
Vendor due diligence

A Trust Centre built to be forwarded.

Residency, encryption, access control, audit and regulatory scope — the facts your governance team will ask for, written to be quoted in a due-diligence response.

This Trust Centre is the short version of how Catenix handles clinical data. Each section stands alone, so you can lift it straight into a vendor questionnaire. For the engineering detail behind each control, see Security & compliance.

Data residency

Catenix offers regional data residency. Clinical data is hosted in the region where it is collected and is not moved out of region for processing. Where a customer's regulatory environment requires it, deployment in your jurisdiction is available on request, scoped with the quote.

Encryption

Data is encrypted in transit using TLS and encrypted at rest on the hosting platform. Connections from the clinic edge gateway to the platform are key-authenticated, and secrets are managed centrally rather than embedded in software or configuration.

Access control and operator sign-off

Access is role-based: each user sees only the modules and records their role permits, and tenant isolation between organisations is enforced at both the application and data layers. Operators authenticate individually — there are no shared accounts — and results are released against a named operator's identity, with failed-login lockout built in. Roles and permissions are managed by your own administrators in the administration module.

Audit trail

Every state-changing action — who, when, from where and what changed — is recorded in a tamper-evident audit trail designed along 21 CFR Part 11-style expectations for electronic records: unique identity, attributable actions, controlled change. The trail is built for the inspection day, not reconstructed for it.

Wire-level traceability

Beyond the audit trail, every result is traceable to the exact device message that produced it — the original HL7, POCT-1A or ASTM frame captured at the device connectivity layer. If a value is ever questioned, you can show precisely what the analyser transmitted, byte for byte.

GDPR-aligned processing

Catenix processes personal data on a GDPR-aligned basis: documented processing activities, support for data-subject rights, and a Data Processing Agreement available to customers. A current list of service providers is available on request, and our privacy notice describes processing on this website.

Service providers

Catenix keeps its supplier surface deliberately small. The platform and this website rely on the following providers:

Provider        | Purpose                                     | Region
----------------|---------------------------------------------|--------------------------------
Microsoft Azure | Platform hosting and storage                | EU/UK regions
formsubmit.co   | Website contact-form delivery               | Website only — no clinical data
PostHog         | Cookieless website analytics, when enabled  | EU

Certifications and assessments

Catenix is engineered around the control families that recognised security and quality frameworks expect — information-security management, electronic-record integrity and medical-laboratory quality practice. Formal assessment status is shared directly with prospective customers as part of due diligence.

Responsible disclosure

If you believe you have found a security vulnerability in Catenix, email security@catenix.com. We acknowledge reports, investigate promptly, and ask for reasonable time to remediate before public disclosure.

Regulatory scope

Not a medical device.

Catenix performs connectivity, workflow, record-keeping and data display. It transports, stores and presents results exactly as the analyser produced them. It does not interpret clinical results, calculate clinical values or provide clinical decision support. Quality-control features perform statistical data-quality monitoring — they make no clinical judgement. Clinical interpretation remains with the qualified professional and the analyser that generated the result.

Questions, answered

Trust Centre FAQ — what due diligence asks first.

Where is our data hosted?

On Microsoft Azure, in-region. Catenix offers regional data residency — clinical data is hosted in the region where it is collected, and deployment in your jurisdiction is available on request.

Is Catenix GDPR compliant?

Catenix is GDPR-aligned, with lawful processing, support for data-subject rights and a Data Processing Agreement available to customers. Processing activities are documented, and a service-provider list is available on request.

Who can access our data?

Only the people you authorise. Access is role-based, every operator authenticates individually, tenant isolation is enforced at the application and data layers, and access-relevant actions are recorded in the audit trail.

Is Catenix a medical device?

No. Catenix performs connectivity, workflow, record-keeping and data display. It does not interpret clinical results, calculate clinical values or provide clinical decision support.

Due diligence, without the chase.

Send your security questionnaire — or see the controls live on a working platform.