Security & data protection
EMP² is a browser-based GMP training tool. It is designed to be safe to adopt even under strict corporate IT and pharmaceutical quality rules: nothing is installed, and no confidential, patient or regulated (GxP) data is ever collected. This page is intended to be shared with your IT security and QA teams.
Nothing to install
100% browser-based. No agent, no desktop app, no software deployed on your network or devices.
No sensitive data
We hold no patient data, no manufacturing or batch records, and nothing used for GMP release decisions.
Not a GxP system
A training & self-assessment tool — outside the scope of CSV validation (EU GMP Annex 11 / 21 CFR Part 11).
EU hosting, GDPR
Hosted on EU infrastructure, GDPR-compliant, with a Data Processing Agreement (DPA) available on request.
Encrypted
All traffic over TLS/HTTPS; data encrypted at rest by our infrastructure providers.
Weekly email
Each week we email your team a one-click link to that week's 3 expert questions — no password to manage and no software to install.
Why EMP² is low-risk to approve
The usual concern with new software is a system that ingests confidential data or must be installed and validated. EMP² is neither:
- It is a training tool, not a quality system. It is not used to make, record or support any GMP decision, so it does not fall under computerised-system validation (EU GMP Annex 11 / 21 CFR Part 11).
- The only personal data is a work email and quiz scores. No patient data, no product/batch data, no documents from your environment.
- No footprint on your estate. It runs in the browser — there is nothing to deploy, patch or maintain on your side.
What data we hold
- Email — to send the weekly questions and/or operate your account.
- Display name & password hash — only if an account is created (managed by Supabase Auth; passwords are stored as salted hashes, never in clear).
- Training activity — quiz answers, scores and streaks, to show progress and leaderboards.
- No card data — payments are handled entirely by Stripe.
- Retention — account data and training activity are kept while your account is active. On deletion request, all personal data is removed within 30 days.
Full detail in our Privacy Policy (GDPR).
Infrastructure & subprocessors
We rely on a short list of established providers, each bound by a GDPR data-processing agreement and maintaining recognised security certifications:
| Provider | Role | Assurance |
|---|---|---|
| Vercel | Application hosting & CDN | SOC 2 Type II |
| Supabase | Database & authentication (EU) | SOC 2 Type II |
| Resend | Transactional / weekly email | Built on AWS (SOC 2, ISO 27001) |
| Stripe | Payments (we never see card data) | PCI-DSS Level 1 |
Data in transit is protected with TLS/HTTPS; data at rest is encrypted by the providers above. We use no advertising trackers or third-party analytics cookies.
Application & transport security
- HTTPS everywhere with HSTS (HTTP Strict Transport Security) enforced.
- Hardened HTTP headers on every response: Content-Security-Policy, anti-clickjacking (X-Frame-Options / frame-ancestors), MIME-sniffing protection, and a strict referrer & permissions policy.
- Authenticated email — our sending domain is protected with SPF, DKIM and DMARC, so recipients can verify that messages genuinely come from us and spoofed mail is rejected.
- Least-privilege data access — database row-level security; server-only secrets; payments delegated to Stripe (PCI-DSS).
- Incident response — in the unlikely event of a personal data breach, affected customers are notified without undue delay and within 72 hours, in line with GDPR Art. 33–34.
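As an added example, not EMP²'s own code: an offline Python check that a reviewing team can run over response headers captured from the web app (for example with `curl -I`) and over the sending domain's `_dmarc` TXT record, to verify the header and email-authentication claims in this list. The header values and DNS records below are constructed samples, not EMP²'s real configuration; note that DMARC only causes spoofed mail to be rejected when the policy is `p=reject`.

```python
# Added example (not EMP2's code): offline verification of hardened-header
# and DMARC claims. SAMPLE_HEADERS is a constructed response, not real data.
import re

SAMPLE_HEADERS = {  # constructed, shaped like `curl -I https://<app>` output
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def audit_headers(headers):
    """Return a list of findings (empty list = every check passed).
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    # HSTS only protects returning users if max-age is long; one year is the usual floor.
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    # Clickjacking protection may come from either mechanism.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no anti-clickjacking control (frame-ancestors / X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings

def dmarc_policy(txt_record):
    """Parse a _dmarc TXT record and return its p= policy, or None if the
    record is not a DMARC record. Only p=reject makes receivers discard
    spoofed mail; p=none is report-only, p=quarantine usually means spam folder."""
    tags = dict(
        part.strip().split("=", 1)
        for part in txt_record.split(";")
        if "=" in part
    )
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p")
```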
Options for enterprise & regulated teams
- Weekly email — every week we email your team a secure one-click link to that week's 3 expert questions. No password and no software to set up: the link opens the questions in the web app, and any email can be unsubscribed in one click.
- DPA & security questionnaire — a signed GDPR Data Processing Agreement and answers to your vendor security questionnaire (CAIQ / SIG-lite) are available on request.
- SSO & enterprise options — single sign-on (SAML) and dedicated hosting are on our enterprise roadmap. If this is a requirement for your organisation, contact us to discuss timelines.
Need anything for your review?
We're happy to complete a security questionnaire, sign a DPA, or set up the weekly email for your team. Contact empower.partner.info@gmail.com.
Last updated: 12 June 2026 · For training purposes only · Not for official QA release decisions