Security.
Last updated: 2026-05-27
The short version
Entelik handles pharmaceutical batch records, deviation logs, and e-signed approvals — material that has to survive a regulatory inspection without modification. Security is not a feature here; it's the substrate.
Data protection
In transit
All connections to Entelik are encrypted with TLS 1.2 or higher; SSL and TLS 1.0/1.1 handshakes are rejected. Modern cipher suites only; weak ciphers are disabled at the load balancer, so they cannot be negotiated regardless of what a client offers.
At rest
Production data is encrypted at rest using AES-256. Database backups are encrypted with the same standard. Encryption keys are managed by the underlying cloud provider's key management service and rotated on the provider's standard cadence.
Backups
Automated daily backups with point-in-time recovery for the prior 30 days. Backups are stored in a separate region from the production database.
Infrastructure
Entelik runs on AWS / GCP infrastructure in regions selected for proximity to Indian and Southeast Asian customers. We use managed services where possible to limit our attack surface: managed Postgres, managed Kubernetes, managed object storage. We do not run our own datacenters.
Access controls
- Role-based access is enforced at every API boundary. Roles: operator, supervisor, qa_reviewer, qa_approver and admin, plus site-admin scoping.
- Critical e-signatures re-prompt for username and password every single time. No SSO passthrough for GMP-significant signatures. No PIN. No checkbox.
- Three-strike lockout on signature attempts, enforced server-side. Administrator override requires a separate signed event.
- All authentication events are audit-logged and immutable.
- Administrator access to production infrastructure is restricted to a named list, requires MFA, and is logged.
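The signature and lockout rules above, as an added example written for this page (it is not Entelik's code). It assumes an in-memory user store and audit list as stand-ins for the database, PBKDF2 for password hashing, and a role named admin for the override; the exact rules a deployment applies are Entelik's, not shown here.

```python
"""E-signature re-authentication with a server-side three-strike lockout.

Added illustration, not Entelik's code. The user store, audit list and PBKDF2
parameters are assumptions; production would back them with the database.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # three strikes, counted and enforced server-side


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str
    failed_signatures: int = 0
    signing_locked: bool = False


def new_user(username: str, password: str, role: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), role)


class SignatureService:
    def __init__(self, users: list[User]):
        self.users = {u.username: u for u in users}
        self.audit: list[dict] = []  # append-only event list (stand-in for the audit trail)

    def _log(self, event: str, who: str, **detail) -> None:
        self.audit.append({"event": event, "who": who, **detail})

    def _verify(self, username: str, password: str) -> User | None:
        user = self.users.get(username)
        # Always run the hash so timing does not reveal which usernames exist.
        salt = user.salt if user else b"\x00" * 16
        expected = user.pw_hash if user else b"\x00" * 32
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        return user if (user is not None and ok) else None

    def sign(self, username: str, password: str, record_id: str, meaning: str) -> str:
        """Apply a GMP-significant signature. Credentials are required every time;
        an authenticated session is not a substitute."""
        user = self.users.get(username)
        if user is not None and user.signing_locked:
            self._log("signature_rejected", username, record_id=record_id, reason="locked")
            return "locked"
        if self._verify(username, password) is None:
            if user is not None:
                user.failed_signatures += 1
                if user.failed_signatures >= MAX_FAILED_ATTEMPTS:
                    user.signing_locked = True
                    self._log("signature_lockout", username, record_id=record_id)
            self._log("signature_rejected", username, record_id=record_id, reason="bad_credentials")
            return "bad_credentials"
        user.failed_signatures = 0
        self._log("signature_applied", username, record_id=record_id, meaning=meaning)
        return "signed"

    def admin_unlock(self, admin_username: str, admin_password: str,
                     target_username: str, reason: str) -> bool:
        """Lift a lockout. The override is its own signed, audited event."""
        admin = self._verify(admin_username, admin_password)
        if admin is None or admin.role != "admin":
            self._log("unlock_rejected", admin_username, target=target_username)
            return False
        target = self.users.get(target_username)
        if target is None:
            return False
        target.signing_locked = False
        target.failed_signatures = 0
        self._log("signature_unlock", admin_username, target=target_username, reason=reason)
        return True
```

The two things worth copying are that the counter and the lock live on the server, so a client cannot reset them by reloading the page, and that the override path re-verifies the administrator's own credentials and writes its own audit event rather than silently clearing the flag.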
Audit trail
Every record-modifying event is captured in an append-only audit log: who, when, what, why, before, after. Audit entries cannot be deleted or edited. Records themselves cannot be deleted — amendments create a new version while preserving the original. This is the same posture required by 21 CFR Part 11.
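One way to enforce the append-only and versioning rules above at the database layer, as an added example that is not Entelik's schema. It uses SQLite as a stand-in for the managed Postgres the page describes (the same BEFORE UPDATE/DELETE triggers can be written in PL/pgSQL); table and column names are assumptions.

```python
"""Append-only audit log and immutable record versions, enforced by triggers.

Added illustration, not Entelik's schema. SQLite stands in for Postgres;
the sample batch-record values below are constructed for the example.
"""
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE record_versions (
    record_id TEXT NOT NULL,
    version   INTEGER NOT NULL,
    body      TEXT NOT NULL,
    PRIMARY KEY (record_id, version)
);
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY,
    who       TEXT NOT NULL,
    at        TEXT NOT NULL,
    what      TEXT NOT NULL,
    why       TEXT NOT NULL,
    record_id TEXT NOT NULL,
    before    TEXT,
    after     TEXT
);
-- The database itself refuses any UPDATE or DELETE on the audit log.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
-- Record versions are never edited or deleted; an amendment is a new row.
CREATE TRIGGER records_no_update BEFORE UPDATE ON record_versions
BEGIN SELECT RAISE(ABORT, 'record versions are immutable'); END;
CREATE TRIGGER records_no_delete BEFORE DELETE ON record_versions
BEGIN SELECT RAISE(ABORT, 'record versions are immutable'); END;
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def current_version(conn: sqlite3.Connection, record_id: str):
    """Latest (version, body) for a record, or None if it does not exist yet."""
    return conn.execute(
        "SELECT version, body FROM record_versions WHERE record_id=? "
        "ORDER BY version DESC LIMIT 1", (record_id,)).fetchone()


def amend(conn: sqlite3.Connection, who: str, record_id: str, new_body: dict, why: str) -> int:
    """Write a new version and its audit entry (who, when, what, why, before, after)
    in one transaction; returns the new version number."""
    prev = current_version(conn, record_id)
    version = 1 if prev is None else prev[0] + 1
    before = None if prev is None else prev[1]
    after = json.dumps(new_body, sort_keys=True)
    with conn:  # commit both rows or neither
        conn.execute("INSERT INTO record_versions VALUES (?, ?, ?)", (record_id, version, after))
        conn.execute(
            "INSERT INTO audit_log (who, at, what, why, record_id, before, after) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            (who, datetime.now(timezone.utc).isoformat(),
             "create" if prev is None else "amend", why, record_id, before, after))
    return version


def history(conn: sqlite3.Connection, record_id: str) -> list:
    return conn.execute("SELECT version, body FROM record_versions WHERE record_id=? "
                        "ORDER BY version", (record_id,)).fetchall()


def audit_entries(conn: sqlite3.Connection) -> list:
    cur = conn.execute("SELECT who, at, what, why, record_id, before, after "
                       "FROM audit_log ORDER BY id")
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def try_tamper(conn: sqlite3.Connection, sql: str):
    """Run a destructive statement; returns the trigger's error text, or None if it went through."""
    try:
        with conn:
            conn.execute(sql)
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)
```

The triggers only hold if the application's database role cannot drop them, so the connection the service uses should have no DDL privileges; that separation is what turns "cannot be deleted or edited" from an application convention into a database guarantee.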
Vulnerability management
Dependencies are scanned continuously; high-severity issues are remediated within seven days of public disclosure. Penetration testing is performed by an independent third party prior to GA and annually thereafter; the most recent summary is available on request under NDA.
Incident response
If we detect or are notified of a security incident affecting your data, we will inform your designated security contact within 72 hours of confirming the incident, share what we know, what we don't know, and what we're doing about it, and provide a written postmortem within 30 days.
Sub-processors
We use a small, named list of sub-processors (cloud infrastructure, email delivery, error reporting, analytics). The current list is available on request and is updated before any new sub-processor is added.
Reporting a vulnerability
If you believe you've found a security issue, please email security@entelik.com. We acknowledge within 48 hours. We don't have a paid bug bounty program yet; we do credit researchers on request once an issue is fixed.