RegulatoryAlerts Logo
RegulatoryAlerts
InsightsBlogPricingSign InStart Free Trial
Security & Compliance

Enterprise-Grade Security for Pharmaceutical Data

We take security seriously. Learn about our technical safeguards, data privacy practices, and compliance standards designed to protect your regulatory intelligence.

How We Protect Your Data

Encryption in Transit & At Rest

All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.3. Database and file storage use AES-256 encryption at rest.

Technical Implementation:

  • TLS 1.3 for all connections
  • AES-256 encryption at rest
  • Encrypted database backups
Secure Authentication

OAuth 2.0 authentication via Google. No passwords stored in our database. All sessions use secure, httpOnly cookies with CSRF protection.

Technical Implementation:

  • Google OAuth 2.0
  • No password storage
  • CSRF token protection
  • Secure session management
Data Privacy

We only collect data necessary for service operation. Your reading history, saved documents, and notes are private and never shared with third parties.

Technical Implementation:

  • Minimal data collection
  • No selling of user data
  • Private notes and annotations
  • GDPR-compliant data handling
Infrastructure Security

Hosted on Vercel's secure cloud infrastructure with automated security patching and DDoS protection.

Technical Implementation:

  • Vercel enterprise infrastructure
  • DDoS protection via Cloudflare
  • Automated security patching
  • PostgreSQL database encryption
Regulatory Content Security

All regulatory documents are sourced directly from official government agency websites (FDA.gov, EMA.europa.eu, etc.). We never modify or alter source documents.

Technical Implementation:

  • Direct agency sourcing
  • Verified document integrity
  • Audit trail for all updates
  • Source attribution maintained
Incident Response

24/7 monitoring, automated alerting for security events, and documented incident response procedures to ensure rapid response to any security concerns.

Technical Implementation:

  • 24/7 security monitoring
  • Automated threat detection
  • Incident response plan
  • Breach notification procedures

Compliance Standards & Certifications

GDPR

General Data Protection Regulation

Following Guidelines

We follow GDPR principles: data minimization, user consent, right to deletion, and transparent data handling

SOC 2 Type II

Service Organization Control

Via Infrastructure

Our hosting providers (Vercel, Neon) maintain SOC 2 Type II certification for their infrastructure

HIPAA

Health Insurance Portability and Accountability Act

Not Applicable

RegulatoryAlerts does not process Protected Health Information (PHI)

CCPA

California Consumer Privacy Act

Following Guidelines

We follow CCPA principles: data disclosure, deletion rights, and opt-out mechanisms

What Data We Collect & Why

Account Information

Email address, name, and OAuth credentials (via Google).

Purpose: Authentication, account management, and service communications.

Preferences & Settings

Therapeutic areas, agencies, notification preferences, timezone.

Purpose: Personalize content delivery and filter updates to your needs.

Usage Data

Pages viewed, searches performed, documents saved, reading history.

Purpose: Improve service quality, identify popular content, and provide personalized recommendations.

Payment Information

Processed by Stripe. We never store credit card numbers.

Purpose: Subscription billing. Handled by PCI-compliant payment processor.

What We DO NOT Collect:

  • • We do not collect sensitive health information (PHI)
  • • We do not sell or share your data with third parties
  • • We do not track you across other websites
  • • We do not use your data for advertising purposes

Security FAQs

Where is my data stored?

Data is stored on Vercel's edge infrastructure and Neon's PostgreSQL databases, both hosted in secure US data centers with SOC 2 certification at the infrastructure level.

Can I request data deletion?

Yes. You can delete your account at any time from Settings, which will permanently remove all your personal data within 30 days.

Do you have a data processing agreement (DPA)?

Yes. Enterprise customers can request a custom DPA for GDPR compliance. Contact us for details.

What happens if there's a security breach?

We have documented incident response procedures and will notify affected users within 72 hours in accordance with GDPR requirements.

Is my reading history visible to my company?

For individual accounts: No. For team/enterprise accounts: Administrators can view aggregate team analytics but not individual reading history unless explicitly configured.

Security Concerns or Questions?

If you have security questions, need a security white paper, or want to report a vulnerability, please contact our security team.

Contact Security Team

For security vulnerabilities: Please email directly instead of creating public issues

© 2025 RegulatoryAlerts. All rights reserved.