potential issues identified via risk assessments or trend analysis. Applies to all departments and processes.

Definitions:

• Nonconformity: Non-fulfillment of a requirement (could be a deviation from a procedure, a failure to meet a client spec, a violation of policy, etc.).
• Correction: Immediate action to fix or contain a problem (e.g., reworking a deliverable).
• Corrective Action: Action to eliminate the cause of a detected nonconformity to prevent recurrence.
• Preventive Action: Action to eliminate the cause of a potential nonconformity to prevent it from occurring (often identified through risk analysis or near-misses).

Responsibilities:

• Initiator: Person who identifies an issue (could be anyone: auditor, employee, client via complaint, etc.) and reports or records it in the CAPA system.
• CAPA Owner: A designated person (typically a manager or process owner for the area of the issue) assigned to investigate and drive the CAPA to closure.
• Investigation Team: Individuals (cross-functional if needed) who help analyze the root cause.
• Quality Assurance Officer: Oversees the CAPA system, ensures CAPAs are properly logged, tracked, and closed; provides guidance on investigation methods; verifies effectiveness of actions.
• Management: Provides resources for implementing CAPAs; reviews CAPA status in management review; escalates priority for critical issues.

Procedure:

1. Issue Identification & Reporting: When a nonconformity or undesirable trend is identified, it is documented in a CAPA Request Form or Log. Essential details: date, reporter, description of issue (what happened or what risk is noted), references (e.g., audit report #, complaint #), and initial severity assessment (e.g., minor, major, critical).
   • If urgent (critical impact on product or compliance), immediate containment (correction) is done first (e.g., stop use of faulty process, inform client, fix immediate problem).
   • The QA Officer assigns a unique CAPA ID and enters it into the CAPA Register.

2. Evaluation & Priority: The QA Officer (and relevant management) evaluates the issue’s risk/impact:

1. • Severity (impact on customer satisfaction, regulatory compliance, safety, etc.),
   • Frequency or scope (one-time or system-wide),
   • Timing urgency.
     They classify it (e.g., Critical CAPA needing urgent action, or Routine CAPA). This determines timelines (critical might require immediate action and daily updates, routine maybe within 30-60 days closure).

3. Assignment: A CAPA Owner is appointed – usually the manager of the area or someone with knowledge and authority to implement changes. The CAPA Owner forms an investigation team if necessary.
4. Investigation & Root Cause Analysis: The CAPA team investigates the problem to find root cause(s). Use appropriate tools:

1. • 5 Whys analysis: iteratively asking “why” something happened to drill down.
   • Fishbone (Ishikawa) diagram to consider various cause categories (People, Methods, Machines, Materials, Environment, etc.).
   • Process mapping or Pareto analysis if the data supports.
     They should identify root cause(s) (underlying reasons, not just symptoms) and also note any contributing factors.
     If multiple root causes or systemic issues are found, list them.
     The investigation results and evidence are documented on the CAPA form (e.g., “Root cause of document error: lack of review step in process + training gap on regulatory requirement X”).

5. Action Plan Development: Based on the root cause, the team develops actions:

1. • Corrective Actions: Specific measures addressing each root cause to prevent recurrence. These could include: process changes, additional training, revising documents, adding an oversight step, upgrading software, etc.
   • Preventive Actions: If the issue suggests other areas could have similar problems, or a potential issue was identified before it occurred, plan actions to prevent its occurrence elsewhere. Could overlap with corrective if the issue wasn’t actual yet, but could be.
     Each action is described, responsibility assigned, and a target deadline set. Also, consider interim containment actions if the final fix will take time.
     The plan is recorded and reviewed by the QA Officer and possibly by management for approval if resources are needed.

6. Implementation: The responsible persons implement the actions by the due dates. This might involve:

1. • Changing an SOP or work instruction (following Document Control SOP).
   • Conducting a training session for staff on the new or revised process.
   • Technological fixes (like patching a software bug, adding a field in a form).
   • Communication to stakeholders if needed (e.g., inform clients of a policy change).
     During implementation, the CAPA Owner tracks progress. Any delays or hurdles are noted and, if critical, escalated to management.

7. Verification of Implementation: After all actions are reported as completed, the QA Officer (or someone not directly in the process, to ensure objectivity) verifies that:

1. • Actions were indeed completed (e.g., check new SOP is in place and people trained; verify a tool update has been deployed).
   • The changes address the identified issues (walk through the process to see if the weakness is resolved).
     This may involve an audit or testing. For example, if the CAPA was about improving data backups, verify that backups are now running per the new schedule and that restoration tests passed.
     The verification date and person are recorded.

8. Effectiveness Check: Perhaps the most important step, after some time of the action being in place, evaluate if the issue has truly been resolved and is not recurring.

1. • The CAPA form will specify a timeline or metric for effectiveness (e.g., “No similar complaints in next 3 months,” or “Next internal audit shows 100% compliance in that area,” or “System reports error rate dropped below X%”).
   • At the predetermined time, QA or CAPA Owner reviews data or performs an audit. If the desired outcome is achieved, the CAPA can be considered effective.
   • If not effective (problem persists or reoccurs), the CAPA is reopened: either do a deeper root cause analysis or try alternate actions. This might escalate to higher management if needed.

9. Closure: Once implemented actions are verified and effectiveness demonstrated, the CAPA can be formally closed. QA Officer signs off on the CAPA record with a closure date. The final record includes a summary of root cause, actions taken, dates, and evidence of effectiveness.

1. • The CAPA Register is updated to show it closed.
   • If this CAPA addresses an audit finding or client issue, relevant parties are informed of closure.

10. Trend Analysis: Periodically (e.g., quarterly), QA reviews all CAPAs:

1. • Look for recurring types of issues or root causes (maybe multiple CAPAs point to “lack of training” – then consider a broader training program).
   • Summarizes the number of CAPAs opened, closed, overdue, by category, etc. This is reported in the management review.
   • If many CAPAs in one area, that area might need a targeted audit or management attention.
   • Also ensures no CAPAs stagnate; follow up on overdue ones.

11. Preventive Action (Proactive): Not all preventive actions come from CAPA after a problem. Some come from risk assessment or staff suggestions. These are also logged perhaps in the CAPA system or a Preventive Action Log. We initiate them similarly: analyze potential issue, plan and implement preventive measure, and monitor. We treat them with the same diligence, except initial trigger is not a nonconformance but a risk or opportunity.
12. Communication: Significant CAPAs (e.g., those related to critical compliance issues or major client-impacting problems) are communicated to all relevant personnel so lessons are learned organization-wide. The QA Officer may share a de-identified summary of a CAPA in monthly quality briefs to spread knowledge (“We found that X happened; here is what we did; please ensure you follow the new process to avoid X”).
13. Records: All CAPA forms and supporting evidence (like investigation notes, meeting minutes, training records from action, etc.) are maintained as quality records. Retention perhaps 5 years or duration of certification cycle plus one, etc. These are accessible during audits to demonstrate our improvement process.

Key Performance Indicators for CAPA: We track e.g., number of CAPAs opened vs closed in period, average time to close, percentage of effective vs ineffective actions on first try. Our goal is to address issues promptly and sustainably.

Following this CAPA process ensures we don’t just fix issues superficially – we learn from them and strengthen our system, which is vital for continuous improvement and regulatory compliance.

SOP: Data Security and Privacy (Information Security & GDPR Controls)

Reference: SOP-IS-002 (Data Security & Privacy Management)
Purpose: To outline procedures for protecting Company and client data (especially personal data) in line with our Information Security policies and privacy regulations (GDPR, CCPA, etc.). It covers user access management, data handling practices, incident response at the operational level, and privacy compliance steps for everyday operations.

Scope: All employees, external experts, and any contractors who handle Company information assets or personal data. Covers use of Company systems, cloud platform security, and handling of client data both on the platform and offline.

Key Related Documents: Information Security Policy, Access Control Policy, Privacy Notice, Incident Response Plan. (This SOP references those higher-level policies and provides day-to-day procedure.)

Responsibilities:

• All Users: Responsible for following security practices (using strong passwords, not sharing accounts, reporting suspicious events) and privacy guidelines (only using data as necessary, respecting confidentiality).
• IT Administrator: Manages user accounts, system configurations, monitors for security events, and executes technical measures (backups, patching, etc.).
• Data Protection Officer (or Privacy Lead): Oversees GDPR/CCPA compliance, handles data subject requests, monitors data flows, and advises on privacy matters.
• Information Security Officer: (if separate from IT) Coordinates overall ISMS efforts, risk assessments, and ensures enforcement of security policies.
• Department Managers: Ensure their team members have appropriate access only and that data in their custody is handled per policy. Also ensure any vendors in use by their team are approved.
• Incident Response Team: Group of IT, security, and management that convenes for handling incidents.

Procedure:

1. User Access Management

• Onboarding New Users:
  • For employees: HR or hiring manager requests IT to set up accounts once employment is confirmed. IT generates a unique username (often first.last) and a temporary password which must be changed on first login. Role-based access is determined by job function – e.g., a developer gets access to dev systems, not client data; a project manager gets access to relevant client projects on platform. IT references an access matrix for standard roles.
  • For external experts: Upon successful onboarding (contract signed, etc.), an account is created with appropriate permissions on the platform (access only to their own profile and assigned projects). The expert sets their own secure password via a registration email link.
  • All accounts are tagged with an access level and groups (for example, marketing, finance, etc.) to streamline permission assignments.
• Access Reviews: Managers and IT review user lists every [quarter] to ensure people still need their accesses. Any unnecessary or excess privileges are revoked (principle of least privilege). For external experts, periodically verify they should still have active status (remove if they haven’t taken projects in a long time unless needed).
• Password Management: Enforce password policy: minimum length (e.g., 12 chars), complexity, not reused. Passwords expire every 90 days (for critical admin accounts; for normal users we lean on MFA instead of frequent changes, per modern best practice). Provide a secure password manager if needed. Absolutely no sharing of passwords – if a shared function needed, assign group roles or delegate access via the system.
• Multi-Factor Authentication: For admin accounts and highly sensitive access (like AWS console, database admin), MFA is mandatory (e.g., authenticator app). We are extending MFA to all user logins on the platform gradually.
• Removal/Off-boarding: When an employee leaves, HR informs IT specifying the last work day. On that day (or immediately after exit meeting), IT disables all accounts (Windows login, email, platform, VPN, etc.) and collects/revokes devices. For external experts, when contract ends or they request to leave, their account is deactivated. In both cases, ensure any personal data access is revoked promptly (within 24 hours or even beforehand). Document this in an access revocation log.
• Privilege Changes: If someone changes roles or an expert now is also hired as employee, adjust permissions accordingly. Requires approval by their manager and QA/IT if giving higher privileges.
• Temporary Access: If someone needs temporary elevated access (say a developer needs DB access for a migration), it must be approved, time-bound, and logged. After the task, access is removed.

2. Data Classification and Handling

• The Company classifies data broadly as:
  • Public: e.g., marketing materials (no restrictions).
  • Internal: general business info not public but low sensitivity.
  • Confidential: client project data, personal data of users, Company financials, etc.
  • Highly Confidential: passwords, private keys, sensitive personal data (if any health data, etc.).
• All personal data is treated at least Confidential. Sensitive personal data (if we ever handle any, like someone’s ID copy) is Highly Confidential.
• Handling rules:
  • Confidential data should only be accessed by those with need. Should not be emailed externally unless encrypted or as necessary to client with proper safeguards.
  • Use Company-approved storage (the platform, SharePoint, encrypted drives). Do not store client data on personal devices unencrypted.
  • When sharing with external parties (like sending a report to a client), ensure correct recipient and use secure methods (our platform portal or encrypted email if needed).
  • Printouts of confidential data should be minimized. If printed, don’t leave on printer, label and shred when done.
  • Highly confidential (e.g., passwords or keys) are never emailed or shared in plain text. Use secure key management or secret-sharing tool.
• Cloud data: The majority of data sits in our secure cloud database and storage; direct database access is limited to IT admins. Others use application interface which enforces permissions.
• Encryption: All laptops have full disk encryption enabled. USB drives must be encrypted or usage is discouraged. Data in transit: enforce VPN when on untrusted networks. Personal data fields in database are encrypted at rest.
• Anonymization/Pseudonymization: Where possible for analytics or testing, personal data is anonymized. For example, a test environment uses dummy data or masked real data (names scrambled, etc.).
• Retention: Follow the retention schedule to delete data that’s no longer needed, especially personal data, to reduce risk footprint. For instance, if a client leaves, after X years their data is removed unless needed legally.

3. Workstation and Device Security

• All Company-issued laptops have up-to-date antivirus/endpoint protection. They auto-lock after 5 minutes idle. Employees must use strong passwords for OS and enable encryption.
• For BYOD (if experts use their own computers): They must still follow security guidelines— updated OS, antivirus, secure Wi-Fi, etc. We may require signing an agreement to maintain security. If they access our portal only via web, risk is a bit lower, but any downloaded docs must be protected.
• No installing unapproved software that could pose security risk. IT maintains an approved software list.
• Patching: IT pushes updates for corporate devices. Users are told not to delay critical patches.
• Remote work: When working remotely, users should connect via secure networks. We advise using a VPN if on public Wi-Fi or at least ensure SSL (our platform is SSL anyway). Public computers (e.g., internet cafes) should not be used for logging into Company accounts.
• Physical security: Keep devices safe – not left in cars in plain sight, etc. Use privacy screen filters if working on planes or public places. Paper documents with sensitive data should be locked in a drawer when not used.

4. Backup and Recovery

• The IT admin ensures that servers (database and file storage) are backed up nightly (incremental) and weekly full. Backups stored in separate location (another cloud region).
• Critical business files (like financial records, HR records on SharePoint) also have backup or version history enabled.
• Regularly test recovery: IT will attempt a test restore of data quarterly to confirm backups are viable.
• End-user devices are not centrally backed up, so users are instructed to save critical files to OneDrive/SharePoint which is backed up, instead of local disk, to avoid data loss if laptop fails.

5. Monitoring and Logging

• Our systems log key events: user logins (success and failure), changes to user roles, data exports/downloads, etc.
• IT/security uses a monitoring tool or manual review to check logs daily for anomalies (like repeated failed logins could indicate brute force; unusual time access by an account; large data export by someone).
• We have alerting in place: e.g., admin accounts usage outside office hours triggers an email to Security Officer.
• Emails: We use spam filtering and malware scanning on email attachments. Users are trained to recognize phishing and report suspicious emails to IT (we do periodic phishing awareness exercises).
• If any violation of policy is noticed (like someone saving data to an unauthorized cloud drive), it’s addressed with that person and potentially disciplinary if intentional.

6. Handling Data Subject Requests (Privacy):

• If any staff receives a request from an individual regarding their personal data (access, deletion, etc.), they must immediately forward it to the Data Protection Officer or privacy contact. They shouldn’t try to handle it alone or ignore it.
• The DPO verifies the request and coordinates gathering data or deleting as required, within legal timeframes (see GDPR compliance earlier).
• All such requests and outcomes are logged.

7. Third-Party Data Sharing and Transfers:

• Before sharing any personal data with a third party (like an outsourced service or a new integration), we ensure a DPA is in place and that the third party is approved by management. E.g., if marketing wants to use a new email campaign tool, they must check with DPO for compliance.
• For transfers outside EU (if applicable): follow our policy to use SCCs etc. Generally, refrain from storing EU personal data outside approved regions.

8. Incident Response (User-Level Actions):

• At the first sign of a security incident (suspected phishing compromise, lost laptop, strange system behavior), users must report to the Incident Response Team (IRT) via the designated channel (e.g., security@company or a Teams hotline).
• If a device is lost or stolen: the user informs IT immediately. IT will attempt remote wipe if possible and change credentials that were used on that device.
• If malware suspected: disconnect device from network, IT will isolate and scan it.
• If user account suspected compromised: IT resets password, logs out active sessions, and investigates logins.
• The Incident Response Plan (IRP) is then followed by the IRT, but initial containment steps are given in this SOP for quick action by staff.
• No one should hush an incident; openness is encouraged to minimize damage.

9. Compliance and Audit:

• All staff and experts must annually re-acknowledge the Acceptable Use and Data Security policies (we may have an online training or quiz).
• We carry out periodic internal audits on security (SOPs, logs, user compliance) and also may be subject to external audits from clients or certification bodies. Staff should cooperate and provide accurate info during audits.
• Non-compliances found (like an employee using unauthorized storage) will lead to CAPA as per CAPA SOP.

10. Disciplinary Actions:

• The SOP states that willful or grossly negligent violation of data security policies (like intentionally sharing client data outside, or ignoring repeated warnings) can result in disciplinary action up to termination or legal consequences if warranted. This underscores seriousness.

11. Updates and Training:

• The InfoSec Officer updates this SOP in line with evolving threats or law changes (e.g., if new privacy law arises).
• Regular training sessions (at least annually) are held to remind users of key security practices and privacy principles. New hires get this training within their first week.

By following this SOP, the Company ensures day-to-day operations maintain the high level of security and privacy required by our ISMS and privacy commitments.

SOP: Internal Audits

Reference: SOP-QA-003 (Internal Quality Audit Procedure)
Purpose: To describe the process for planning, executing, reporting, and following up on internal audits of the QMS, ISMS, and other management system elements. Internal audits verify compliance with standards (ISO 9001, 27001, etc.), Company procedures, and effectiveness of implementation, and identify opportunities for improvement.

Scope: All internal audits conducted by or on behalf of the Company, including system audits (covering entire management system against standards), process audits (specific departments or processes), and product/service audits (specific projects or deliverables). Covers audits of internal functions and also includes audits of external expert activities as part of “Expert Health” (detailed separately but aligned with this procedure).

Responsibilities:

• Audit Program Manager: (Typically the QA Officer) develops the annual audit schedule, assigns auditors, ensures resources, and monitors audit program performance.
• Internal Auditors: Trained personnel (could be cross-functional staff) who conduct audits objectively and report findings. They must be independent of the area being audited (no auditing own work).
• Auditee (Process Owner): Manager or team lead of area being audited. Responsible for cooperating with auditor, providing access to info, and implementing corrective actions for findings.
• Top Management: Endorses the audit schedule, provides support to ensure audits happen, reviews results in management review, and ensures issues are addressed.
• Follow-up Auditor: Could be the same or different from internal auditor, who verifies that corrective actions for past findings are completed.

Procedure:

1. Audit Planning (Annual Schedule):
   • The Audit Program Manager prepares an Internal Audit Schedule covering a defined period (e.g., each calendar year or rolling 12 months). The schedule ensures that:
     • All key processes and departments are audited at least annually. Some critical areas (like data security, regulatory compliance processes) may be audited twice a year.
     • Both management system requirements and regulatory standards requirements are covered over the year. We often group by standard or process.
     • If we have multiple management system standards, we may integrate audits (e.g., one audit might cover both quality and security aspects in an IT process).
     • Specific audit dates are set (e.g., “Week of July 1: Company-wide internal audit” and “Week of Jan 2: follow-up internal audit”), as required by our policy of twice-yearly audits starting July 1.
   • The schedule is risk-based; if certain areas had problems or changes, they might be audited earlier or more frequently.
   • The schedule is approved by top management and circulated so all departments know roughly when to expect audits.
   • Any ad-hoc audits (due to incidents or client requests) can be added as needed.
   • The schedule is documented (like a table, see Internal Audit Schedule section of manual) and includes planned dates and assigned lead auditor.

2. Audit Preparation (Each Audit):

1. • The Auditor (or lead) reviews relevant documents prior: procedures, previous audit reports, CAPA from last audit, performance data, etc.
   • They prepare an Audit Plan outlining scope (which processes/clauses, sites, timeframe), audit objectives (usually to confirm conformity and effectiveness), and an agenda with timing for meetings and interviews.
   • Audit checklists are prepared or updated referencing criteria (ISO clauses, internal SOPs). This ensures they systematically cover required points but still allow flexibility.
   • Auditee is notified in advance with the audit plan (except for truly unannounced spot checks if any). Usually 1-2 weeks notice, detailing what will be audited and when, so they can be available and have records ready.
   • Logistics: schedule opening meeting time, arrange any travel if auditor is remote from auditee site (most likely it’s internal same site or remote meeting if both are distributed), ensure access to systems/records is arranged.

3. Conducting the Audit:

1. • Opening Meeting: Auditor meets with auditee management at scheduled time. They introduce the audit scope and plan, confirm availability of staff and resources, and reiterate that this is a fact-finding, not blame, process. The auditee can mention any areas of concern or recent changes. Everyone aligns on schedule.
   • Audit Execution: The auditor proceeds to examine objective evidence of compliance:
     • They interview personnel involved in the process (ask about how they do tasks, knowledge of policies, etc.).
     • They observe activities if happening (e.g., how data is entered, or how an expert selection is done).
     • They review documents and records: e.g., training files, project files, logs, reports, outputs.
     • Use sampling: e.g., pick 5 project records to see if they followed procedure X, or check a few incident reports.
     • They tick off checklist items as evidence is found or not found.
     • They note any nonconformity (where requirements are not met) or observation (not a full nonconformance but something suboptimal).
     • They gather evidence details (record document names, record IDs, quotes of a procedure clause vs actual practice).
     • Ensure to remain objective and polite; if something unclear, they ask for clarification.
   • Classification of Findings: Typically:
     • Major Nonconformity: total absence or failure of a system element or a situation that can lead to significant risk of non-compliance or customer dissatisfaction (e.g., no evidence of required regulatory check at all).
     • Minor Nonconformity: isolated or small gap in otherwise effective system (e.g., one instance of a form not signed).
     • Observation/Opportunity for Improvement (OFI): not a direct requirement breach but a suggestion to improve efficiency or a potential weak point.
       (This classification is communicated at closing).
   • The auditor keeps an Audit Log of what was examined and findings with evidence.
   • Closing Meeting: After covering all items, the auditor meets with auditee management to present findings. They clearly describe each nonconformance with evidence and reference to requirement (standard clause or SOP step). They avoid naming individuals responsible in reports, focus on process issues. The auditee can clarify any points or provide more evidence if misunderstanding. The auditor does not argue but will adjust if valid evidence was missed.
     • The auditor and auditee may agree on general corrective action approach or at least that the finding is understood. However, root cause and action planning are to be done after (not in detail at closing).
     • If there were good practices observed, auditor also mentions positives (to motivate and not just find faults).
     • Auditor explains next steps: a written report will follow, and they expect a CAPA response by certain timeline, with QA oversight.
   • Management present signs attendance and acknowledges the findings (signature on closing meeting form perhaps).

4. Audit Report:

1. • Within a short time (e.g., 1 week) the auditor writes the formal Audit Report. It includes:
     • Audit scope, date(s), team.
     • Summary of audit (which departments, overall conclusion).
     • Table of findings: each nonconformity (with category major/minor), description, evidence, reference to criteria.
     • Any observations/OFIs listed.
     • Positive notes or best practices (if any).
     • Conclusion: e.g., “Based on this audit, the department generally follows QMS requirements except for noted NCs. Corrective actions are required by [date].”
   • The report is sent to auditee’s management and QA Officer and possibly top management if serious issues.
   • The auditee is required to respond with a corrective action plan for each nonconformity by a certain due date (often within 2 weeks for plan, and completion in 4-8 weeks depending severity).

5. Correction and CAPA:

1. • For each nonconformity, the responsible manager enters it into the CAPA system (if not already as part of audit).
   • They perform root cause analysis as per CAPA SOP, propose corrective actions, and implement them. Sometimes minor issues might be corrected on the spot (e.g., they corrected a document during audit itself – still root cause should be checked).
   • They reply to the auditor/QA with their action plan and timeline. Auditor reviews if it seems adequate.
   • QA tracks that actions are completed by deadlines.

6. Follow-Up Audit:

1. • If a major nonconformity was found, a follow-up audit might be scheduled soon after the corrective action date to verify effectiveness. For minor ones, verification can be at next routine audit or via evidence review.
   • The follow-up can be limited to checking that particular area. The auditor will note if NCs are closed or still open.
   • If still open or actions ineffective, escalate to management and maybe increase severity (since repeated failure indicates bigger issue).

7. Audit Records:

1. • Maintain all audit documentation: plans, checklists (marked), reports, attendance sheets, and any notes. These are stored by QA for at least the certification cycle or as per policy.
   • The findings and status are also logged in an Audit Findings Tracker, showing which are open/closed. This tracker ties into CAPA tracking.

8. Audit Schedule Adjustments:

1. • Based on results, the audit program may be adjusted. E.g., if one area had many issues, audit it again sooner or expand scope next time. If always clean, maybe that process is stable and can have a lighter touch.
   • At year-end, QA evaluates if all planned audits happened. If any were missed or postponed, document reasons and carry over to next plan.

9. Management Review Input:

1. • Summaries of audits (number of NCs, main themes) are provided to management review. This helps gauge QMS health and allocate resources to problem areas.
   • Highlight systemic issues found across audits (like multiple departments having training gaps suggests something).

10. Auditor Qualification:

1. • Auditors undergo training (internal or external ISO 9001 internal auditor training, for instance). We keep records of training. If new auditors, they might shadow an experienced one first.
   • Ensure rotation if possible so auditors get fresh eyes on different areas over time.

By following this SOP, our internal audit process remains consistent and effective, ensuring we self-identify issues before external audits or customer issues occur, and driving continuous improvement.

(Note: The Internal Audit Schedule with specific dates is referenced in the manual separately. Auditors should adhere to that schedule when using this procedure.)

SOP: External Expert Oversight and “Expert Health” Audits

Reference: SOP-EXP-004 (External Expert Management and Quality Oversight)
Purpose: To establish how the Company selects, onboards, and monitors external experts (freelance regulatory affairs professionals on our platform) to ensure they meet quality standards and comply with Company policies. This includes periodic “Expert Health” internal audits of expert performance and adherence to procedures, especially after onboarding and periodically thereafter.

Scope: All external experts offering services via the Company’s marketplace, from initial vetting to ongoing performance evaluation. Also covers actions to take when issues with an expert’s work quality or compliance arise.

Responsibilities:

• Expert Onboarding Team (or HR/Partner Manager): Conducts initial qualification checks (credentials, experience) and orientation training for new experts.
• Quality Assurance (QA) Officer: Ensures experts are briefed on QMS requirements, schedules expert audits, and reviews performance metrics.
• Project Managers/Client Engagement Managers: Oversee day-to-day interactions with experts on projects, provide feedback on expert performance, and escalate any concerns.
• External Experts: Responsible for delivering services per agreed standards, following Company SOPs relevant to their work (like data security and client communication guidelines), and cooperating with any oversight activities.
• Audit Team for Expert Health: Assigned internal auditor(s) or QA who carry out the periodic audits of experts as per schedule.

Procedure:

A. Selection & Onboarding of Experts:

1. Recruitment and Verification: When a professional applies or is invited to join as an expert:
   • Obtain detailed CV, copies of relevant certifications/licenses (e.g., regulatory affairs certification, pharmacovigilance training, etc.), and references from prior work if available.
   • Verify credentials: The Onboarding Team checks authenticity of certifications (perhaps via issuing bodies or online registries), and verifies at least one reference or past project success if possible. Also verify identity (government ID) to ensure legitimacy.
   • Conduct an interview (via video conference) to gauge communication skills and subject matter expertise. Possibly involve a senior regulatory expert from our network to assess technical depth.
   • Check for any conflicts of interest or prior ethical issues (expert asked to disclose if they are debarred by any agency or had any legal troubles related to work).
   • Only proceed if verification is satisfactory.

2. Contracting: Have the expert sign a Master Services Agreement which includes:

1. • Adherence to Company’s Code of Conduct, Anti-bribery policy, confidentiality agreement (NDA), data protection agreement (if they will handle personal data), and commitment to follow QMS procedures (document control on deliverables, etc.).
   • Defines quality expectations (e.g., deliverables must be correct as per regulatory guidelines, timelines, etc.), and consequences for poor performance (like removal from platform).
   • If needed, non-compete or non-solicitation clauses (they shouldn’t steal clients off-platform).
   • Also covers IP ownership (clients will own the work product unless otherwise specified).

3. Orientation Training: Once contracted, the expert receives an onboarding packet or training:

1. • Introduction to how the platform works (posting proposals, using collaboration tools).
   • Key SOPs summarised: e.g., Data Security & Privacy SOP (so they know how to handle client data), Client Communication SOP (professional communication standards), any report templates or formatting guidelines the Company expects, etc.
   • Emphasize ethics: e.g., cannot promise regulatory approvals by unethical means, must report any attempt by clients to engage in bribery, etc.
   • Platform usage policies (no sharing their account, prompt updates on tasks, etc.).
   • Possibly a short quiz or acknowledgement to ensure they understand.
   • Record that training is completed in expert’s file.

4. Mentoring/Shadowing (if applicable): For less experienced experts or first assignment, the Company might have a staff regulatory specialist do extra review or mentor on their first project to ensure standards. (This may not always be possible but is ideal for quality.)
5. Profile Activation: Only after successful onboarding steps, the expert’s profile is made public/active for clients to see. QA or Onboarding Team double-checks that their profile information is accurate (no exaggerated claims), and perhaps adds a “Verified by Company” badge if we did verify credentials.
6. Initial “Expert Health” Audit (Post-Onboarding): Within a set period (say 3-6 months after onboarding or after first project completion, whichever first), QA conducts an Expert Internal Audit of that expert’s work. (Details in section B below.)

B. Expert Performance Monitoring and Audits (“Expert Health Internal Audit”):

1. Ongoing Project Oversight: For each project an expert does:
   • The Project Manager monitors deliverables and client feedback during the project. They ensure timelines are met and that the expert is responsive. Any minor issues are corrected through feedback immediately.
   • Clients are asked to formally rate the expert and project at completion (quality, communication, expertise).
   • All completed deliverables from experts might undergo an internal quality review by our staff or at least a sanity check to ensure nothing obviously wrong before client final submission (depending on contract).
   • These performance data (ratings, any complaints, any rework needed) are logged in an Expert Performance Log.

2. Periodic “Expert Health” Audits: We schedule audits of external experts akin to internal audits. The schedule is often relative to onboarding:

1. • Initial Audit: e.g., 3 months after first project or 6 months after joining, to ensure early that they comply with processes.
   • Subsequent Audits: e.g., annually thereafter, or more often if risk (an expert with borderline feedback might be audited in 6 months).
   • The Expert Health Audit covers:
     • Compliance with platform usage: Did the expert maintain updated profile, sign required documents? Are they using official communication channels (and not moving clients off to private channels against rules)?
     • Quality of deliverables: Auditor reviews a sample of the expert’s deliverables to see if they followed relevant procedure/templates, and if output was technically sound (this might involve a technical peer review by another expert or QA).
     • Client feedback record: Auditor checks the client ratings and any issues. If any complaint was filed, ensure it was resolved.
     • Adherence to data security: Check if the expert stored client files only on platform or approved means, no leakage of data. Possibly ask them about their data practices to ensure understanding.
     • Timeliness and professionalism: Look at how timely the expert was in responding and delivering. Check communication logs if needed for professionalism.
     • Compliance with Company values: Did they engage in any behavior against code of conduct? (No signs of bribery, discrimination, etc.)
   • The auditor uses a checklist and may interview the expert (like an audit interview) or the project managers who worked with them.
   • Findings are noted: could be “Expert performance acceptable” or if issues, categorize:
     • Nonconformity example: Expert did not follow the approved template for a report resulting in format issues (minor NC).
     • Or Expert twice missed deadlines without valid reason (could be major if it affected clients significantly).
     • Or Expert used personal email to send client documents (violating data security SOP – major NC).
   • Audit results are communicated to the expert and management.

3. Audit Results Handling: If the Expert Health Audit finds nonconformities:

1. • Minor issues: We discuss with the expert, provide coaching or warning. They implement corrective steps (maybe re-training on a process).
   • Serious issues (e.g., breach of contract or policy): Management may suspend or remove the expert from the platform if needed. But generally, a corrective action plan is attempted first:
     • E.g., if quality of work was lacking in regulatory nuance, maybe assign them only certain simpler projects until they undergo further training.
     • If data security lapse, definitely retrain and maybe limit data access features for them.
   • Document these actions in the expert’s record. Possibly put the expert on a probationary status where their next project is closely monitored or outputs reviewed by QA before client delivery.
   • If improvements are not seen, we may decide to terminate the contract with that expert to protect overall quality.

4. Expert Audit Schedule Table: We maintain a schedule (see example in manual) listing each active expert, their onboarding date, last audit date, next scheduled audit date, and auditor assigned. This helps ensure none are missed.

1. • For example:

1. • This schedule is reviewed quarterly by QA to adjust for new experts or ones who left.

5. Feedback Loop: The findings from expert audits are also used to improve our expert management:

1. • If multiple experts struggle with a certain SOP, maybe our training was insufficient; so update training.
   • If an expert had a great approach, share that best practice with others (e.g., one expert’s way of documenting meeting minutes is exemplary; we ask them to show others).
   • Consider setting up an experts’ forum or periodic webinar to refresh knowledge and communicate common audit findings or client expectations.

6. External Expert Communication: Make sure experts know we will do these audits. It’s in their contract that quality will be monitored and they must cooperate (which might mean providing information or access to their records if needed). Typically, we have all needed info on our systems, so minimal burden on them.
7. Rewards/Recognition: Not exactly part of audit per se, but if an expert consistently excels (high client feedback, clean audits), we might recognize them as a “Top Expert” which can motivate maintaining quality. Conversely, repeated poor performance will lead to removal – they are aware of this.
8. Expert Offboarding: If an expert is leaving or removed:

1. • Ensure they return/destroy any client confidential info they still have. Revoke their access to platform and any data (similar to staff offboarding).
   • If removal was due to non-compliance, note reasons internally in case they try to reapply. Possibly also inform affected clients if necessary (with tact, e.g., “Expert X is no longer available, we will assign a new expert to ensure quality” without disparaging details).
   • Conduct an exit interview if possible to get their feedback on working with us (maybe we learn improvements too).

Expert Health Audit Record: For each audit, we have a brief report or checklist outcome that goes into expert’s file. Over time, this forms a quality dossier for each expert.

By diligently overseeing external experts in this manner, the Company maintains a high standard of service delivery, mitigates risks associated with outsourcing, and ensures clients receive consistent quality regardless of who (internally or externally) performs the work.

SOP: Client Communication and Satisfaction Management

Reference: SOP-COM-005 (Client Communication & Feedback)
Purpose: To ensure professional, clear, and effective communication with clients throughout the project lifecycle, and to systematically manage client feedback and complaints to improve satisfaction.

Scope: All interactions with clients (and prospective clients) via any medium – email, phone, platform messages, meetings – from initial inquiry to project completion and follow-up. Also covers handling of client complaints or escalations.

Responsibilities:

• Project Managers/Account Managers: Primary point of contact for clients on active projects. Ensure timely updates, understand client needs, and coordinate responses.
• External Experts: Often communicate technical details directly with clients (under oversight). Must abide by guidelines for tone, confidentiality, and responsiveness.
• Sales/Business Development: Handles initial communications for new leads or proposals, ensuring expectations are set correctly.
• Quality Assurance Officer: Oversees complaint handling process, ensures serious issues trigger CAPA if needed, and monitors satisfaction metrics.
• All Staff interacting with Clients: Follow the communication protocol; treat clients courteously and handle information appropriately (e.g., not revealing something we shouldn’t, maintaining privacy).

Procedure:

1. Initial Client Inquiry/Onboarding:
   • When a potential client contacts us (via website or referral), Sales responds within X hours (target e.g., 24 hours). Use a friendly, helpful tone, providing information requested and possibly scheduling a call.
   • Provide clear information about our services, how the marketplace works, pricing structure, etc. Avoid over-promising. Use templated info for consistency but personalize as needed.
   • If an RFP or specific project inquiry, acknowledge receipt and give timeline for formal response. Then coordinate internally to prepare a proposal (which often the external experts and PM help craft).
   • Ensure any confidentiality needed is handled (e.g., sign NDA if client requires before detailed info exchange).
   • Once client decides to proceed, clearly outline next steps, introduce their Project Manager, and confirm scope, deliverables, timeline in writing (project agreement or kickoff email).

2. Communication During Project:

1. • Kickoff Meeting: Always have a kickoff (by teleconference or in person) where the Project Manager, expert, and client align on objectives, deliverables, communication channels, and frequency. We document key points and share a brief minutes/plan.
   • Regular Updates: PM (or expert) will update client at agreed frequency (e.g., weekly status email or meeting). Update includes progress, any issues or risks, next steps. This prevents surprises.
   • Response Time: Strive to respond to any client email or call same day (or within one business day). Even if full answer will take time, acknowledge and give ETA for answer.
   • Issue Escalation: If the expert encounters a challenge (like needing more data or a timeline slip), proactively inform the client and propose solutions rather than hiding it. PM to facilitate such discussions and escalate internally if extra resources needed.
   • Meeting Etiquette: For calls/meetings with client, prepare an agenda, be punctual, keep it focused, and send follow-up notes highlighting decisions and action items.
   • Professional Tone: All communications should be respectful, courteous, and clear. Use appropriate level of formality as fits the client’s culture. Avoid jargon unless the client is familiar, or explain it. Ensure correct language (we might serve international clients, so confirm preferred language).
   • Documentation: Copy important communications into our project management system or at least store them (so if a PM changes or in audits we have record). E.g., significant client approvals or changes must be captured in writing.
   • Change Management: If client requests changes in scope or timeline, PM will evaluate impact and communicate if any additional cost or time needed. Confirm changes in writing (an amendment or email confirmation) so both sides agree.

3. Protecting Confidential Info:

1. • Do not cc people unnecessarily (avoid exposing info to wrong parties). Use secure methods for sensitive file transfer (prefer platform or encrypted email).
   • If multiple stakeholders, be clear on who receives what. Use BCC as needed to protect addresses.
   • Follow any client-specific communication protocols (some big companies have rules).

4. Client Complaints/Issues Handling:

1. • If a client expresses dissatisfaction (quality of deliverable, missed deadline, etc.), the recipient of that complaint immediately notifies the Project Manager and QA Officer.
   • Acknowledgment: Respond to the client quickly, thanking them for feedback and apologizing for any inconvenience. Assure them it’s being addressed.
   • Investigation: Internally, analyze what went wrong. If it’s a minor issue (typo in report, easily fixable), correct and send corrected deliverable promptly with a courteous note. If major (like a strategic error, or consistent delays), involve management.
   • Resolution proposal: Present the client with a plan to make it right: e.g., revised work by a senior expert at no extra charge, a partial refund or discount if appropriate, and measures to prevent reoccurrence.
   • Follow-through: Ensure the promised resolution is delivered. Keep the client updated during this process so they know we are on it.
   • Escalation: If client is very upset or threatens to terminate contract, escalate to top management immediately. Possibly arrange a call with an executive to reassure them of priority and oversight.
   • Documentation: Log the complaint in the Client Complaint Register with details and outcome. Determine if it triggers a CAPA (likely yes if due to process failure).
   • Closing the Loop: After fixing, ask the client if the solution is satisfactory. Perhaps schedule a short follow-up call to ensure they are now happy. We want to convert a complaint into a demonstration of good service recovery.
   • Learnings: Feed this back to team – e.g., if complaint was about communication gap, remind all PMs of best practices. If it was about technical error by an expert, maybe that expert needs re-training or review of workload.

5. Client Feedback and Satisfaction Measurement:

1. • At project completion, request formal feedback:
     • Could be a survey (scale 1-5 on various aspects) or a feedback form.
     • Or at least a closing meeting asking “how did we do, what can be improved?”.
   • Encourage testimonials if they’re happy, but only after addressing any negative points.
   • Maintain a Client Satisfaction KPI such as average rating. Possibly “% of projects with client rating >= 4/5” as an objective.
   • On a rolling basis, identify any common threads (e.g., some clients mention they want more frequent updates – then adjust our standard).
   • Also track repeat business and referrals as metrics of satisfaction.

6. Communication with Regulatory Agencies or Third Parties:

1. • Sometimes our client communication includes interacting with third parties (like regulatory agencies on behalf of client, or client’s partners).
   • Experts/PM should get clear written permission on what they can disclose on client’s behalf and stick to it. Always maintain professionalism as we essentially represent the client in those interactions.
   • After such interactions, inform client of the outcome immediately.

7. Conflicts or Scope Creep:

1. • If during a project a disagreement arises with client (e.g., they expect more work than initially scoped), handle diplomatically:
     • Show empathy, then refer to signed agreement to clarify scope. If they truly need extra, negotiate amicably (maybe as change order).
     • Involve account manager to handle commercial discussions so the project team can focus on solution.
   • Keep tone collaborative, not defensive.

8. Record Keeping:

1. • Save key communication threads in project folder. Use the platform’s messaging system so that communications are logged (if possible).
   • Meeting minutes for crucial discussions should be written and approved by both sides.
   • This not only helps in case of disputes but also is learning for future similar projects.

9. Training & Guidelines for Staff/Experts:

1. • Provide a one-pager or training on email etiquette, handling difficult client conversations, etc., especially to new team members or experts not used to consulting environment.
   • Possibly do role-play scenarios in training (like an angry client call simulation) to prepare staff.
   • Emphasize cultural sensitivity if dealing with international clients (e.g., formality levels, avoid slang, etc).

10. Review of this SOP’s Effectiveness:

1. • QA or Customer Success Manager periodically reviews how communications are going. E.g., randomly sample some email threads for tone/quality, get input from clients through direct conversations.
   • If any communication mishaps are found (like an email that came off rude), address it with that team member privately as coaching.
   • Update guidelines as needed (for instance, if new communication tools introduced like chat integration, incorporate how to use it professionally).

By adhering to this SOP, we aim to maintain high client satisfaction, build strong relationships, and swiftly rectify any issues, thereby enhancing our reputation and likelihood of repeat business.

These SOPs (Document Control, CAPA, Data Security, Internal Audits, External Expert Oversight, Client Communication) work in tandem to operationalize the QMS and related management system requirements. All staff and external experts are expected to follow these procedures. Each SOP is stored in the controlled document system (with their reference codes) and any updates to them will be communicated promptly.

The following sections include specific schedules, guidelines, and reference lists to supplement the SOPs and overall QMS.

Internal Audit Schedule (Twice-Yearly Program)

As part of our QMS and ISMS maintenance, the Company will conduct internal audits two times per year, as a minimum. The schedule begins on July 1, 2025, per our implementation plan, and continues at six-month intervals (and/or as needed). Below is the planned Internal Audit Schedule for the next audit cycles, including dates and the responsible auditor, as well as a sign-off provision for the QA Officer to confirm completion.

Planned Internal Audits:

(Note: January 1, 2026 is New Year’s Day, so the audit is scheduled from January 4, 2026 to accommodate holidays. Future dates similarly adjust if they fall on weekends or holidays.)

• Frequency: Audits are planned roughly every six months (early January and early July) to ensure continuous coverage. Additional spot audits or focus audits may be added if significant changes or incidents occur.
• Scope Variance: Each audit cycle may have specific focus areas as indicated, but collectively over the year, all departments and standard requirements are covered. This ensures we meet ISO 9001’s requirement to audit the QMS annually and ISO 27001’s requirement to cover the ISMS.
• Lead Auditor Independence: The assigned lead auditor will not audit areas for which they are directly responsible. For instance, when the IT Manager (John D. Auditor) leads the ISMS audit, QA Officer will co-audit sections where needed to maintain impartiality, and vice versa.
• Sign-Off: The QA Officer (or designated Quality Manager) will sign off in the table once each audit is completed, confirming it took place. Audit reports will be filed and referenced with the date.

The QA Officer will maintain this table and update it as audits are executed. If any audit is delayed or rescheduled, the table will be updated accordingly and reasons documented in the audit records.

This schedule is approved by management and provides an overview for the team to anticipate audit activities. All departments should ensure readiness and cooperation with auditors on these dates. After each audit, management will review results and ensure timely corrective actions for any findings.

Expert Health Internal Audit Guidelines

Under our External Expert Oversight program, we conduct “Expert Health” internal audits to ensure each external expert remains qualified and compliant after onboarding. The following guidelines describe how these audits are carried out and a scheduling table for planning purposes:

• Audit Trigger: An initial audit of a new expert is scheduled approximately 3 months after their first project or 6 months after onboarding (whichever comes first) to evaluate early performance. Subsequent audits are annually, or more frequently if issues are noted.
• Audit Scope: Each Expert Health audit reviews the expert’s recent project deliverables, client feedback, adherence to communication and data security protocols, and any complaints or incidents involving the expert. It checks that the expert continues to meet our quality standards and follows Company policies (e.g., uses the platform correctly, signs required documents, no ethical breaches).
• Audit Method: A QA representative or assigned internal auditor will:
  • Review at least one deliverable produced by the expert (for technical accuracy and compliance with required format/procedure).
  • Check records of client interactions/timeliness (e.g., were status updates provided, deadlines met).
  • Interview the internal Project Manager or client (if appropriate) for qualitative feedback on working with the expert.
  • Verify the expert’s training and compliance records (did they complete annual refreshers, etc.).
  • Compile findings and discuss any improvement points with the expert in a constructive manner.
• Outcomes: If nonconformities are found, they are recorded and the expert is required to take corrective action (additional training, improved process). Serious issues may lead to suspension of assignments until resolved. Good performance is acknowledged and expert is kept in good standing.
• Records: Maintain an audit report for each expert, and track in the schedule when next audit is due. Pattern or repeated findings across experts are analyzed to improve overall processes (maybe our expert training needs enhancement if similar issues seen).

Below is the Expert Audit Schedule for currently onboarded experts (as an example):

(The above is a hypothetical excerpt; the actual schedule is maintained by QA and will include all active experts. New experts will be added upon onboarding.)

• Adjustments: If an expert has no active projects in a given year, an audit may be deferred until they have activity to review, but generally not skipped for more than 1 year of inactivity.
• Sign-off: Each expert audit report is signed by the auditor and acknowledged by the expert (to confirm receipt of feedback).

The QA Officer reviews this expert audit schedule quarterly to ensure audits are happening as planned and to update the “Next Audit Due” based on actual completion.

This proactive “Expert Health” audit program ensures that our network of external experts remains reliable and that clients receive consistent, high-quality service. It also provides a structured way to engage with experts on improving their performance or recognizing excellence.

List of Standard Operating Procedures (SOPs)

For ease of reference and completeness of the QMS manual, below is a consolidated list of the Company’s Standard Operating Procedures and key policies referenced in this manual. Each SOP is identified by title and reference code, and all are maintained under document control (see SOP-DC-001 for version information). Users should refer to the latest version of each in the document management system.

• SOP-DC-001: Document Control and Record Management – Procedure for controlling QMS documents and maintaining records (version 1.0, effective Jan 2025).
• SOP-CAPA-001: Corrective and Preventive Action Procedure – Detailed CAPA process for addressing nonconformities and improvement actions.
• SOP-IS-002: Data Security and Privacy Management – Information security procedures including user access, data handling, and privacy compliance (mapping to ISO 27001/27018 and GDPR/CCPA requirements).
• SOP-QA-003: Internal Audit Procedure – Internal auditing process covering planning, execution, and follow-up of audits (aligned with ISO 9001 and ISO 19011 guidelines).
• SOP-EXP-004: External Expert Oversight and Audit – Process for onboarding external experts and conducting Expert Health audits to ensure ongoing quality.
• SOP-COM-005: Client Communication and Satisfaction Management – Guidelines for engaging with clients and handling feedback/complaints to ensure high satisfaction.
• (Additional SOPs on request)
  • SOP-BC-006: Business Continuity and Disaster Recovery – outlines steps for maintaining operations during disruptions (supporting ISO 22301).
  • SOP-HR-007: Training and Competence Management – process for identifying training needs, conducting training, and competency records (supports clause 7.2 of ISO 9001).
  • SOP-ETH-008: Anti-Bribery Compliance Procedure – specific procedures for due diligence, reporting, and managing anti-bribery controls (aligned with ISO 37001).
  • SOP-SAF-009: Workplace Health & Safety Guidelines – instructions for employees on maintaining a safe work environment (aligned with ISO 45001, though many points covered in policy form).
  • SOP-ENV-010: Environmental Practices – simple operational controls for reducing environmental impact (aligned with ISO 14001).

Key Policy Documents

• Quality Policy Statement – outlines the Company’s quality commitments (approved by CEO, QP-2025, displayed in office and intranet).
• Information Security Policy – high-level policy summarizing ISMS goals and responsibilities (ISP-2025).
• Privacy Policy/Notice – external-facing document meeting GDPR/CCPA disclosure requirements (published on website).
• Code of Conduct and Ethics Policy – includes anti-bribery, anti-discrimination, and social responsibility principles every employee/expert must follow.
• Environmental Policy – statement of environmental responsibility and objectives.
• Occupational Health & Safety Policy – commitment to a safe workplace and health promotion.
• Business Continuity Policy – management commitment to continuity and recovery objectives.

Each of the above SOPs and policies is stored in the QMS repository with controlled access. The master list (Document Master List) maintained by QA includes all of these with current revision numbers and dates.

Staff and external experts are expected to be familiar with SOPs relevant to their role. Training materials and summaries are provided especially for external experts on SOP-EXP-004 and SOP-COM-005, as those directly impact their daily work with clients.

Company Integrated Management System Policies

Quality Policy Statement (QP-2025)

Purpose & Commitment:
Company is committed to delivering high-quality regulatory software solutions and services that meet or exceed customer expectations and comply with all applicable requirements. This Quality Policy is a formal statement from top management outlining our commitment to quality as a foundation for setting quality objectives. It is aligned with Company’s mission and strategic direction to support the life sciences industry. The policy emphasizes customer satisfaction, continual improvement, and compliance with relevant standards and regulations.

Key Principles:

Customer Focus:
Company strives to consistently meet customer and regulatory requirements for product quality and reliability. We aim to achieve a high level of customer satisfaction by providing solutions that fulfill agreed requirements for functionality, performance, and compliance. Feedback from clients and partners is actively sought and used to improve our products and services.

Regulatory Compliance & Industry Standards:
We maintain a certified Quality Management System (QMS) in accordance with ISO 9001:2015, demonstrating our adherence to internationally recognized quality management practices. Company also commits to comply with relevant life science industry regulations and guidelines, including FDA 21 CFR Part 11 (which establishes requirements for secure electronic records and electronic signatures in regulated environments) and International Council for Harmonisation (ICH) guidelines for regulatory submissions. We recognize that ICH guidelines are internationally recognized standards that ensure the safety, quality, and efficacy of pharmaceutical products, and we align our internal procedures, documentation, and software features to support these high standards of quality and data integrity.

Quality Objectives and Continuous Improvement:
This policy provides a framework for setting and reviewing quality objectives at relevant functions and levels. Company is committed to the continual improvement of our QMS and processes. We regularly evaluate performance through audits, management reviews, and key quality metrics, and we implement corrective and preventive actions to drive ongoing improvements. All employees and contractors are expected to understand their role in upholding quality standards and are encouraged to participate in improvement initiatives.

Employee Responsibility and Awareness:
Quality is the responsibility of every member of Company. Management, staff, and partners are trained on quality procedures and understand that their individual contributions directly impact product quality and the success of the company. We promote a culture where everyone is accountable for complying with the QMS procedures and for identifying opportunities to enhance quality. Suppliers and subcontractors are also required to cooperate and comply with Company’s quality standards.

Communication and Review:
This Quality Policy is approved by the Chief Executive Officer (CEO) of Company. It is prominently displayed at Company’s offices and on the corporate intranet to ensure it is communicated and available to all employees and interested parties. Management will review this policy at least annually (and upon significant changes in business or regulations) to ensure its continuing suitability and alignment with Company’s strategic direction. Updates to the policy are also communicated throughout the organization. The CEO and top management demonstrate leadership and commitment by endorsing this policy and ensuring that adequate resources are provided to achieve quality objectives and maintain compliance with ISO 9001:2015 requirements.

(Signed and approved by CEO, effective as of January 2025)

Information Security Policy (ISP-2025)

Policy Statement: Company is dedicated to protecting the confidentiality, integrity, and availability of all information under its control. This Information Security Policy establishes the framework for Company’s Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2022, and reflects our commitment to managing information security risks effectively. It applies to all Company business units, employees, contractors, and IT assets globally within the defined ISMS scope. By implementing this policy, Company aims to safeguard client data, proprietary information, and personally identifiable information (PII) entrusted to us, in compliance with applicable laws and industry standards.

Scope: This policy covers all information assets owned, leased, or used by Company, including but not limited to software products (e.g. the regulatory affairs platform), databases, cloud services, hardware, networks, and paper records. It encompasses the processing of client regulatory data and any personal data hosted or processed on Company’s cloud platforms. The ISMS scope is defined to include operations at all Company locations and any relevant external providers or partner services that handle Company information.

Objectives: Company’s information security objectives include protecting information assets against unauthorized access, disclosure, alteration, or destruction; ensuring that information and systems are available to authorized users as needed; and meeting the security, privacy, and compliance expectations of our clients and stakeholders. We establish measurable information security objectives and targets, which are reviewed periodically as part of ISMS management reviews. These objectives align with Company’s strategic business needs and risk appetite.

Key Principles & Controls:

• Leadership and Commitment: Company’s top management endorses this policy and is committed to maintaining an effective ISMS in line with ISO/IEC 27001. Leadership ensures that information security is integrated into organizational processes and that the necessary resources are available. A designated Information Security Officer (ISO) or Chief Information Security Officer (CISO) has overall responsibility for implementing and monitoring the ISMS. Management demonstrates its commitment by establishing information security objectives and promoting a culture of security consciousness at all levels.
• Regulatory Compliance and Requirements: The ISMS is designed to ensure compliance with all applicable information security and data protection laws and regulations in the markets we serve. Company satisfies relevant contractual security obligations and regulatory requirements (such as data breach notification laws, export controls, and industry-specific regulations). In particular, where Company processes personal data, we adhere to security requirements under privacy laws (e.g. encryption and access control measures for GDPR compliance) and follow ISO/IEC 27018:2019 code of practice for protection of PII in cloud services. ISO/IEC 27018 provides additional controls and guidance to protect personal data in cloud computing environments, which Company implements to safeguard the privacy of customer data on our cloud platform.
• Risk Management: Company adopts a risk-based approach to information security. We systematically identify information security risks by conducting risk assessments covering threats to our assets, vulnerabilities, and the likelihood and impact of potential incidents. Identified risks are evaluated and treated with appropriate controls in line with ISO 27001 requirements. Risk treatment may include applying technical controls (e.g. firewalls, encryption, identity and access management), implementing policies/procedures (such as access control policy, secure development policy, incident response plan), and transferring or avoiding risks when appropriate. We maintain a risk register and review risks regularly, including whenever there are significant changes to our systems, business processes, or threat landscape.
• Information Security Controls: Company has implemented a comprehensive set of information security controls, aligned with ISO/IEC 27002 best practices and Annex A of ISO 27001:2022. Key areas include: physical security of facilities; logical access control (enforcing least privilege and strong authentication for systems); network security measures (firewalling, intrusion detection, secure configuration); encryption of data at rest and in transit, especially for sensitive and personal data; secure software development lifecycle practices; malware protection; backup and recovery procedures; and monitoring and logging of critical systems. We also enforce policies for acceptable use of assets, information classification and handling, and secure use of cloud services. Specialized policies (e.g. Access Control Policy, Incident Response Plan, Business Continuity and Disaster Recovery Plan) supplement this Information Security Policy and provide detailed requirements in specific domains.
• Roles and Responsibilities: Clearly defined roles and responsibilities are fundamental to our ISMS. All Company personnel (employees and contractors) are responsible for complying with this policy and protecting Company information. Specific responsibilities include: Top Management – providing direction, resources, and oversight for information security and ensuring integration with business processes; Information Security Officer/CISO – maintaining the ISMS, advising on security matters, and reporting on performance and incidents; IT Department – implementing and managing technical security controls, system monitoring, and incident response; Department Managers – ensuring staff in their teams follow security policies and complete required training; Employees and Users – adhering to security procedures in their daily tasks, safeguarding their credentials, reporting suspected incidents or weaknesses, and completing security awareness training. Third-party vendors and service providers with access to Company information are required to follow equivalent security controls as per contractual agreements and undergo security due diligence (per our Third-Party Security Policy).
• Incident Management and Business Continuity: Company maintains an incident response process to handle security breaches or suspected information security events. All incidents must be reported immediately to the InfoSec team. We have defined escalation, investigation, and response procedures, including communication to affected stakeholders and regulatory notification if required by law. Post-incident reviews are conducted to identify root causes and improve controls. Additionally, as part of our commitment to business continuity (see Section 7 – Business Continuity Policy), we ensure critical information assets and services can be restored in a timely manner after disruptive events. Regular backups of key systems and data are performed and tested, and redundancy is built into systems where feasible to prevent single points of failure.
• Awareness and Training: Company fosters a culture of security awareness. All employees undergo information security awareness training at hire and periodically thereafter. Training covers understanding data classification, recognizing and preventing phishing or social engineering attacks, secure handling of sensitive data, and employees’ responsibilities under this policy. We also conduct regular security reminders and exercises (such as simulated phishing tests) to keep security top-of-mind. Employees are encouraged to report any observed or suspected security weaknesses.
• Continuous Improvement: In line with ISO 27001 principles, Company is committed to the continual improvement of the ISMS. We monitor the effectiveness of security controls through regular internal audits, management reviews, and tracking of key performance indicators (such as number of incidents, compliance rates, and risk assessment results). Any identified non-conformities or areas for improvement are addressed through our corrective action process. We keep abreast of evolving cybersecurity threats and best practices, updating our security measures accordingly. This policy, and the entire ISMS, is reviewed at least annually and upon significant changes to ensure it remains appropriate to the organization’s purpose, context, and risk environment.

Policy Governance: This Information Security Policy is approved by Company’s CEO and executive management. It is maintained as documented information and communicated to all employees and relevant external parties. The policy is made available to interested parties (e.g. clients or auditors) upon request, reflecting Company’s commitment to transparency in our security practices. Any exceptions to this policy must be authorized by the Information Security Officer and the executive management and be documented, with compensating controls implemented. Violations of this policy may result in disciplinary action, up to and including termination of employment or contract, and potential legal action if laws were violated. All employees acknowledge the Information Security Policy and associated policies, confirming their understanding and agreement to comply.

By following this policy, Company protects the sensitive information of our clients and stakeholders, thereby maintaining trust and supporting our business objectives in the life sciences regulatory domain.

Privacy Policy/Notice (GDPR & CCPA Compliance)

Introduction: Company respects the privacy of individuals and is committed to protecting personal data in line with international data protection standards. This Privacy Policy explains how Company collects, uses, stores, and discloses personal information, and outlines the rights individuals have regarding their personal data. It is intended as an external-facing notice that is concise, transparent, intelligible, and easily accessible, in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) (as amended by the CPRA). This policy applies to all personal data processed by Company in the course of our operations, including data of clients, end-users, website visitors, and other individuals whose information we handle. By using Company’s regulatory affairs software services or interacting with our website, you acknowledge the practices described in this Privacy Policy.

Identity of the Data Controller: Company (headquartered in the United States with international operations) is the “data controller” for personal information that we collect and determine the purposes and means of processing. For any questions or concerns about this policy or your personal data, you may contact Company’s Data Protection Officer (DPO) at [privacy@company.com] or by mail at [Company address]. Our DPO oversees compliance with GDPR and other privacy laws.

Personal Data We Collect: We may collect and process the following categories of personal data, depending on your relationship with Company:

• Contact Information: such as name, business title, email address, telephone number, and mailing address.
• Account Credentials: usernames, passwords, or other authentication data for accessing Company’s platforms.
• Professional Information: for users of our regulatory software, this may include employer or organization name, department, and professional role or license numbers if relevant.
• Usage Data: when you use our software or visit our website, we collect usage logs, device identifiers, IP addresses, browser type, access times, and pages visited. This helps us maintain security and improve our services (see “Cookies and Tracking” below).
• Client Regulatory Data: data that clients upload or store in our platform during regulatory submission management may include personal data (e.g. names or contact details in submission documents). In such cases, Company processes this data as a data processor on behalf of the client (who remains the data controller). We handle client data only as instructed in our contract with the client.
• Support and Inquiry Information: if you contact Company for support or information, we will collect the content of your communications along with your contact information.
• Cookies and Tracking Technologies: Our website uses cookies and similar technologies to enhance user experience, for analytics, and for advertising (where permitted). For details, see our separate Cookies Notice. We do not use cookies to collect sensitive personal data, and where required by law, we obtain consent for non-essential cookies.

We do not intentionally collect any sensitive personal data (such as health information, biometric identifiers, or financial account details) from general users, and we ask that you do not provide such data through our services. If Company ever needs to handle sensitive data for a specific purpose, we will do so in accordance with applicable laws and with appropriate notice and consent.

Purpose and Legal Basis for Processing: Company processes personal data for specified and legitimate purposes. The purposes for which we process personal data include:

• Providing Services: To provide, maintain, and support the regulatory affairs software services you have requested, including creating user accounts, authenticating users, hosting and backing up data, and enabling core functionality of our platform.
• Customer Support and Communications: To respond to inquiries, provide customer support, send service notices, updates, and administrative communications.
• Improvement and Analytics: To analyze usage of our products and website (in aggregate form) in order to improve features, user experience, and performance. This may involve the use of analytics tools that collect technical information about your device and interactions (IP address, device type, pages visited, etc.). Wherever feasible, we use anonymization or pseudonymization for analytics data.
• Marketing (with Consent): To send marketing or promotional communications about our products, industry insights, or events that may interest you. We will only send direct marketing emails to individuals in jurisdictions where such communications are lawful, and we provide the option to opt-out or unsubscribe at any time. (For EU individuals, our marketing is based on consent or our legitimate interest in promoting our services, as appropriate; for U.S. individuals, we honor any “Do Not Contact” requests.)
• Legal Compliance and Security: To comply with our legal obligations and regulatory requirements (such as export control, anti-money laundering (if applicable), or responding to lawful requests by public authorities). Also, to protect the rights and safety of Company, our users, or the public – for example, by monitoring and preventing fraudulent activity, cybersecurity threats, or policy violations on our platform. We may process logs and user activity data for these security purposes.
• Other Purposes: We may process personal data for other purposes that are compatible with the original purposes or as specifically described to you at the time of collection. If we need to process your personal data for a new purpose that is not compatible with those above, we will obtain your consent (if required by law) or provide notice as necessary.

For personal data collected from individuals in the European Economic Area (EEA) or United Kingdom, our processing is based on certain legal grounds under the GDPR. The legal bases we rely on include: performance of a contract (e.g. providing the software service to our clients and end-users), legitimate interests (e.g. improving our services, securing our platform – we ensure our interests are not overridden by individuals’ rights through balancing tests), consent (for marketing communications or optional cookies), and compliance with legal obligations (for any mandatory disclosures or record-keeping). We will clearly inform you when the provision of personal data is statutory or contractual and when you are obliged (or not) to provide data, as well as the possible consequences of not providing the data.

Disclosure of Personal Data: Company does not sell personal information to third parties. We may share personal data with the following categories of recipients, solely for the purposes described above and in accordance with applicable law:

• Service Providers: Third-party companies that perform services on our behalf, such as cloud infrastructure providers, email communication platforms, customer relationship management (CRM) software, analytics providers, or consultants. These service providers are bound by contractual agreements to process personal data only under our instructions and to implement appropriate security measures (as “processors” under GDPR or “service providers” under CCPA).
• Business Partners: In some cases, Company may partner with other organizations (for example, a local reseller or integration partner) to deliver our services or host joint events. We will only share the minimum necessary personal data with such partners and only for the agreed-upon purposes (such as confirming your registration for a co-hosted webinar). Our business partners must comply with applicable privacy laws and are not allowed to use the data for unrelated purposes.
• Affiliates: We may share information with our affiliate companies (subsidiaries or parent company) as needed to operate our global business (for instance, if our support team in another region handles a support ticket, they will access relevant account information). All affiliates will uphold the same level of data protection as described in this notice.
• Legal and Compliance: We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., to comply with a subpoena, court order, or regulatory requirement). We may also disclose data if necessary in the good-faith belief that such action is needed to investigate or protect against harmful activities to Company users, associates, or property (for example, investigating fraud or a security incident), or to exercise or defend Company’s legal claims.
• Business Transfers: In the event of a proposed or actual merger, acquisition, financing, reorganization, or sale of all or a portion of Company’s business, personal data held by Company may be transferred to the new owners or partners, but will remain protected by this policy (unless and until it is superseded by an updated policy, of which users would be notified). Any acquiring entity will be required to use personal data only for the purposes for which it was originally provided or for compatible purposes.

Company does not share personal data with third parties for their own direct marketing purposes without your consent.

International Data Transfers: Company is headquartered in the U.S., and we operate internationally. Thus, personal data we collect may be transferred to or accessed by Company personnel and service providers in countries outside of your home jurisdiction. When we transfer personal data from the EEA or other regions with data transfer restrictions, we ensure appropriate safeguards are in place in compliance with GDPR Chapter V. These may include relying on the European Commission’s Standard Contractual Clauses (SCCs) for data transfers, verification of recipient’s compliance with frameworks like the EU-U.S. Data Privacy Framework (if applicable), or other legally accepted mechanisms. A copy of the relevant transfer safeguards can be provided upon request. We take steps to ensure that personal information continues to have a high level of protection wherever it is processed, consistent with the protections required under applicable law.

Data Subject Rights: Company is committed to facilitating the exercise of rights granted to individuals under applicable data protection laws:

• Rights under GDPR (for EU/EEA/UK individuals): You have the right to obtain confirmation as to whether Company is processing personal data about you, and if so, to request access to that data (a copy of the data and information on how we use it). You also have the right to request rectification of inaccurate personal data and to have incomplete data completed. Subject to certain conditions, you may request erasure of your personal data (“right to be forgotten”), or restriction of processing (to suspend active processing of your data). You have the right to object to our processing of your data when it is based on legitimate interests, including the right to object to profiling or direct marketing. To the extent our processing is based on your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You also have the right to data portability for data you provided, where processing is carried out by automated means and based on contract or consent – we will provide your data in a structured, commonly used, machine-readable format. Additionally, you have the right to lodge a complaint with a supervisory authority (such as an EU Data Protection Authority or the UK Information Commissioner’s Office) if you believe that we have infringed your data protection rights. We encourage you to contact us first at [privacy@company.com] so we can address your concerns directly.
• Rights under CCPA (for California residents): If you are a California consumer, you have specific rights under the CCPA regarding your personal information. These include: Right to Know – the right to request that we disclose what personal information we have collected about you, including the categories of information, the sources, the business purpose for collection, and the categories of third parties with whom we share it. 

Right to Access – to receive a copy of the specific pieces of personal information collected about you in the past 12 months. 

Right to Delete – the right to request deletion of personal information that we have collected from you, subject to certain exceptions (for example, we may retain information as required by law or for legitimate business needs). 

Right to Opt-Out of Sale/Sharing – while Company does not sell personal data for monetary consideration, the CCPA broadly defines “sale” to include some transfers of data in exchange for value. If Company ever engages in practices deemed a “sale” or “sharing” of personal information, you have the right to direct us not to sell or share your personal information. We will provide a “Do Not Sell or Share My Personal Information” link on our website if this becomes relevant, and we honor signals transmitted through the Global Privacy Control (GPC) as a valid opt-out request. 

Right to Correct – the right to request correction of inaccurate personal information (effective under the CPRA). 

Right to Limit Use of Sensitive Personal Information – if we collect any sensitive personal data (as defined by CCPA/CPRA), you can ask us to limit its use/disclosure to that which is necessary for our services. 

Right to Non-Discrimination – Company will not deny goods or services, charge you different prices, or provide a different quality of service for exercising your privacy rights. We do not engage in retaliatory or discriminatory practices against those who exercise their rights. These CCPA rights can be exercised by contacting us via the methods below. We may need to verify your identity (or that of your authorized agent) before fulfilling certain requests, as required by law.

To exercise any applicable privacy rights or to inquire about your personal data, please contact Company at [privacy@company.com] with your name, contact information, and a description of your request. We will respond to verifiable requests as soon as possible, and in any event within the timeframe required by law (30 days for GDPR; 45 days for CCPA, with extension if needed and notified).

Data Security: Company takes information security seriously and has implemented appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or destruction. Measures include access controls limiting who can access personal data, encryption of personal data in transit (e.g., TLS for our website and platform) and at rest (for sensitive data stored in databases or backups), network security (firewalls, intrusion detection systems), regular security testing and audits, and security policies and training for our personnel. We also require our third-party service providers to implement security controls that meet or exceed industry standards for the type of personal data involved. Despite our efforts, no security measures are infallible and Company cannot guarantee absolute security of data; however, we continuously assess and improve our security posture to reduce risks. If Company becomes aware of a data breach affecting personal information, we will notify affected individuals and regulators as required by law, and take steps to mitigate the impact.

Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, accounting, or reporting requirements. For example, we keep account information for the duration of the customer contract plus a reasonable period thereafter to deal with any post-contract matters or as required by law. We retain support correspondence for a period needed to effectively address and track issues. Where we process data based on consent (e.g., marketing communications), we retain it until consent is withdrawn or it is no longer useful. Once retention periods expire, Company will securely delete or anonymize the personal data. If deletion (or anonymization) is not immediately possible (for instance, if the data is stored in backup archives), we will ensure it is isolated from further active processing until deletion is possible.

Children’s Privacy: Company’s services and website are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal data from a child under 16 (or the relevant minimum age in the child’s jurisdiction), we will delete such information as soon as possible. Parents or guardians who believe Company might have information about a child can contact us to request deletion.

Updates to this Privacy Policy: We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update the policy, we will post the new version with an updated effective date at the top. If changes are material, we will provide a more prominent notice (such as a banner on our website or direct notification via email, where required by law). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

Contact Information: If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact:

• Data Protection Officer (EU/UK): [Name], Email: [DPO email], Address: [Company EU Representative address if applicable].
• Privacy Team (US/Global): Email: privacy@company.com, Address: Company, [Headquarters address].
• California Privacy Inquiries: California residents may also call our toll-free privacy number at 1-800-XXX-XXXX to exercise CCPA rights or ask questions.

You also have the right to lodge a complaint with your local data protection authority or the relevant supervisory authority. In the EU, you can find contact details for Data Protection Authorities here: [link]. In the UK, contact the Information Commissioner’s Office (ICO). In California, you can contact the California Attorney General’s Office or the California Privacy Protection Agency.

This Privacy Policy is effective as of Jan 1, 2025. By continuing to use Company’s services, you acknowledge that you have read and understood this policy.

Code of Conduct and Ethics Policy (CCE-2025)

Purpose: The Code of Conduct and Ethics Policy outlines the principles of ethical business behavior and professional conduct expected of all Company employees, officers, contractors, and representatives. This policy reflects Company’scommitment to integrity, honesty, and compliance in all aspects of our operations, and it incorporates globally recognized ethical standards and legal requirements. By following this Code, we ensure trust with our customers, regulators, business partners, and the communities we serve. The Code is aligned with the U.S. Chamber of Commerce’s principles of business ethics and international frameworks such as the International Chamber of Commerce (ICC) guidelines and ISO 26000:2010 guidance on social responsibility. All personnel at Company must adhere to both the letter and spirit of this Code, and leaders are expected to foster a culture of ethics and compliance.

Core Ethical Principles: Company believes in and upholds fundamental principles of business ethics, including integrity, honesty, fairness, respect, transparency, accountability, and responsibility. We hold ourselves accountable for doing the right thing and we expect employees to demonstrate these values in their daily work. Ethical conduct means not only obeying laws and regulations, but also acting in a manner consistent with high moral standards and our company values even when laws do not provide clear guidance.

Compliance with Laws and Regulations: Company will conduct its business in compliance with all applicable laws, rules, and regulations in the jurisdictions where we operate. This includes, but is not limited to, laws related to anti-corruption, fair competition, data protection, labor and employment, health and safety, environmental protection, and financial reporting. Employees and representatives of Company are expected to understand and follow the laws relevant to their job duties, and to seek guidance from the Legal/Compliance Department when unsure. Ignorance of the law is not an excuse for non-compliance. We monitor legal developments and provide training to ensure our workforce stays informed of their legal obligations.

Anti-Bribery and Anti-Corruption: Company maintains a zero-tolerance policy for bribery, corruption, and any form of unethical inducement or payment. We strictly prohibit offering, giving, soliciting, or receiving any bribe or improper advantage (including kickbacks, excessive gifts, or facilitation payments) to or from any person or organization, including government officials and private business partners, for the purpose of obtaining or retaining business or securing any improper advantage. Company’s Anti-Bribery Management System is aligned with ISO 37001:2016, the international standard for anti-bribery management systems. We have implemented controls and procedures to prevent corruption, such as due diligence on third parties, approval requirements for gifts and travel expenses, accurate record-keeping, and channels for reporting suspicious activity. All employees receive training on anti-corruption laws (such as the U.S. Foreign Corrupt Practices Act and the UK Bribery Act) and must certify their compliance with these laws and Company’s anti-bribery policy. Any employee who engages in or tolerates bribery will face disciplinary action and possible legal penalties. We expect our business partners (suppliers, consultants, agents) to likewise uphold anti-corruption principles; adherence to our Supplier Code of Ethics or equivalent standards is a condition of doing business with Company.

Conflicts of Interest: Employees and representatives of Company must act in the best interests of the Company and avoid situations where personal, financial, or other outside interests conflict with their duties to Company. A conflict of interest may arise, for example, if an employee has a significant financial interest in a competitor or supplier, if they engage in outside employment that interferes with their Company responsibilities, or if they have a close personal relationship with someone (such as a family member) who is employed by a competitor or is negotiating a contract with Company. All actual or potential conflicts of interest must be disclosed to Company’s management or Ethics & Compliance Officer so that appropriate measures can be taken (such as recusal from decision-making, divestment of the interest, or other mitigation steps). Company provides guidance to help employees recognize and handle conflicts of interest, and managers are responsible for addressing reported conflicts fairly and consistently. Even the appearance of a conflict should be avoided, as it can undermine trust and integrity.

Fair Competition and Business Practices: Company is committed to competing vigorously but fairly in the marketplace. We adhere to applicable antitrust and competition laws that prohibit anti-competitive agreements, abuse of market power, or other unfair business practices. Employees must not engage in collusion with competitors (such as price-fixing, bid-rigging, or market allocation) or exchange sensitive competitive information with competitors. We gather business intelligence ethically and lawfully, never through theft, misrepresentation, or unauthorized surveillance. We treat our customers and business partners honestly and fairly, and we do not take unfair advantage of anyone through manipulation, concealment, misuse of privileged information, or any other unethical practice. Marketing and advertising of our services must be truthful and not misleading.

Protection of Confidential Information and Assets: Employees and those acting on Company’s behalf must protect Company’s confidential and proprietary information, as well as the confidential information entrusted to us by our clients and partners. Such information includes trade secrets, software source code, product designs, strategic plans, customer data, pricing strategies, marketing plans, and any non-public financial or technical data. Unauthorized use, disclosure, or distribution of confidential information is strictly prohibited and may result in disciplinary action and legal consequences. Even within Company, confidential information should only be shared on a need-to-know basis. We also respect the intellectual property rights of others and do not knowingly infringe patents, copyrights, trademarks, or other IP. All Company assets, whether tangible (equipment, funds, facilities) or intangible (intellectual property, data), must be used responsibly and only for legitimate business purposes. Theft, fraud, embezzlement, or misuse of Company assets is grounds for immediate termination and potential prosecution.

Workplace Conduct and Non-Discrimination: Company is committed to providing a safe, inclusive, and respectful work environment for all employees, free from harassment, intimidation, and unlawful discrimination. We value diversity and base employment decisions (hiring, promotion, compensation, etc.) on merit, qualifications, and business needs, without regard to personal characteristics such as race, color, ethnicity, national origin, sex, gender identity, sexual orientation, religion, age, disability, veteran status, or any other characteristic protected by law. Harassment (including sexual harassment, bullying, or other abusive conduct) and discrimination in any form are strictly prohibited. Employees are expected to treat colleagues, customers, and partners with respect and dignity. Managers have a special responsibility to foster an environment of inclusion and to address any concerns of harassment or discrimination promptly in accordance with our HR policies. Retaliation against anyone who in good faith reports a concern or participates in an investigation of a possible policy violation is not tolerated. This commitment to a respectful workplace aligns with Company’s values and with internationally recognized human rights principles (as outlined in ISO 26000 guidance on social responsibility) to treat all individuals fairly and humanely.

Health, Safety, and Environment: Company integrates ethical considerations into our operations by also prioritizing occupational health & safety and environmental stewardship (see Sections 5 and 6 for detailed policies on Environmental and OH&S commitments). Every employee is expected to perform their job in a safe manner, following all safety rules and procedures. We promote wellness and encourage employees to speak up about potential hazards or suggestions to improve safety. We also encourage sustainable practices such as reducing waste and energy usage in our offices, consistent with our Environmental Policy. Demonstrating social responsibility means Company and its employees strive to contribute positively to society and minimize any negative impact of our operations.

Social Responsibility and Community Engagement: Company acknowledges its broader responsibilities to society. We aim to be a good corporate citizen, which includes respecting human rights, supporting the communities where we operate, and engaging in sustainable business practices. Company’s approach to social responsibility is guided by principles of accountability, transparency, ethical behavior, respect for stakeholder interests, respect for the rule of law, international norms of behavior, and human rights. We encourage employees to contribute to their communities through volunteering and charitable activities, and the company may sponsor or donate to social causes, particularly those related to education, healthcare, or STEM initiatives relevant to our industry. All charitable contributions or sponsorships on behalf of Company must be ethical and not a subterfuge for bribery. We do not make political contributions as a company, except as allowed by law and approved by executive management, and any lobbying or political activities must be conducted in compliance with applicable regulations and transparently reported. Company also expects its suppliers and business partners to uphold standards of human rights, labor rights (e.g. no forced or child labor, fair wages, freedom of association), and environmental protection consistent with our values and the tenets of ISO 26000 social responsibility guidance.

Reporting and Enforcement: Every employee has a responsibility to speak up if they observe conduct that may violate this Code, Company policies, or the law. Company provides secure and confidential channels for reporting concerns or suspected misconduct, including the option to report anonymously (where permitted by law) via an ethics hotline or web portal. We will investigate all reports promptly and thoroughly, maintaining confidentiality to the extent possible and respecting the rights of all involved. Employees are expected to cooperate fully with internal investigations. Retaliation against anyone who, in good faith, reports an issue or participates in an investigation is strictly prohibited (as noted above). Verified violations of the Code of Conduct and Ethics will result in appropriate disciplinary action, up to and including termination of employment or contract. In addition, certain actions may result in legal consequences (civil or criminal) for the individuals involved and the company.

Governance: This Code of Conduct and Ethics Policy is endorsed by Company’s Board of Directors and executive leadership. The Board (or a designated Ethics & Compliance Committee) provides oversight of ethical compliance, and senior management is responsible for implementing the Code and ensuring it is understood. The Code is reviewed annually to confirm that it remains current with legal requirements and best practices, and updates may be made as needed with approval from the Board. All employees and officers are required to review and acknowledge this Code upon hire and at regular intervals (e.g., annually). Training on key topics covered by the Code (such as anti-corruption, data privacy, harassment prevention) is provided to employees on a periodic basis. Managers are expected to lead by example and promote a culture of ethics and compliance, ensuring their teams understand and follow the Code.

Conclusion: The reputation and success of Company depend on each of us conducting business ethically and in compliance with the law. Upholding this Code of Conduct and Ethics is not only about avoiding wrongdoing, but actively doing what is right and just. By following these principles and fostering an open, accountable workplace, we build trust with our stakeholders and each other. If you are ever unsure about the proper course of action in a situation, ask yourself: Is it legal? Is it consistent with Company’s values and this Code? Would I feel comfortable if my action were made public? When in doubt, seek guidance from a supervisor or the Compliance department. Remember, integrity in our actions is essential to Company’s mission of serving the life sciences industry with excellence and responsibility.

(Approved by the CEO and Board of Directors of Company, effective 2025. This Code shall be posted on Company’sintranet and website for transparency to employees, partners, and stakeholders.)

Environmental Policy (ENV-2025)

Policy Statement: Company is committed to environmental stewardship and the protection of the environment as an integral part of our business activities. We recognize our responsibility to conduct operations in a manner that is sustainable and environmentally responsible, contributing to the well-being of the communities and ecosystems in which we operate. This Environmental Policy outlines Company’s environmental objectives and commitments, in line with the ISO 14001:2015 Environmental Management System (EMS) standard and applicable environmental laws and regulations. Top management has established this policy to guide our decision-making and actions toward minimizing environmental impacts, preventing pollution, and continually improving our environmental performance.

Key Commitments:

• Compliance with Environmental Laws and Other Obligations: Company will meet or exceed all applicable environmental legislation, regulations, and other compliance obligations in the jurisdictions where we operate. We systematically identify and evaluate our compliance requirements (such as waste management laws, emissions regulations, chemical handling rules, etc.), and integrate them into our operational controls. We also commit to any voluntary environmental agreements or industry codes to which Company subscribes. Compliance is the baseline of our environmental performance; we strive not only to comply but to adopt best practices that go beyond minimum legal requirements whenever feasible.
• Pollution Prevention and Environmental Protection: Company is dedicated to protecting the environment through proactive measures to prevent pollution and minimize any adverse impacts of our activities. This includes controlling and reducing emissions to air, discharges to water, and waste generation from our facilities and products. We focus on pollution prevention at the source by using environmentally sound materials and processes, rather than simply treating pollution after its creation. For example, we aim to reduce hazardous substances in our operations, avoid accidental releases through proper maintenance and emergency preparedness, and implement recycling and waste reduction programs. We are committed to the efficient use of resources such as energy, water, and raw materials, and to reducing our carbon footprint and greenhouse gas emissions in support of global climate change mitigation efforts. Specific objectives and targets are set (e.g., percentage reduction in energy use or paper consumption) to drive performance in these areas. Our commitment to protection of the environment, including the prevention of pollution, is a core part of this policy.
• Continual Improvement of the EMS: Company maintains an Environmental Management System aligned with ISO 14001:2015, providing a structured approach to managing environmental aspects. We are committed to continually improving the effectiveness of this EMS and our overall environmental performance. This is achieved by setting environmental objectives and targets, monitoring progress, and reviewing results regularly. We conduct periodic environmental audits and management reviews to identify opportunities for improvement and to ensure that the EMS remains suitable and effective given changing business activities, regulatory updates, and stakeholder expectations. Lessons learned from incidents, audits, and new technologies are incorporated to enhance our environmental controls.
• Environmental Objectives and Targets: Through our EMS planning process, Company establishes environmental objectives that are specific, measurable, achievable, relevant, and time-bound (SMART). These objectives address our significant environmental aspects, such as energy usage, waste management, and emissions. For example, objectives may include reducing electricity consumption by a certain percentage, increasing the recycling rate of office waste, or improving the energy efficiency of our software data centers. Each objective is supported by targets and action plans, and responsibility for achieving them is assigned to appropriate functions. Progress toward environmental objectives is tracked and reported to top management and employees, fostering accountability and motivation for continual improvement.
• Resource Conservation and Sustainable Practices: Company integrates sustainability principles into its operations and product lifecycle. We strive to conserve natural resources by implementing measures like energy-saving technologies, water conservation practices, and responsible procurement (e.g., choosing eco-friendly office supplies or cloud providers that use renewable energy). We encourage digital solutions over paper to reduce paper waste (which aligns with our software’s goals of digital regulatory submissions). When feasible, we implement green building practices and maintain efficient facility management (such as HVAC optimizations and LED lighting in offices). Business travel is managed with consideration of its environmental impact – we promote teleconferencing and video meetings to reduce air travel, and when travel is necessary, we follow a policy that considers carbon impact (for instance, using economy class and direct routes, or carbon offsetting). Our product development also considers environmental aspects, seeking to optimize software for energy efficiency and to enable clients to reduce their own environmental footprint via our cloud-based solutions (which can eliminate the need for on-premise infrastructure).
• Protection of Biodiversity and Natural Habitat: Although Company’s operations (primarily office-based and data center use) have a limited direct impact on biodiversity, we remain conscious of our indirect impacts. We commit to handle any hazardous materials or e-waste (electronic waste) through licensed and responsible disposal or recycling firms, to prevent environmental contamination. If Company were to engage in activities affecting land or facilities, we would assess potential impacts on local ecosystems and take measures to avoid or mitigate harm (e.g., proper site management, habitat preservation efforts). We also support environmental initiatives and community programs that enhance environmental protection and awareness.
• Awareness, Training, and Employee Involvement: We believe environmental responsibility is everyone’s responsibility. Company provides training and awareness to employees about our Environmental Policy, significant environmental aspects, and best practices they can follow (such as waste segregation, energy conservation, and reporting of environmental issues). We encourage employees to actively participate in environmental programs and to offer suggestions for improving our environmental performance. Worker consultation and participation are valued in line with our integrated management system approach (since environmental and OH&S matters often intersect). Our Green Team or Sustainability Committee, where in place, helps drive employee-led environmental initiatives.
• Communication and Stakeholder Engagement: Company is committed to transparent communication regarding our environmental performance and initiatives. This Environmental Policy is documented, maintained, and made available to all interested parties – we publish it on our intranet for employees and on our corporate website for the public, clients, and partners. We communicate relevant environmental requirements to contractors and suppliers working on our behalf, ensuring they understand and adhere to Company’s standards (for example, contractors must follow our waste disposal and site environmental rules). We also engage with clients and business partners on sustainability issues, collaborating on ways to reduce collective environmental impact (for instance, supporting customers’ sustainability reporting by providing data on our services’ energy usage/carbon intensity when requested). Internally, we celebrate and communicate environmental achievements (like reaching a recycling goal or obtaining a certification) to reinforce commitment. Externally, we may publish an annual sustainability report or include environmental metrics in our corporate responsibility reporting to share progress with stakeholders.
• Emergency Preparedness and Response: In the event of an environmental incident or emergency (such as a spill, fire, or other accident that could impact the environment), Company has established procedures to respond promptly and effectively. This includes emergency response plans, spill prevention and control measures, and communication protocols to notify authorities and affected parties if necessary. We aim to minimize any environmental damage and to learn from incidents by conducting root cause analysis and updating our controls to prevent recurrence.

Accountability and Responsibilities: Ultimate accountability for environmental stewardship lies with Company’s top management. The CEO and executive team are responsible for endorsing this policy and ensuring that environmental considerations are integrated into our business strategy. An Environmental Management Representative (or Sustainability Officer) may be appointed to oversee the EMS and coordinate environmental programs. Managers at all levels are expected to enforce environmental procedures and ensure their teams have the resources and knowledge to comply. Every employee and person working on Company’s behalf has a duty to follow the environmental policy and procedures, to work in an environmentally responsible manner, and to report any environmental concerns or incidents to management. Environmental performance is included in management reviews, and management incentives may incorporate environmental objectives to drive leadership accountability.

Continual Review: This Environmental Policy and the associated EMS are reviewed at least annually, as well as when significant changes occur (e.g., new regulatory requirements or changes in Company’s activities). The review ensures the policy remains relevant to Company’s context (business nature, environmental impact, stakeholder concerns) and continues to inspire high standards of environmental performance. Any updates to the policy will be approved by top management and communicated to all employees and interested stakeholders.

By adhering to this Environmental Policy, Company demonstrates its commitment to sustainable development and the well-being of current and future generations. We believe that protecting the environment is not only a legal obligation but a fundamental part of our corporate social responsibility and long-term success.

(Approved by CEO of Company. This policy is posted in Company workplaces and on the corporate website. All employees and contractors are required to be familiar with and follow this Environmental Policy.)

Occupational Health & Safety Policy (OHSP-2025)

Policy Statement: Company is committed to providing a safe and healthy work environment for all employees, contractors, visitors, and others affected by our operations. We consider occupational health and safety (OH&S) a top priority and an integral part of how we conduct our business. Our goal is zero harm – preventing work-related injuries and ill health – and continual improvement of our workplace health and safety performance. This Occupational Health & Safety Policy is established in accordance with ISO 45001:2018 and relevant occupational safety laws (including U.S. OSHA regulations), demonstrating Company’s commitment to proactive risk management and compliance with all applicable OH&S requirements. Management at all levels shall lead by example in promoting a culture where safety is everyone’s responsibility.

Key Commitments:

• Safe and Healthy Working Conditions: Company will provide and maintain safe and healthy working conditions, equipment, and systems of work for all employees and others under our control. We are committed to taking appropriate actions to prevent work-related injuries, illnesses, and accidents. This includes ensuring that our facilities meet or exceed safety standards, machinery and tools are properly guarded and maintained, and that appropriate personal protective equipment (PPE) is available and used wherever required. We strive to identify workplace hazards and mitigate them at the source so as to create a work environment free from serious recognized dangers. In line with the U.S. Occupational Safety and Health Act’s General Duty clause, Company will provide a workplace free from recognized hazards that are causing or are likely to cause death or serious physical harmosha.gov.
• Elimination of Hazards and Risk Reduction: We commit to a proactive approach of hazard identification and risk assessment for all our activities. Company systematically identifies potential hazards (physical, chemical, ergonomic, psychosocial, etc.) and unsafe conditions or practices in the workplace. Once identified, we assess the risks (likelihood and severity of harm) and take action to eliminate the hazards or, if elimination is not feasible, to reduce the OH&S risks to an acceptable level. This hierarchy of controls – eliminating hazards, substituting safer alternatives, engineering controls, administrative controls, and finally PPE – is used to implement effective risk controls. For example, if our software development staff faces ergonomic risks from prolonged computer use, we implement ergonomic workstations and mandatory break schedules to reduce the risk of musculoskeletal issues. If field engineers face travel-related safety risks, we establish travel safety protocols. We also address potential emergency scenarios (fire, evacuation, medical emergencies) by implementing emergency preparedness plans and conducting drills. Our aim is continuous risk reduction and a workplace with zero accidents.
• Compliance with Legal Requirements: Company is committed to full compliance with all applicable occupational health and safety laws, regulations, standards, and codes of practice in each jurisdiction where we operate. This includes OSHA standards in the United States, as well as any country-specific OH&S regulations for our international offices (for example, EU directives on workplace safety, or local fire safety/building codes). We have procedures to keep current with changes in OH&S legislation and ensure that operational controls and training reflect the latest requirements. Where laws or regulations set minimum standards, Company aims to exceed them where reasonably practicable. We also adhere to any client-specific or industry-specific safety requirements when working on client sites or projects. Compliance extends to safety-related recordkeeping and reporting (such as recording workplace injuries, reporting incidents to authorities as required, etc.), which we manage in a timely and accurate manner.
• OH&S Objectives and Continuous Improvement: Company sets OH&S objectives and targets as part of our ISO 45001 safety management system planning. These objectives are aligned with our commitment to eliminate hazards and reduce risks, and they provide a framework for measuring our performance. Examples might include targets for reducing the incident rate, increasing the number of safety inspections or near-miss reports, or achieving certain training milestones. Progress towards OH&S objectives is monitored and reviewed by management regularly. We are committed to continual improvement of the OH&S management system and performance, meaning we not only correct problems when they occur but also actively seek ways to enhance safety culture and controls. Through internal audits, incident investigations, and employee feedback, we identify opportunities to improve and take preventive and corrective actions. Lessons learned from any accidents or near-misses are used to strengthen our programs. Our philosophy is that all work-related injuries and illnesses are preventable, and we drive improvement until that is achieved.
• Roles, Responsibilities, and Worker Participation: Ensuring workplace safety is a shared responsibility. Management at all levels is responsible for the implementation of this policy and for providing leadership in OH&S. Senior management ensures the integration of safety into business processes and provides the necessary resources (personnel, training, equipment, budget) to support our OH&S commitments. Managers and supervisors are directly responsible for the safety of their team members and are expected to enforce safety rules, correct unsafe conditions promptly, and encourage open communication about safety. Employees and Contractors have the responsibility to follow all safety procedures, correctly use provided safety equipment, and to look out for the safety of themselves and others. Workers must promptly report any hazards, incidents, or near-misses to their supervisor or through Company’s reporting system, without fear of reprisal. We strongly encourage employee involvement in the OH&S management system: employees (especially non-managerial staff) are consulted and given opportunities to participate in hazard identification, risk assessments, incident investigations, safety committees, and suggestion programs. This consultation and participation are requirements of ISO 45001 and are critical to developing practical and effective safety solutions. By harnessing the knowledge and experience of our workforce, we create a more robust safety culture.
• Training and Competence: Company provides OH&S training to all employees appropriate to their roles. New employees receive orientation on general workplace safety rules, emergency procedures, incident reporting, and their rights under safety laws (for example, the right to refuse unsafe work, and the right to know about workplace hazards as per OSHA’s Hazard Communication). Job-specific training is given to those performing tasks with particular hazards – for instance, electrical safety and lockout/tagout training for maintenance staff, ergonomic and eye strain prevention for computer users, safe driving training for employees who travel for work, etc. We ensure that employees are competent to perform their duties safely, and where certifications or authorizations are required (such as first aid, forklift operation, or working at heights), we provide the necessary training and refresher courses. Contractors working on-site are also required to demonstrate appropriate safety training and must adhere to Company’s safety standards. Training is refreshed periodically and whenever changes in equipment or processes introduce new hazards. We maintain records of training and use drills or tests to verify understanding.
• Incident Reporting and Investigation: Despite our best efforts in prevention, incidents may occasionally occur. Company requires that all workplace injuries, illnesses, incidents, and near-misses be reported immediately to supervision and the EHS (Environment, Health, and Safety) department, no matter how minor they may seem. We treat near-misses as valuable learning opportunities. All reported incidents and near-misses are investigated to determine root causes and identify corrective actions. Our approach is not to place blame, but to find out what system improvements can be made to avoid recurrence. Corrective actions might include engineering fixes, revised procedures, additional training, or disciplinary action if safety rules were willfully violated. We track the closure of corrective actions to ensure they are implemented effectively. Summary incident data and investigation findings are reviewed by management and discussed in safety committees to promote transparency and collective learning.
• Emergency Preparedness and Response: Company maintains emergency preparedness and response plans to handle potential crises such as fires, natural disasters, medical emergencies, chemical spills (if applicable), or security threats. These plans are communicated to employees and include clear responsibilities (e.g., fire wardens, first aid responders), evacuation routes, assembly points, emergency contact information, and procedures for accounting for personnel. We conduct regular emergency drills (fire drills, for example) to ensure readiness and to identify any improvements needed in our response. First aid supplies and equipment (like fire extinguishers, defibrillators) are provided in sufficient quantity and are maintained. We also coordinate with property managers and local emergency services as needed to ensure an effective joint response. Business continuity and disaster recovery aspects align with our Business Continuity Policy (see Section 7), ensuring that employee safety is the first priority in any continuity scenario.
• Health and Wellness: Company’s commitment to “health” extends beyond preventing injuries to also promoting overall employee well-being. We encourage activities and programs that support physical and mental health, such as wellness initiatives, ergonomic assessments, stress management resources, and work-life balance policies (recognizing that fatigue and stress can impact safety). Where appropriate, we may offer employee assistance programs (EAPs) for counseling or support. We strive to accommodate employees with disabilities or medical needs by making reasonable adjustments in the workplace (in line with legal requirements and our values of inclusion). Ensuring employees are healthy and fit for work (which may include fitness for duty evaluations in certain cases) helps maintain a safer workplace for all.

Regulatory Alignment: This OH&S Policy and the supporting safety management system align with international best practices (ISO 45001) and local regulatory guidelines, such as the U.S. OSHA guidelines and standards. OSHA’s fundamental requirement is that employers provide a safe workplace and comply with applicable OSHA standardsosha.gov; Company embraces this duty and aims to exceed basic compliance through our proactive safety culture. We also heed guidance from authoritative bodies like the U.S. National Institute for Occupational Safety and Health (NIOSH) or EU OSHA when developing our programs, ensuring we incorporate the latest knowledge in hazard control and worker protection.

Consultation and Communication: Company is committed to consulting with and involving employees (and, where they exist, workers’ representatives) in the development and implementation of OH&S measures. We have established a Safety Committee that includes employee representatives from various departments, which meets regularly to review safety performance, discuss suggestions, and plan improvements. The Environmental Health & Safety (EHS) or HR team communicates safety information through multiple channels: postings on bulletin boards (e.g., this policy and safety signs), intranet updates, emails/newsletters highlighting safety tips or updates, and toolbox talks or meetings for those in operational roles. We encourage open dialogue – employees are actively encouraged to voice concerns or improvement ideas, and management commits to listening and taking action. All personnel are informed about this OH&S Policy and are expected to understand it. The policy is available on the intranet and in common areas, and new hires are briefed on it during orientation.

Accountability and Enforcement: Everyone at Company is accountable for upholding this OH&S Policy. Managers will be held accountable for the safety performance of their teams (safety metrics may be part of performance evaluations). Employees must adhere to safety rules and report hazards; failure to do so or willful violations may result in disciplinary actions. Conversely, Company positively recognizes and rewards good safety behavior and proactive risk identification (e.g., through safety awards or recognition programs). Safety performance and incidents are reported to senior leadership and the Board (or a designated committee), ensuring high-level oversight. In the unfortunate event of a serious incident, top management will be directly involved in ensuring proper investigation and response, demonstrating that safety is a core value at the highest level of the company.

Continual Review: This Occupational Health & Safety Policy is subject to periodic review (at least annually and when significant changes occur in our operations or applicable regulations) to ensure it remains relevant and effective. Top management, in consultation with worker representatives, will update the policy as needed. Updates will be communicated throughout the organization.

By adhering to this OH&S Policy, Company demonstrates its unwavering commitment to the health, safety, and well-being of our workforce. Protecting our employees is not only a legal and moral obligation – it is fundamental to Company’s success. Safe operations lead to better quality, productivity, and morale. Every member of Company has the right to a safe workplace and the responsibility to contribute to a safe workplace. Through collective vigilance and dedication to these principles, we will achieve our goal of an incident-free workplace.

(Approved by Company CEO and executive management, January 2025. This policy is posted at all work locations and on the intranet. All employees and contractors must familiarize themselves with it and comply with its provisions.)

Business Continuity Policy (BCP-2025)

Purpose: Company is committed to ensuring the continuity of our critical business operations and the resiliency of our services in the face of disruptive incidents. The purpose of this Business Continuity Policy is to establish a framework for developing, implementing, and maintaining effective business continuity and disaster recovery plans throughout Company. By doing so, we aim to protect our employees, fulfill our obligations to clients, safeguard our assets, and uphold our reputation even during unexpected events. This policy aligns with ISO 22301:2019, the international standard for Business Continuity Management Systems (BCMS), and demonstrates Company’s dedication to meeting high availability and reliability standards. It also supports compliance with any legal, regulatory, or contractual requirements related to contingency planning and operational resilience. The policy has the full support of Company’s top management, who will ensure that business continuity planning is an integral part of our corporate governance and risk management.

Objectives: The primary objectives of Company’s Business Continuity Policy are to: (1) Identify and prioritize Company’s critical business functions, processes, and resources (including personnel, IT systems, data, and facilities) that are essential to delivering our products and services; (2) Anticipate the types of threats or disruptions (e.g., natural disasters, power outages, cyber-attacks, pandemic situations, supply chain failures, etc.) that could impact those critical operations; (3) Implement appropriate prevention and preparedness measures to reduce the likelihood and impact of such disruptions; (4) Develop robust response and recovery strategies to ensure that in the event of a disruption, Company can continue operations at an acceptable level or resume operations in a timely and orderly manner, thus meeting our obligations to customers and other stakeholders; and (5) Continually improve our business continuity capabilities through regular testing, review, and updates of plans. Ultimately, our business continuity efforts aim to enhance organizational resilience – the ability to withstand shocks and adapt quickly – thereby protecting Company’s people, assets, and mission. As ISO 22301 emphasizes, effective business continuity management strengthens an organization’s resilience against unforeseen disruptions.

Scope: This policy applies to all Company divisions and departments, and covers business continuity and IT disaster recovery planning for all critical products and services offered by Company. It encompasses Company’s primary office locations, data centers/cloud services, and any mission-critical third-party services or suppliers that support our operations. Each organizational unit of Company must participate in business continuity planning as relevant to its functions. The scope includes emergency response, crisis management, IT recovery, and continuity of operations planning. Scenarios addressed range from short-term localized incidents (like building evacuation) to longer-term widespread crises (like a regional natural disaster or global pandemic). The BCMS scope and boundaries are defined and documented as part of our ISO 22301 implementation, taking into account external and internal issues and stakeholder requirements.

Management Commitment and Responsibilities: Company’s executive management is committed to the Business Continuity Management System and will ensure the necessary support and resources. The CEO and senior leaders endorse this policy and have appointed a Business Continuity Manager (or BCM team) with the authority and responsibility to develop and implement the BCMS. Management demonstrates leadership by integrating business continuity considerations into decision-making (for example, considering resilience when designing systems or selecting outsourcing providers) and by supporting a culture of preparedness. Roles and responsibilities for business continuity are clearly defined: departmental heads are responsible for identifying critical processes and resources in their areas and for developing recovery procedures; the IT department is responsible for IT disaster recovery planning (ensuring backup, redundancy, and restore capabilities for key systems); HR and Facilities may lead people and site-related continuity planning; and the Business Continuity Manager coordinates the overall program and ensures plans are coherent and meet the company-wide objectives. All employees should be aware of how to respond in an emergency and some may have specific roles in continuity plans (e.g., serving on a crisis management team or as backup personnel for critical tasks).

Business Impact Analysis (BIA) and Risk Assessment: Company conducts regular Business Impact Analyses to identify which business functions and processes are critical to our operations and to assess the potential impact if those functions were disrupted. The BIA considers factors such as each process’s contribution to revenue or customer obligations, recovery time sensitivity (Maximum Acceptable Outage), and interdependencies between processes. For each critical function, we determine Recovery Time Objectives (RTOs) – the target time by which the function must be resumed – and Recovery Point Objectives (RPOs) for data (how much data loss can be tolerated). Alongside the BIA, we perform risk assessments to identify and evaluate threats that could lead to business interruptions (e.g., natural hazards like hurricanes or earthquakes, technology failures, human error, supply chain disruptions). This risk-based approach informs our continuity strategies, focusing on the most likely and most severe scenarios. The output is a set of prioritized risks and an understanding of potential impacts, which guide the development of mitigation and recovery strategies. We review and update our BIA and risk assessments periodically (at least annually, or when significant changes occur in the business or threat landscape) to ensure they remain accurate and relevant.

Business Continuity Strategies: Based on the BIA and risk assessment, Company selects appropriate business continuity and recovery strategies to achieve the defined RTOs and RPOs. Our continuity strategy typically includes:

• Prevention/Mitigation Measures: Actions taken in advance to reduce the likelihood of disruptions or to limit their impact. For example, to mitigate risk of IT downtime, we maintain redundancy for critical systems and use geographically dispersed data centers for our cloud services. We perform regular data backups and use cloud-based high-availability architectures such as failover clustering. To mitigate facility risks, our offices have emergency power solutions or arrangements to relocate staff if a site is inaccessible. We also maintain insurance coverage (property, business interruption insurance) as a financial risk transfer mechanism.
• Response Structure: Company has a Crisis Management Team (CMT) composed of key executives and department heads that will convene in the event of a major disruption. The CMT is responsible for overall coordination, communications (internal and external), and strategic decision-making during the incident. We define communication plans to reach employees (phone trees, text alerts) and to inform clients and stakeholders as needed.
• Business Continuity Plans (BCPs): Documented plans are developed for each critical business function or location. These plans outline step-by-step procedures for how to continue or resume operations in various scenarios. For example: an Office/Facility BCP covers what to do if an office location is inaccessible (including instructions for switching to remote work or moving to a recovery site); an IT Disaster Recovery Plan (DRP) details how to recover critical IT infrastructure, applications, and data (servers, networks, cloud environments) in the event of outages or cyber incidents, including roles of IT staff, activation of backup systems, and restoration order of services. A Supply Chain/Third-Party Continuity Plan identifies alternative suppliers or arrangements if key vendors fail. Each plan includes contact information for team members, lists of critical resources and records, and manual workarounds if technology is down. The plans are tailored to ensure each department knows its priorities and actions during a disruption, but are also integrated to support the company-wide objectives. According to ISO 22301 best practices, our business continuity plans address strategies to minimize the impact of disruptions and maintain continuity of operations, such as relocating work to unaffected offices, having employees work from home, using backup providers, etc.
• Recovery Time Objectives: Each plan clearly states the RTO for the process or system it covers, and outlines how to achieve it. For instance, our client support service might have an RTO of 4 hours to ensure clients can reach us even if our primary call center is down – thus, we have an arrangement to reroute support lines to an alternate location or mobile phones. Our regulatory software service might have an RTO of 24 hours for full functionality, supported by real-time database replication to a secondary data center that can be brought online quickly. Setting these targets and strategies demonstrates to interested parties that Company has concrete plans to restore operations within acceptable downtime limits.

Plan Implementation and Resource Allocation: Company will ensure that adequate resources (personnel, technology, information, finances) are allocated to implement and maintain business continuity and disaster recovery capabilities. This includes investing in backup infrastructure, emergency communication tools, and possibly maintaining an alternate work site or contracts with recovery service providers. Roles necessary for emergency response and business recovery are staffed with trained personnel, and deputies are assigned to ensure backup for key roles. We incorporate business continuity tasks into job descriptions as needed (e.g., an IT manager might be explicitly charged with maintaining DR capabilities). The Business Continuity Manager coordinates implementation efforts across departments, but each department head is responsible for implementing the continuity strategies for their area (for example, ensuring their team can operate from home if needed, or that critical paper documents are scanned and accessible off-site).

Testing and Exercises: To ensure that our business continuity plans are effective and that staff are familiar with their roles, Company conducts regular testing and exercises. At minimum, critical plans are tested annually. Different types of exercises are used, including: Tabletop exercises (discussion-based walk-throughs of plan scenarios with the CMT and department recovery teams to validate content and decision-making processes); Functional drills (e.g., IT conducts a failover test to the backup data center to verify systems can be recovered within the expected timeframe, or an unannounced test of restoring from backups to ensure data integrity); Evacuation drills (testing facility emergency response plans); and Call tree tests (verifying we can reach all employees via emergency contact methods). These exercises are evaluated and documented, with lessons learned captured. Any gaps or weaknesses identified during tests lead to updates in the plans or additional training – for instance, if a test shows that a certain business process could not meet its RTO due to missing information or resources, we adjust the plan or strategy accordingly. Regular testing not only validates our readiness but also builds confidence among stakeholders that Company’s continuity strategies will work effectively when needed.

Maintenance and Continuous Improvement: Business continuity is not a one-time project but an ongoing process. Company will keep all BCP and DR plans up-to-date. Plans are reviewed and revised when there are significant organizational changes (such as new systems, new office locations, changes in key personnel, or changes in the business model) or after any incident or exercise highlights needed improvements. We maintain version control and distribution lists for our plans to ensure that everyone has the latest approved version. The BCMS itself is subject to internal audit and management review (as per ISO 22301 requirements) to evaluate overall effectiveness and conformance with the standard and our own policy. Top management reviews business continuity status at least annually, including results of tests, incidents that occurred, and any recommended enhancements. We cultivate a culture of continuous improvement by encouraging feedback on the plans and by staying informed about emerging best practices in continuity and resilience. Company understands that new threats (like evolving cyber threats or pandemics) may arise, and we adapt our continuity planning accordingly to remain resilient. This continuous improvement approach ensures that the business continuity program remains dynamic and effective over time.

Communication and Awareness: Company communicates this Business Continuity Policy to all employees so they understand the importance of continuity planning and their role in it. Key elements of the BC plans (especially emergency response procedures and communication channels) are included in employee training and onboarding. We also communicate relevant aspects of our continuity capabilities to customers, regulators, or partners upon request or as part of contractual obligations – for instance, some clients in the life sciences sector might require assurances that our service will remain available during their critical submission timelines, so we may share summary information about our BC/DR program or certifications. During an actual disruptive event, we have pre-defined communication strategies to keep employees informed (e.g., using an emergency notification system) and to update clients on the status of our operations. Transparency and timely communication can significantly reduce stakeholder concern in a crisis, thus it’s a key part of our continuity strategy.

Integration with Other Management Systems: This Business Continuity Policy is part of Company’s Integrated Management System and works in conjunction with related policies such as the Information Security Policy (some incidents may be security-related), the Occupational Health & Safety Policy (people safety in emergencies), and the Disaster Recovery Plan for IT. It also aligns with any client-required contingency plans, such as those following ICH or FDA guidelines for maintaining critical compliance systems. Our approach ensures that continuity plans do not conflict with but rather complement these areas – for example, in a disaster, life safety (OH&S) takes priority (evacuating personnel), followed by business recovery steps; similarly, security measures should remain in place during recovery to protect data integrity.

Compliance and Auditing: Adherence to this policy and the effectiveness of the BCMS will be monitored through periodic audits (internal and, if applicable, external ISO 22301 certification audits). Non-conformities or areas for improvement identified in audits will be addressed in a timely manner. Company also evaluates the BCMS against any regulatory requirements or industry standards relevant to our sector (for instance, FDA’s expectations for regulated companies to have backup of electronic records systems as per 21 CFR Part 11, or contracts with pharmaceutical clients that may stipulate business continuity provisions). By meeting these obligations, we assure our clients and regulators of our robust preparedness.

Conclusion: Company recognizes that in the life sciences industry, timely regulatory submissions and continuous support are critical – any prolonged downtime or data loss on our part could significantly impact our clients’ operations. Therefore, we treat business continuity as a vital aspect of our service commitment and risk management. This Business Continuity Policy, supported by detailed plans and ongoing investment in resilience, helps Company to maintain trust and reliability. It demonstrates to all stakeholders – employees, customers, partners, and regulators – that Company is prepared to manage disruptions effectively and ensure the continuous delivery of products and services. Enhancing resilience not only protects our business but also provides a competitive advantage in being a stable, dependable partner in all circumstances.

(Approved by Company CEO and executive management. This policy is communicated to all relevant staff and is available to clients or interested parties upon request. The Business Continuity Manager is the custodian of this policy and is responsible for its implementation and maintenance. Next review due: January 2026 or after any major incident, whichever comes first.)

Reference Materials and Standards Links

This section collates the key external references and materials that inform our QMS and compliance efforts. These documents are not reproduced here in full, but are available to authorized personnel via the provided links or the Company library. They serve as the foundation for our management system requirements:

• • ISO 9001:2015 – Quality Management Systems Requirements
    International standard for Quality Management Systems (QMS).
    Official ISO reference: https://www.iso.org/standard/62085.html 
  • ISO/IEC 27001:2022 – Information Security Management Systems
    International standard for Information Security Management Systems (ISMS).
    Official ISO reference: https://www.iso.org/standard/82875.html
  • ISO/IEC 27018:2019 – Code of Practice for PII Protection in Cloud Computing
    Guidelines for public cloud service providers processing personally identifiable information (PII).
    Official ISO reference: https://www.iso.org/standard/76559.html 
  • ISO 22301:2019 – Business Continuity Management Systems
    Requirements for establishing a Business Continuity Management System (BCMS) to ensure resilience.
    Official ISO reference: https://www.iso.org/standard/75106.html 
  • ISO/IEC 17021-1:2015 – Conformity Assessment for Certification Bodies
    Requirements for bodies providing audit and certification of management systems.
    Official ISO reference: https://www.iso.org/standard/61651.html 
  • ISO/IEC 25012:2008 – Data Quality Model
    Defines general data quality characteristics (e.g., accuracy, completeness, consistency).
    Official ISO reference: https://www.iso.org/standard/35736.html 
  • ISO 14001:2015 – Environmental Management Systems
    Guidance for organizations to manage their environmental responsibilities systematically.
    Official ISO reference: https://www.iso.org/standard/60857.html 
  • ISO 45001:2018 – Occupational Health & Safety Management Systems
    Framework for improving employee safety, reducing workplace risks.
    Official ISO reference: https://www.iso.org/standard/63787.html 
  • ISO 37001:2016 – Anti-Bribery Management Systems
    Standard that helps organizations establish, implement, and maintain anti-bribery controls.
    Official ISO reference: https://www.iso.org/standard/65034.html 
  • ISO 26000:2010 – Guidance on Social Responsibility
    Provides guidance on integrating social responsibility into organizational practices.
    Official ISO reference: https://www.iso.org/standard/42546.html 
  • EU GDPR (Regulation (EU) 2016/679) – General Data Protection Regulation
    EU regulation on the protection of natural persons regarding the processing of personal data.
    Full text via EUR-Lex: https://eur-lex.europa.eu/eli/reg/2016/679/oj
  • California Consumer Privacy Act (CCPA)
    California legislation that enhances privacy rights and consumer protection.
    Full legal text: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&chapter=&article= 
  • FDA 21 CFR Part 11 – Electronic Records; Electronic Signatures
    U.S. FDA regulation on trustworthy and reliable electronic records and signatures.
    Full regulation text: https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11
    FDA Guidance: https://www.fda.gov/media/75414/download 
  • ISO 19011:2018 – Guidelines for Auditing Management Systems
    Provides principles and guidance for auditing management systems and training auditors.
    Official ISO reference: https://www.iso.org/standard/70017.html 
  • NIST Cybersecurity Framework (Optional Use)
    U.S. National Institute of Standards and Technology (NIST) framework to improve critical infrastructure cybersecurity.
    Official reference: https://www.nist.gov/cyberframework
  • Local Labor Laws and Health & Safety Regulations
    Include national/local regulatory guidelines such as OSHA (for U.S. operations).
    U.S. OSHA: https://www.osha.gov/laws-regs 
  • Business Ethics Guidelines
    U.S. Chamber of Commerce Principles of Business Ethics. Fundamental expectations for ethical behavior in business, covering integrity, compliance, accountability, and fair competition. https://www.uschamber.com/co/start/strategy/business-ethics-and-compliance
  • ICH Guidelines 

ICH or other best practices relevant to regulatory submissions https://www.ich.org

• • Client-Specific Requirements
    Client-directed frameworks, SOPs, or security protocols may apply and are documented per project specifications.

All personnel can consult these references to better understand the “why” behind our procedures. For instance, understanding GDPR articles helps in executing our privacy SOP correctly. The Company provides access to standards in a reading room (for ISO standards, which are copyrighted, a licensed copy is held by QA for reference).

Document Locations:

• Internal policies and SOPs are on the Company Intranet under the “Quality Manual & SOPs” section.
• External standards and regulations links are provided on the intranet as well (or can be requested from QA). Key ones like GDPR and CCPA are publicly accessible online. ISO standards can be accessed via our purchased copies in the Quality library.
• Training materials summarizing these references are available for easier digestion (e.g., a GDPR training slide deck, an ISO 9001 principles cheat sheet).

Using these references, the Company ensures alignment with current best practices and legal requirements. They are the backbone of our compliance and quality commitments.

QMS Validity and Revision Control

This Quality Management System Manual is issued under controlled conditions and is effective upon approval. It remains valid indefinitely as the framework for the Company’s management systems, with the following stipulations to ensure it stays current and effective:

• Living Document: The QMS Manual (and associated procedures) is intended to be a living document set. It does not have a fixed expiration, but is subject to continual improvement. Revisions will be made whenever needed to reflect changes in standards, regulations, Company processes, or corrective actions from audits.
• Annual Review and Renewal: At minimum, on an annual basis, the QA Officer (with input from process owners) will review the entire manual and key SOPs. This typically coincides with a management review meeting near year-end or the beginning of the year. Unless substantial changes are required, the QMS Manual will be “renewed” by re-approval each year to affirm its continued applicability. This is documented by a signed statement from the QA Officer or Management Representative (and CEO if required), noting that the manual was reviewed and remains in effect (with minor changes, if any).
• Revision Control: Any changes to the QMS Manual content will result in a new version number and date. Changes are reviewed and approved by top management before release. The Document Control SOP ensures all users get the updated manual and obsolete versions are removed. Each page of the manual carries the version identifier to avoid confusion.
• Lifetime Commitment: The Company commits that the QMS as described will be maintained for the life of the Company’s operations. Should there be major organizational changes (mergers, scope change) that impact the QMS, the manual will be revised accordingly rather than retired.
• Default Renewal: If the annual review passes without needing major revision, the manual is considered renewed for another year by default. A memo or email from QA to all staff will note that the manual was reviewed on [date] and remains in effect as-is. This serves as evidence of compliance with a yearly review requirement.
• Availability: This manual is available to all Company employees and external experts (in an appropriate form) to ensure awareness. Significant updates are communicated through training or a memo.
• External Audit/Certification Use: In the event of external audits (client audits or ISO certification audits), this manual serves as a key reference. Its validity and currency are crucial; hence, the above process ensures auditors see a document that is up-to-date and reflects actual practice.

By authority of the CEO and QA Officer, this QMS Manual version (Version 1.0, effective May 2025) is hereby approved and released for use. It will remain the authoritative source of QMS guidelines until superseded by a formally approved new revision.

Approval

• Quality Assurance Officer: Signature (Digital Signature)           Date: May 21, 2025
• Chief Executive Officer: Signature (Digital Signature)               Date: May 21, 2025

(Signatures on file)

(Signatures on file indicate that this manual has been reviewed and approved for use. Electronic approval via the document management system is also acceptable.)

This statement of validity and the above signatures affirm that the QMS Manual is current as of the date signed. Going forward, the manual will undergo annual review and be re-signed or a memo of continuance issued to reflect its ongoing validity. Changes, when made, will be clearly identified and communicated.

By maintaining strict document control and regular review of this manual, the Company ensures that our QMS remains an effective and authoritative guide for our operations. The manual in its current version shall remain in force until formally superseded by an approved new version.

(This QMS Manual is formatted and structured for easy editing and conversion to other formats, such as Microsoft Word, to serve as an editable internal document. An official, controlled copy can be downloaded from the Company intranet or provided by QA.) 

End of Quality Management System Manual.

Privacy Policy/Notice (GDPR & CCPA Compliance)

Introduction: Company respects the privacy of individuals and is committed to protecting personal data in line with international data protection standards. This Privacy Policy explains how Company collects, uses, stores, and discloses personal information, and outlines the rights individuals have regarding their personal data. It is intended as an external-facing notice that is concise, transparent, intelligible, and easily accessible, in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) (as amended by the CPRA). This policy applies to all personal data processed by Company in the course of our operations, including data of clients, end-users, website visitors, and other individuals whose information we handle. By using Company’s regulatory affairs software services or interacting with our website, you acknowledge the practices described in this Privacy Policy.

Identity of the Data Controller: Company (headquartered in the United States with international operations) is the “data controller” for personal information that we collect and determine the purposes and means of processing. For any questions or concerns about this policy or your personal data, you may contact Company’s Data Protection Officer (DPO) at [privacy@company.com] or by mail at [Company address]. Our DPO oversees compliance with GDPR and other privacy laws.

Personal Data We Collect: We may collect and process the following categories of personal data, depending on your relationship with Company:

• Contact Information: such as name, business title, email address, telephone number, and mailing address.
• Account Credentials: usernames, passwords, or other authentication data for accessing Company’s platforms.
• Professional Information: for users of our regulatory software, this may include employer or organization name, department, and professional role or license numbers if relevant.
• Usage Data: when you use our software or visit our website, we collect usage logs, device identifiers, IP addresses, browser type, access times, and pages visited. This helps us maintain security and improve our services (see “Cookies and Tracking” below).
• Client Regulatory Data: data that clients upload or store in our platform during regulatory submission management may include personal data (e.g. names or contact details in submission documents). In such cases, Company processes this data as a data processor on behalf of the client (who remains the data controller). We handle client data only as instructed in our contract with the client.
• Support and Inquiry Information: if you contact Company for support or information, we will collect the content of your communications along with your contact information.
• Cookies and Tracking Technologies: Our website uses cookies and similar technologies to enhance user experience, for analytics, and for advertising (where permitted). For details, see our separate Cookies Notice. We do not use cookies to collect sensitive personal data, and where required by law, we obtain consent for non-essential cookies.

We do not intentionally collect any sensitive personal data (such as health information, biometric identifiers, or financial account details) from general users, and we ask that you do not provide such data through our services. If Company ever needs to handle sensitive data for a specific purpose, we will do so in accordance with applicable laws and with appropriate notice and consent.

Purpose and Legal Basis for Processing: Company processes personal data for specified and legitimate purposes. The purposes for which we process personal data include:

• Providing Services: To provide, maintain, and support the regulatory affairs software services you have requested, including creating user accounts, authenticating users, hosting and backing up data, and enabling core functionality of our platform.
• Customer Support and Communications: To respond to inquiries, provide customer support, send service notices, updates, and administrative communications.
• Improvement and Analytics: To analyze usage of our products and website (in aggregate form) in order to improve features, user experience, and performance. This may involve the use of analytics tools that collect technical information about your device and interactions (IP address, device type, pages visited, etc.). Wherever feasible, we use anonymization or pseudonymization for analytics data.
• Marketing (with Consent): To send marketing or promotional communications about our products, industry insights, or events that may interest you. We will only send direct marketing emails to individuals in jurisdictions where such communications are lawful, and we provide the option to opt-out or unsubscribe at any time. (For EU individuals, our marketing is based on consent or our legitimate interest in promoting our services, as appropriate; for U.S. individuals, we honor any “Do Not Contact” requests.)
• Legal Compliance and Security: To comply with our legal obligations and regulatory requirements (such as export control, anti-money laundering (if applicable), or responding to lawful requests by public authorities). Also, to protect the rights and safety of Company, our users, or the public – for example, by monitoring and preventing fraudulent activity, cybersecurity threats, or policy violations on our platform. We may process logs and user activity data for these security purposes.
• Other Purposes: We may process personal data for other purposes that are compatible with the original purposes or as specifically described to you at the time of collection. If we need to process your personal data for a new purpose that is not compatible with those above, we will obtain your consent (if required by law) or provide notice as necessary.

For personal data collected from individuals in the European Economic Area (EEA) or United Kingdom, our processing is based on certain legal grounds under the GDPR. The legal bases we rely on include: performance of a contract (e.g. providing the software service to our clients and end-users), legitimate interests (e.g. improving our services, securing our platform – we ensure our interests are not overridden by individuals’ rights through balancing tests), consent (for marketing communications or optional cookies), and compliance with legal obligations (for any mandatory disclosures or record-keeping). We will clearly inform you when the provision of personal data is statutory or contractual and when you are obliged (or not) to provide data, as well as the possible consequences of not providing the data.

Disclosure of Personal Data: Company does not sell personal information to third parties. We may share personal data with the following categories of recipients, solely for the purposes described above and in accordance with applicable law:

• Service Providers: Third-party companies that perform services on our behalf, such as cloud infrastructure providers, email communication platforms, customer relationship management (CRM) software, analytics providers, or consultants. These service providers are bound by contractual agreements to process personal data only under our instructions and to implement appropriate security measures (as “processors” under GDPR or “service providers” under CCPA).
• Business Partners: In some cases, Company may partner with other organizations (for example, a local reseller or integration partner) to deliver our services or host joint events. We will only share the minimum necessary personal data with such partners and only for the agreed-upon purposes (such as confirming your registration for a co-hosted webinar). Our business partners must comply with applicable privacy laws and are not allowed to use the data for unrelated purposes.
• Affiliates: We may share information with our affiliate companies (subsidiaries or parent company) as needed to operate our global business (for instance, if our support team in another region handles a support ticket, they will access relevant account information). All affiliates will uphold the same level of data protection as described in this notice.
• Legal and Compliance: We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., to comply with a subpoena, court order, or regulatory requirement). We may also disclose data if necessary in the good-faith belief that such action is needed to investigate or protect against harmful activities to Company users, associates, or property (for example, investigating fraud or a security incident), or to exercise or defend Company’s legal claims.
• Business Transfers: In the event of a proposed or actual merger, acquisition, financing, reorganization, or sale of all or a portion of Company’s business, personal data held by Company may be transferred to the new owners or partners, but will remain protected by this policy (unless and until it is superseded by an updated policy, of which users would be notified). Any acquiring entity will be required to use personal data only for the purposes for which it was originally provided or for compatible purposes.

Company does not share personal data with third parties for their own direct marketing purposes without your consent.

International Data Transfers: Company is headquartered in the U.S., and we operate internationally. Thus, personal data we collect may be transferred to or accessed by Company personnel and service providers in countries outside of your home jurisdiction. When we transfer personal data from the EEA or other regions with data transfer restrictions, we ensure appropriate safeguards are in place in compliance with GDPR Chapter V. These may include relying on the European Commission’s Standard Contractual Clauses (SCCs) for data transfers, verification of recipient’s compliance with frameworks like the EU-U.S. Data Privacy Framework (if applicable), or other legally accepted mechanisms. A copy of the relevant transfer safeguards can be provided upon request. We take steps to ensure that personal information continues to have a high level of protection wherever it is processed, consistent with the protections required under applicable law.

Data Subject Rights: Company is committed to facilitating the exercise of rights granted to individuals under applicable data protection laws:

• Rights under GDPR (for EU/EEA/UK individuals): You have the right to obtain confirmation as to whether Company is processing personal data about you, and if so, to request access to that data (a copy of the data and information on how we use it). You also have the right to request rectification of inaccurate personal data and to have incomplete data completed. Subject to certain conditions, you may request erasure of your personal data (“right to be forgotten”), or restriction of processing (to suspend active processing of your data). You have the right to object to our processing of your data when it is based on legitimate interests, including the right to object to profiling or direct marketing. To the extent our processing is based on your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You also have the right to data portability for data you provided, where processing is carried out by automated means and based on contract or consent – we will provide your data in a structured, commonly used, machine-readable format. Additionally, you have the right to lodge a complaint with a supervisory authority (such as an EU Data Protection Authority or the UK Information Commissioner’s Office) if you believe that we have infringed your data protection rights. We encourage you to contact us first at [privacy@company.com] so we can address your concerns directly.
• Rights under CCPA (for California residents): If you are a California consumer, you have specific rights under the CCPA regarding your personal information. These include: Right to Know – the right to request that we disclose what personal information we have collected about you, including the categories of information, the sources, the business purpose for collection, and the categories of third parties with whom we share it. 

Right to Access – to receive a copy of the specific pieces of personal information collected about you in the past 12 months. 

Right to Delete – the right to request deletion of personal information that we have collected from you, subject to certain exceptions (for example, we may retain information as required by law or for legitimate business needs). 

Right to Opt-Out of Sale/Sharing – while Company does not sell personal data for monetary consideration, the CCPA broadly defines “sale” to include some transfers of data in exchange for value. If Company ever engages in practices deemed a “sale” or “sharing” of personal information, you have the right to direct us not to sell or share your personal information. We will provide a “Do Not Sell or Share My Personal Information” link on our website if this becomes relevant, and we honor signals transmitted through the Global Privacy Control (GPC) as a valid opt-out request. 

Right to Correct – the right to request correction of inaccurate personal information (effective under the CPRA). 

Right to Limit Use of Sensitive Personal Information – if we collect any sensitive personal data (as defined by CCPA/CPRA), you can ask us to limit its use/disclosure to that which is necessary for our services. 

Right to Non-Discrimination – Company will not deny goods or services, charge you different prices, or provide a different quality of service for exercising your privacy rights. We do not engage in retaliatory or discriminatory practices against those who exercise their rights. These CCPA rights can be exercised by contacting us via the methods below. We may need to verify your identity (or that of your authorized agent) before fulfilling certain requests, as required by law.

To exercise any applicable privacy rights or to inquire about your personal data, please contact Company at [privacy@company.com] with your name, contact information, and a description of your request. We will respond to verifiable requests as soon as possible, and in any event within the timeframe required by law (30 days for GDPR; 45 days for CCPA, with extension if needed and notified).

Data Security: Company takes information security seriously and has implemented appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or destruction. Measures include access controls limiting who can access personal data, encryption of personal data in transit (e.g., TLS for our website and platform) and at rest (for sensitive data stored in databases or backups), network security (firewalls, intrusion detection systems), regular security testing and audits, and security policies and training for our personnel. We also require our third-party service providers to implement security controls that meet or exceed industry standards for the type of personal data involved. Despite our efforts, no security measures are infallible and Company cannot guarantee absolute security of data; however, we continuously assess and improve our security posture to reduce risks. If Company becomes aware of a data breach affecting personal information, we will notify affected individuals and regulators as required by law, and take steps to mitigate the impact.

Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, accounting, or reporting requirements. For example, we keep account information for the duration of the customer contract plus a reasonable period thereafter to deal with any post-contract matters or as required by law. We retain support correspondence for a period needed to effectively address and track issues. Where we process data based on consent (e.g., marketing communications), we retain it until consent is withdrawn or it is no longer useful. Once retention periods expire, Company will securely delete or anonymize the personal data. If deletion (or anonymization) is not immediately possible (for instance, if the data is stored in backup archives), we will ensure it is isolated from further active processing until deletion is possible.

Children’s Privacy: Company’s services and website are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal data from a child under 16 (or the relevant minimum age in the child’s jurisdiction), we will delete such information as soon as possible. Parents or guardians who believe Company might have information about a child can contact us to request deletion.

Updates to this Privacy Policy: We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update the policy, we will post the new version with an updated effective date at the top. If changes are material, we will provide a more prominent notice (such as a banner on our website or direct notification via email, where required by law). We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

Contact Information: If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact:

• Data Protection Officer (EU/UK): [Name], Email: [DPO email], Address: [Company EU Representative address if applicable].
• Privacy Team (US/Global): Email: privacy@company.com, Address: Company, [Headquarters address].
• California Privacy Inquiries: California residents may also call our toll-free privacy number at 1-800-XXX-XXXX to exercise CCPA rights or ask questions.

You also have the right to lodge a complaint with your local data protection authority or the relevant supervisory authority. In the EU, you can find contact details for Data Protection Authorities here: [link]. In the UK, contact the Information Commissioner’s Office (ICO). In California, you can contact the California Attorney General’s Office or the California Privacy Protection Agency.

This Privacy Policy is effective as of Jan 1, 2025. By continuing to use Company’s services, you acknowledge that you have read and understood this policy.

Toggle Content