Security
Last updated: January 01, 2025
Security is foundational to Genira. The Genira platform is designed for regulated life-science environments where data integrity, system availability, and privacy are not optional — they are regulatory requirements. This page provides a summary of our security programme and the controls we maintain to protect Customer Data.
For security enquiries or to report a vulnerability, contact us at security@genira.ai.
1. Security Governance
Genira maintains a formal Information Security Management System (ISMS) aligned with the requirements of ISO/IEC 27001, together with a quality management system aligned with ISO 9001. Our security and quality programme is overseen by a designated Security Officer and reviewed by senior management at least annually.
Our security policies cover: acceptable use, access control, asset management, business continuity, change management, cryptography, incident management, physical and environmental security, supplier relationships, and vulnerability management.
All employees complete mandatory security awareness training upon onboarding and annually thereafter, with additional role-specific training for personnel handling Clinical or Personal Data.
2. Infrastructure and Hosting
The Genira platform is hosted on ISO 27001-aligned cloud infrastructure with primary hosting in Asia-Pacific and an EU data residency option for customers requiring data to remain within the European Economic Area.
Our cloud infrastructure provider operates under a shared responsibility model: the provider is responsible for security of the underlying physical infrastructure; Genira is responsible for security of the application layer, configuration, and all Customer Data.
All production infrastructure is defined and managed as code (IaC) with automated configuration enforcement and drift detection. Infrastructure changes go through mandatory peer review and automated testing before deployment.
3. Data Protection and Encryption
Encryption in transit
All data transmitted between clients and Genira services is encrypted using TLS 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) and disable legacy cipher suites. Internal service-to-service communication is also encrypted in transit.
Encryption at rest
All data stored on Genira infrastructure — including databases, object storage, and backup archives — is encrypted at rest using AES-256. Encryption keys are managed by a dedicated key management service with automatic rotation.
Data segregation
Each customer's data is logically segregated at the application and database level. Strict tenant isolation is enforced and regularly validated through automated testing.
4. Access Control and Identity
Genira enforces the principle of least privilege across all systems:
- All human access to production systems requires multi-factor authentication (MFA);
- Privileged access is granted on a just-in-time basis and fully audited;
- Access rights are reviewed quarterly and revoked immediately upon role change or departure;
- Customer-facing authentication supports SSO (SAML 2.0, OIDC), MFA enforcement, and configurable session policies;
- API access is authenticated via signed tokens (JWT) with short expiry and automatic rotation;
- Service accounts use unique credentials scoped to the minimum required permissions.
5. Audit Logging and Monitoring
Genira maintains comprehensive, tamper-evident audit logs in accordance with 21 CFR Part 11 and EU Annex 11 requirements:
- Every create, read, update, and delete operation on regulated data is logged with timestamp, user identity, and IP address;
- Audit logs are stored separately from application data and cannot be modified or deleted by application users;
- Logs are retained in accordance with applicable regulatory requirements;
- Real-time security event monitoring is performed via a SIEM, with automated alerting for anomalous access patterns, failed authentication attempts, and configuration changes.
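As an added illustration of what "tamper-evident" means in practice (example code written for this page, not Genira's audit implementation), the following hash chain links every audit entry to the digest of the entry before it, so that editing or deleting any record breaks every later link. The use of SHA-256, the all-zero genesis digest, the field names and the sample entries are all assumptions constructed for the example; the entry fields mirror the timestamp, user identity and IP address listed above.

```python
"""Hash-chained audit log with integrity verification (illustrative example).

Each entry stores the previous entry's digest and its own digest over
(previous digest + canonical JSON of its fields). Verification recomputes
every link from the genesis value, so a modified or deleted record is
detected at the first entry whose link no longer matches.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # predecessor digest for the first entry (convention chosen for this example)
ALLOWED_ACTIONS = {"create", "read", "update", "delete"}


def _entry_digest(prev_hash: str, fields: dict) -> str:
    """SHA-256 over the previous digest and the canonical JSON of this entry's fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical).hexdigest()


def append_entry(chain: list, user: str, action: str, record_id: str, ip: str,
                 ts: Optional[str] = None) -> dict:
    """Append one audit entry (timestamp, user, action, record, IP) linked to its predecessor."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    fields = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "record_id": record_id,
        "ip": ip,
    }
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {**fields, "prev_hash": prev_hash, "hash": _entry_digest(prev_hash, fields)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (True, None) if intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        fields = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _entry_digest(prev_hash, fields):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_chain() -> list:
    """Three constructed sample entries (not real data)."""
    chain = []
    append_entry(chain, "alice@example.com", "create", "sample-1001", "203.0.113.10",
                 ts="2025-01-01T09:00:00+00:00")
    append_entry(chain, "bob@example.com", "update", "sample-1001", "203.0.113.11",
                 ts="2025-01-01T09:05:00+00:00")
    append_entry(chain, "alice@example.com", "read", "sample-1001", "203.0.113.10",
                 ts="2025-01-01T09:07:00+00:00")
    return chain


def tamper_and_verify() -> Tuple[bool, Optional[int]]:
    """Rewrite entry 1's user directly in the store (bypassing the application) and re-verify."""
    chain = build_sample_chain()
    chain[1]["user"] = "mallory@example.com"
    return verify_chain(chain)


def delete_and_verify() -> Tuple[bool, Optional[int]]:
    """Delete entry 1 outright; the gap is detected at the entry that used to follow it."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print(verify_chain(build_sample_chain()))  # (True, None)
    print(tamper_and_verify())                 # (False, 1)
    print(delete_and_verify())                 # (False, 1)
```

A chain like this only proves that the log has not been altered since the last digest an auditor trusts: whoever can rewrite the whole tail of the store can also recompute every link. In practice the latest digest is therefore anchored out of band (written to a separate, write-once store or signed with a key the application cannot reach), which is the separation of audit storage from application data that the list above describes.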
6. Secure Development Lifecycle
Security is embedded throughout our software development lifecycle:
- Design. Threat modelling and security architecture review for all significant features;
- Development. Static application security testing (SAST) and software composition analysis (SCA) integrated into CI/CD pipelines;
- Testing. Dynamic application security testing (DAST) and automated regression tests prior to each release;
- Deployment. Immutable container images, signed artefacts, and automated rollback capability;
- Dependencies. Automated dependency scanning with risk-based remediation prioritisation.
We conduct periodic penetration tests by qualified independent third-party security firms. Summaries of findings and remediation status are available to customers under NDA on request.
7. Availability and Business Continuity
Genira designs production services for high availability. Our business continuity and disaster recovery programme includes:
- Automated regular backups with point-in-time recovery capability for all databases;
- Redundant, multi-zone deployment for all production services;
- Documented recovery time and recovery point objectives (RTO/RPO), reviewed and tested periodically;
- DR exercises with documented results.
Specific availability commitments, where applicable, are set out in the relevant Order Form or Service Agreement.
8. Incident Response
Genira maintains a documented Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and post-incident review.
- Confirmed Security Incidents are responded to promptly in accordance with our IRP;
- Affected customers are notified without undue delay once a Personal Data breach is confirmed, in accordance with applicable law (including GDPR Article 33(2), which requires a processor to notify the controller without undue delay);
- Post-incident reviews are conducted and findings fed back into our security improvement programme.
9. Compliance and Certifications
Genira's security and quality controls are designed to support the following regulatory frameworks and certifications:
| Framework / Standard | Status |
|---|---|
| ISO/IEC 27001:2022 | ISMS aligned with requirements; assessment in progress |
| ISO 9001:2015 | Quality management system aligned with requirements; assessment in progress |
| GDPR (EU 2016/679) | Compliant — DPA available |
| 21 CFR Part 11 (FDA) | Platform designed to support compliance; customer validation responsibility |
| EU Annex 11 | Platform designed to support compliance; customer validation responsibility |
| GAMP 5 | Development lifecycle aligned with GAMP 5 Category 4/5 guidance |
| HIPAA | BAA available upon request |
Documentation of our security and quality controls is available to customers and prospective customers under NDA. Please contact security@genira.ai.
10. Supplier Security
Third-party suppliers and Sub-processors that access or process Customer Data are subject to Genira's supplier security programme:
- Security and privacy due diligence is conducted before onboarding any supplier with access to production systems or data;
- Data Processing Agreements incorporating appropriate technical and organisational measures are executed with all Sub-processors;
- Supplier security posture is reviewed at least annually and upon significant change.
11. Responsible Disclosure
We encourage responsible disclosure of security vulnerabilities. If you have discovered a potential security issue, please report it to us at security@genira.ai with:
- A description of the vulnerability and its potential impact;
- Steps to reproduce the issue;
- Any proof-of-concept code or screenshots (if applicable).
We will acknowledge receipt promptly and keep you informed of progress. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We commit not to pursue legal action against researchers who act in good faith and in accordance with this policy.