Security and trust

Security built into the Tecsys Elite™ platform

Tecsys’ cloud-based solutions are designed with security, privacy and resilience as foundational requirements — not add-ons. We help organizations run supply chains they can count on in critical moments by combining operational reliability with robust security architecture and controls, ensuring products move safely, accurately and confidently through regulated environments.

Our approach is simple

Protect customer data with strong technical and operational controls

Validate our controls through independent third-party audits

Provide transparency into how we secure, process and govern data

Support regulated and government environments with clearly defined security boundaries

Security and trust

May 27, 2026

Security built into the Tecsys Elite™ platform

Our approach is simple:

Protect customer data with strong technical and operational controls
Validate our controls through independent third-party audits
Provide transparency into how we secure, process and govern data
Support regulated and government environments with clearly defined security boundaries

This page outlines how Tecsys safeguards your systems, your data and your operations.

Compliance and certifications

Tecsys maintains independent certifications and audit reports to validate our security controls and operational processes.

Independent audits and certifications include:

SOC 2 Type II (security, availability and confidentiality)
ISO 27001 (information security management)
Additional certifications and attestations as applicable by environment

Each certification is independently audited and reassessed on a defined schedule.
For security review teams, the following documentation is available under an NDA

SOC 2 report
ISO certificate
Penetration testing summary
Data Processing Agreement (DPA)
Disaster recovery overview

Request documentation →

Government and regulated environments

Tecsys supports healthcare providers, distributors and public sector organizations that operate under strict regulatory requirements.

Where applicable, Tecsys maintains clearly defined environments for government or regulated customers. These environments may include:

Hosting within approved cloud regions
Logical and operational separation from commercial SaaS environments
Alignment with NIST security frameworks
Defined authorization boundaries and control baselines

If operating in a FedRAMP-authorized or FedRAMP-aligned environment, Tecsys will clearly state:

Authorization level
Covered products and services
Hosting provider and region
Security control baseline

We provide full transparency into what is in scope and what is not.

For government-specific documentation, contact our security team.

Data protection and privacy

Customer data belongs to the customer. Tecsys processes data only to deliver contracted services.

Data ownership and use

Customers retain ownership of their data
Data is used solely to provide and support the Tecsys service
Tecsys does not sell customer data

Encryption and data security

Encryption in transit using industry-standard TLS
Encryption at rest within approved cloud infrastructure
Logical tenant isolation across the platform

Data retention and deletion

Data retention policies defined by contract
Secure deletion procedures when data is no longer required
Defined offboarding processes

Privacy compliance

Tecsys supports compliance with:

GDPR
CCPA and applicable U.S. privacy laws
Industry-specific healthcare requirements where applicable, including HIPAA and SOC2

A Data Processing Agreement (DPA) is available upon request.

Subprocessors

Tecsys maintains a current list of subprocessors used to deliver services. Customers are notified of material changes in accordance with contractual terms.

View subprocessor list →

AI privacy and responsible AI

Tecsys integrates AI capabilities directly into supply chain workflows. These capabilities are governed by strict privacy and data-use controls.

Customer data and model training

Customer data is not used to train foundation models unless explicitly agreed in writing
Customer data is not shared with third-party model providers for retention or model improvement
AI features operate within defined tenant boundaries

Data handling in AI workflows

Prompts and outputs are logged in accordance with our security policy
Access to logs is restricted and audited
Administrative access is controlled and monitored

Governance and oversight

AI features undergo structured security and privacy review before release
Bias and performance testing are conducted where applicable
Changes to AI functionality follow formal change management processes

Transparency

Where AI features rely on subprocessors, those providers are listed in the subprocessor registry.

Our objective is straightforward: deliver measurable value from AI while maintaining strict control over customer data.

Platform security architecture

Security controls are embedded across the Tecsys platform.

Identity and access management

Role-based access control (RBAC)
Support for SAML and OIDC-based single sign-on
Multi-factor authentication support

Network and infrastructure security

Segmented cloud environments
Firewalling and network isolation
Hardened production infrastructure

Secure development lifecycle

Secure software development lifecycle (SSDLC)
Code review and automated security testing
Vulnerability scanning integrated into CI/CD pipelines
Regular third-party penetration testing

Vulnerability and patch management

Continuous vulnerability monitoring
Defined remediation timelines based on severity
Patch management aligned to risk level

Operational resilience and continuity

Tecsys designs for availability and continuity in environments where downtime is not acceptable.

High availability

Redundant infrastructure
Multi-zone cloud deployment
Defined uptime targets

Disaster recovery

Documented disaster recovery plan
Defined Recovery Time Objective (RTO)
Defined Recovery Point Objective (RPO)
Regular recovery testing

Business continuity

Formal business continuity plan
Periodic testing and review
Escalation and response playbooks

Monitoring and incident response

Tecsys maintains active operational security monitoring.

Continuous monitoring

24/7 monitoring of production systems
Centralized logging and audit trails
Alerting for anomalous activity

Incident response

Documented incident response process
Defined severity levels and escalation paths
Customer notification procedures aligned with contractual requirements
Post-incident review and corrective action tracking

Vendor risk and third-party management

Tecsys evaluates third-party providers that support delivery of the platform.

Formal vendor risk assessment program
Security and compliance requirements embedded in contracts
Periodic reassessment of critical vendors
Cloud provider security alignment

Third-party providers are evaluated against security, privacy and operational risk criteria before engagement.

Transparency and document access

Tecsys supports structured enterprise security review processes.

Available documentation includes:

SOC reports
ISO certifications
Penetration test summaries
Security whitepapers
DPA and contractual security exhibits

Request security documentation → security@tecsys.com
Contact security team → security@tecsys.com

Shared responsibility model

Security in cloud environments is a shared responsibility.

Tecsys is responsible for:

Platform security
Infrastructure protection
Application security controls
Operational monitoring

Customers are responsible for:

User access governance
Configuration management
Endpoint security
Internal policy enforcement

We provide guidance and best practices to help customers configure the platform securely.

Version and governance

This Security and Trust Center is reviewed and updated regularly to reflect current certifications, controls and operational practices.