Security & Trust

Governance, Controls & Audit Readiness

Version 2.16

Effective February 23rd 2026

Security and Trust — Scope, Applicability, and Document Hierarchy

Customer-facing security and trust summary for V5 Traceability, intended to support supplier qualification, enterprise risk review, and regulated-use discussions.

Scope. This page summarizes SG Systems Global’s security and trust posture for V5 Traceability and related services, including Hosted Services and On-Premise Installations as elected in an applicable Order Form / Signed Proposal.

Document hierarchy (order of precedence). If there is a conflict, the controlling documents are:

  • (1) Order Form / Signed Proposal (scope, deployment election, tier selections, effective dates);
  • (2) Supplier Quality Addendum (SQA) (regulated/GxP operational constructs), only if incorporated by reference for the engagement; and
  • (3) Master Services Agreement (MSA) (legal/commercial framework, SLA, security obligations, customer data terms).

Contract alignment. This page is informational and does not modify contractual terms. Any service level metrics, notice timelines, and binding obligations are defined in the MSA/SLA and applicable Order Form (and SQA where incorporated).

Remote-first operations. SG Systems Global operates as a remote-first organization. Controls emphasize identity, access management, secure endpoint use, and controlled administration of systems.

Security contact: support@sgsystemsglobal.com

1) Security Program Governance

SG Systems Global maintains a risk-based information security program intended to protect the confidentiality, integrity, and availability of customer data and services, and to support operation in regulated manufacturing environments.

Program elements include:

  • Accountability and oversight: defined security ownership for control effectiveness, escalations, and corrective actions.
  • Risk management: identification and assessment of risks, selection of controls, and tracking of remediation activities.
  • Policy and procedure control: documented practices for security-relevant activities (access, change control, incident handling, continuity).
  • Periodic review: security practices are reviewed and updated as systems, threats, and customer expectations evolve.

Regulated customers: Supplier qualification and quality-operational constructs are addressed in the SQA when incorporated for the engagement.

2) Deployment Boundary & Shared Responsibility (Hosted vs On-Premise)

Responsibilities depend on the deployment selected in your Order Form / Signed Proposal. V5 Traceability can be delivered as Hosted Services or as an On-Premise Installation.

Control areas by deployment model (Hosted Services: Provider focus; On-Premise Installation: Customer focus):

  • Infrastructure security. Hosted Services: Provider operates the hosted boundary consistent with the MSA/SLA and applicable Order Form. On-Premise Installation: Customer is responsible for servers, network security, patching, backups/DR, and supporting infrastructure controls.
  • Availability & recovery. Hosted Services: availability and recovery objectives (if applicable) are defined in the MSA/SLA and Order Form. On-Premise Installation: Customer is responsible for uptime, recovery objectives, and recovery testing unless otherwise agreed in writing.
  • User access governance: Customer defines roles/permissions, approves access, performs provisioning/deprovisioning, and prohibits shared credentials.
  • Validation & intended use: Customer is responsible for validation/qualification and intended use decisions within the Customer QMS; Provider supplies documentation and support constructs per MSA/SQA.
  • Change control. Hosted Services: Provider controls deployment and publishes release documentation consistent with MSA/SQA. On-Premise Installation: Customer controls deployment timing and testing for On-Prem updates; Provider provides release documentation and support per MSA/SQA.

References: MSA, SQA, System Requirements.

3) Identity, Authentication & Access Control

Access control is designed to support least privilege, accountability, and controlled administration. In regulated environments, access control is a combined technical and procedural discipline.

  • Role-based access: permissions are assigned by role to align functions with job responsibilities.
  • Unique accountability: users should be uniquely identified; shared credential use should be prohibited.
  • Access governance: customers control provisioning/deprovisioning, role design, and periodic access reviews within their SOPs.
  • Privileged access: administrative access is restricted to authorized personnel for operational needs.

Customer responsibility: In regulated operations, customers should maintain procedures for account management, periodic review, training governance, and (where applicable) electronic signature authority and meaning.

4) Audit Trails, Electronic Records & Data Integrity (GxP Context)

V5 Traceability supports traceability-oriented recordkeeping and is designed to support control behaviors commonly expected for regulated electronic records, including attributable actions, audit trail behavior, record integrity controls, and electronic signature behavior where applicable and configured.

Independent assessment (21 CFR Part 11 context). V5 Traceability has an independent assessment artifact intended to support supplier qualification and CSV discussions. See: Independent 21 CFR Part 11 Assessment.

Regulatory boundary: Independent assessment artifacts support supplier qualification and control evaluation. They do not replace customer validation, intended use determination, or customer procedural controls.

5) Data Protection & Confidentiality

SG Systems Global safeguards customer information using administrative, technical, and contractual controls aligned to confidentiality, integrity, and availability objectives. Contractual confidentiality, customer data rights, and privacy processing terms (where applicable) are governed by the MSA and related documents.

  • Confidentiality: controls intended to prevent unauthorized disclosure of customer information.
  • Integrity: controls intended to preserve record integrity and support audit-ready traceability.
  • Availability: operational controls appropriate to the elected deployment type; Hosted Service objectives (if applicable) are defined in the MSA/SLA.

For binding confidentiality and customer data terms, refer to the MSA.

6) Secure Development Lifecycle (SDLC) & Release Discipline

V5 Traceability is developed and maintained using controlled practices intended to support a reliable and auditable release posture for regulated customers.

SDLC control summaries include:

  • Controlled change introduction: changes are planned, implemented, and reviewed before release.
  • Review discipline: code and configuration changes are subject to review prior to deployment.
  • Environment separation: development/testing and production activities are controlled to reduce unauthorized change risk.
  • Release documentation: release notes describe material changes and, where relevant, validation considerations.

Regulated customers: Change control obligations and release practices are governed by the MSA and, where incorporated, the SQA.

7) Change Management (Customer-Facing Control Summary)

SG Systems Global operates a controlled change management approach to support predictable service delivery and regulated-use expectations.

Change management control summaries include:

  • Change evaluation: changes are assessed for potential customer impact, including regulated-impact considerations where applicable.
  • Approval discipline: production changes are subject to documented authorization prior to release.
  • Deployment control: Hosted Services deployment is controlled by Provider; On-Prem deployments are controlled by Customer.
  • Emergency changes: emergency security changes may be performed when required to address active threats; such changes are documented and communicated consistent with contractual terms.

Binding change control terms are defined in the MSA and, where incorporated, SQA.

8) Vulnerability Management

SG Systems Global manages vulnerabilities through identification, triage, remediation, and verification, with prioritization based on severity and exploitability.

Vulnerability management control summaries include:

  • Triage & prioritization: evaluate scope, severity, exploitability, and potential customer impact.
  • Remediation: apply fixes/patches and document material changes in release documentation where appropriate.
  • Communication: customer communications follow the contractual and operational constructs in the MSA/SQA.

To report a suspected vulnerability or security concern, email support@sgsystemsglobal.com with subject: Security Concern.

9) Incident Management & Security Incident Response

SG Systems Global maintains an incident management and security incident response process intended to support prompt triage, containment, investigation, and customer communications, including regulated-use considerations where record integrity may be impacted.

Incident management control summaries include:

  • Classification: events are assessed and classified based on severity and potential impact to confidentiality, integrity, and availability.
  • Escalation: escalation pathways are applied for higher severity events and regulated-impact concerns.
  • Investigation: investigations are documented, and material events are subject to post-incident review.
  • Corrective actions: corrective actions are tracked to reduce recurrence risk.

Hosted Services notice and reporting: Binding security incident notice and reporting obligations (including any timelines) are defined in the MSA for Hosted Services. For On-Prem deployments, Customer controls incident management for Customer-controlled infrastructure; Provider supports software-focused issues consistent with the MSA/SQA.

Reporting channel: support@sgsystemsglobal.com. For suspected regulated record/data integrity concerns, include: Potential GxP / data integrity impact.

10) Backups, Disaster Recovery & Business Continuity

Continuity and recovery expectations depend on deployment type. For Hosted Services, applicable availability and recovery objectives (if any) are defined in the MSA/SLA and Order Form. For On-Premise Installations, Customer is responsible for backups, disaster recovery, and recovery testing unless otherwise agreed in writing.

Continuity control summaries include:

  • Documented recovery approach: documented recovery procedures aligned to the elected deployment model.
  • Backup integrity intent: controls intended to support recoverability and reduce data loss risk within the defined boundary.
  • Recovery testing intent: periodic recovery readiness activities appropriate to the hosted boundary and service design.

Authoritative reference: availability commitments, exclusions, and any RTO/RPO objectives are defined in the MSA (includes SLA) and the applicable Order Form.

11) Third-Party Providers, Subprocessors & Privacy

Hosted Services may be delivered using third-party providers as specified in the Order Form / Signed Proposal. Provider use of subprocessors and privacy processing terms (where applicable) are governed by the MSA and any applicable Data Processing Addendum (DPA).

  • Subprocessors: engaged under written agreements intended to protect customer data and align with confidentiality obligations.
  • Data processing: where required by law, privacy terms are addressed via a DPA incorporated by reference and made available upon request.
  • System boundary: responsibilities vary by Hosted vs On-Prem deployment and are defined contractually.

12) Supplier Qualification, Audit Support & Evidence

SG Systems Global supports customer due diligence and supplier qualification using documentation and structured responses aligned to the system boundary and deployment type. For regulated/GxP engagements, the SQA (when incorporated) defines the quality-operational framework, including audit support constructs and regulated-use responsibilities.

  • Qualification support: responses and artifacts are provided to support customer supplier qualification workflows.
  • Audit cooperation: provided subject to confidentiality and reasonable scheduling as defined in the MSA/SQA.
  • Independent assessment: assessor-authored artifact supports Part 11 discussions and control evaluation.

References: SQA | MSA | Independent Assessment

13) Request Security Documentation

Additional security and compliance documentation may be provided to customers and qualified prospects to support due diligence and supplier qualification, subject to confidentiality obligations (MSA) and, where applicable, NDA terms.

Examples of documentation available upon request (where applicable):

  • Change management and release documentation summaries
  • Incident response summary aligned to contractual obligations
  • Backup/DR continuity summary aligned to deployment boundary
  • Independent assessment documentation (21 CFR Part 11)
  • Subprocessor list and DPA template (where applicable)
  • Structured questionnaire responses (SIG/CAIQ-style) when requested

Request: Email support@sgsystemsglobal.com and include company name, deployment type (Hosted or On-Premise), timeline, and your checklist.

14) Document Control

Document: Security and Trust (Customer-Facing Summary)
Version: 2.16
Legal Entity: S.G. Systems, LLC
Address: 6944 Meadowbriar Lane, Dallas, TX 75230
Approved By: Stuart Hunt; Simon Hartley

This page is provided for informational purposes and does not modify contractual terms.