Supplier Assurance

TraceLink customers have engaged two leading industry organizations, Rx-360 and Rephine (formerly known as Agrupación Forum Auditorías [AFA]) , to conduct independent quality audits of TraceLink’s operations, processes, and records. The results of these audits are leveraged by existing and prospective TraceLink customers to establish trust in TraceLink’s Quality Management System (QMS) maturity and alignment with applicable global laws, regulations, and industry standards and guidances, including but not limited to US FDA 21 CFR Part 11 and EU Annex 11. Rx-360 and AFA’s reports and ongoing oversight provide our customers evidence that satisfies regulatory vendor assurance requirements, lessening the burden on the life sciences industry by minimizing audit-related costs and dedicated resources. See below for more information about these organizations and the available TraceLink audit reports.

TraceLink's commitment to maintaining a high-quality industry-leading supply chain software is exemplified through our comprehensive Quality Management System (QMS) and Information Security Management System (ISMS). Together, these systems govern the development, deployment, maintenance, security, and support of TraceLink’s products and services.

TraceLink has achieved and maintained certification to ISO 9001:2015 and ISO 27001:2013 (inclusive of ISO 27017:2015 controls), and achieved SOC 2 / ISAE 3000 Type II attestation. These, along with other achievements and certifications, can be viewed on TraceLink's Certifications and Attestations webpage.

TraceLink’s Information Security Management System is certified against ISO/IEC 27001:2022, the world’s best-known standard for information security management systems, inclusive of the additional cloud security controls in ISO/IEC 27017:2015. TraceLink has achieved a SOC 2 / ISAE 3000 Type II attestation for controls covering the Security, Availability, and Confidentiality Trust Services Criteria. To obtain evidence of these certificates and attestations, please visit the following webpage: https://www.tracelink.com/legal-and-trust/certifications.

TraceLink also offers a robust set of security controls and practices as outlined in the Security Annex which can be reviewed on the following webpage: https://www.tracelink.com/legal-and-trust/security-annex. Security measures outlined in the Annex outline the controls TraceLink has in place for ensuring the ongoing confidentiality, integrity, and availability of Customer Data in order to prevent unauthorized access, use, modification, or disclosure of Customer Data.

TraceLink is committed to our customers' global track & trace and compliance requirements by continuously monitoring the global regulatory landscape, as laws and regulations are introduced or modified, and by actively engaging in the definition of industry standards for newly emerging markets or as previously established regulations are modified. TraceLink products and services are enhanced to align with regulatory and industry requirements, thereby ensuring customers continue to adhere to compliance requirements and industry standards.

TraceLink’s Quality Management System (QMS) document MGT06 Data Integrity Policy requires that TraceLink workforce members document work in an Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Accurate (ALCOA+) manner that meets company requirements and industry standards, and in accordance with relevant laws, regulations, or legislative directives of regulatory authorities. TraceLink workforce members are trained to gather, analyze, report, and retain information and data in a manner that represents what occurred in accordance with TraceLink policies and procedures, Good Documentation Practices, and applicable laws.

TraceLink Quality Management System (QMS) document MGT06 Data Integrity Policy outlines the elements necessary to ensure the reliability and integrity of data within the TraceLink Products and TraceLink’s software development lifecycle (SDLC). 
TraceLink activities associated with preserving the integrity of information and data throughout the SDLC include gathering, documenting, reporting, and/or retaining data and information in a manner that accurately, truthfully, and completely represents what occurred as it relates to the design, development, qualification, and maintenance of TraceLink Products includes, but is not limited to:

• Assigning roles and responsibilities for meeting the objectives defined in the TraceLink Quality Manual, including document owners responsible for reviewing and maintaining processes related to data integrity, and identifying associated training requirements;
• Ensuring ownership throughout the SDLC, considering design, operation, and monitoring or process to comply with the principles of data integrity;
• Ensuring data derived, entered, or obtained throughout the SDLC and within TraceLink internal business systems meets the requirements of ALCOA+;
• Establishing document management system and practices for maintaining data integrity, and providing mechanisms for preventing data integrity lapses and detecting / recording instances of nonconformance;
• Evaluating, configuring, qualifying, and maintaining TraceLink internal business systems and tools in accordance with applicable industry standards and guides (e.g., US FDA Computer System Assurance [CSA] Guidance; ISPE GAMP 5 Guide);
• Maintaining processes that confirm the proper use, correction, and movement of data which can be traced throughout the SDLC and data lifecycle;
• Ensuring TraceLink’s internal business systems and tools capture, process, and store data electronically for the defined retention period and system audit trails and/or logs adhere to applicable regulations and industry standards (e.g., US FDA 21 CFR Part 11, EU Annex 11, US FDA CSA, ISPE GAMP5 guide)

TraceLink's commitment to providing its customers with high-quality, secure, industry-leading supply chain software is the foundation of its software development lifecycle (SDLC). Structured to respond to the requirements of the regulatory landscape and the needs of TraceLink's customer base, the SDLC takes an agile approach to product quality with defined processes for requirements gathering, code building, testing, and installation.

TraceLink’s software Quality Assurance (QA) team is responsible for establishing robust processes and practices across the software development lifecycle (SDLC) with the goal of producing high quality software. These processes operate in accordance with defined internal procedures and applicable industry standards and include concepts such as risk management, separation of duties, independent reviews, and software testing.

TraceLink’s Test Plans describe the test strategy, along with applicable use-cases, data requirements, configuration needs and the test automation approach. The Test Plans are informed by Requirements, Functional Specifications, Acceptance Criteria, and High-Level Designs, and employ a Risk Management approach outlining mitigation plans for impacts such as data integrity, security, performance, regression, among others.

Defined change management procedures govern change requests that may affect the qualified and intended use state of TraceLink Products. TraceLink’s software development lifecycle (SDLC) and change management processes govern product development through requirements, design, testing, and deployment of new versions, and address three main sources of potential change:

• Roadmap Changes – TraceLink maintains a well-defined ongoing product roadmap that is overseen by a cross-functional team that evaluates potential changes to the roadmap. To support customer planning, we provide Release Preview documentation for committed roadmap updates at least fifty-five (55) days prior to releases.
• Product Changes – TraceLink follows a detailed software deployment process for application changes, including patch and acceptance criteria, within our software development lifecycle (SDLC). From defining requirements through to design, testing, and implementation, processes include cross-functional representation to confirm appropriate review. Planned product changes are documented and reviewed to confirm design, acceptance criteria, testing plans, and security requirements are satisfied prior to deployment. For further detail on TraceLink’s testing strategy please refer to the section Software Quality Assurance on the Supplier Assurance webpage.  Details of product changes are included in the Release Summary document published to the Product Release Documentation website, accessible by customers through the TraceLink Customer Success Portal. TraceLink will notify customers of changes in accordance with the TraceLink Service Level Agreement (SLA) and applicable procedures.
• Infrastructure Changes – Infrastructure change requests are logged within TraceLink’s internal ticketing system by authorized individuals. Changes are implemented after obtaining appropriate approvals, as applicable, and are verified after the change action is committed. TraceLink adheres to a clear separation of duties and controls to restrict who can deploy changes and perform a risk assessment for non-routine changes. Test and rollback plans are created, and security is evaluated as part of change requests for the underlying infrastructure.

Change Management-related TraceLink QMS Documentation

Processes related to product changes are found in the following TraceLink procedures:

• Software Development Lifecycle
• Software Release
• Software Defect Management
• Software Testing
• Infrastructure Change Management

TraceLink protects the quality, reliability, and data integrity of its services and product offerings by following defined supplier management policies, including risk evaluation, based on intended use, data in scope, security, and reliability.

TraceLink's Quality Management System (QMS) governs the selection, management, oversight, termination, and replacement of approved third-party suppliers which are essential to or impact TraceLink services and product offerings. All suppliers are reviewed and qualified through collaborative processes between TraceLink Regulatory and Quality Compliance (RQC), Security, Legal, and Finance teams, and the internal business partner.

TraceLink's dedication to continuous improvement of our Quality Management System (QMS) and Information Security Management System (ISMS) is driven through processes such as the internal audit program. Through internal audits of our policies, procedures, processes, and controls, TraceLink identifies opportunities to improve, establishes periodic review results for policies and procedures, and verifies continuous adherence to both internal and external standards, confirming our ability to provide customers with high-quality products and services.

TraceLink invests in new hire onboarding and continuous employee learning practices to ensure team members possess the necessary knowledge and skills for their defined role.

The TraceLink training program includes a defined set of core requirements across the organization, including awareness trainings for regulatory and quality, security, and data integrity. Additional training specific to an employee’s defined functional area and role responsibilities is required, including a review of applicable Quality Management System (QMS) procedures supplemented by a comprehension assessment recorded in the electronic learning management system.

This training program is designed to promote compliance with applicable internal and external requirements, and produce high quality products with service delivery excellence.

TraceLink's dedication to maintenance of our Quality Management System (QMS) and Information Security Management System (ISMS) is driven through document management processes such as authoring new procedures, revision control, archiving superseded versions, and confirming availability of effective quality documentation to TraceLink workforce members to promote accurate and consistent quality records.