GxP Compliance Policy

Introduction

At Thru, we are committed to ensuring our Managed File Transfer (MFT) solutions meet the stringent requirements of Good Practice (GxP) regulations, including Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), and Good Laboratory Practice (GLP).

As a trusted partner to regulated industries, we maintain a robust quality management system and implement comprehensive measures to ensure data integrity, system validation, and regulatory compliance throughout our product lifecycle.

Data Integrity and Security

Our MFT solution employs industry-leading security controls, including encryption, access controls, and audit trails, to safeguard the confidentiality, integrity, and availability of GxP data during transfer and storage.

System Validation

We follow a rigorous validation process, including Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ), to ensure our MFT solution operates as intended.

Change Control and Configuration Management

All changes to our MFT solution, including software updates and configuration changes, undergo strict change control processes to ensure traceability, risk assessment, and regulatory compliance.

Supplier and Subcontractor Management

We maintain a comprehensive supplier and subcontractor evaluation and qualification program to ensure the quality and compliance of all products and services integrated into our MFT solution.

Proactive & Continuous Testing

Thru employs frequent penetration tests across environments to validate security posture, audit configurations, and identify risks. Daily automated scans run by internal teams cover external-facing assets to detect network and application changes that expand attack surfaces and vulnerabilities. We complement regular static and dynamic analyses with annual assessments from accredited third-party agencies.

Incident Management and Corrective/Preventive Actions

We maintain robust incident management processes, including root cause analysis and corrective/preventive action plans, to address any deviations, non-conformances, or potential quality issues proactively.

GxP Validation

Thru's GxP Validation Process

Thru’s systems and software are GxP validated to ensure compliance with regulatory standards in controlled environments. Our GxP validation process guarantees that all system processes are reliable, traceable, and meet the necessary regulatory requirements. This includes:

· Documenting processes and controls to verify compliance with GxP standards.
· System testing, including installation, operational, and performance qualification (IQ, OQ, PQ) tests to ensure functionality.
· Audit trails to track and record all system actions and data changes for full traceability.

Through our GxP validation, Thru ensures that our systems maintain product integrity, meet regulatory expectations, and support safety and compliance in regulated environments.

GxP Scope

Thru Validation

Thru's Quality Management System

Thru maintains a comprehensive quality management system featuring a structured organizational chart, documented job descriptions, and clearly defined roles and responsibilities. Our risk management process and board charter ensure proper oversight, while real-time monitoring of controls, including training, is publicly accessible via our trust portal (https://trust.thruinc.com).

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25)

Change Management Policy (POL-005-2024.06.11)

Thru's formal process for training employees.

New hires are required to complete information security awareness training during onboarding, and all personnel must complete annual security and privacy training thereafter. The training covers security policies, best practices, and responsibilities.

Information Security Policy (POL-013-2024.06.25)

Thru's knowledge of regulatory requirements, including 21 CFR Part 11 and Annex 11.

All Thru staff are required to complete annual security awareness training.

Thru's formal process to manage and resolve deviations, open issues and discrepancies within the quality management system.

Thru has a defined disciplinary process for policy violations, a change management policy for system changes, and an incident response plan for security incidents. These processes involve documentation, investigation, escalation, and corrective actions. A library of Thru policies can be found on our publicly available trust portal: https://trust.thruinc.com/

Thru's process for internal self-assessments and auditing program, which includes annual scheduling, Management and QA involvement, tracking and monitoring of remediation efforts, and an escalation process if needed.

Thru conducts internal self-assessments and audits. This includes periodic risk assessments, continuous control monitoring, and annual policy reviews. Management is involved in performance evaluations and policy reviews, while compliance automation software is used for ongoing control monitoring.

Thru's support for regulatory authority inspections, including access to physical property by inspectors, access to documentation by inspectors, and disclosure of subcontractor audit reports.

Thru supports regulatory authority inspections. Access to physical property and documentation is granted to authorized inspectors. Visitors, including inspectors, are authorized before entering and escorted at all times within company facilities.

Thru's process to ensure control over third-party vendors that have access to applications, platforms, or databases for troubleshooting, maintenance, etc.

Thru has a comprehensive process to ensure control over third-party vendors with access to applications, platforms, and databases. This includes maintaining a vendor register, executing agreements with security and privacy requirements, and conducting annual compliance reviews for critical vendors. Thru also implements access controls and periodic access reviews for third-party accounts.

Vendor Management Policy (POL-022-2024.06.25) 

Thru's traceability process for the Lifecycle documentation of the system(s)/service(s)

Thru maintains traceability throughout the lifecycle documentation of its systems and services. This is achieved through various mechanisms including maintaining records of privacy rights requests, documenting breaches or unauthorized disclosures, and providing user guides and system documentation. Thru also implements configuration management practices to track changes and maintain audit trails.

Thru's formal process for risk management, which covers all parts of the services (development, validation, operation).

Thru has a formal process for risk management covering all parts of its services. The process includes identifying risks and assigning risk owners, defining risk tolerance, evaluating and treating risks, and conducting periodic risk assessments. This process applies to the entire scope of Thru's information security program, including the development, validation, and operation of services.  

Risk Assessment Policy (POL-019-2024.06.25)

Thru's process for external access to our validation life cycle documentation.

Thru provides external access to validation life cycle documentation. Documentation is available online and can be shared upon request, subject to an NDA for certain technical documents. Thru offers various formats including MS Word, HTML, XML, PDFs, and video.

Thru's formal process and methodologies used for software development.

Thru uses an Agile methodology for software development. The process includes iterative development, continuous integration/continuous deployment (CI/CD), and regular sprints. This approach ensures flexibility, continuous improvement, and rapid adaptation to changing requirements.  

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25)

Thru's formal process for source code review, including tools used, manual methods, and coding standards.

Thru has a formal process for source code review. Changes are peer-reviewed and approved before deployment by someone other than the developer. The company uses automated mechanisms like branch protection settings in the production code repository to enforce review requirements.  

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25) 

Thru's formal process for developer testing (i.e. testing performed by software developers, e.g. unit testing, integration testing). 

Thru has a formal process for developer testing. Developers perform unit tests and end-to-end tests on all software and systems. The company uses static application security testing (SAST) tools as part of the CI/CD pipeline to detect vulnerabilities in the code base. Changes are tested in separate pre-production environments before deployment to production.  

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25) 

Thru's formal process for the release of a software version or patch. 

Thru has a formal process for releasing software versions and patches. Changes are peer-reviewed and approved before deployment, with automated mechanisms enforcing review requirements. The QA function is involved through testing in pre-production environments, and post-deployment QA testing is conducted to ensure changes function as intended in production.

Change Management Policy (POL-005-2024.06.11)

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25)

Thru's product/service specification.

Thru maintains product/service specifications in a cumulative and up-to-date manner. Thru provides user guides, help articles, system documentation, and other mechanisms to share information about the design and operation of the system, including functional and non-functional requirements. These are kept current for each release.

Thru's formal process for source code control. 

Thru uses a version control system to manage source code, change documentation, release labelling, and other change management tasks. Access to the version control system is restricted to authorized personnel. Changes are peer-reviewed and approved before deployment, with review requirements enforced through automated mechanisms such as branch protection settings in the production code repository.

Thru's process for segregation of duties between software developers/system administrators and administration of customer instances.

Thru has documented the segregation of duties between software developers, system administrators, and administration of customer instances. Pre-production environments are separated from production environments with access controls. Access to deploy changes to production is restricted to authorized personnel, and developers do not have access to customer instances.  

System Access Control Policy (POL-021-2024.06.25)

Thru's formal process for qualification of data centres/computer rooms and our infrastructure systems and components needed for operation.

Thru has a formal process for qualifying data centres and infrastructure systems. This includes maintaining physical and virtual infrastructure, implementing security controls, and ensuring compliance with industry standards. Thru relies on its cloud infrastructure service provider for physical security and environmental control of data centres. Infrastructure systems are under the scope of the Software Development Life Cycle Policy at Thru. Thru has a policy for cloud service provider management and assessment, which is covered in the Vendor Management Policy.

Vendor Management Policy (POL-022-2024.06.25) 

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25)

Thru's formal process for configuration management: Configuration Specifications (for standard configuration and BI configurations).

Thru’s process for implementing Validation Plans and Reports for each release of system(s) and service(s) deployed to customer instances.

Thru has validation plans and reports in place for each system release. Changes are tested in separate environments before production deployment. Quality assurance testing results are reviewed and approved by appropriate representatives before moving releases to production. Changes are also monitored for success after deployment.

Thru's process for Configuration & Installation (IQ) Testing Plans and Reports for the installation or deployment of customer instances.

Thru has Configuration & Installation (IQ) Testing Plans & Reports in place for customer instances. Changes are tested in an environment separate from production before deployment. Documented evidence of testing criteria and results is retained.

Thru's Functional (OQ) Testing Plans and Reports (including test cases) for each release of system(s) and service(s).

Thru has functional testing plans and reports in place for each system release. Changes are tested in a separate environment before deployment, with documented evidence of testing criteria and results retained. The testing covers usability, security, effects on other systems, and user-friendliness. QA is included in the Testing Plans & Reports approvals.

Thru has a formal testing process that follows Data Integrity and Good Documentation Principles. The process includes pre-approved test scripts, expected results, recording of actual results beyond pass/fail, and supporting evidence such as screenshots.

Software Development Life Cycle (SDLC) Policy (POL-020-2024.06.25)

Thru's formalized Change Management process.

Thru has a formalized Change Management process. Changes to all system components in the production environment are made according to established procedures that include documentation, security impact evaluation, approval, and testing. The process covers infrastructure, system, and application changes.

Change Management Policy (POL-005-2024.06.11)

Thru's formal process for change control. 

Thru has a formal process for change control that comprises the following steps:
· Review and approval of changes before change initiation
· Formal release before delivery to customer (for software) or implementation in production environments
· Link to the customer's change control process

Changes are reviewed and approved prior to initiation, formally released before delivery or implementation, and tested in separate environments. The process includes documentation, security impact evaluation, and approval by authorized parties.

Change Management Policy (POL-005-2024.06.11)

Thru's formal process for access to customer data and changes of customer data which involves the customer.

Thru has a formal process for access to customer data and changes of customer data involving the customer. Thru obtains consent from data subjects before collecting personal information. For changes to customer data, Thru notifies customers of intended changes in sub-processors that process personal information, allowing customers to object.

System Access Control Policy (POL-021-2024.06.25)

Thru's process for the procedural link between the problem reporting mechanism and change control for the product.

Thru has a procedural link between problem reporting and change control. Changes to system components are documented, including security impact assessments, and follow established procedures for testing and approval. Problem reports can initiate changes, which then go through the formal change management process. Thru uses Jira to maintain traceability between problem reports and change control tickets by creating unique identifiers for each and establishing direct links between related tickets. This linking functionality ensures a complete audit trail from problem identification through change implementation, with full visibility of associated documentation and approvals throughout the process.

Thru's formal process for periodic review, which covers all customer instances of the service.

Thru has a formal process for periodic review of customer instances. Management performs user access reviews periodically to validate that user accounts and privileges remain appropriate based on job function. This review includes validation of logical and physical access as necessary.

Thru conducts periodic reviews through multiple mechanisms:
· Annual management review of security policies, procedures, and controls
· Regular security monitoring and assessment of customer instances
· Periodic evaluation of:
  · Change management effectiveness
  · System development lifecycle processes
  · Security incidents and resolution
  · System performance and capacity
  · Customer configurations and access controls

Thru's business continuity program.

Thru has a comprehensive business continuity program. It includes a defined business continuity plan, disaster recovery plan, and redundancy strategies for critical systems and processes. Thru conducts annual tests of these plans, documenting results and updating them as necessary.

Thru's disaster recovery process, which is tested periodically and linked with the business continuity program.

Thru has a disaster recovery process that is tested periodically and linked with the business continuity program. Thru conducts tests of the business continuity/disaster recovery plans at least annually. Results and lessons learned are documented, and updates to the plans are made as necessary.

Documentation of the DR process is available here: https://trust.thruinc.com/

Thru's disengagement policy.

Thru has a disengagement policy. System and physical access is revoked within one business day of the effective termination date for terminated users, including employees, third parties, and vendors. Additionally, user IDs that have been inactive for 30 days are revoked, and user privileges are reevaluated annually.

Thru also has a formal disengagement process documented in our Data Processing Agreement (POL-DPA-2024). Upon contract termination, the data return process is as follows:
· Customer Data will be returned to Customer in a pre-agreed format upon request.
· The format and timeline for data transfer will be mutually agreed upon by both parties in the MSA.

Thru's data center operational procedures. 

Thru protects its data centres with comprehensive operational procedures. These include strict physical and logical access controls, advanced fire protection systems, and robust environmental controls to maintain optimal conditions for equipment operation. Thru production SaaS multi-tenant environments are hosted in Microsoft Azure.

Thru's formal process for access to the cloud services (customer instances) by all providers and third-party employees.

Thru has a formal process for access to cloud services by providers and third-party employees. This includes a documented account management process, periodic access reviews, and formal documentation and authorization for all access requests. Third-party remote access is monitored for unexpected activity.

System Access Control Policy (POL-021-2024.06.25)

Thru's Backup & Recovery process.

Thru has a documented backup and recovery process. Automated backups of all customer and system data are performed hourly to a separate region for protection against catastrophic loss. Backups are encrypted, and backup jobs are monitored and alerted on by Elastic, with automated notifications sent to personnel in case of backup failures.

Backup Policy (POL-003-2024.06.06)

Thru's documented System/Service Monitoring process.

Thru’s monitoring process involves continuous audit logging and regular reviews of system activity across all components, including applications, infrastructure, network, and security tools. The purpose is to assess system controls, operations, and security. Ongoing monitoring ensures that potential issues are identified and addressed promptly, maintaining the integrity and security of Thru’s systems and the data it handles.
Thru has a formal system monitoring process documented.

Logging and Monitoring Policy (POL-014-2024.06.25)

Thru's formal process of system maintenance, including handling of bugs, security patches etc.

Based on our Change Management Policy (POL-005-2024.06.11), at Thru Inc. we maintain our systems through our established change management process. All software changes undergo testing for usability, security, and system impacts in separate test environments before deployment. We use GitHub and Jira for configuration management, require CIO approval for production changes, and maintain an expedited process for critical security vulnerabilities. Changes are tracked via audit logs, with rollback strategies and post-deployment QA testing ensuring system stability.

Thru's formal process for error and problem management, which includes prompt notification of customers.

Thru provides external communication mechanisms for customers to report issues, and the support team responds within defined SLAs. For security breaches, Thru notifies customers without undue delay, within 72 hours of becoming aware of the incident.

Incident Response Plan (POL-012-2024.06.25)

Thru's formal process for control of employee accounts and access to applications.

Management performs periodic user access reviews to validate user accounts, including third-party accounts, and their associated privileges. Access requests are documented and approved based on least privilege principles. Changes resulting from reviews are implemented.

System Access Control Policy (POL-021-2024.06.25)

List of documents and policies to support this validation.

All copies of referenced policies are publicly available at https://trust.thruinc.com/

Document ID          Description
POL-021-2024.06.25   System Access Control Policy
POL-012-2024.06.25   Incident Response Plan
POL-014-2024.06.25   Logging and Monitoring Policy
POL-003-2024.06.06   Backup Policy
POL-DPA-2024         Data Processing Agreement
POL-005-2024.06.11   Change Management Policy
POL-022-2024.06.25   Vendor Management Policy
POL-020-2024.06.25   Software Development Life Cycle (SDLC) Policy
POL-019-2024.06.25   Risk Assessment Policy
POL-013-2024.06.25   Information Security Policy

Conclusion

We continuously review and update this policy to ensure ongoing compliance with evolving GxP regulations and industry best practices.

For any GxP compliance-related inquiries or concerns, please contact our Security Operations team at helpcenter@thruinc.com.
