Hosting and architecture
Spell QMS Pro runs on AWS in the US East (N. Virginia) region. The application sits inside a private VPC with no direct internet ingress: a single internet-facing Application Load Balancer terminates TLS and forwards to ECS Fargate tasks running in private subnets that have no public IPs and no NAT route. Container images are pulled, secrets are fetched, and logs are written through VPC interface endpoints — not over the public internet.
Each release is a signed, immutable container image. The image registry blocks tag mutation and runs scan-on-push.
Encryption
In transit. All public traffic is HTTPS using TLS 1.2 or TLS 1.3 with modern ciphers. HTTP requests are 301-redirected to HTTPS. Database connections require TLS.
At rest. Application data is stored in Amazon RDS Postgres with AWS-managed encryption (AES-256). Documents and evidence files are stored in Amazon S3 with AES-256 server-side encryption, public-access blocked, and versioning enabled. EBS volumes attached to compute are encrypted.
Access control
For your users. Authentication uses JWT access and refresh tokens; access tokens are short-lived. Tenant administrators define roles and permissions. Every create / update / delete is associated with a specific user and timestamped.
For our operators. Production access requires SSO, hardware MFA, and short-lived role-assumed credentials. We never use long-lived access keys. Direct database access is logged and used only to diagnose incidents.
Network and edge protection
The public ALB is fronted by AWS WAF with the AWS-managed Common Rule Set, Known Bad Inputs rule set, and Amazon IP Reputation list, plus a per-IP rate limit. Only the ALB security group accepts inbound 443 from the internet. The application’s task security group only accepts inbound from the ALB. The database security group only accepts inbound from the task security group. There are no “0.0.0.0/0” ingress rules anywhere except on the ALB on ports 80/443.
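The security-group chain above can be verified mechanically. The following is an added example, not Spell's own tooling: it audits rule data shaped like the EC2 DescribeSecurityGroups response and reports any rule that breaks the internet → ALB → task → database chain. The group IDs, the application port 8000 and the database port 5432 are constructed assumptions.

```python
# Added example: audits data shaped like the EC2 DescribeSecurityGroups
# response. All group IDs and ports below are constructed for illustration.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def audit(groups, alb_id, task_id, db_id):
    """Return a list of findings; an empty list means the chain holds."""
    findings = []
    # Each tier may only be reached from the tier directly in front of it.
    allowed_source = {task_id: alb_id, db_id: task_id}
    for g in groups:
        gid = g["GroupId"]
        for p in g.get("IpPermissions", []):
            # Protocol "-1" (all traffic) has no ports, so ports == (None, None).
            ports = (p.get("FromPort"), p.get("ToPort"))
            cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in OPEN_CIDRS:
                    # World-open ingress is allowed only on the ALB, ports 80/443.
                    if gid != alb_id or ports not in {(80, 80), (443, 443)}:
                        findings.append(f"{gid}: open to {cidr} on ports {ports}")
                elif gid in allowed_source:
                    findings.append(f"{gid}: CIDR ingress {cidr}, expected SG reference")
            if gid in allowed_source:
                for pair in p.get("UserIdGroupPairs", []):
                    if pair["GroupId"] != allowed_source[gid]:
                        findings.append(f"{gid}: ingress from {pair['GroupId']}, "
                                        f"expected {allowed_source[gid]}")
    return findings

def perm(port, cidrs=(), sgs=()):
    """Build one constructed ingress rule in the API's shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

GOOD = [  # constructed: matches the chain described on this page
    {"GroupId": "sg-alb", "IpPermissions": [perm(80, ["0.0.0.0/0"]), perm(443, ["0.0.0.0/0"])]},
    {"GroupId": "sg-task", "IpPermissions": [perm(8000, sgs=["sg-alb"])]},
    {"GroupId": "sg-db", "IpPermissions": [perm(5432, sgs=["sg-task"])]},
]
# constructed drift: database opened to the world and reachable from the ALB
BAD = GOOD[:2] + [{"GroupId": "sg-db", "IpPermissions": [perm(5432, ["0.0.0.0/0"], ["sg-alb"])]}]

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("bad", BAD)):
        print(name, audit(data, "sg-alb", "sg-task", "sg-db") or "chain holds")
```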
Application security
- HSTS, X-Content-Type-Options, Referrer-Policy, X-Frame-Options DENY, secure cookies.
- CSRF allow-list scoped to your custom domain.
- CORS allow-list (no wildcards).
- Input validation on every API endpoint via Django REST Framework serializers.
- JWT signing key, database credentials, and integration tokens stored in AWS Secrets Manager — never in container images, env files, or git.
- Dependencies are pinned and scanned; container images are rebuilt on patch availability.
Backups and durability
Database snapshots run automatically with 7-day point-in-time recovery and a longer weekly snapshot retained per the configured plan. S3 buckets have versioning enabled. Deletion-protected resources require explicit operator confirmation. We test restore procedures regularly.
Monitoring and incident response
We collect application logs, infrastructure logs, and CloudWatch metrics. Critical alarms (5xx error rate, target health, database CPU, certificate expiry) page the on-call engineer.
Suspected security incidents are triaged within 1 hour of detection. We notify affected customers without undue delay (and within applicable legal timelines) when their data is implicated. Post-incident, we publish a written root-cause analysis and remediation plan.
Regulatory alignment
Spell QMS Pro is designed to align with the controls required by ISO 13485, ISO 9001, and analogous quality standards: full audit trail of data changes, controlled documents with version history, electronic-signature-ready approvals on management reviews, and CAPA effectiveness verification. The system is a tool to support compliance — your formal regulatory standing remains your responsibility.
Data retention and deletion
Customer Content is retained for the lifetime of your subscription plus a wind-down period described in our Privacy Policy. On termination you may export your data; thereafter we delete it. Server logs are typically retained for 30 days.
Sub-processors
A current list of sub-processors (cloud hosting, email delivery, error monitoring) is available on request to security@spell.solutions. Each sub-processor is engaged under a written data-processing agreement.
Responsible disclosure
If you believe you have found a security vulnerability, please email security@spell.solutions with reproduction steps. Do not access data that is not yours, do not run automated tests against production without prior coordination, and give us a reasonable window to remediate before public disclosure. We acknowledge reports in good faith and will not pursue legal action against researchers who follow this policy.
Contact
Spell Solutions, 1000 Main Street, Suite 2300, Houston, TX 77002, USA. security@spell.solutions.