Skip to main content
Seal is hosted on Google Cloud Platform (GCP), leveraging enterprise-grade infrastructure with SOC 2 Type II, ISO 27001, and HIPAA certifications. Seal also maintains its own SOC 2 Type II certification—viewable at our Security Portal. For hosting regions and infrastructure details, see Infrastructure. For backup policies, see Backup and disaster recovery.

Data retention

Customer data (including scientific records, audit trails, electronic signatures, and uploaded files) is retained for the lifetime of your subscription, plus a minimum of three years after termination. For pharmaceutical and regulated customers who require longer retention periods (e.g., lifetime of product + X years), extended retention terms can be agreed contractually. Archived records remain fully accessible in the database with their complete audit trail. GxP records and audit trails are immutable — they cannot be deleted or overwritten by any user or administrator. See Data backup and disaster recovery for backup and recovery details.

Data access

Seal employees are bound by strict confidentiality agreements. Access to customer data is granted only when necessary for implementation or support, and is logged and auditable.

Security controls

Customer data is protected through multiple layers:
  • Encryption: Data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Network isolation: Private VPC with no public database access
  • Monitoring: Continuous security monitoring and annual third-party penetration testing
  • Incident response: Defined response procedures with rapid notification

Independent assurance

Seal maintains a SOC 2 Type II certification, independently audited annually. The SOC 2 report and the most recent third-party penetration test report are available to customers and prospective customers under NDA — request them through your account representative or via our Security Portal. Seal supports vendor audits. Customers can review internal SOPs, quality management documentation, and development practices as part of their supplier qualification process. Contact your account representative to schedule.

Shared responsibility

Seal secures the infrastructure and application. Customers are responsible for:
  • Credentials: Enable 2FA and enforce strong password policies
  • Device security: Secure devices used to access Seal
  • Access management: Regularly review and revoke access for users who no longer need it

Why cloud?

Seal is a fully managed cloud platform. There are no servers to provision, no software to install, and no infrastructure to maintain. Updates and security patches are applied automatically without disrupting your work. This approach provides real-time access from any device, automatic scaling, and enterprise-grade reliability—without the overhead of managing on-premise infrastructure.