Security & Compliance at Ready Room
SOC 2 Type II certified. Hosted on Google Cloud. Single sign-on. Multi-tenant isolation. AI integration off by default. Built for the security expectations of regulated life sciences QA teams.
Looking for the full security overview?
Ready Room publishes its complete security architecture — infrastructure, application servers, database, authentication, authorization, integrations, availability, and data retention — in one document.
Read the Ready Room Security document (PDF)
SOC 2 Type II, audited annually
Synclinical maintains SOC 2 Type II compliance for Ready Room continuously and is audited annually by The Johanson Group against the AICPA Trust Services Criteria for security, availability, and confidentiality. The current report is available upon request from sales@readyroom.net.
Infrastructure
Ready Room runs on Google Cloud Platform, currently in the US-Central region (Iowa). Production servers are balanced across two availability zones to minimize the risk of correlated failures from physical-infrastructure outages. Traffic enters through a dedicated ingress (router), isolating Ready Room network traffic from other Google Cloud tenants.
In front of all of that sits Cloudflare: DDoS mitigation at the network and transport (TLS) layers, a worldwide CDN, and a Web Application Firewall with managed rules for widely exploited vulnerability classes.
Database and file storage
Customer data lives in Google Cloud SQL (a fully managed PostgreSQL instance), encrypted both at rest and in transit. A high-availability hot-standby instance receives every database write so traffic can fail over automatically if the primary instance becomes unavailable. The database is backed up every 24 hours; backups are encrypted and retained for seven days.
Document attachments are stored in Google Cloud Storage in private (not public) buckets. The browser reads and writes attachments only through cryptographically signed URLs with a fifteen-minute lifetime: a URL cannot be forged or altered to point at a different object, and a captured URL stops working fifteen minutes after it was issued.
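To make the signed-URL property concrete, here is an added illustration (not Ready Room's code, and not Google Cloud Storage's V4 signing algorithm, which uses a service-account key and a more elaborate canonical request): a URL carries an expiry timestamp and an HMAC over the object path and that timestamp, so tampering with either field or presenting the URL after the deadline fails verification. The signing key, bucket path and timestamps below are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing key for the illustration. In a real deployment the key
# lives only on the server (or in the cloud provider's signing service) and is
# never sent to the browser.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"
LIFETIME_SECONDS = 15 * 60  # fifteen-minute lifetime, as on the page


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the object path and the expiry, hex encoded."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, now: int, lifetime: int = LIFETIME_SECONDS) -> str:
    """Issue a time-limited URL for `path`; `now` is a Unix timestamp."""
    expires = now + lifetime
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{base}{path}?{query}"


def verify_url(url: str, now: int) -> bool:
    """Accept the URL only if it is unexpired and its signature covers
    exactly the path and expiry it presents."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # unsigned or malformed URL
    if now >= expires:
        return False  # lifetime elapsed; a captured URL is now useless
    # Constant-time comparison so the check does not leak the valid MAC byte by byte.
    return hmac.compare_digest(sig, _mac(parts.path, expires))


if __name__ == "__main__":
    issued_at = 1_000_000
    url = sign_url("https://storage.example", "/tenant-a/inspection-7/doc.pdf", issued_at)
    print(url)
    print("within lifetime:", verify_url(url, issued_at + 60))
    print("after lifetime: ", verify_url(url, issued_at + LIFETIME_SECONDS))
    print("path changed:   ", verify_url(url.replace("doc.pdf", "other.pdf"), issued_at + 60))
```

Note what the check does and does not give: anyone holding an unexpired URL can use it (it is a bearer credential), which is why the short lifetime matters; what the signature prevents is minting a URL for an object you were never granted, or extending the deadline on one you were.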
Application architecture
Ready Room is built in Elixir on the Phoenix web framework, whose defaults address several of the OWASP web-application risks: cross-site scripting and cross-site request forgery protections are built in, and the Ecto database library issues parameterized queries, which mitigates SQL injection at the query layer. Deployment is restricted and gated by automated tests, a staging environment, and a static security analysis pass before each release.
Authentication and access
- Single sign-on via Microsoft Entra ID (formerly Azure Active Directory), Okta, and Cisco Duo, using the standard OpenID Connect (OIDC) authentication flow. SSO is the recommended access pattern for every production deployment.
- Invitation-only registration. Users cannot self-register. Invitations use randomly generated tokens that are SHA-256 hashed and expire after seven days.
- Application passwords (for customers who cannot use SSO) must be at least 12 characters and are stored hashed with bcrypt, so no one, including database administrators, can recover a plaintext password from the database.
- Session hygiene. Sessions end when the browser closes or the user logs out, and the session ID is rotated on every login to mitigate session-fixation attacks.
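The invitation-token design in the list above, worked through as an added example (illustrative code, not Ready Room's implementation; it assumes, as is the usual reason for hashing such a token, that only the SHA-256 digest is kept server-side and the raw token exists only in the emailed link). The in-memory store, e-mail addresses and timestamps are constructed for the example; a real system would persist the rows in its database.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

INVITE_LIFETIME = 7 * 24 * 3600  # seven days, as on the page


@dataclass
class Invitation:
    email: str
    token_hash: str      # hex SHA-256 of the token; the token itself is never stored
    expires_at: int      # Unix timestamp
    redeemed: bool = False


# Constructed stand-in for the invitations table, keyed by token hash.
INVITES: Dict[str, Invitation] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_invitation(email: str, now: int) -> str:
    """Mint an invitation and return the raw token for the e-mailed link.

    secrets.token_urlsafe(32) draws 256 bits from the OS CSPRNG, so the token
    is not guessable; a database dump reveals only digests, from which the
    tokens cannot be recovered.
    """
    token = secrets.token_urlsafe(32)
    h = _digest(token)
    INVITES[h] = Invitation(email=email, token_hash=h, expires_at=now + INVITE_LIFETIME)
    return token


def redeem_invitation(token: str, now: int) -> Optional[Invitation]:
    """Look the presented token up by its digest; reject unknown, expired and
    already-used invitations. Because the lookup key is the digest of an
    unpredictable token, a timing difference on the lookup gives an attacker
    nothing to work with."""
    inv = INVITES.get(_digest(token))
    if inv is None or inv.redeemed or now >= inv.expires_at:
        return None
    inv.redeemed = True  # single use: the link is dead after registration
    return inv


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = create_invitation("qa-lead@example.com", t0)
    print("emailed link: https://app.example/invite/" + token)
    print("redeem next day:", redeem_invitation(token, t0 + 86_400))
    print("redeem again:   ", redeem_invitation(token, t0 + 86_400))
```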
Multi-tenant isolation and role-based access control
Ready Room is a multi-tenant system with four authorization contexts: Super User, Administrator, Team Member, and Inspector. Super users — currently only the Synclinical founders — have no special access or visibility into any customer account unless they are explicitly invited as an administrator or team member. Within a tenant, role-based access control with 10 default roles and 54 fine-grained permissions governs what every user can see and do. Roles are fully editable.
Network access
Ready Room is TLS-only. Any attempt to reach Ready Room over HTTP is automatically redirected to HTTPS, and Ready Room sets HTTP Strict Transport Security so that, once a browser has seen the header on an HTTPS response, it refuses to downgrade future requests to HTTP. This mitigates the “coffee shop attack” class of credential interception.
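An added example of how a practitioner verifies the two properties in that paragraph from captured responses (not Ready Room's code; the responses and hostnames below are constructed). The redirect check looks at the plain-HTTP response; the HSTS check looks at the HTTPS response, because browsers ignore a Strict-Transport-Security header delivered over plain HTTP, and it also parses the directive list, since a header without a valid max-age (or with max-age=0) gives no protection.

```python
from typing import Dict, List, Mapping, Optional

ONE_YEAR = 31_536_000  # max-age commonly required for a durable HSTS policy


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value. Returns None when the header
    would be ignored by a browser (no usable max-age directive)."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    max_age = result["max_age"]
    if max_age is None or max_age < 0:
        return None
    return result


def assess_tls_only(http_status: int, http_headers: Mapping[str, str],
                    https_headers: Mapping[str, str]) -> List[str]:
    """Return findings; an empty list means plain HTTP is redirected to HTTPS
    and HTTPS responses carry a durable HSTS policy."""
    findings: List[str] = []
    location = _header(http_headers, "Location")
    if http_status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    hsts = parse_hsts(_header(https_headers, "Strict-Transport-Security"))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header on HTTPS responses")
    elif hsts["max_age"] == 0:
        findings.append("HSTS max-age=0 instructs browsers to forget the policy")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts['max_age']} is shorter than one year")
    return findings


if __name__ == "__main__":
    # Constructed responses for a host that behaves as the page describes.
    http_resp = (301, {"Location": "https://app.example/login"})
    https_hdrs = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
    print(assess_tls_only(http_resp[0], http_resp[1], https_hdrs))  # expect []
```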
Video conferencing (Briefings)
Ready Room's integrated video conferencing is powered by Whereby. Meeting IDs are generated by a cryptographically strong random number generator with on the order of a septillion (about 10^24, or roughly 80 bits of) possible values, so meeting URLs are not guessable. Non-host participants must “knock” and be admitted by the host; their name (and, if their camera is on, their picture) is shown to the host first. Ready Room meetings are only accessible via the readyroom.net domain; they cannot be joined directly through Whereby.
AI integration: off by default, no PII
Ready Room offers two optional AI-assisted features powered by OpenAI: TMF locator embeddings and a regulatory-guidance chatbot called Reggie. OpenAI integration is disabled by default and must be enabled by an administrator on a per-inspection basis. When enabled, only request titles and explicit chatbot messages are sent; company names, user names, and email addresses are never sent. Ready Room uses the OpenAI API, and under OpenAI's API data-usage policy, data submitted through the API is not used to train its models. For life sciences QA teams who need to keep AI out of the picture entirely, the integration can simply stay off.
Availability and disaster recovery
Ready Room's contractual uptime SLA is 99.9% (about 8.8 hours of unscheduled downtime per year). Actual uptime has approached 99.999% over the last four years. In the event of catastrophic failure, the recovery point objective (RPO) is 24 hours, matching the daily backup cadence, and the recovery time objective (RTO) is approximately 8 hours.
Data retention and customer-driven deletion
By default Ready Room retains customer data indefinitely. Administrators can permanently delete individual inspections along with all related documents — this action is irrevocable and administrators must explicitly acknowledge their intent before it executes. Customers leaving the system can request a complete, irrevocable purge of all their data; Synclinical honors purge requests within 72 hours.
21 CFR Part 11 and EU Annex 11 alignment
Ready Room provides the technical controls a life sciences sponsor or CRO needs to support 21 CFR Part 11 and EU Annex 11: unique user authentication via SSO, an immutable audit trail of inspection activity, role-based access control, and secure document storage. Customers retain responsibility for the procedural controls — SOPs, validation, and signature-meaning policies — required by the regulation.
How to request the full security package
The complete security overview is published as a PDF on readyroom.net (the Security document linked above). For the current SOC 2 Type II report or any vendor-specific security questionnaire, email sales@readyroom.net.
Trusted GxP Inspection Management for Global Life Sciences Teams
From biotech startups in Boston to pharmaceutical leaders in Basel, Ready Room helps teams stay inspection-ready. Whether you're a sponsor, CRO, CMO, lab, or medical device company, our cloud-based platform simplifies inspection preparation and management across every part of your organization.