
Privacy Policy

How ComplianceWorxs protects your data with Life Science GRC standards

Last updated: February 28, 2026

✓ HIPAA Compliant ✓ GDPR Ready ✓ 21 CFR Part 11 ✓ SOC 2 Type II

1. Data Collection & Processing

ComplianceWorxs collects and processes data in accordance with 21 CFR Part 11 requirements for electronic records and signatures. We collect:

  • Account Information: Name, email, organization, role, and authentication credentials
  • Compliance Data: Audit logs, decision records, deviation reports, CAPA records, and regulatory submissions generated through our platform
  • Usage Analytics: Feature usage, service access patterns, and performance metrics for service improvement
  • Technical Data: IP addresses, browser types, access times, and device information for security purposes

All data processing activities are documented in our Data Processing Agreement (DPA), available upon request for enterprise clients.

2. HIPAA Compliance

For clients in the pharmaceutical and healthcare sectors, ComplianceWorxs maintains HIPAA compliance through:

  • Business Associate Agreements (BAAs): Available for all clients processing Protected Health Information (PHI)
  • Administrative Safeguards: Role-based access controls, workforce training, and designated privacy officers
  • Physical Safeguards: Secure data centers with 24/7 monitoring and access controls
  • Technical Safeguards: AES-256 encryption at rest and TLS 1.3 in transit, audit trails, and automatic log-off

We do not sell, rent, or share PHI with third parties except as necessary to provide our services or as required by law.

3. GDPR & EU Data Protection

For clients operating within the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR):

  • Legal Basis: We process personal data based on contractual necessity, legitimate interest, or consent
  • Data Subject Rights: You may request access, rectification, erasure, restriction, or portability of your data
  • Data Protection Officer: Contact our DPO at privacy@complianceworxs.com for GDPR-related inquiries
  • Cross-border Transfers: Data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs)
  • Breach Notification: We notify supervisory authorities within 72 hours of discovering a qualifying data breach

4. Data Residency & Sovereignty

ComplianceWorxs offers flexible data residency options to meet your regulatory requirements:

  • United States: Primary data centers in AWS US East (Virginia) and US West (Oregon)
  • European Union: EU-only data storage available in AWS Frankfurt (eu-central-1) for GDPR compliance
  • Geographic Restrictions: Enterprise clients may specify data processing location restrictions
  • Data Replication: All data centers use multi-region replication with in-geography constraints for data residency compliance (see enterprise SLAs)

All data residency configurations are documented and auditable for regulatory inspections.

5. 21 CFR Part 11 Electronic Records

ComplianceWorxs is designed to support 21 CFR Part 11 compliance for electronic records and signatures:

  • Audit Trails: Immutable, timestamped logs of all record creation, modification, and deletion events
  • Electronic Signatures: Unique and attributable signature stamping and electronic identity verification
  • System Validation: Documented and auditable controls with IQ/OQ/PQ documentation available
  • Access Controls: Role-based permission structures with principle of least privilege enforcement
  • Data Integrity: ALCOA+ data principles built into all core functionalities (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available)

Clients are responsible for validating their own procedural controls and for using ComplianceWorxs as one component of their overall Part 11 compliance program.

6. Data Security Measures

We implement industry-leading security measures to protect your data:

  • Encryption: AES-256 encryption at rest, TLS 1.3 encryption in transit
  • Infrastructure: Multi-tier application architecture with DMZ and isolated subnets
  • Compliance: SOC 2 Type II certified cloud infrastructure with continuous monitoring
  • Penetration Testing: Annual third-party penetration testing and vulnerability assessments
  • Incident Response: 24/7 security operations center with documented incident response procedures
  • Backup & Recovery: Automated daily backups with 30-day retention and disaster recovery procedures

7. Data Retention & Deletion

Our retention policies are designed to meet regulatory requirements:

  • Active Data: Retained for the duration of your subscription and for 90 days following termination
  • Compliance Records: Audit logs and compliance records are retained for 7 years or as required by applicable regulations
  • Account Deletion: Upon request, personal data is deleted within 30 days, subject to regulatory retention requirements
  • Backup Purge: Deleted data is purged from backup systems within 90 days
  • Legal Hold: Data subject to legal proceedings may be retained beyond standard retention periods

8. Third-Party Services

ComplianceWorxs uses trusted third-party services to deliver our platform:

  • Cloud Infrastructure: Amazon Web Services (AWS) — SOC 2 Type II certified
  • Payment Processing: Stripe — PCI DSS Level 1 compliant
  • Email Services: SendGrid — SOC 2 Type II certified
  • Analytics: Cookie-less analytics processed with compliant configurations
  • AI Services: OpenAI and Google Gemini for AI-powered features (data not used for training)

All third-party processors are bound by Data Processing Agreements that mandate equivalent security and privacy standards.

9. Contact Information

For privacy-related inquiries, data subject requests, or to report a security concern:

We respond to all privacy inquiries within 30 days, or sooner as required by applicable law.

Questions About Your Data?
If you have questions about how we handle your data, or need a Data Processing Agreement (DPA) for your compliance documentation, contact us at privacy@complianceworxs.com.