Security & data handling overview

Document version: 1.6

Date: 2026-01-16

Issued by: Hoodin QA Manager

Contact: quality@hoodin.com

1. Purpose of this document

This document provides a high-level overview of security and data handling principles applied to Hoodin Compliance Studio.


Its purpose is to support procurement, IT security, legal, and management reviews by explaining how security and data protection are approached at vendor level. The document is intentionally high-level and non-technical.


It does not constitute a security whitepaper, penetration test report, or data processing agreement.


2. System classification and scope

Hoodin Compliance Studio is provided as a cloud-hosted Software as a Service (SaaS) platform supporting regulatory intelligence and compliance-related decision-support activities.


The system is not intended to:

  • process or store patient records,

  • manage clinical trial subject data,

  • control production, manufacturing, or batch release activities,

  • function as a system of record for regulated quality documentation.


This classification informs the security and data handling approach described below.


3. Data categories handled

Hoodin Compliance Studio primarily handles the following categories of information:

  • user account and access information,

  • organisational and product configuration data entered by users,

  • regulatory intelligence content sourced from public or licensed sources,

  • system usage and operational metadata.


The system is not designed to process special category personal data or sensitive health information.


4. Hosting and infrastructure

Hoodin Compliance Studio is hosted on Amazon Web Services (AWS) within the European Union.


The service relies on standard, managed cloud infrastructure provided by AWS. Production environments are operated within the EU, and cloud-native mechanisms are used to support resilience, availability, and controlled operations.


5. Encryption and data protection

Data protection measures include encryption of data in transit and at rest using standard, widely adopted mechanisms provided by the underlying cloud infrastructure.


Hoodin does not offer customer-managed encryption keys. Encryption is implemented as part of the platform’s standard security configuration.


6. Backup, recovery, and continuity

Regular backups are performed, and restoration procedures are defined and tested.


Hoodin maintains operational preparedness for service interruptions, including scenarios related to cloud service disruptions or force majeure events. Continuity measures are designed to support controlled recovery and minimise service impact.


7. Incident and breach management

Defined processes are in place to detect, assess, and manage security incidents.


Responsibilities for incident handling are assigned internally, and communication with customers is handled in a structured manner when incidents may affect service availability or data protection obligations.


8. Internal security governance

Security responsibilities are embedded within Hoodin’s internal governance and operational practices.


Internal guidelines, onboarding practices, and ongoing awareness activities are used to promote appropriate handling of information security and data protection across the organisation. Security considerations are integrated into change management and release processes.


9. Data handling principles

Hoodin applies data handling principles focused on necessity, proportionality, and purpose limitation.


Data processed within the system is limited to what is required to provide the service and support its intended use. Customers remain in control of the content and context they introduce into the system.


Retention and deletion practices are defined at vendor level and aligned with contractual and legal requirements.


10. Security responsibilities and controls

Hoodin maintains responsibility for implementing and maintaining appropriate technical and organisational security measures to protect system availability, integrity, and confidentiality.


Security controls are applied at vendor level and include access control, segregation of environments, monitoring, and controlled change management.


Customers are responsible for managing user access within their organisation and ensuring appropriate use of the system in accordance with internal policies.


11. Hosting and third-party services

Hoodin Compliance Studio is operated using cloud infrastructure and third-party service providers selected based on security and reliability considerations.


Where third-party services are used, Hoodin applies contractual and organisational measures to ensure that security and data protection obligations are maintained.


Details regarding infrastructure location, international data transfers, and legal safeguards are addressed in Hoodin’s privacy and data protection documentation.


11.1 Subprocessors

Sub-processor: AWS

Purpose: Databases

Location: Ireland

Safeguards: Standard Contractual Clauses and/or EU-U.S. Data Privacy Framework (as applicable)


Sub-processor: Lemon Squeezy, LLC

Purpose: Payment processing and invoicing

Location: United States

Safeguards: Standard Contractual Clauses and/or EU-U.S. Data Privacy Framework (as applicable)


12. Availability, continuity, and incident handling

Hoodin applies measures to support system availability and operational continuity.


Processes are in place to detect, manage, and communicate security incidents and service disruptions in a controlled manner.


Incident communication follows defined procedures and is coordinated through established support channels.


13. Relationship to other governance documents

This document should be read in conjunction with:


Together, these documents provide a consolidated view of security, data handling, governance, and responsibility allocation for Hoodin Compliance Studio.