Supplier Quality Assessment Pack
20 February 2026 · GxP — Confidential
Applicable Regulations: EU GMP Annex 11 (2025 Draft), Annex 22 (2025 Draft), 21 CFR Part 11, GAMP 5 Second Edition. Prepared by Vilmer Frost, Founder & CEO, BatchCortex.
1. Company Overview
BatchCortex is a Swedish software company developing GMP-compliant AI batch monitoring infrastructure for pharmaceutical manufacturers. The company is incorporated in Stockholm, Sweden, operating under Swedish law and subject to EU regulatory frameworks.
| Field | Details |
|---|---|
| Company Name | BatchCortex |
| Registered Country | Sweden |
| Primary Contact | Vilmer Frost — vilmer@batchcortex.com |
| Website | batchcortex.com |
| Product | BatchCortex — AI Batch Monitoring Platform |
| GAMP 5 Classification | Category 4/5 — Configurable/Custom Application with GMP Impact |
2. Quality System Declaration
BatchCortex operates under a documented quality framework aligned with GAMP 5 Second Edition principles and EU GMP Annex 11 requirements.
2.1 Software Development Controls
- Version-controlled codebase using Git with enforced branching strategy
- Change control procedure: all production releases reviewed before deployment
- Semantic versioning applied to all releases (MAJOR.MINOR.PATCH)
- Automated testing suite covering critical GMP functions
- Sentry application monitoring for real-time error detection across all critical routes
2.2 Data Integrity Controls
- Immutable audit trail — all records are insert-only; no deletion permitted
- Electronic signatures implemented per 21 CFR Part 11 and Annex 11 requirements
- ALCOA+ compliance: all data is Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available
- Cryptographic hash verification on all signed batch records
- Store-and-forward buffering (SQLite) ensures no data loss during connectivity interruption
2.3 Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-tenant architecture with Row-Level Security (RLS) ensuring data isolation between organisations
- All authentication via secure session tokens with expiry
- All API endpoints authenticated; escalation trigger endpoint protected by shared secret
2.4 Infrastructure & Security
- Hosted on Supabase EU region (Frankfurt) — data does not leave the EU/EEA
- All data in transit encrypted via TLS 1.3
- All data at rest encrypted (AES-256)
- AI inference via Berget AI (Swedish sovereign infrastructure) — no data leaves EU
- OPC-UA edge client operates in read-only mode — cannot write to customer production equipment
2.5 Business Continuity
- Edge agent operates continuously with automatic OPC-UA reconnection (exponential backoff)
- Local SQLite buffer prevents data gaps during cloud connectivity interruption
- Sentry monitoring alerts BatchCortex team of production incidents before customers are affected
- Supabase daily automated backups with point-in-time recovery
3. AI System Governance (Annex 22 Compliance)
BatchCortex uses AI/ML for anomaly detection in batch process data. The following governance measures comply with the EU GMP Annex 22 draft requirements:
| Requirement | BatchCortex Implementation | Status |
|---|---|---|
| Intended use defined | Anomaly detection in critical process parameters (temperature, pressure, RPM). Not for batch release decisions. | Compliant |
| Fixed/deterministic model | Isolation Forest (static, validated model). Model does not self-update in production. | Compliant |
| Human oversight | Ghost Operator architecture: AI detects and drafts, human QA approves. No autonomous batch release. | Compliant |
| Generative AI scope | Berget AI used for deviation report drafting only. Human QA reviews and electronically signs all reports. | Compliant |
| Performance monitoring | QA feedback loop records analyst decisions for model drift monitoring. | Compliant |
| Training data quality | Simulation data validated against real process parameters. Customer data used only with consent. | Compliant |
| Change control | Model version tracked. Significant model changes trigger re-validation notification to customers. | Compliant |
4. Sub-Processor Disclosure
BatchCortex engages the following sub-processors in the delivery of the platform. All sub-processors maintain EU data residency and are bound by EU Standard Contractual Clauses (SCCs).
| Supplier | Country | Role | Data Processed |
|---|---|---|---|
| Supabase Inc. | EU (Frankfurt) | Database & Authentication | Batch records, sensor data, user accounts |
| Berget AI | Sweden | AI Report Generation | Process parameters — no personal data |
| Twilio Inc. | EU (Ireland) | SMS/Voice Escalation | Phone numbers (with explicit consent) |
| Sentry (Functional Software) | EU (Frankfurt) | Error Monitoring | System logs, stack traces — no batch data |
| Resend Inc. | EU (Ireland) | Transactional Email | Email addresses only |
| Vercel Inc. | EU (Frankfurt) | Frontend & API Hosting | No personal or batch data stored |
5. Documentation Available to Customers
| Document | Description | Reference |
|---|---|---|
| Supplier Quality Assessment | This document | BC-SQA-001 |
| Validation Support Package | IQ/OQ template protocols for customer execution | BC-VSP-001 |
| Change Control SOP | How software updates are managed and communicated | BC-SOP-CC-001 |
| Traceability Matrix | Requirements mapped to test evidence | Included in VSP |
| EU AI Act Classification | AI Act compliance posture and classification rationale | batchcortex.com/legal/ai-act |
| Data Processing Agreement | GDPR Article 28 DPA template | batchcortex.com/legal/dpa |
6. Authorisation
| Field | Details |
|---|---|
| Prepared By | Vilmer Frost, Founder & CEO |
| Date | 20 February 2026 |
| Document Number | BC-SQA-001 · Version 1.0 |
| Next Review | 20 February 2027 — Annual review cycle |
This document is controlled. For the latest version, contact vilmer@batchcortex.com.