Compliance Readiness Statement
This page describes FactoryThread's current security and compliance readiness posture. It is not a certification statement. FactoryThread does not currently hold SOC 2 Type II, ISO/IEC 27001, 21 CFR Part 11, or GxP certifications.
FactoryThread is a data virtualization platform and is not designed to be a system of record for customer business data. The platform processes customer data during flow execution and retains limited operational metadata needed to operate, troubleshoot, and secure the service. Two limited cases where customer-derived data may be retained — bounded samples of failing input records on the error path, and ephemeral worker-side staging during a single run — are documented explicitly because they are part of the security and compliance boundary. See the Security Overview for the full statement.
Many of FactoryThread's underlying providers — Auth0 (identity), Microsoft Azure (compute, networking, managed Postgres, RabbitMQ), Stripe (billing), and OpenAI / LangChain (AI nodes, opt-in only) — already hold relevant independent certifications. Our work is to certify the FactoryThread layer that sits on top of those providers.
The compliance roadmap focuses first on SOC 2, followed by ISO/IEC 27001 based on customer demand. Regulated workloads such as 21 CFR Part 11 and GxP are addressed through deployment-specific customer validation, typically in on-prem or customer-controlled environments.
A detailed Compliance Readiness Statement — per-criterion SOC 2 Common Criteria alignment, ISO/IEC 27001:2022 Annex A theme mapping, the operational-details readiness table, and target audit timelines — is part of the security packet available under NDA. To request it, email support@factorythread.com.
SOC 2 Type II
Scope. SOC 2 is the most natural primary framework for FactoryThread: we are a SaaS platform that processes (rather than stores) customer data, and the Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and (where applicable) Privacy — map directly to how the platform is built and operated.
Stance. Meaningful readiness alignment with the SOC 2 Common Criteria. Formal evidence collection and auditor validation are not yet complete; we have not been audited. The detailed per-criterion alignment, operational-details readiness table, and target audit timeline are in the Compliance Readiness Statement available under NDA.
ISO/IEC 27001
Scope. ISO/IEC 27001 (with the supporting ISO/IEC 27002:2022 implementation guidance) is the international counterpart to SOC 2. Customers in EU and APAC markets often prefer ISO; many large enterprises require both.
Stance. Meaningful readiness alignment with the ISO/IEC 27001:2022 Annex A themes. We have not yet established a formal Information Security Management System (ISMS) or engaged a certification body. The per-theme alignment and target audit timeline are in the Compliance Readiness Statement available under NDA.
21 CFR Part 11 (US FDA — Electronic Records and Signatures)
Applicability is conditional. 21 CFR Part 11 applies when a regulated customer uses FactoryThread to create, modify, or sign electronic records that the FDA expects to inspect. For most non-regulated customers it does not apply; for regulated customers (pharma, medical-device, biotech, food) it may, depending on the workload.
Recommended posture for 21 CFR Part 11 workloads. Deploy FactoryThread on-prem so the entire system operates inside the customer's qualified environment, under the customer's existing SOPs and validation. The on-prem release uses the same application code with reverse-proxy SSO; data and audit context never leave the customer network.
Important boundary. On-prem deployment can simplify the customer's validation effort because FactoryThread operates inside the customer's qualified environment. However, on-prem deployment alone does not make FactoryThread Part 11-compliant. Compliance depends on the customer's intended use, SOPs, validation package, audit trails, access controls, record-retention controls, and electronic-signature design. FactoryThread provides the application layer; the regulated customer owns the validation envelope around it.
A per-clause review of where FactoryThread aligns with § 11.10, § 11.50, § 11.70, § 11.100, and § 11.200, and the per-customer mapping process for on-prem deployments, is in the Compliance Readiness Statement available under NDA.
GxP (GMP / GLP / GCP)
Applicability is conditional, identical to Part 11. GxP refers to the broader family of "good practice" guidelines (Good Manufacturing, Good Laboratory, Good Clinical) — most of these reference Part 11 for electronic-record handling.
Recommended posture. On-prem deployment. GxP workloads typically demand that both the data and the system that processes it stay within a qualified, customer-controlled environment. The on-prem release is the right fit; data does not leave the customer network, and the customer's existing GxP SOPs and validation lifecycle (URS / FS / DS / IQ / OQ / PQ) wrap the FactoryThread containers.
Important boundary. As with Part 11, on-prem deployment alone does not make FactoryThread GxP-validated. GxP validation is owned by the customer and depends on the customer's intended use, SOPs, change-control procedures, training records, and qualification lifecycle.
The control matrix mapping each GxP-relevant FactoryThread feature to the customer's validation expectation is provided per engagement; its outline and the mapping process are in the Compliance Readiness Statement available under NDA.
Contact
For the NDA-gated security packet, CAIQ-Lite or SIG-Lite, a DPA, or a 30-minute walkthrough with the FactoryThread security team, email support@factorythread.com.