Security Policy
Last updated: April 2026
1. Data Encryption
All data transmitted between your browser and the CHARSTAN platform is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption. Database connections use TLS-encrypted channels. Session cookies carry the Secure, HttpOnly, and SameSite attributes.
2. Authentication and Access Control
The platform enforces role-based access control (RBAC) with least-privilege principles. Authentication is managed through secure session tokens with automatic expiration. Multi-provider SSO is supported (Google OAuth, with enterprise SAML/OIDC planned). Rate limiting protects authentication endpoints against brute-force attacks. Account lockout is enforced after repeated failed login attempts.
3. Audit Trail and Logging
All significant actions — including logins, data access, exports, document uploads, and configuration changes — are logged in an immutable audit trail. Each entry includes actor identification, timestamp (UTC), action type, and trace ID. Audit logs cannot be modified or deleted by any user, including administrators.
4. Infrastructure Security
The platform is hosted on managed cloud infrastructure with network isolation, automated patching, and continuous monitoring. Security headers (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options) are applied to all responses. The platform undergoes periodic security scanning using industry-standard tools.
5. Compliance Alignment
CHARSTAN is designed to support organisations operating under ISO 13485, FDA 21 CFR Part 11, EU GMP Annex 11, ISO 27001, LGPD, and GDPR requirements. The platform provides tools for compliance assessment, gap analysis, and audit readiness — but does not itself constitute certification. An ISO 9001 self-assessment has been conducted and is available upon request.
6. Incident Response
In the event of a security incident, CHARSTAN will: (a) investigate and contain the incident within 24 hours; (b) notify affected clients within 72 hours of a confirmed data breach; (c) provide a written incident report within 14 business days; (d) implement corrective actions and update this policy as needed. All incidents are logged and tracked through the platform's internal CAPA process.
7. Vulnerability Disclosure
If you discover a security vulnerability in the CHARSTAN platform, please report it to security@charstan.com. We take all reports seriously and will acknowledge receipt within 48 hours. We request that you do not publicly disclose the vulnerability until we have had reasonable time to address it.
8. Contact
For security inquiries, contact security@charstan.com. For general inquiries, contact info@charstan.com.