Skip to content
    Last updated on May 1, 2024

    The Security and Compliance You Need. The Trust You Want.

    We hold ourselves to the highest standard because Life Sciences are held to the highest standard. You can trust Vodori to keep your data secure and to maintain compliance with regulatory requirements and industry standards.

    Trusted by over 100 life science companies worldwide

    Trust through transparency

    Vodori software, infrastructure, and company operations are all designed to ensure your data is always secure. We believe that by providing transparency into our data security, privacy, quality and organizational practices, you can always trust Vodori.

    Explore the Vodori Trust Center

    Visit the Vodori Trust Center to access our SOC 2 Type 2 report, information security policies, real-time control monitoring, subprocessor list, and common security and privacy topics. 

    Vodori compliance

    Built for Life Science compliance

    Our built-in product compliance features help Life Science companies with audit readiness and submissions to government regulators.

    Electronic Signature

    Apply an e-Signature in compliance with FDA 21 CFR Part 11 and EU Annex 11

    Audit History

    See all actions performed on a document, automatically captured by the system

    Version History
    Track and store all previous versions of a document in one place
    FDA Submissions

    Easily compile the necessary documents to support FDA 2253 submissions

    Local Health Authority Submissions

    Easily allow your team to certify and generate certification reports for submission to local health authorities

    Document First Use & Expiration

    System-controlled publishing and withdrawal based on date of first use and expiration

    Claims & Evidence Management

    Substantiate materials with independently approved and tracked claims and references

    Configurable Workflows

    Use a parallel and/or sequential review process in accordance with your SOPs


    Control what users can see and do with permission-based access

    API Integrations

    Ensure a compliant chain of custody on all of your promotional materials by integrating Vodori with your downstream systems 

    Vodori quality

    Vodori’s quality assurance program is comprised of a series of policies and procedures for developing and maintaining software at Vodori to help ensure compliance with regulatory guidelines, uniformity of performance, and quality output. This includes procedures for change control, software validation, electronic record and electronic signature management, defect and incident management, configuration management, backup and restore, disaster recovery, and production access. You can download a majority of our quality policies and procedures on our Trust Center.

    Vodori security

    Our security approach is driven not only by compliance and regulatory requirements, but also by industry best practices including intrusion detection & prevention, secure coding practices (OWASP), advanced data encryption, and real-time vulnerability scanning. 

    Data & infrastructure security

    ISO 27001 certified data centers

    Vodori partners with Amazon Web Services (AWS), a SOC 2 Type 2 and ISO 27001 certified data center that provides a high degree of availability and security for our software. AWS’s SOC 2 and ISO 27001 compliance requirements provide systematic evaluation of risks, threats, and vulnerabilities through a set of established controls. Read more on AWS data center controls Physical and environmental security is handled entirely by Amazon and their vendors. Vodori employees do not have physical access to data centers.

    Vodori is currently deployed across 3 different data centers within the United States and a Europe data center is on the roadmap. If you are interested in a Vodori subscription in a data center outside the U.S., contact our Sales team

    Network monitoring

    All network traffic in and out of the Vodori platform is routed through a fully managed 3rd party Intrusion Detection System (IDS) and Web Application Firewall (WAF) that is actively monitored 24x7x365. Automatic blocking of malicious traffic is included.  If suspicious activity is identified, it is logged and escalated within Vodori for review and triage.

    Server hardening

    Vodori maintains documented security configuration standards, including secure images or templates, for authorized operating systems and software in the enterprise.

    Patches and upgrades for non-critical vulnerabilities are remediated on a monthly basis as part of scheduled monthly maintenance. Environments deployed to cloud-provided virtual machines are based on environment templates developed by Vodori according to company hardening standards.

    These environments are maintained with up-to-date patch levels by the engineering team.

    Data encryption in transit & at rest

    Customer data in transit to or from the Vodori platform is protected through either Hypertext Transfer Protocol Secure (HTTPS) over Transport Layer Security (TLS) or Secure File Transfer Protocol (SFTP).

    Vodori customer files are stored at AWS and logically separated by customer with dedicated customer specific access credentials. Files at AWS are encrypted at rest using a customer-specific encryption key. Data at rest is encrypted using Advanced Encryption Standard (AES) 256 bit. 

    Remote system administration access to Vodori web and application servers is available through cryptographic network protocols (i.e., SSH or AWS SSM) or an encrypted virtual private network (VPN) connection.

    Any transfer of Vodori customer data, protected data, or Vodori sensitive data takes place via an encrypted channel.

    Data redundancy & resiliency

    Vodori uses a redundant, fault-tolerant database that is deployed across multiple availability zones, and Amazon’s highly available and highly redundant storage architecture. If one or more availability zones are unavailable for an
    extended period of time, Vodori may choose to execute the Disaster Recovery Policy which allows instantiating a replica infrastructure in another AWS service region.

    In production environments, daily backups will be kept for 30 days. The last full backup of each month will be kept for 2 months resulting in a rolling 3 month backup retention. Backups would be used in the event of a full system restoration in which the most recent backup would typically be restored to minimize the lost work from the backup point forward.

    Vodori operates with a Recovery Point Objective (RPO) of 4 hours and a Recovery Time Objective (RTO) of 24 hours.

    Data retention & decommission

    Secure disposal of customer data occurs in the event the customer relationship is terminated. At the close of a customer contract, data is returned to the customer and/or removed/destroyed from Vodori's systems within 30 days or as agreed-upon between Vodori and the customer. 

    Production backups are excluded from this timeframe as they will be retained for at least 90 days following data deletion activities as they are systematically aged off in accordance with our backup and retention policies.

    Vodori personnel access to customer data & production

    Access to customer data by Vodori personnel is restricted to only authorized Vodori personnel. All production data access at AWS is logged and reviewed on a regular basis.

    To support our customers and end-users, the following teams have access to each customer-assigned Vodori environment:

    • Customer Success Manager(s)
    • Implementation Specialist(s)
    • Support Analyst(s)

    Customers are able to view, report, and modify this access using Vodori’s User Management solution. Data is not stored or retained by Vodori employees.

    Internal access to customer tenants and production is reviewed quarterly. Additionally, a managed detection and response platform is enabled and uses AI to alert internal Vodori teams if there is unusual behavior in production.

    Third party risk assessment process

    Prior to engaging any third party sub-processor, Vodori performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations to ensure they adhere to the same standards as Vodori to protect your Personal Information against unauthorized access, alteration, disclosure, destruction or loss. 

    Sub-processors and all other high risk vendors are assessed annually thereafter to ensure there are no material security or privacy risks with the provided services.

    Application security

    SAML & OAuth2 based SSO

    The Vodori platform’s SSO is based on industry standards SAML and OAuth2/OpenIDC for managing user authentication. Our SSO is able to integrate with third-party SSO providers such as: Microsoft Azure Active Directory, Google Apps, PingFederate, Auth0, and Okta.

    Role based access & session timeouts

    Vodori platform access is granted based on standard and configurable roles and groups to meet your organization’s specific needs. In addition, the system has a configurable total session and idle session timeout, which requires users to re-authenticate after a given period of time.

    Vulnerability management & penetration testing

    External penetration testing is conducted by a third party annually.

    Vodori conducts vulnerability scanning prior to considering an application ready for production use and after any significant changes in the application code. All Vodori builds include an integrated code and framework dependency security check. Whenever possible, Vodori will remediate identified Critical and High risk issues but may choose to defer remediation of a vulnerability if there is either no fix available or it has been determined that the system is not impacted by the specific issue. Each exception is documented in Vodori’s Ticket System and signed off by the CTO. Vulnerabilities identified as medium- or low-risk will be reviewed and addressed as needed. Further, all of our applications are security scanned so that bundled middleware is checked for known security issues.

    Application monitoring

    All applications and middleware have monitoring in place to observe and detect issues with responsiveness, resource utilization, runtime instrumentation, or to detect general errors.

    Vodori leverages five main types of monitoring:
    • Application exception logging
    • Application runtime logging
    • Application runtime performance monitoring
    • Infrastructure resource monitoring
    • Network intrusion detection monitoring

    Each type of monitoring configures critical alert categories that lets the Vodori team understand if there are issues which are impacting customer access, performance, system integrity, or Vodori's ability to deliver service per the SLA.

    Software Development Life Cycle

    Vodori has designed and implemented a secure Software Development Life Cycle based on good practice guidelines (GxP) which integrates comprehensive security practices from start to finish. We build our products using the “Security by Design” principles, a process and mindset that anticipates security features through the entire development process.

    Vodori engineers develop using test data and do not use production customer data. Vodori requires that all code merged into production code branches are reviewed and approved via a Pull Request and that code reviews follow Vodori’s Code Reviews standards. Vodori tests in a separate test environment, within a separate AWS account, so that production and customer data is separated from test data.

    Quality Assurance is integrated into our process, from individual code changes all the way through preparing a release for our customers. Each feature or change developed in the Vodori platform is tested using a combination of unit, integration, and regression test scripts as appropriate. All releases of Vodori undergo rigorous regression, security and validation testing prior to release.

    Upgrades & configuration change management

    As each release date nears, your Customer Success Manager will work with your team to discuss the newly available features and determine when your organization would like to upgrade. Each release is accompanied by a validation deliverable package evidencing our procedures. Upgrades are done first in your sandbox to enable your team to perform the desired level of acceptance testing or formal software validation. Once approved, your production environment is upgraded. 

    After configuration specifications are approved by the customer, the configuration is implemented and tested in the customer’s validation tenant. During User Acceptance Testing, the customer verifies the configuration has been completed according to the approved configuration specification and provides their approval. Once the configuration is approved and any customer dependencies are met, engineering promotes the configuration to the customer’s production tenant.

    Organizational security

    Confidentiality agreements & background checks

    Confidentiality agreements are executed with employees and third parties with access to Vodori protected data or customer data. Background checks are performed on new hires, prior to hire as permitted by local laws.

    Quarterly security & privacy training

    Within 30 days of hire and quarterly thereafter, all employees must complete training courses covering information security practices and relevant privacy regulations. The training courses are designed to assist employees
    in identifying and responding to social engineering attacks, avoiding inappropriate security practices and complying with privacy regulations.

    Formal security policies

    Corporate policies, programs, processes and standards are established to help ensure employees understand their individual roles and responsibilities concerning information security controls and maintaining system service commitments and system requirements. Policies are communicated through a compliance automation platform and also posted within the company knowledge base. All policies are reviewed at least annually and updated when needed.

    Strict access controls

    Vodori institutes the following access controls, which are designed to minimize potential exposure resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the networks, systems and applications:

    • Employee access to systems is restricted based on need.

    • Access is through named accounts which require MFA to sign in.

    • Access to systems is logged.

    • No unapproved devices may access the Vodori network.

    • Segregation of duties is used to require that proper authorization is performed prior to access.

    Disaster recovery & backup restoration testing

    A Disaster Recovery Policy is documented, tested, and reviewed by management on an annual basis. Backup restoration is tested at minimum annually to confirm that data is able to be restored. A business continuity plan (BCP) is defined to address key environmental threats and is reviewed annually.

    Incident management

    Incidents are handled in accordance with Vodori’s Incident Response Process (IRP) following the lifecycle of an incident: Preparation, Detection and Analysis, Resolution, and Post-Incident Activity. Designated personnel are responsible for managing the response process in accordance with the IRP, completing an after-action review and coordinating any outbound communication that may be necessary following an incident.

    Have questions? Want more information?

    Contact Us