PVgenix
Security & Compliance

Built for regulated pharmacovigilance

PVgenix is engineered around GxP, GAMP 5, and 21 CFR Part 11 — pairing the security controls, audit traceability, and validation documentation that regulated safety operations expect with a continuously-monitored, fully-managed platform.

21 CFR Part 11 · EU GVP · GAMP 5 · ICH E2B(R3) · GDPR
Validation-ready · Audit-ready by design
Part 11 · AES-256 · IQ / OQ / PQ
PVgenix / Trust Center · Live posture
Compliance posture: 0/100 · Healthy
  • Controls met: 142 / 145
  • Open findings: 0
  • Last assessment: May 2026
Control families
  • Access control (RBAC): 100%
  • Encryption — transit & rest: 100%
  • Audit logging: 100%
  • Backup & disaster recovery: 96%
  • Vulnerability management: 98%
  • Change control: 97%
Live audit stream
  • UPD · Case DE-03980 · narrative · field-level diff captured · now
  • NEW · Case US-04412 · created · intake → review queue · 4s
  • RD · Audit export · FR-04501 · inspector read-only · 12s
  • UPD · Signal SR-118 · threshold change · e-signature · 31s
  • DEL · Attachment v1 · superseded · retained & logged · 1m
  • Managed uptime SLA: 0%
  • Encryption standard: AES-256
  • Audit coverage: 0%
  • Security monitoring: 24 / 7
How we protect regulated data

Three layers, one connected case record

Regulatory alignment, data security, and end-to-end traceability work together so every regulated action is permitted, protected, and provable.

Regulatory alignment
  • 21 CFR Part 11 — electronic records & signatures
  • EU GVP modules for pharmacovigilance obligations
  • GAMP 5 computerised-system validation lifecycle
  • GxP operational compliance throughout
Part 11 · EU GVP · GxP
Data security
  • Role-based access control with least-privilege design
  • Tenant isolation — logical for SaaS, physical for dedicated
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Secrets management for credentials & keys
RBAC · TLS 1.2+ · AES-256
Audit & traceability
  • Full audit logging — every create / read / update / delete
  • Detailed audit trail — who, what, when, before / after
  • Tamper-evident logging with a hash-chained record
  • Electronic signatures captured & verified
CRUD log · Before/after · E-sig
Validation documentation package

A complete GAMP 5 evidence set, ready for your qualification

PVgenix ships with the full computerised-system validation lifecycle — specifications on the way down, qualification on the way up, and a Requirements Traceability Matrix linking every requirement to its proof.

The validation V-model

Each specification on the left is verified by a matching qualification on the right; the RTM (dashed) maintains the trace.

Legend: Specification · Qualification · RTM trace
Specification ↓: VMP (Validation Master Plan) · URS (User Requirements) · FS (Functional Spec) · DS (Design Spec) · BUILD (Configuration & build)
Qualification ↑: IQ (Installation Qual.) · OQ (Operational Qual.) · PQ (Performance Qual.) · GO-LIVE (Released to production)
  • VMP: Validation Master Plan
  • URS: User Requirement Spec
  • FS: Functional Specification
  • DS: Design Specification
  • IQ / OQ / PQ: Installation · Operational · Performance
  • RTM: Requirements Traceability Matrix
  • SOPs: Standard Operating Procedures
  • Trace summary: Coverage & test evidence

PVgenix is validation-ready and audit-ready: it ships with a complete IQ/OQ/PQ documentation package to support client-led validation. "Validated" is a state achieved only after qualification is executed in a specific client environment.

Bright Infonet develops and delivers the software, environment setup, and supporting documentation. The client and their qualified PV personnel own PV decisions, regulatory interpretation, validation execution, and compliance obligations.

Audit & traceability

Every action recorded, every record provable

Each create, read, update, and delete is written to an append-only audit trail. Entries are hash-chained, so any retroactive change to history breaks the chain and is detectable on inspection.

Who, what, when — and before/after

Field-level diffs capture the prior and new value of every changed attribute, with the acting user and UTC timestamp.

Tamper-evident by hash chain

Each entry embeds the hash of the one before it, making the log verifiable end-to-end during an inspection.

Electronic signatures, Part 11

Signed actions capture meaning, signer identity, and timestamp — bound to the record and re-verifiable.

  • Case created · CREATE
    US-04412 · intake-bot → m.koll · 16:20:41 UTC
    hash 9f3a…c1 · prev 0000…00
  • Narrative edited · UPDATE
    field "narrative" · "—" → "Patient reported…" · s.adeyemi
    hash 4b71…e8 · prev 9f3a…c1
  • Medical review signed · E-SIGN
    meaning "Reviewed & approved" · dr.okafor · 16:24:09 UTC
    hash d20c…7f · prev 4b71…e8
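
An added illustration of the hash chain described above, not PVgenix's own implementation: the SHA-256 hash, the canonical-JSON encoding, the field names and the `expected_head` anchor are assumptions. The sample entries are constructed from the three events shown above.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "prev" of the first entry

def entry_hash(body):
    # SHA-256 over canonical JSON of every field except "hash" (assumed scheme)
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def append(log, action, record, user, ts, detail):
    # Each new entry embeds the hash of the entry before it
    body = {"seq": len(log), "action": action, "record": record, "user": user,
            "ts": ts, "detail": detail, "prev": log[-1]["hash"] if log else GENESIS}
    log.append(dict(body, hash=entry_hash(body)))

def verify(log, expected_head=None):
    """Return the index of the first entry that fails, or None if the chain is intact.
    expected_head is the newest hash as recorded outside the log; without it,
    dropping entries from the tail leaves a shorter chain that still verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or entry_hash(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def demo():
    # Constructed sample data modelled on the three events shown above
    log = []
    append(log, "CREATE", "US-04412", "m.koll", "16:20:41Z", {"source": "intake-bot"})
    append(log, "UPDATE", "US-04412", "s.adeyemi", "16:22:10Z",
           {"field": "narrative", "before": "—", "after": "Patient reported…"})
    append(log, "E-SIGN", "US-04412", "dr.okafor", "16:24:09Z",
           {"meaning": "Reviewed & approved"})
    head = log[-1]["hash"]
    edited = [dict(e) for e in log]
    edited[1]["detail"] = dict(edited[1]["detail"], after="(rewritten)")
    return {"intact": verify(log, head),
            "edited": verify(edited, head),
            "tail_dropped_no_anchor": verify(log[:2]),
            "tail_dropped_anchored": verify(log[:2], head)}

if __name__ == "__main__":
    print(demo())
```

A retroactive edit is reported at the entry that was changed, while a dropped tail is caught only when the newest hash is also held outside the log.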
Access control

Least-privilege, enforced by role

Roles grant only the permissions a function requires. Every grant is configurable per tenant, and every change to a role is written to the audit trail.

Role / Permission
Permissions: Intake · Review · QC / Approve · Submit · Configure · Audit export
Roles:
  • Intake Operator: Multi-channel intake
  • Medical Reviewer: Clinical assessment
  • QA / Approver: Quality & release
  • PV Admin: Tenant configuration
  • Auditor: Read-only inspection
Legend: Full access · Read-only · No access
Roles & grants are configurable per tenant
Shared-responsibility model

Clear lines between platform and PV ownership

Bright Infonet delivers and operates the software; your qualified PV personnel own the regulated decisions. Knowing where each line sits is itself part of an audit-ready posture.

Provider · Bright Infonet

We build & operate

  • Platform software development & continuous delivery
  • Cloud-native hosting, environment setup & patching
  • Security controls, encryption & 24/7 monitoring
  • IQ/OQ/PQ package & SOP templates for validation
Owner · Client PV team

You decide & validate

  • PV decisions & regulatory interpretation
  • Validation execution in your environment
  • Compliance obligations & regulatory reporting
  • User access governance & SOP adoption

Review the compliance posture with our team

Request a demo to walk through the security controls, audit trail, and documentation package with your QA / CSV team.