Your Security. Your Compliance. Your Trust.

Welcome to the xLM Trust Center

At xLM, we firmly believe that trust is the cornerstone of every successful partnership. This conviction drives us to maintain the highest standards in security, GxP compliance, and operational integrity. Our unwavering commitment to data protection, IT security, change management, GxP compliance, and client trust ensures that your business remains secure, resilient, and compliant.

Trust Pillars

Clear, verifiable transparency across security, compliance, and operations, backed by certifications, encryption, and detailed controls.

SOC2 Type 2
ISO
GDPR
NIST-E2500
21 CFR Part 11
Annex 11/Annex 22
*SOC2 / ISO27001 certification in progress; expected Q1 2026
Infrastructure Security
Unique account authentication enforced
Production database access restricted
Access revoked upon termination
Data & Privacy
Information classification policy implemented
Data classification levels defined
Access controls applied based on classification
Organizational Security
Employee background checks performed
Code of Conduct acknowledged by employees and enforced
Code of Conduct acknowledged by contractors
Internal Security Procedures
Risk management program implemented
Annual risk assessments and penetration testing conducted
Risk register and treatment tracking maintained
Resources

White Papers

21 CFR Part 11: Continuous Intelligent Validation (cIV); Continuous Temperature Mapping (cTM)
Annex 11: Continuous Intelligent Validation (cIV); Continuous Temperature Mapping (cTM)
Annex 22: Continuous Intelligent Validation (cIV)
ISO 42001: Continuous Intelligent Validation (cIV)
NIST: Continuous Intelligent Validation (cIV)
Infrastructure Security
Controls

Unique production database authentication enforced: xLM requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH keys.
Unique account authentication enforced: xLM requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.
Production application access restricted: System access is restricted to authorized users only.
Production database access restricted: xLM restricts privileged access to the database to authorized users with a business need.
Production network access restricted: xLM restricts privileged access to the production network to authorized users with a business need.
Access revoked upon termination: xLM completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
Unique network system authentication enforced: xLM requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
Remote access MFA enforced: xLM's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
Remote access encryption enforced: xLM's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Log management utilized: xLM uses a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
Network segmentation implemented: xLM's network is segmented to prevent unauthorized access to customer data.
Organizational Security
Controls

Employee background checks performed: xLM conducts background checks on all new employees, verifying identity, employment, education, criminal records, and references to ensure a safe workplace.
Code of Conduct acknowledged by employees and enforced: xLM requires employees to review and acknowledge the Code of Conduct at hire. Violations receive formal disciplinary action per company policy.
Code of Conduct acknowledged by contractors: Contractor agreements include acknowledgement of or reference to the company's Code of Conduct, ensuring consistent ethical and professional standards.
Security awareness and training conducted: xLM provides mandatory security awareness training during onboarding and on a continuous basis.
Internal Security Procedures
Controls

Risk management program implemented: xLM maintains a formal risk management program aligned with ISO 27005 and NIST 800-30/37, identifying, assessing, and mitigating security risks via a documented Risk Register and Treatment Plan.
Annual risk assessments and vulnerability testing conducted: Comprehensive risk assessments are performed at least annually across all business systems, incorporating results from regular vulnerability scans to evaluate potential weaknesses along with their likelihood and impact.
Risk register and treatment tracking maintained: All identified risks are ranked by severity and tracked in a centralized Risk Register. Treatment actions (mitigate, accept, transfer, or avoid) are approved by the CISO and reviewed by leadership.
Cybersecurity framework operationalized: xLM operates an integrated cybersecurity framework covering prevention, detection, response, recovery, and forensics, ensuring 24/7 protection across its digital environment.
Vulnerability and patch management performed: Regular vulnerability assessments and phased patch deployments minimize attack surfaces and maintain endpoint security.
Threat detection and endpoint protection deployed: MTR, anti-phishing, and URL filtering continuously monitor for malicious behavior, blocking intrusions and isolating compromised devices in real time.
Incident response and alerting procedures established: Automated alerts, escalation workflows, and incident response playbooks ensure rapid containment and communication during security events.
Disaster recovery and business continuity plan maintained: A comprehensive IT Disaster Recovery Plan defines recovery processes, roles, and escalation procedures to ensure continuity of critical services after disruption.
Disaster recovery testing and review conducted: The DR plan is reviewed and tested every six months in simulated environments, with findings reported to leadership and updates applied through formal change control.
Defined recovery time objectives (RTOs) established: Clear recovery targets are defined: critical services restore within 6 hours and full operations within 24 hours, backed by an SLA guaranteeing 99.99% uptime.
Data & Privacy
Controls

Information classification policy implemented: xLM has a formal Information Classification Policy defining data categorization, handling, and protection by sensitivity and impact to ensure confidentiality, integrity, and availability.
Data classification levels defined: All company data is classified into five categories (confidential, restricted, private, internal use, and public) based on business impact and risk sensitivity, for consistent handling and control.
Access controls applied based on classification: Access to data is restricted by classification, ensuring only authorized personnel can view, modify, or transmit sensitive and regulated information.
Confidential and restricted data encrypted: Confidential and restricted data are encrypted in transit and at rest using industry-standard protocols to prevent unauthorized access or disclosure.
Real-time review of access logs conducted: Controls are in place to monitor access logs for any abnormal activities.
Data handling and storage procedures established: Procedures govern data storage, processing, and transmission, with encryption, secure backups, and restricted network paths for sensitive information.
Privacy and regulatory compliance maintained: Data management complies with ISO 27001, ISO 27701, and SOC 2 privacy principles to meet global data protection and confidentiality standards.
Employee and vendor data protection enforced: Employees, contractors, and vendors must follow xLM's data protection and confidentiality policies when handling company data.
Information classification training provided: Regular training ensures employees understand their responsibilities for data classification, handling, and privacy protection.
How does xLM establish the fundamental security and operational trust required for handling highly regulated data (SOC 2)?
How do xLM products ensure the integrity of electronic records and signatures required by GxP foundational regulations (21 CFR Part 11 and Annex 11)?
How does xLM ensure transparency, traceability, and explainability of AI decisions especially under Annex 22 and ISO 42001 requirements?
How are human accountability and oversight (Human-in-the-Loop) embedded within xLM's AI products?
How does xLM ensure compliance is continuous, rather than a one-time event, throughout the product lifecycle?
What does ISO/IEC 42001 compliance bring to xLM’s AI governance and why is it important?
For companies using xLM in pharma or life sciences, how does compliance help them with regulatory readiness and audits?
Does compliance with international standards mean xLM supports both US and EU regulatory regimes?
SOC-2
xLM meets the AICPA SOC requirements for customer data management.
GDPR
We fully comply with GDPR and offer several data portability and management tools.
ISO 27001
xLM meets the international standard for information security management.
SSO & SCIM
Single Sign-On through trusted providers. Support for SCIM user provisioning to sync user roles and permissions.
Access & encryption
Users can only access the data they are authorized for. AES-256 encryption is used for data at rest, and TLS 1.2 is used for data in transit.
Operational security
Safeguards against malicious code to the highest standard, as well as confidentiality agreements with staff, customers, and suppliers.
Flexible deployment options
xLM is a SaaS solution with managed hosting by default and can be deployed on your cloud infrastructure.
Server security and monitoring
xLM complies with SOC 2, ISO 27001, and HITRUST. Data is stored with 24/7 threat monitoring.
No foundation model training
Contractual agreements with AI subprocessors prohibit use of customer data to train their models.
*SOC2 / ISO27001 certification in progress; expected Q1 2026

We’re Built on Your Trust

xLM’s Quality Management System (QMS) is based on industry standards as well as applicable GxPs and enables us to deliver managed services that not only meet but exceed the expectations of regulatory standards in the United States, Europe, and Japan. The quality frameworks that form the foundation of xLM have also shaped many of our clients’ quality organizations worldwide.

FDA 21 CFR Part 11, EudraLex Annex 11
ISO 9001:2015, GAMP 5
ASTM E2500

Data Management: Protecting What Matters Most

At xLM, the security of your data is our highest priority, ensuring compliance and protection at every stage.

Secure Data Storage

All data is securely stored with audit logs in Azure/AWS environments.

Business Continuity & Disaster Recovery (BC/DR)

A robust BC/DR policy guarantees operational resilience.

Continuous Compliance & Validation

We continuously validate all our services to ensure they remain compliant at all times. Additionally, we rigorously validate the internal tools we use, ensuring they meet the highest standards of security and compliance.

Peace of Mind

Our proactive security measures instill confidence in our clients.

Human Resource Management: Security Starts with People

Our personnel are the first line of defense. xLM adheres to strict protocols for onboarding, training, and access control to uphold security and compliance.

Pre-Hire Verification & NDAs

Comprehensive background checks and mandatory Non-Disclosure Agreements (NDAs) for all employees and contractors.

Role-Based Access Control

Strict access management, ensuring employees have permissions tailored to their roles and responsibilities.

Seamless Offboarding

Immediate revocation of access upon termination, preventing security gaps and unauthorized data exposure.

Ongoing Security Education

Regular cybersecurity training programs to enhance awareness and preparedness.

Policy Adherence & Compliance

A structured Employee Handbook and Learning Management System (LMS) to enforce security best practices.

Accountability & Performance

Proactive performance improvement programs to instill a culture of responsibility and vigilance.

Change & Incident Management: Ensuring Stability & Compliance

We maintain a structured and transparent approach to managing changes, incidents, and audits.

Change Control Procedures

All changes are documented, reviewed, and approved by our Change Control Board (CCB).

Source Code Management

Branch protection rules, in-scope repositories, and audit trails ensure code integrity.

Incident Response

A dedicated incident management process tracks all security events, with built-in audit trails for each activity.

GxP Compliance

Validated workflows for regulatory adherence.

IT Management: A Secure Digital Ecosystem

xLM’s IT infrastructure is built on robust security controls to ensure data protection and compliance.

Asset Register & User Privileges

A comprehensive register of assets is maintained, with role-based access control for users and devices.

MFA & Restricted Access

Multi-factor authentication, VPN access, and remote security tools.

Firewall & Malware Protection

Advanced encryption, antivirus, and threat monitoring.

Log & Device Monitoring

Continuous tracking through log management and ticketing tools.

Vulnerability Scanning & Patch Management

Regular assessments to prevent security risks.

Segregated Environments

Clear separation of development, testing, and production environments.

Client Management: Strengthening Partnerships with Trust

Client Onboarding & Agreements

Business Associate Agreements (BAAs) are signed for regulatory compliance.

Client List & Management Program

Secure handling of client data and service operations.

Client Termination Protocols

Ensuring data privacy and access revocation upon offboarding.

Client Success & Support

Proactive engagement to ensure seamless service delivery and client satisfaction.
