Vendor Audit Questionnaire — NoxReg Responses
Company Information
Question
Company name and registration?
Response
NoxReg S.à r.l. — software company incorporated in Luxembourg, Grand Duchy of Luxembourg.
Question
Primary contact for quality matters?
Response
security@noxreg.com
Question
Website?
Response
https://www.noxreg.com
Quality Management
Question
Do you have a Quality Management System?
Response
Yes. NoxReg operates a quality management system aligned with ICH Q10 principles for software-as-a-service operations. Key elements: change control, incident management, supplier management, and document control.
Question
Do you have documented SOPs?
Response
Yes. Internal SOPs cover: software development and release, AI model change control, incident response, data breach response, and customer change notification.
Question
How are changes to the system controlled?
Response
All changes go through an internal change control process. Material changes affecting GxP-relevant functionality are documented, tested, and communicated to subscribers with advance notice.
Data & Security
Question
Where is data stored?
Response
EU West (Ireland) via Supabase PostgreSQL. No data stored outside the EEA.
Question
Is data encrypted?
Response
Yes. TLS 1.3 in transit, AES-256 at rest.
Question
Who has access to customer data?
Response
Row-level security ensures subscribers access only their own data. NoxReg staff access requires auditable justification.
Question
Do you have a data breach procedure?
Response
Yes. Incidents reported to affected customers within 72 hours per GDPR Article 33 requirements.
Question
Do you have penetration testing?
Response
Vercel platform security reviewed annually. Application-level penetration test scheduled for H2 2026; results and remediation logged internally.
AI & Automation
Question
What AI systems do you use?
Response
Claude (Anthropic) for classification, summarisation, and action recommendations. Prompt version v1.2. Model: Claude Haiku.
Question
Are AI outputs validated?
Response
AI outputs are labelled as AI-generated. Classification accuracy reviewed quarterly. Subscribers must review AI outputs before use in regulated activities.
Question
How do you handle AI errors?
Response
In-application AI error reporting mechanism available. Reports investigated within 48 hours. Material errors trigger subscriber notification.
Business Continuity
Question
What is your RTO/RPO?
Response
RTO 4 hours, RPO 24 hours.
Question
Do you have a business continuity plan?
Response
Yes. Hosted on Vercel's enterprise infrastructure with 99.9% SLA. Daily database backups via Supabase.