Simploud is powered by the Salesforce platform, and leverages its robust compliance standards.
Salesforce maintains a comprehensive set of compliance certifications and attestations to validate
Title 21 of the Code of Federal Regulations, Part 11 defines legal criteria under which the Food and Drug Administration (“FDA”) considers electronic records, electronic signatures, and handwritten signatures executed on electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper. Ensuring compliance of the electronic records with 21 CFR Part 11 is the responsibility of the organization that utilizes electronic records for the documentation of quality-related product information/data.
The purpose of Annex 11 is to provide the EMA healthcare industry with consistent criteria for effective implementation, control, and use of computer systems. EU Annex 11 Guide to Computer Validation Compliance for the Worldwide Health Agency GMP supplies practical information to facilitate compliance with computer system GMP requirements, while highlighting and integrating the Annex 11 guidelines into the computer compliance program. Additional information can be found here
Good manufacturing practices (GMP) are the practices required in order to conform to the guidelines recommended by agencies that control the authorization and licensing of the manufacture and sale of food and beverages, cosmetics, pharmaceutical products, dietary supplements, and medical devices. These guidelines provide minimum requirements that a manufacturer must meet to assure that their products are consistently high in quality, from batch to batch, for their intended use. The rules that govern each industry may differ significantly; however, the main purpose of GMP is always to prevent harm from occurring to the end user. Additional information can be found here
ISO 13485 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities. ISO 13485 can also be used by suppliers or external parties that provide product, including quality management system-related services to such organizations. Additional information can be found here
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data.
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. These certifications run for 3 years (renewal audits) and have annual touch point audits (surveillance audits). ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO 27002 and ISO 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers. The International Organization for Standardization 27018 Standard (ISO 27018) covers privacy protections for the processing of personal information by cloud service providers.
In the experimental (non-clinical) research arena, good laboratory practice or GLP is a quality system of management controls for research laboratories and organizations to ensure the uniformity, consistency, reliability, reproducibility, quality, and integrity of products in development for human or animal health (including pharmaceuticals) through non-clinical safety tests; from physio-chemical properties through acute to chronic toxicity tests. GLP was first introduced in New Zealand and Denmark in 1972, and later in the US in 1978 in response to the Industrial BioTest Labs scandal. It was followed a few years later by the Organization for Economic Co-operation and Development (OECD) Principles of GLP in 1992; the OECD has since helped promulgate GLP to many countries.
DoD IL2 is a designation that includes all data cleared for public release, as well as some DoD sensitive information not designated as controlled unclassified information (CUI) or critical mission data, along with low sensitivity personally identifiable information (PII). All cloud service offerings (CSOs) granted a FedRAMP Moderate or High authorization are automatically granted DoD IL2 reciprocity.
Additional information can be found at salesforce , mulesoft , and slack.
The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD specifically has defined additional cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements. DoD IL2 is a designation that includes all data cleared for public release, as well as some DoD sensitive information not designated as controlled unclassified information (CUI) or critical mission data, along with low sensitivity personally identifiable information (PII). All cloud service offerings (CSOs) granted a FedRAMP Moderate or High authorization are automatically granted DoD IL2 reciprocity. Additional information can be found at salesforce , mulesoft , and slack. DoD IL4 is a designation that includes controlled unclassified information (CUI), including export controlled data, personally identifiable information (PII), and protected health information (PHI), along with other mission critical data. Additional information can be found at salesforce.
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. Customers who want to build healthcare applications on Salesforce that comply with US HIPAA can contact your account representative regarding a Business Associate Addendum (BAA). For the current BAA Restrictions and HIPAA Covered Services refer to salesforce
Binding Corporate Rules (or "BCRs") are company specific, group-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area to other countries. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with European data protection authorities. Salesforce has received approval from European data protection authorities for its Binding Corporate Rules ("Salesforce Processor BCR"). For more details about the scope of the Salesforce Processor BCR and applicable services, please see here. For additional information about the multiple legal transfer mechanisms which Salesforce has to help customers validate transfers of personal data, please see our Data Processing Addendum.