BioSure

01 · Security

Compliance is the product, not an add-on.

BioSure was built for labs that get inspected. Every workflow, control, and data policy is documented, auditable, and available to review.

  • Last audit: Jan 2026
  • Uptime: 99.97%
  • Data residency: US / EU
  • BAA: All plans

02 · Frameworks

Every standard your program depends on.

We don't treat compliance as an optional checkbox. Each framework below is aligned to the specific workflow surfaces inside BioSure — not a blanket SOC 2 logo in the footer.

USP 797 · Native support

USP 797 Compounding Standards (2023 revision)

Every report template, air-sampling workflow, and gowning-qualification form is aligned to the 2023 USP 797 revision — with configurable limits for ISO 5 / 7 / 8 cleanrooms.

  • Cleanroom class configuration per site
  • Action-level and alert-level breach tracking
  • Surface, air, and personnel sampling workflows
  • Retrospective trending over any window

21 CFR Part 11 · Lab Pro & Enterprise

FDA 21 CFR Part 11 — Electronic Records & Signatures

Every mutation is captured as an immutable record with user, timestamp, intent, and cryptographic attribution. E-signatures meet Part 11 identification, non-repudiation, and linking requirements.

  • Two-factor identification for signers
  • Biometric or password-based signature binding
  • Audit trail that cannot be altered or deleted
  • Linking of signatures to the signed content

HIPAA · BAA available on all plans

Health Insurance Portability and Accountability Act

BioSure operates as a Business Associate for labs handling PHI. We sign a BAA on day one and follow the HIPAA Security Rule for administrative, physical, and technical safeguards.

  • Signed Business Associate Agreement
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access with least-privilege defaults
  • Breach-notification procedures per §164.400

SOC 2 Type II · Type II report · Jan 2026

SOC 2 Type II infrastructure controls

Our cloud infrastructure is built on SOC 2 Type II-audited services. The BioSure application layer is on track for our own Type II report by Q3 2026 — Type I completed January 2026.

  • AWS us-east / us-west SOC 2 Type II regions
  • Quarterly penetration testing
  • Continuous vulnerability scanning
  • Independent annual audit

ISO 17025 · Aligned

ISO/IEC 17025 General requirements for testing labs

Documentation, method validation, and equipment calibration workflows are modelled after ISO 17025 expectations — helping your lab maintain accreditation without duplicating records.

  • Method validation workflows
  • Equipment calibration & maintenance logs
  • Proficiency-testing integration
  • Deviation & corrective-action tracking

03 · Controls

The architecture behind every report.

Four control domains, continuously audited. The same controls are available as a completed SIG-Lite or CAIQ questionnaire and are documented in our architecture brief (NDA on request).

01 · Data

  • AES-256 at rest, TLS 1.3 in transit
  • Daily encrypted backups, 35-day retention
  • Customer-owned data — full export anytime, no lock-in
  • Optional data residency (US / EU) on Enterprise

02 · Access

  • Role-based permissions with least-privilege defaults
  • Optional SAML SSO / OIDC on Enterprise
  • Session logging with geolocation and device fingerprint
  • Two-factor authentication available for all users

03 · Infrastructure

  • Hosted on AWS us-east / us-west, SOC 2 Type II regions
  • 99.9% uptime SLA on Lab Pro and Enterprise
  • Multi-AZ redundancy, disaster recovery tested quarterly
  • Content-Security Policy + Subresource Integrity enforced

04 · Operations

  • Quarterly third-party penetration testing
  • Continuous dependency and container scanning
  • Annual independent security audit
  • Public vulnerability disclosure program

04 · Transparency

Subprocessors, disclosures, and requests.

We keep a public register of every service that processes your lab's data. Request a SOC 2 report, CAIQ, BAA template, or penetration-test summary — typical turnaround is one business day.

Subprocessors · Updated Jan 2026

  • Amazon Web Services: primary hosting, object storage (US East / West)
  • Cloudflare: CDN, DDoS mitigation, WAF (global edge)
  • Postmark: transactional email delivery (US)
  • Sentry: error monitoring, opt-in (US / EU)
  • Stripe: billing & payments (US)
  • Datadog: application performance monitoring (US)

Continuously audited · 99.97% uptime · 0 data incidents since 2024
