Trust Centre

Security and compliance built for regulated clinical data.

TriloDocs processes submission-critical clinical study data. Our compliance programme is independently certified, continuously monitored through internal audit checks, and covers the frameworks that matter to regulated pharma environments.

ISO/IEC 27001:2022 SOC 2 Type 2 GDPR HIPAA
Certifications

Independently certified. Continuously monitored.

All certifications are maintained through continuous control monitoring via internal audit checks. Certificates and full audit reports are available to enterprise customers on request.

ISO/IEC 27001:2022

Information Security Management System — independently certified. Full scope covering infrastructure, applications, and all systems involved in delivering the TriloDocs service.

● Current

SOC 2 Type 2

Security, Availability, and Confidentiality trust service criteria — Type 2 report covering design and operating effectiveness over a 12-month audit period.

● Current · Type 2

Penetration Testing

Annual third-party web application penetration test. All findings from the most recent engagement have been remediated and independently confirmed closed.

● Annual cadence
ISO/IEC 42001:2023 (AI Management System) certification is in progress. AI governance policies are active and passing internal audit checks — the formal certification audit has not yet been completed. We will update this page on certification. SOC 2 and ISO 27001 documentation is available to enterprise customers under NDA.
Policy & control framework

All policies and procedures, organised by control domain.

All documents are active, version-controlled, managed through internal audit checks, and reviewed on a defined cadence. Enterprise customers may request copies under NDA.

Access & Identity

Access control & HR security

Information Security Policy
Access Control Policy
HR Security Policy & Procedure
Code of Business Conduct Policy
Organisation of Information Security Policy
ISMS Roles & Responsibilities
Physical & Environmental Security Policy
Data & Privacy

Data protection & privacy

Data Protection Policy
Data Classification Policy
Data Retention Policy
Privacy by Design Policy
Encryption Policy
Media Disposal Policy
Cardholder Data Management Policy
Security Operations

Infrastructure & operations

Operations Security Policy & Procedure
Cloud Security Policy
Communications & Network Security Policy
Network Security Procedure
Endpoint Security Policy
Asset Management Policy & Procedure
Vulnerability Management Policy
AI Governance

AI management & controls

AI Security Policy
AI SDLC Policy & Procedure
AI System Impact Assessment Policy
AI System Impact Assessment Procedure
System Acquisition & Development Lifecycle Policy
SDLC Procedure
Incident & Continuity

Incident response & BCDR

Incident Management Policy & Procedure
Personal Data Breach Notification Procedure
Data Breach Notification Policy
PHI Data Breach Notification Procedure
Business Continuity & Disaster Recovery Policy
Business Continuity Plan
Governance & Risk

Risk, compliance & vendors

Risk Assessment & Management Policy
Compliance Policy & Procedure
Vendor Management Policy & Procedure
ISMS Manual & Scope Document
System Description
All policies and procedures are active, passing internal audit checks, and mapped across ISO 27001:2022, SOC 2, GDPR, and HIPAA controls. Enterprise customers and their auditors may request specific documents under NDA — contact security@trilodocs.com.
Data security

Architectural controls on clinical study data.

These are not policy commitments alone — they are enforced at the infrastructure and architecture level.

UK-hosted exclusively

All production systems processing client data are hosted in AWS eu-west-2 (London). Clinical study data does not leave the UK region.

Encrypted throughout

Encrypted in transit (TLS 1.2+) and at rest (AES-256). No unencrypted data paths exist in the production environment.

Least-privilege access

MFA enforced across all production access. Access rights reviewed regularly and revoked immediately on offboarding.

No training on client data

Clinical study data is never used for model training or improvement. Contractually enforced with all sub-processors handling client data.

Sub-processors under DPA

All third parties that may process client data are security-assessed prior to approval and operate under a Data Processing Agreement or equivalent safeguard.

Data retained only as needed

Clinical data is retained for the duration of the engagement only and deleted securely on contract conclusion or on request.

TriloDocs
See TriloDocs in Action

Book a demo, or talk to our security team.

For enterprise customers, QA leads, and security teams evaluating TriloDocs. SOC 2 reports and policy documentation are available under NDA.

We reply within one working day.