Built for GxP-Regulated Quality Teams
GAMP 5 Category 4 configured software for pharmaceutical and medical device quality risk management.
Adopting any SaaS tool in a GxP environment requires your organisation to validate the system for its intended use. That obligation does not change because the tool is cloud-hosted. Mitigon is designed against the regulatory frameworks your quality team already works within and provides the technical controls, audit trail architecture, and supplier documentation to make your validation defensible and efficient.
Regulatory Alignment
Framework-by-framework mapping
Every claim below is grounded in the specific regulation or guidance document referenced. Where a capability is limited to the Pro tier, this is stated explicitly.
| Regulation | What It Requires | How Mitigon Supports It |
|---|---|---|
| 21 CFR Part 11 – Electronic records and electronic signatures (FDA) | Subpart B (§11.10): validated systems, immutable audit trails, access controls, authority checks, operational system checks, record protection, and accurate record copies. Subpart C (§§11.50–11.300): electronic signatures must display signer name, date/time, and meaning; signatures must be unique to one individual and use two-component authentication. | Subpart B controls are included on all tiers: append-only audit trail (§11.10(e)), role-based access control (§11.10(d), (g)) with 5 assignable roles (Approver and Consultant roles available on Pro tier), configurable session timeout (§11.200(a)(1)), password complexity and lockout (§11.300), TLS 1.2+ and AES-256 encryption (§11.30), export with metadata and verification hash (§11.10(b)). Subpart C (electronic signatures) is available on the Pro tier, activated per organisation on request. |
| EU GMP Annex 11 – Computerised systems in EU GMP environments | Clause 4: validation based on risk assessment. Clause 7: data secured, accessible, readable throughout retention. Clause 8: printouts indicating changes since original entry. Clause 9: audit trails recording who, what, when, and why. Clause 12: access restricted to authorised persons. Clause 17: archived data checked for accessibility, readability, and integrity. | Clause 4: validation support package for GAMP 5 Category 4 risk-based qualification. Clause 7: data stored on AWS eu-west-1 with automated backups and documented RPO/RTO. Clause 8: Excel exports include per-row “Modified” indicators and audit event counts. Clause 9: append-only event store with who, what, when, before-state, after-state; reason-for-change field available (optional by default, mandatory enforcement on Pro tier). Clause 12: individual accounts only, role-based access, all access changes logged. Clause 17: completed FMEAs archivable to read-only state. MFA (referenced in the 2025 draft revision, Section 11.6) is available on the Pro tier. |
| ICH Q9(R1) – Quality Risk Management (finalised January 2023) | Section 4: formal QRM process (risk assessment, control, communication, review). Section 5: recognised tools including FMEA (Annex I.2); Section 5.3 warns against “poorly designed risk scoring scales” as a source of unacceptable subjectivity. Section 6: integration of QRM into industry operations. | Mitigon implements FMEA per ICH Q9(R1) Annex I.2 and FMECA (Annex I.3), with configurable severity, occurrence, and detection scoring. Default scale descriptors include clearly differentiated, objective criteria at each level per Section 5.3. Structured review workflows support the Section 4 lifecycle. Cross-functional collaboration supports the Section 4.1 requirement for appropriate expertise. |
| GAMP 5 Second Edition – Validation of computerised systems (July 2022) | Software categorisation scaling validation effort to risk. Category 4 (configured products): risk-based IQ/OQ/PQ leveraging vendor documentation. Appendix M2: supplier assessment. Appendix M11: cloud/SaaS infrastructure. Shared responsibility model for SaaS. | Mitigon is classified as Category 4 (configured product). Customers configure templates, scoring scales, roles, and workflows within built-in capabilities — no custom code. Supplier assessment packet, configuration specifications, and validation support documentation are provided. See the dedicated section below. |
| ALCOA+ – Data integrity principles | Nine principles: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available. Enforced through predicate rules and data integrity guidance (FDA 2018, MHRA 2018, PIC/S PI 041-1). | Mitigon’s audit trail architecture satisfies all nine principles. Every action is attributed to a unique user with server-generated timestamps. Records are exportable in open formats with verification hashes. Soft-delete-only enforcement prevents permanent data loss. See the detailed ALCOA+ mapping in the Audit Trail section below. |
| ISO 13485:2016 – Quality management systems for medical devices | Clause 4.1.6: organisations must validate computer software used in their QMS prior to initial use and after changes. Clause 7.4: supplier evaluation and monitoring. | Clause 4.1.6 is the primary clause obligating medical device customers to validate Mitigon. Validation support documentation (functional specifications, test scripts, release notes with impact assessments) is provided to reduce validation burden. Supplier assessment documentation is available for Clause 7.4 qualification. |
| 21 CFR Part 820 / QMSR – FDA device quality system (effective 2 February 2026) | The QMSR incorporates ISO 13485:2016 by reference into Part 820. Risk management is referenced over 25 times across the QMS, up from a single mention in the legacy QSR. | Mitigon’s alignment to ISO 13485 — particularly Clause 4.1.6 (software validation), Clause 4.2.4 (document control), and Clause 4.2.5 (record control) — supports QMSR readiness. |
| EU MDR – Regulation (EU) 2017/745 (Medical device regulation) | Annex I, GSPR 3: manufacturers must establish a risk management system as a continuous iterative process. ISO 14971:2019 is the harmonised standard for risk management. | Medical device manufacturers subject to EU MDR use Mitigon as part of their risk management activities under Annex I GSPR 3. Process FMEA workflows are supported. Full ISO 14971 risk management file framework support (hazard analysis, benefit-risk, risk trace matrix) is on the product roadmap. |
Validation
GAMP 5 Category 4 classification
What this means for your validation effort.
Mitigon is a GAMP 5 Category 4 configured product — commercial software that customers configure to their business needs without writing custom code. Users set up FMEA templates, define scoring scales and descriptors, configure user roles and permissions, and customise workflows within the platform's built-in capabilities. This is distinct from Category 5 (custom/bespoke software), where the customer or a third party writes code to create or substantially modify the application.
For Category 4 software, GAMP 5 Second Edition (Appendix D5) prescribes a risk-based approach: your organisation performs IQ/OQ/PQ against your specific configuration and intended use, leveraging the vendor's functional specifications and testing evidence rather than re-testing the underlying platform code. The FDA's Computer Software Assurance guidance (finalised September 2025) reinforces this — it endorses leveraging vendor evidence to reduce duplicate validation work.
Mitigon provides the following to support your validation:
- Supplier assessment packet covering development practices, quality management, security, and data handling.
- Configuration specifications documenting your organisation's roles, permissions, templates, and scoring scales.
- Audit trail samples demonstrating event capture of who, what, when, and before/after state.
- Release notes with GxP impact assessments for every platform update.
Documentation
Supplier assessment packet
The documentation your procurement, quality, or CSV team needs to evaluate Mitigon as a vendor.
- Company overview and organisational structure
- Software development lifecycle summary
- Quality management approach
- Security controls and architecture
- Data handling, storage, and residency details
- Incident response and breach notification procedures
- Change management and release process
- Business continuity posture with documented RPO/RTO
- Current subprocessors list
- Supporting evidence for GAMP 5 Category 4 positioning
Available under NDA to organisations running a supplier qualification, CSV vendor assessment, or procurement review.
Supplier assessment and validation materials are walked through on a scoping call, so we can map them to your CSV programme and framework.
Data Integrity
Audit trail and ALCOA+ mapping
Mitigon's audit trail is an append-only event store, logically separated from mutable application data and restricted to INSERT-only permissions at the database level.
No user — including organisation owners or platform administrators — can modify, delete, or disable audit records through the application. Every create, update, and soft-delete of FMEA records, rows, and scoring data is captured. Every import, export, login, logout, failed login attempt, password change, account lockout, role assignment, and permission change is logged.
Each event records:
- User identity — the authenticated user who performed the action
- Timestamp — server-generated, NTP-synchronised, UTC (displayed in local timezone with UTC offset)
- Before-state and after-state — complete old and new values
- Resource identification — what was changed, in which FMEA, in which organisation
- Session and access metadata — IP address and user agent
ALCOA+ principle mapping
| Principle | How Mitigon Satisfies It |
|---|---|
| Attributable | Every action is tied to a unique, authenticated user. Shared accounts are technically impossible (duplicate emails rejected at database level). Audit events record user identity, timestamp, and action. |
| Legible | Records are exportable as Excel and CSV with metadata headers including FMEA title, version, export date/time (with UTC offset), exporting user’s full legal name, and record count. Exports include a SHA-256 verification hash. |
| Contemporaneous | All timestamps are server-generated using NTP-synchronised clocks. Client-side timestamps are never authoritative. Timestamps display with UTC offset for timezone transparency. |
| Original | The database record in Mitigon is the original. Record changes do not obscure previously recorded information — old values are preserved in the audit trail. All deletions are soft deletes; hard deletion of GxP records is technically impossible. |
| Accurate | Scoring calculations (RPN, AP lookup) are deterministic and covered by automated tests against known reference values. Input validation enforces range and format constraints. Export integrity is verifiable via SHA-256 hash. |
| Complete | No GxP record can be permanently deleted. All versions, including superseded risk assessments, are retained and accessible. If an audit event write fails, the triggering data change also fails (transactional coupling). |
| Consistent | Event IDs and version numbers are system-generated sequential identifiers. Sequence gaps (from transaction rollbacks) are detectable via audit trail query. All system components use synchronised NTP time sources. |
| Enduring | Audit events are retained for a minimum of 7 years (configurable up to 30 years per organisation). Automated backups with documented restore testing. Business continuity plan includes data escrow provisions. |
| Available | The audit log is accessible to all organisation roles with date-range filtering and CSV export. Regulatory inspectors can be granted time-limited read-only access. Data export on contract termination is available for a minimum of 90 days. |
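An added illustration, not Mitigon's own code or schema, of three controls described above: an append-only event store that the database itself refuses to rewrite, transactional coupling so that a failed audit write also fails the data change, and a query that detects sequence gaps left by rolled-back transactions. The tables, the sample FMEA row, the NULL user id used to force a failed audit write, and the plain counter standing in for a server-side sequence are all constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone
from itertools import count

# Constructed schema (an assumption, not Mitigon's own); triggers stand in for an INSERT-only grant.
SCHEMA = """
CREATE TABLE fmea_row (id INTEGER PRIMARY KEY, severity INTEGER NOT NULL);
CREATE TABLE audit_event (event_id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, ts_utc TEXT NOT NULL,
    action TEXT NOT NULL, resource TEXT NOT NULL, before_state TEXT, after_state TEXT);
CREATE TRIGGER no_update BEFORE UPDATE ON audit_event BEGIN SELECT RAISE(ABORT, 'append-only'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON audit_event BEGIN SELECT RAISE(ABORT, 'append-only'); END;
"""
class AuditStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.db.execute("INSERT INTO fmea_row VALUES (1, 3)")  # constructed sample row
        self.db.commit()
        # Models a server-side sequence, which is not rolled back with its transaction.
        self._seq = count(1)
    def severity(self, row_id):
        return self.db.execute("SELECT severity FROM fmea_row WHERE id=?", (row_id,)).fetchone()[0]
    def update_severity(self, user_id, row_id, new_severity):
        # One transaction for data change and audit event: if the INSERT fails, the UPDATE rolls back.
        before, event_id = self.severity(row_id), next(self._seq)  # id is consumed even on failure
        try:
            with self.db:  # commit on success, rollback on any exception
                self.db.execute("UPDATE fmea_row SET severity=? WHERE id=?", (new_severity, row_id))
                self.db.execute("INSERT INTO audit_event VALUES (?,?,?,?,?,?,?)",
                    (event_id, user_id, datetime.now(timezone.utc).isoformat(), "update",
                     f"fmea_row:{row_id}", f"severity={before}", f"severity={new_severity}"))
            return True
        except sqlite3.Error:  # e.g. NOT NULL violation when user_id is None
            return False
    def sequence_gaps(self):
        # Event ids missing below the current maximum; each one marks a rolled-back write.
        rows = self.db.execute("""SELECT a.event_id + 1 FROM audit_event a
            WHERE a.event_id < (SELECT MAX(event_id) FROM audit_event) AND NOT EXISTS
            (SELECT 1 FROM audit_event b WHERE b.event_id = a.event_id + 1) ORDER BY 1""")
        return [r[0] for r in rows]
    def audit_is_tamper_proof(self):
        # True when the trigger blocks an attempt to rewrite an existing audit event.
        try:
            self.db.execute("UPDATE audit_event SET after_state = 'severity=1'")
            return False
        except sqlite3.Error:
            return True
        finally:
            self.db.rollback()  # discard the attempt either way
```

In a production store the same effect comes from granting the application role INSERT only on the audit table and letting the database sequence (not the transaction) allocate event ids, which is why gaps, not missing rows, are the signal to query for.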
Free and Pro tier capabilities
Basic audit trail functionality — date-range filtering and CSV export — is available on all tiers. Advanced capabilities available on the Pro tier include: full-text search across audit events, anomaly highlighting, user and action type filtering, PDF export of audit reports, and full audit trail history embedded within FMEA exports.
Shared Responsibility
Validation support and customer responsibilities
What Mitigon provides
- Supplier assessment packet covering development practices, quality management, security architecture, and data handling documentation.
- Configuration specifications and user role definitions documenting how your organisation has configured the platform.
- IQ/OQ/PQ scope and templates walked through on a scoping call, adapted to your CSV or CSA approach.
- Change notifications for material platform updates, with advance notice for changes that could require customer revalidation.
- Release notes with every deployment, including version identifier, date, change summary, and GxP impact assessment.
What the customer is responsible for
- Defining intended use and validating Mitigon against that intended use per your organisation’s CSV programme or CSA approach.
- Configuring user roles, permissions, and workflows appropriate to your organisation’s quality system and regulatory obligations.
- Training end users on your organisation’s SOPs for using Mitigon within your quality system.
- Periodic review of the system in accordance with your CSV programme, typically annually, covering validation status, change history, and audit trail integrity.
This shared-responsibility model is standard for GAMP 5 Category 4 SaaS tools. Mitigon provides the platform controls and documentation; your organisation validates the configuration and owns the compliance determination.
Infrastructure
Security and data handling
Hosting and data residency
Hosted on AWS eu-west-1 (Ireland). All application data, audit trail events, and backups are stored within the European Union.
Encryption
All data in transit encrypted using TLS 1.2 or higher. All data at rest encrypted using AES-256. Password hashes use bcrypt with cost factor 12+.
Authentication
Email and password with enforced complexity (8+ characters, mixed case, number, special character). Accounts lock after 5 failed attempts for 30 minutes. Session timeout: 30 minutes inactivity, 8-hour absolute maximum. MFA and SSO available on the Pro tier.
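An added reference model of the lockout and session policy stated above, not Mitigon's implementation: the class names and the fixed reference time T0 are constructed, the numeric limits are the page's. It makes explicit two behaviours an OQ test script should cover: a locked account rejects even a correct password until the 30 minutes have elapsed, and activity extends the idle window but never the 8-hour absolute limit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values from the page; the classes and the reference time T0 are constructed.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=30)
ABSOLUTE_TIMEOUT = timedelta(hours=8)
T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time

def at(minutes):
    """Server-side UTC time `minutes` after T0, for worked scenarios."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class Account:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def login(self, password_ok, now):
        # Returns True only for an accepted login. A locked account rejects even a
        # correct password, so the lock cannot be bypassed by continuing to guess.
        if self.is_locked(now):
            return False
        if password_ok:
            self.failed_attempts, self.locked_until = 0, None
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.failed_attempts, self.locked_until = 0, now + LOCKOUT
        return False

@dataclass
class Session:
    started: datetime
    last_seen: datetime

    def is_valid(self, now):
        # Both limits apply: activity extends the idle window but never the absolute one.
        return now - self.last_seen < IDLE_TIMEOUT and now - self.started < ABSOLUTE_TIMEOUT

    def touch(self, now):
        # Called on each request; refreshes the idle window only while the session is still valid.
        if not self.is_valid(now):
            return False
        self.last_seen = now
        return True
```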
Backups
Automated backups of all data including audit trail events. Defined RPO and RTO targets. Backup integrity verified through documented restore testing at minimum annually.
Data on termination
Complete data export available for a minimum of 90 days after termination, in open, non-proprietary, documented formats.
Subprocessors
Subprocessor list shared under NDA on a scoping call.
FAQ
Common questions from quality and CSV teams
If you are evaluating Mitigon as part of a supplier qualification or CSV assessment, book a call to walk through your specific requirements.