MasterControl - Cloud FAQ

Uploaded by

Ngoc Sang Huynh

Q&A Document

MasterControl Cloud Platform: Frequently Asked Questions (FAQ)

TABLE OF CONTENTS

Executive Summary

MasterControl Cloud Platform
Q1: Is MasterControl a SaaS model?
Q2: How is the MasterControl Cloud Platform architected?
Q3: Are all of MasterControl’s solutions built on the same platform?
Q4: What is the difference between MasterControl Cloud, on-premise, and hosted?

MasterControl Cloud Benefits
Q5: What are some of the key benefits of SaaS?
Q6: Is the SaaS model proven and reliable in highly regulated industries?
Q7: Will MasterControl Cloud cost me more than my on-premise software?

Configuration and Integrations
Q8: Can I configure MasterControl SaaS to my unique requirements?
Q9: Can I integrate MasterControl with my IT and enterprise applications?
Q10: Does MasterControl integrate or partner with third-party service providers?
Q11: What are your guidelines for customisations and who can perform the customisations?

Application Availability
Q12: In what geographies/data centres is MasterControl deployed?
Q13: We are a 24x7 operation. Can we expect around-the-clock support globally?
Q14: Does MasterControl have a single point of failure?

Data Security
Q15: Who owns my data and how much control do I have over the data?
Q16: How does MasterControl’s technology platform safeguard my data?
Q17: What does MasterControl’s HIPAA compliance mean for customers?
Q18: How does MasterControl handle data segregation?
Q19: What happens to our data upon termination?
Q20: Our company needs to adhere to strict internal and external regulatory controls. Does that limit us to on-premise software?

System Security
Q21: How does MasterControl handle system security?

Software Security
Q22: How does MasterControl handle software security practices and secure software development?
Q23: How does MasterControl handle application vulnerability assessments?

User Credentials and Access Management
Q24: How does MasterControl handle user password management and login policies?
Q25: How does MasterControl handle user authentication and single sign-on (SSO)?
Q26: How does MasterControl handle audit trails?

Infrastructure Security
Q27: How is data centre access handled?

Human Resources Security
Q28: How is human resource security managed?

Backup, Continuity, and Recovery
Q29: Does MasterControl have a business continuity and disaster recovery program?
Q30: How does MasterControl manage data backups?

Maintenance and Upgrades
Q31: How will MasterControl make sure my applications are up to date?
Q32: How will the upgrade process impact my configurations?
Q33: How will the upgrade process impact my system validation?

Validation (For more information, view the MasterControl Validation Strategy FAQ.)
Q34: What are MasterControl’s principles for its SaaS validation strategy?
Q35: What tests does MasterControl perform before validation?

Compliance
Q36: What types of quality, security, and/or third-party audits does MasterControl’s technology platform follow or undergo?

About MasterControl

Executive Summary
Companies worldwide are transitioning traditional enterprise systems
to Software as a Service (SaaS) application solutions for core business
functions and advanced data, analytics, and artificial intelligence applications.
SaaS solutions more effectively address customers’ needs and enable
more agility, scalability, and adaptability to market opportunities. With
MasterControl SaaS offerings, regulated customers derive even greater
value by reducing operational cost and minimising risk.

This frequently asked questions (FAQ) document provides an overview of
MasterControl’s general approach to its SaaS model. It addresses the most
common questions received from customers and prospects, across all
industry verticals.

MasterControl Cloud Platform


Q1: Is MasterControl a SaaS model?
Yes. MasterControl’s solutions are built on the MasterControl Platform™,
which is one integrated platform deployed as a SaaS model with managed
upgrades on a quarterly or annual basis determined by the customer.

Q2: How is the MasterControl Cloud Platform architected?


The architecture meets the most rigorous usability, scalability,
performance, validation, and security requirements demanded by our
customers that do business in regulated environments. Customers can
automate their operations and accelerate outcomes while reducing the total
cost of ownership.

[Figure: MasterControl Cloud Platform architecture. Labels: Client, Internet, Firewall; Isolated Services (Analytics Database, EFP Storage, Presentation); Shared Resources (Publishing, Reverse Proxy, SMTP Relay); Cloud environments Dev, Production, and Test, each with instances 001, 002, 003, ..., a Database Resource, EFP Storage, and a Publishing Resource.]

The platform solutions are built in Java/Angular with an MS SQL database
— all delivered in the cloud to meet a variety of customer situations and
environments. Most customers are deployed on Amazon Web Services
(AWS). Each customer receives a dedicated instance of MasterControl that
is specifically assigned to the customer. Each customer also has their own
database, EFP (electronic file path), and associated service accounts and
permissions, fully isolating customers from one another. We operate in a
single-tenant model with a shared back-end infrastructure, data isolation,
and associated controls.

MasterControl uses S3 (Amazon Simple Storage Service) buckets for file
storage. S3 buckets, which are similar to file folders, store data and its
descriptive metadata. Each customer has a dedicated S3 bucket.

Q3: Are all of MasterControl’s solutions built on the same platform?


Yes. MasterControl solutions have always been built from the ground up on
one connected platform, not through acquisition like many SaaS solutions
today. The MasterControl Platform gives our highly regulated customers
a modern, scalable architecture to automate (digitise) and improve critical
business processes (CBP) across the product life cycle from product
conception to commercialisation and beyond.

Q4: What is the difference between MasterControl Cloud, on-premise, and hosted?
We firmly believe that the cloud is the future. It is the optimal model for
delivering innovation and customer value.

• Cloud: Customers running MasterControl on the cloud platform, hosted by
AWS. The upgrade cadence is automatic on a quarterly or annual basis, which
is managed and performed by MasterControl.
• On-premise: Customers running MasterControl at their own facility, on their
internal IT infrastructure. The upgrade cadence is determined by the customer
and the upgrade process is assisted by MasterControl.
• Hosted: Customers running their own instance of MasterControl on the cloud
platform, hosted by AWS. The upgrade cadence is determined by the customer
and assisted by MasterControl.

Currently, MasterControl maintains two code bases:

• Cloud: For customers operating MasterControl on the cloud platform.
Upgrades are automatic and are managed and performed by MasterControl.
Customers select the cadence for their upgrades (annual or quarterly), but the
heavy lifting of completing the upgrade falls on MasterControl.
• Classic: Classic is for customers who choose to continue using MasterControl
on-premise or in a non-cloud, hosted environment. They choose to upgrade
at their discretion. Classic releases occur on a slower cadence than Cloud,
following a mainstream support plan. The support commitment for Classic
ends in 2023 and the extended support ends in 2025.

MasterControl Cloud Platform


Q5: What are some of the key benefits of SaaS?
Benefits for businesses that deploy SaaS solutions include:

• Accelerated scalability and adaptability.
• Better security, as security measures and technologies are frequently updated.
• Faster access to the most recent product innovations.
• Rapid deployment and faster time-to-value with lower upfront costs.
• Accessibility from virtually anywhere.
• Reduced risk with quarterly upgrades, compared to longer release cadences.
• Automatic upgrades with no customer involvement other than validation.
• Much faster validation than on-premise systems — in many cases, cutting the
validation time from months and weeks to days, and in some situations, hours.

Q6: Is the SaaS model proven and reliable in highly regulated industries?
When companies consider implementing cloud-based solutions, data security is
a prominent concern. MasterControl is committed to ensuring the confidentiality,
integrity, and availability of customer data by using AWS, an industry-proven
provider, as the foundation for the MasterControl Platform and solutions.
Agencies like the U.S. Food and Drug Administration (FDA) and the Department
of Health and Human Services’ National Institutes of Health (NIH) are using AWS
as a platform for their SaaS-based solutions.

The most highly regulated companies in the world (pharmaceutical and medical
device manufacturers, blood and biologics organisations, etc.) rely daily on
MasterControl’s cloud solutions to improve efficiencies and accelerate time
to market. MasterControl uses tools and services for testing, monitoring, and
reacting quickly to potential data and security threats while ensuring
security beyond what most organisations can achieve with their internal staff.

MasterControl is designed to be compliant with regulations such as FDA’s 21
CFR Part 11 and the European Commission’s Annex 11. MasterControl is certified
to the ISO 27001, ISO 9001, and ISO 27017 (information security specific to cloud
computing) standards and integrates these frameworks into daily operations.
Certification and adherence to these ISO standards have been verified through
hundreds of customer audits.

Q7: Will MasterControl Cloud cost me more than my on-premise software?


When comparing the short- and long-term costs of deploying and using SaaS
solutions vs. on-premise systems, the overall short-term SaaS costs are slightly
higher. However, SaaS allows for greater customer benefits and fewer expenses
in the long-term because of the following cost-saving benefits:

• No hardware/infrastructure costs: SaaS systems are already installed and
run by MasterControl system infrastructure and security architects, so
there is no need for purchasing or upgrading internal hardware and paying for
specialised IT maintenance and support.
• Less time and labor costs: In a cloud infrastructure, hosting, data
security, and hardware maintenance are managed by MasterControl
instead of the customer.

• Opportunity costs and scalability: By relying on MasterControl’s expertise,
customers are free to channel their resources toward what they do best.
MasterControl eliminates the headaches, labor time, and costs required to
scale an internal infrastructure.

Configuration and Integrations


Q8: Can I customise MasterControl SaaS to my unique requirements?
MasterControl SaaS solutions are designed to be configured rather than customised
through code. Our implementation experts can shape the software to support critical
business requirements through configuration parameters, so customers
can switch on or off options that previously would require custom coding.
These best-practice configurations are reliable and can be validated rapidly.

Customising MasterControl, rather than running it out-of-the-box as written,
can cause validation and performance testing problems. With customisations,
customers are unable to align with the quarterly update schedules, which
delays them in getting the newest features and functionality — a significant
advantage with implementing SaaS.

Q9: Can I integrate MasterControl with my IT and enterprise applications?


Yes. The MasterControl Application Programming Interface (API) framework and
integration ecosystem enable connections that drive today’s digital, data-driven
businesses. An array of custom integrations has been performed with proven
enterprise solutions, including SAP, Oracle, Workday, ADP, and others.

Q10: Does MasterControl integrate or partner with third-party service providers?
Yes. While MasterControl designs, develops, and deploys world-class software,
we recognise that key partnerships help us ensure that the platform delivers
exceptional value and a productive customer experience. Two of our many third-
party partners include Elasticsearch and Logi Analytics’ JReport. MasterControl
provides industry-leading searching through Elasticsearch’s distributed RESTful
search, which is a SaaS service for full-text searches. The JReport analytics
engine delivers business insights to executives and users with its analytics
reporting and dashboarding solutions.

Another third-party partner is Okta, an industry-leading identity management service.
With Okta, passwords are no longer stored in the MasterControl database.
This adds another layer of system security. Login passwords can be used as an
e-signature for Security Assertion Markup Language (SAML), Active Directory
(AD) and local authentication.

Q11: What are your guidelines for customisations and who can perform
the customisations?
As discussed earlier, MasterControl follows a “configure, not customise”
paradigm. (See Q8.)

Application Availability
Q12: In what geographies/data centres is MasterControl deployed?
MasterControl uses AWS as its cloud infrastructure provider based on its global
footprint, industry-defining performance, and ability to deliver high-performing,
secure environments. Data centres are ISO 27001 and ISO 27017 certified and
use Statement of Standards for Attestation of Controls (SSAE) 16/Service
Organisation Controls (SOC) 1 Type II reports.

All customer data — primary and backup — is stored in primary and secondary
data centres in the region specified. (See list below.) Data is stored only on
devices that are attached to the applicable server and not on devices such as
flash drives, compact discs (CDs), or tape. Data is backed up and retained per the
data retention policies defined in the MasterControl Service Level Agreement
(SLA). Access to data is limited to individuals whose roles require such access.

AWS
• North America – United States, Canada
• EMEA – Germany
• APAC – Japan, Singapore, Australia

Q13: We are a 24x7 operation. Can we expect around-the-clock support globally?
Yes. MasterControl provides extended global support for non-business hours
for an additional fee. Standard support hours are provided throughout the
following geographies:

North America
Monday – Friday 6:00 a.m. to 6:00 p.m. Mountain time (GMT – 7:00)
Phone: 1 (800) 825-9177
Email: [email protected]

EMEA
Monday – Friday 9:00 a.m. to 5:30 p.m. GMT
United Kingdom: +44 (0)1256 325 949
United Kingdom (Toll Free): +44 (0)800 138 3534
Germany: 0800-180-0228
Email: [email protected]

APAC
Monday – Friday 10:00 a.m. to 6:00 p.m. AEST time (GMT +10:00)
Australia: +61-38518467
New Zealand: 0800-451110
China: 10-800-130-1830
Hong Kong: +852-300-85785
Email: [email protected]

Japan
Monday–Friday 9:00 a.m. to 5:30 p.m. Japan time (GMT +9:00)
Email: [email protected]

Q14: Does MasterControl have a single point of failure?


Your data and operations are at the heart of our mission. We manage our systems
to meet a 99.95% uptime guarantee, which is above industry standards for
enterprise quality management systems. We employ redundancies, failovers, and
other site reliability engineering practices to keep your systems operational as
we continue to improve our architecture and processes.

Data Security
Q15: Who owns my data and how much control do I have over the data?
Customers reserve all rights, titles, and interests, including all intellectual
property and proprietary rights, in and to their content. Customers determine
how the data is used, who has the right to access, amend and delete it, and how
the data is to be downloaded and stored locally anytime desired. Customers
can request to stop using the solution at any point and the data can be securely
extracted and returned.

MasterControl has policies and procedures in place designed to protect the
security, integrity, and confidentiality of our customers’ data. This includes having
access to data for troubleshooting purposes. All changes made by MasterControl
are tracked through a change management/change control process and undergo
internal review and approval. Our adherence to these policies is validated through
regular, external third-party audits.

Q16: How does MasterControl’s technology platform safeguard my data?


MasterControl is ISO 27001:2013 and ISO 27017:2015 certified and incorporates
very stringent security policies. (See Q6.) Detailed procedures are in place to
ensure the necessary levels of physical security, network security, application
security, internal system security, operating system security, and third-party
certifications. MasterControl also has a quality and compliance team that sets
the policies and coordinates internal audits and third-party audits to ensure that
the requirements are continuously being met.

MasterControl ensures data security by using the industry-standard data
encryption technology called Transport Layer Security (TLS). TLS provides a
high degree of data protection by encrypting all data. To encrypt data in transit,
TLS uses a symmetric-key algorithm with unique keys generated for
each connection — not each customer site. The server’s identity is verified using
public-key cryptography. Hackers cannot obtain or modify the keys for
symmetric encryption at any point without being detected. To ensure data
integrity, TLS checks each message using a message authentication code to
prevent tampering and data loss.

Q17: What does MasterControl’s HIPAA compliance mean for customers?


The Health Insurance Portability and Accountability Act (HIPAA) is a law that
requires the creation of specific standards for protecting sensitive patient
health information (PHI) from being disclosed without the patient’s consent
or knowledge.

HIPAA compliance involves extensive data protection and system security
measures where the PHI is stored and maintained. To remain HIPAA compliant,
companies that store PHI data with a third-party organisation are required to sign
a Business Associate Agreement (BAA) with that organisation. A BAA is a written
arrangement that specifies each party’s responsibilities when it comes to PHI.

MasterControl is HIPAA compliant, which means we can ensure the necessary
protection of PHI. Customers who want the HIPAA-level of data protection must
purchase the HIPAA compliance option and sign a BAA with MasterControl.

The types of data protection under HIPAA include data at rest, in transit
(including PDF communication), and in use (see explanations below).

• Data at rest: To protect data at rest, MasterControl uses an advanced
encryption standard (AES) technique for its TLS digital certificates. Customer
data is stored and encrypted using AES 256-bit encryption, which is the most
secure level of data encryption.
• Data in transit: MasterControl uses an industry-leading, external certificate
authority for its TLS digital certificates with 2048-bit keys and secure hash
algorithm (SHA)-256 signatures and enforces a minimum of 128-bit symmetric
key encryption.
• Data in use: MasterControl tightly controls data in the database and the file
system — no data is cached on your system. We also secure this data with
authentication and controls that are implemented with our Okta integration.

If your company doesn’t need HIPAA-level data protection, you will not have to
pay for it. However, that means you should not store PHI in your system.

If you’re interested in learning more about HIPAA and having a HIPAA compliant
system, talk to your customer account representative.

Q18: How does MasterControl handle data segregation?


MasterControl uses a single-tenant infrastructure with dedicated instances for
each customer. Data is segregated into unique repositories that are controlled
by customer-assigned access rights. These are also combined with dedicated
database instances specific to each customer.

Q19: What happens to our data upon termination?


Upon expiration or early termination, the customer needs to request that
MasterControl provide the most recent and relevant data backup and an
export of document files. MasterControl will provide data export services (i.e.,
the provision of the data files in a non-standard format) per the customer’s
specification (which specification shall be subject to MasterControl’s
agreement and confirmation of feasibility).

Q20: Our company needs to adhere to strict internal and external regulatory controls. Does that limit us to on-premise software?
No. Regulatory controls apply to infrastructure and software operations,
regardless of on-premise or SaaS deployment. Most enterprises are distributed
and use dedicated hosting centres. Even on-premise system servers are not
typically located within the building, nor do operators typically sit at the console
when interfacing with the servers.

System Security
Q21: How does MasterControl handle system security?
MasterControl invests in the most advanced and modern system security
available to provide a secure environment. The following are ways MasterControl
provides proven system security:

• Change management: Changes to IT facilities and systems are managed using
a documented change control process that requires testing, review, and approval
before releasing the changes to production servers. Servers use file integrity
monitoring tools to detect unauthorised changes to critical system files.
• Vulnerability management and penetration testing: Systems undergo
periodic vulnerability and penetration testing in two ways:
– Industry-recognised third-party security specialists who use
multiple overlapping enterprise security solutions to swiftly handle
any vulnerabilities.
– Internal experts using additional vulnerability and penetration testing.
• Third-party service delivery management: All security requirements,
ongoing monitoring, and change management clauses are in place for
MasterControl SLAs. MasterControl’s internal quality team audits each
third-party supplier.
• Monitoring: Application, database, and system monitoring are in place.
Personnel responsible for monitoring are notified when alerts are triggered.
Logs are secured so that only authorised personnel can access them. Performance
monitoring is employed at all locations throughout the world.
• Database security: MasterControl encrypts database data-at-rest at
multiple levels. (See Q17.) We encrypt all database data. Transparent data
encryption (TDE), which is similar to encrypting data at rest, is enabled on
each customer’s database. We also add an extra layer of encryption at the
application level.

Software Security
Q22: How does MasterControl handle software security practices and
secure software development?

MasterControl performs automated and manual code reviews, and developers
are trained on secure software development principles. MasterControl also
procures software from other software vendors with software licencing
agreements that ensure prompt security patches and updates. MasterControl
tests security measures throughout the following software development life
cycle phases to ensure system protection:

• Design phase: Automated and manual security control requirements are
analysed and documented. This includes assessment of data risk and resulting
encryption requirements.
• Coding phase: Practices of secure coding are defined and reviewed, and
access to source code and test data is controlled. Secure coding practices
include session management security, as well as the prevention of Open
Web Application Security Project (OWASP) Top 10 software vulnerabilities,
including malformed XML or HTTP requests, XSS, CSRF, and SQL injection.
Automated and manual code reviews are also performed in this phase.
• Testing phase: Application software is tested for security vulnerabilities
during the testing phase using static and dynamic code analysis tools.
Vulnerabilities are documented and a remediation plan is developed.
Also, the vulnerabilities are monitored to ensure each is addressed
appropriately. A complete application penetration test is conducted
for each major release.

Q23: How does MasterControl handle application vulnerability assessments?
MasterControl follows industry best practices for application vulnerability
assessments, including guidelines outlined by OWASP to identify and defend
against any vulnerability. (See Q22.)

MasterControl conducts periodic vulnerability assessments on its production
systems and tests contemporary attack vectors using automated and manual
methods like threat modelling, vulnerability classification, and automated
scanning to find potential SQL, AD, XPATH, or JQUERY injection paths and
protect against distributed denial of service (DDoS) attacks. Vulnerability testing
examples include spoofing of user identity, tampering, repudiation, information
disclosure, denial of service, and elevation of privileges.

User Credentials and Access Management


Q24: How does MasterControl handle user password management
and login policies?
MasterControl enables strict user authentication and permission enforcement
at every access point, ensuring that only users with the proper credentials can
access data. MasterControl provides configurable password policies for length,
complexity (alphanumeric), expiration and lockouts, intruder alerts, forgotten
password help, etc.

Customer administrators (sysadmins) can configure user application rights
and content access rights via roles. Role rights are additive. Users can be in a
single role or multiple roles. Best-practice templates are built into the system
for roles and standardised controls. Customer administrators can customise
those to meet specific needs.

External users can be added to the system as “guest users” to allow them to
collaborate on specific documents, add audit findings, or view specific reports.
Access can be revoked at any time. Guests can only see the tasks that they are
specifically invited to by a power user.

Q25: How does MasterControl handle user authentication and single sign-on (SSO)?
User accounts are set up and maintained by customer administrators.
MasterControl supports user authentications directly in the application as
well as via integration with Active Directory (AD) servers or Security Assertion
Markup Language (SAML) 2.0 providers. Most customers use a combination of
direct authentication (local) and AD or SAML.

Authentication E-Signature
(Login) Approval

MasterControl Local Uses a Unique Password Unique Password – Uses login as E-signature
Settings controlled by Uses Network Credentials
Password settings controlled System Administrator
by the System Administrator

Active Directory (AD) 1 Uses Network Credentials Password controlled by Uses Network Credentials
System Administrator

SAML (SSO) 2 Uses Network Credentials Password controlled by Exploring business and
for login via idP System Administrator technical feasibility.

1 – Requires system administrator to configure connection from MasterControl to AD server (SSL).


2 – Uses any SAML 2.0 compliant identity provider (IdP), including ADFS.

Q26: How does MasterControl handle audit trails?


MasterControl automatically logs all document and user activity. Audit logs
provide the administrator visibility into system activity and are a component of
compliance with electronic records and electronic signature regulations. The
logs contain detailed information such as date and time stamp, username, and
the event.

Infrastructure Security
Q27: How is data centre access handled?
AWS monitors the data centres using their global Security Operations Centres,
which are responsible for monitoring, triaging, and executing security programs.
They provide 24/7 international support by managing and monitoring data centre
access activities, equipping local teams and other support teams to respond to
security incidents by triaging, consulting, analysing, and dispatching responses.

Human Resources Security


Q28: How is human resource security managed?
MasterControl gives employees and contractors system access during
onboarding and promptly removes it during the exit process. This system access
is reviewed when any employee changes job functions. Additional security
processes include:

• Background checks: All MasterControl personnel undergo criminal
background checks and identity verification.
• Awareness training: All MasterControl personnel are regularly assigned
and complete training tasks and training competency testing on policies
and procedures.
• Asset management: MasterControl tracks all critical information assets
and applications that process sensitive data. Employees go through security
awareness training during onboarding and repeat it annually.
• Malware protection: All laptops have malware protection and are managed
and monitored by MasterControl’s IT department. All users are trained on
security best practices and malware prevention as part of their security
awareness training during new hire orientation.
• Media handling: MasterControl has created procedures that are designed to
protect documents and computer media containing customer data or other
sensitive information. Media is properly sanitised or securely disposed of.
• Mobile device security: Customer data is stored on laptops only for specific
purposes such as implementation or troubleshooting. All files are encrypted
using AES 256-bit keys.

Backup, Continuity, and Recovery


Q29: Does MasterControl have a business continuity and
disaster recovery program?
Yes. MasterControl responds to unplanned business interruptions that affect the
availability of CBPs and the IT services that support those processes. To maintain
business continuity, we have a Recovery Point Objective (RPO) of four hours and a
Recovery Time Objective (RTO) of eight hours that is agreed upon contractually.
With the S3 file storage (see Q2), we can recover files in the event of data loss.
This includes facility utility disruption (not caused by environmental disaster),
electronic file loss, electronic database record loss, data corruption, accidental
overwriting of the file system, etc. We also have multiple versions of every file and can
preserve every version of every customer’s EFP files for 13 months.

Q30: How does MasterControl manage data backups?


The S3 file storage provides near real-time backup and disaster recovery.
All EFP files are automatically replicated to the disaster recovery location
and are retained for 13 months. SQL backups still occur every four hours.

[Figure: Primary Location and Failover Location. Production 1, Production 2, and Production 3 at the primary location each replicate to the matching production environment at the failover location. Labels: "Every 4 Hours"; "Backup Every 4 Hours, Keep for 13 Months".]


Maintenance and Upgrades


Q31: How will MasterControl make sure my applications are up to date?
A significant benefit of SaaS is that MasterControl manages all updates
and upgrades, instead of the customer. We regularly perform the following
maintenance to ensure applications are up to date:

• Scheduled maintenance: Operating system and infrastructure maintenance
follows a regular schedule — system availability will be interrupted during
this time. Maintenance windows can happen any weekend, but they generally
occur twice a month.
– Second weekend: MasterControl application patch.
– Last weekend: Cloud infrastructure.
This schedule is subject to change. If there is a change, we notify customers
with a pop-up reminder directly in the app (Pendo) for the cloud and via email
for those on MasterControl hosted.
• Critical planned: MasterControl may need to make critical updates to
address security, privacy, legal, regulatory, or third-party hardware and
software issues that are not reasonably foreseeable. In these cases,
MasterControl will apply the update as soon as possible. MasterControl may
also determine that certain updates are mandatory based on the severity of
the service issue. In these cases, MasterControl will apply the update as soon
as commercially practical.
• Unplanned: This may include systemic disruption of internet carrier
telecommunications or equipment as well as other interruptions of service
on the backbone (core network), on the client’s portion of the network, or
interruptions or significant degradations of service caused by denial of service
or similar attacks.

Network unavailability beyond the power of MasterControl is considered
excusable downtime for the duration of the outage and takes precedence over
any other cause of downtime with respect to calculating service availability.

The MasterControl SLA provides more detailed maintenance information.

Q32: How will the upgrade and patch process impact my configurations?
Upgrades or patches will not impact customer configurations. The data and
configurations are stored in the database tables, independently of the code.

Q33: How will the upgrade and patch process impact my system validation?
At MasterControl, we provide fully executed functional testing and
recommended usage testing for every software release. We include a full
validation package for each release, so customers can trace the requirements
to the executed testing and review a final summary report of any internal
deviations we find.


One of the many advantages of our automated testing is that we can validate
changes daily and weekly. Because of how thorough our functional testing is,
clients don’t have to perform any functional-level testing for their instance of
MasterControl.

With upgrades and patches, it’s important to ensure that you are adequately
evaluating the risk of each software change. The breadth and depth of the
validation effort for a software change should be commensurate with the risks
imposed by the software change. Based on the scope of the changes, it may be
beneficial to do a full system risk assessment. Most often, however, only new
features as well as high and critical defects need to be assessed for risk.

We provide usage testing protocol templates that are customised to a
client’s specific usage and risks. These customised, risk-based protocols are
driven through the Risk Assessment feature of the MasterControl Validation
Excellence Tool (VxT)™ (U.S. Pat. 10,324,830).

Once your assessment is done, the risk assessment and pertinent validation
documentation are exported into a customised change control form. (See “8 Best
Practices for Compliant and Quick Software Validation in the Cloud.”)

Validation
(For more information, view the MasterControl Validation Strategy FAQ.)

Q34: What are MasterControl’s principles for its SaaS validation strategy?
Companies regulated by the FDA or the European Medicines Agency (EMA)
are required to validate their electronic systems. Outside of the FDA and EMA
environments, validation is valuable because it reinforces the importance of
product quality and safety.

Companies in other regulated environments go through the validation process
because they adhere to international guidelines and standards that will help
them sell their products globally or increase the value of their products in their
customers’ eyes.

MasterControl has been validating computer and software systems since
1999. A best-practice testing and software life cycle approach is used with an
innovative, patented risk-evaluation tool that focuses on the company’s critical
business processes.

This proven validation process eliminates wasted revalidation efforts, which
helps companies accelerate their time-to-value objectives. Unlike other software
providers, MasterControl doesn’t just hand out its own validation documentation
as a shortcut — this would only increase the risk of noncompliance.


MasterControl’s approach generates all the information needed to understand
the true risk of software adoption to validate CBPs. Our validation tools help
our customers complete the process with less time and effort.
MasterControl adheres to the following guiding principles for SaaS validation:

• Validation should be part of change control.
• Validation should be risk-based.
• Validation should leverage as much work of trusted vendors as possible.
• Customer performance qualification (PQ)-level testing should focus on CBPs.

Q35: What tests does MasterControl perform before validation?


MasterControl completes the following extensive testing before validation:
• Hourly unit, integration, and functional testing of thousands of individual tests
— Includes direct code testing and user interface testing.
• Daily manual code inspection and verification.
• Regular manual usage testing of hundreds of complex tests.
• Daily automated functional (operational qualification (OQ)) regression testing.
• Daily automated usage (performance qualification (PQ)) regression testing.
• Regular scalability testing assessing high usage and system responsiveness.
• Regular security testing.
• Regular manual investigative testing.
• Regular system upgrade testing.

Compliance
Q36: What types of quality, security, and/or third-party audits does
MasterControl’s technology platform follow or undergo?
As a one-to-many SaaS provider, MasterControl cannot feasibly meet the
specific requirements of any one customer. Instead, our approach is to offer
quality, security, and/or data privacy certifications and measures that meet the
needs of the majority of the market for our products. Thereafter, it is incumbent
upon customers to utilise the solution in a manner that fits with their own risk
assessment and that complies with relevant regulations. Here are some of the
quality, regulatory, and IT standards that MasterControl addresses:

• ISO 27001:2013: MasterControl is certified to this standard.
• ISO 27017: MasterControl is certified to this standard.
• ISO 9001:2015: MasterControl is certified to this standard.
• 21 CFR Part 11: MasterControl software is 21 CFR Part 11 compliant
when used and configured correctly.
• EU Annex 11: MasterControl software is Annex 11 compliant when used
and configured correctly.
• General Data Protection Regulation (GDPR): MasterControl has
implemented items to comply with GDPR.


• SSAE 16 Type II SOC 1 and SSAE 16 Type II SOC 2: Service Organisation
Controls (SOC), previously known as SAS70 Type II, is an audit report
from the Statement of Standards for Attestation of Controls (SSAE), a
well-recognised auditing standard developed by the American Institute of
Certified Public Accountants (AICPA) and applicable to service providers like
MasterControl. The range of controls is broad and covers everything from
hiring, setting up servers, granting and revoking access to secure systems,
retention and review of logs, customer onboarding, and change management.
SOC 2 shows adherence to the set of controls covered in SOC 1 and
provides an attestation from auditors on the effectiveness of the controls
for meeting the Trust Services Principles: security, availability, processing
integrity, confidentiality, and privacy. MasterControl has not obtained SOC
certification; we utilise third-party data centres that adhere to SOC 2.

About MasterControl
MasterControl Inc. is a leading provider of cloud-based quality and compliance
software for life sciences and other regulated industries. Our mission is the
same as that of our customers – to bring life-changing products to more people
sooner. The MasterControl Platform helps organisations digitise, automate,
and connect quality and compliance processes across the regulated product
development life cycle. Over 1,000 companies worldwide rely on MasterControl
solutions to achieve new levels of operational excellence across product
development, clinical trials, regulatory affairs, quality management, supply
chain, manufacturing, and postmarket surveillance.

For more information, visit www.mastercontrol.com.

Dx Development | Cx Clinical | Rx Regulatory | Qx Quality | Sx Supplier | Mx Manufacturing | Px Postmarket

© 2021 MasterControl Inc. All rights reserved. DSFAQXX0USENLT-04/21
