Compliance & Security
Enterprise Security for Chemical Compliance Data
Your chemical inventory, Tier II submissions, SDSs, and incident records contain some of the most sensitive operational data your organization holds. SafeGenics protects it with defense-in-depth architecture, SOC 2 Type II–certified controls, and regulatory-grade retention policies — built from the ground up for EHS compliance.
SOC 2 Type II: Certified annually
ISO 27001: Certified ISMS
GDPR: Compliant · AWS DPA
AES-256 + TLS 1.3: Encryption at rest & in transit
Hosted on AWS: US data centers
Why It Matters
Chemical Compliance Data Isn't Ordinary Data
Compliance Intelligence doesn’t just tell you what — it shows you why. Every generated answer includes an evidence chain linking back through the graph entities that produced it. Click any node to see the source record.
Security-Sensitive Chemical Holdings
Chemical inventory data reveals exactly which hazardous substances exist at each facility, their quantities, and storage locations. This is the same type of information the CFATS program was designed to protect — data that, in the wrong hands, could inform threat targeting. SafeGenics treats chemical holdings data with the sensitivity it demands.
30-Year Retention Obligations
Under 29 CFR 1910.1020, employee exposure records — including SDSs — must be retained for at least 30 years. Injury and illness logs (OSHA 300) require 5 years. Tier II filings must be reproducible for audit. Your platform needs retention architecture designed for decades, not just years.
Regulatory Audit Exposure
OSHA inspectors, EPA regional offices, SERCs, LEPCs, and state agencies all have access rights to your compliance data. Every record must be complete, every submission traceable, and every modification logged. Incomplete audit trails don’t just fail inspections — they generate penalties.
SOC 2 Type II
Independently Audited Across All Five Trust Service Criteria
SafeGenics maintains SOC 2 Type II certification with annual third-party audits covering all five AICPA Trust Service Criteria. Unlike vendors who rely on their hosting provider’s certification, SafeGenics is audited at the application, infrastructure, and operations level.
Security: Protection against unauthorized access through encryption, authentication, network segmentation, and system hardening
Availability: System uptime guaranteed through redundancy, failover, disaster recovery, and continuous infrastructure monitoring
Processing Integrity: Data processed completely, accurately, and without unauthorized modification — critical for Tier II threshold calculations
Confidentiality: Chemical holdings, trade secret formulations, and facility data protected through access controls and encryption
Privacy: Personal data collected, used, retained, and disposed of per GDPR, CCPA, and organizational privacy commitments
Defense-in-Depth Architecture
Edge Layer
Perimeter Defense
All traffic routes through a Web Application Firewall with OWASP Top 10 protection, DDoS mitigation, and geo-fencing capabilities. TLS 1.3 encryption enforced on all connections. HTTP Strict Transport Security (HSTS) prevents protocol downgrade attacks.
Application Layer
Application Security
SAML 2.0 and OAuth 2.0 enterprise SSO integration. Role-based access control (RBAC) with granular permissions down to the facility, chemical, and document level. Session management with automatic timeout. Input validation and parameterized queries prevent injection attacks. CSRF protection on all state-changing operations.
Data Layer
Data Protection
AES-256 encryption at rest for all stored data including chemical records, SDSs, audit logs, and graph relationships. Database-level encryption via AWS KMS with managed key rotation. Field-level encryption for trade secret compositions (SDS Section 3). Complete multi-tenant isolation — no customer can access another organization’s data under any circumstance.
Infrastructure
Cloud Infrastructure
Hosted on Amazon Web Services (AWS) in US data centers. Private VPC with network segmentation. AWS infrastructure is SOC 2 Type II and ISO 27001 certified with 99.99% uptime SLA. Automated backups with point-in-time recovery. Disaster recovery with cross-region replication within the US and tested failover procedures. 24/7 infrastructure monitoring with automated alerting via AWS CloudWatch.
Operations
Security Operations
Vulnerability scanning and independent penetration testing on a regular cadence. Security incident response plan with defined escalation procedures. Employee security awareness training. Background checks on all personnel with access to production systems. Change management controls with peer review requirements.
Audit Trails
Every Action Logged. Nothing Lost.
Immutable audit trails capture every create, read, update, and delete operation across the platform — with user identity, timestamp, IP address, and before/after values. Designed for regulatory inspections, litigation holds, and internal compliance reviews.
What Gets Logged
Every interaction with compliance data generates an audit event that is written to an append-only log. These events are cryptographically sealed and cannot be modified or deleted by any user — including administrators.
→ Chemical records — additions, quantity changes, location transfers, threshold crossings, and deletions with full before/after state
→ Tier II reports — drafts, edits, approvals, submissions, and acknowledgments with complete version history
→ SDS documents — uploads, version changes, downloads, access events, and label generation with user and facility context
→ Incidents — creation, investigation updates, corrective actions, OSHA form generation, and regulatory submissions
→ User activity — logins, permission changes, role assignments, SSO events, and session management
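One common way to make an append-only log tamper-evident is a hash chain, sketched below as an added example; it is not SafeGenics code, and the page does not say which sealing mechanism the product uses. The field names, record identifiers, and sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first event


def _digest(prev_hash, body):
    # Canonical JSON so the same event always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(log, actor, ts, ip, action, record, before, after):
    """Append one audit event, sealing it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "ts": ts, "ip": ip,
            "action": action, "record": record,
            "before": before, "after": after}
    log.append({**body, "prev": prev_hash, "hash": _digest(prev_hash, body)})
    return log[-1]


def verify_chain(log):
    """Return the index of the first broken entry, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if (entry["seq"] != i or entry["prev"] != prev_hash
                or entry["hash"] != _digest(prev_hash, body)):
            return i
        prev_hash = entry["hash"]
    return None


def build_sample_log():
    # Constructed sample events (hypothetical users and records).
    log = []
    append_event(log, "user@example.com", "2026-01-05T09:00:00Z", "192.0.2.10",
                 "create", "chem:sulfuric-acid@facility-4", None, {"qty_lb": 400})
    append_event(log, "user@example.com", "2026-01-06T10:30:00Z", "192.0.2.10",
                 "update", "chem:sulfuric-acid@facility-4",
                 {"qty_lb": 400}, {"qty_lb": 1200})
    append_event(log, "auditor@example.com", "2026-01-07T08:15:00Z", "192.0.2.44",
                 "read", "chem:sulfuric-acid@facility-4", None, None)
    return log
```

A chain like this detects edits and mid-log deletions, but not truncation of the newest entries or a full rewrite by someone who can recompute every hash; that requires anchoring the latest hash outside the log, for example in write-once storage or a signed checkpoint.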
Record Retention
Built for 30-Year Compliance
OSHA’s record retention requirements span from 5 to 30+ years depending on the record type. SafeGenics enforces configurable retention policies automatically — so records are never purged prematurely and never lost.
30 years
Employee Exposure Records
SDSs and any records documenting the identity of substances employees were exposed to must be retained for 30 years, including where and when the chemical was used. SafeGenics maintains complete SDS version history with facility and date metadata to satisfy this requirement without manual tracking.
29 CFR 1910.1020(d)(1)(ii)
30 years
Employee Medical Records
Medical records for exposed employees must be preserved for the duration of employment plus 30 years. When integrated with SafeGenics incident records, exposure documentation and related medical referrals maintain full traceability across the entire retention period.
29 CFR 1910.1020(d)(1)(i)
5 years
OSHA 300 / 300A / 301 Logs
Injury and illness records must be retained for 5 years following the calendar year they cover. SafeGenics incident management generates these forms and enforces the 5-year minimum automatically. Forms are locked from modification after submission to preserve regulatory integrity.
29 CFR 1904.33(a)
3 years
Tier II Reports & EPCRA Records
Tier II submissions, emergency release notifications, and supporting chemical inventory documentation require minimum 3-year retention. SafeGenics retains all submissions indefinitely by default, with complete version history from draft through final filing for every reporting period.
EPCRA §§ 311–312
SafeGenics retention policies are configurable per record type and can exceed regulatory minimums. All retention periods are enforced automatically with legal hold capabilities for litigation or investigation preservation.
Access Control
Granular Permissions, Zero Guesswork
Role-based access control with facility-level, module-level, and record-level permissions. Enterprise SSO integration ensures one source of truth for user identity.
Enterprise SSO
SAML 2.0 and OAuth 2.0 integration with your identity provider — Okta, Azure AD, Google Workspace, OneLogin, and others. Centralize authentication, enforce password policies, and deactivate access instantly when employees leave. No separate SafeGenics passwords to manage.
Role-Based Access Control
Define roles by function: EHS Manager (full access), Facility Coordinator (facility-scoped), Read-Only Auditor, Incident Reporter, Tier II Reviewer, SDS Viewer. Each role maps to specific permissions across modules, facilities, and record types. Custom roles supported for complex organizational structures.
Facility-Level Scoping
Users see only the facilities they’re authorized to access. A plant manager at Facility #4 sees chemicals, incidents, and Tier II data for their site — not the corporate portfolio. Multi-site administrators can be scoped to regions. Useful for JV facilities and shared-access scenarios with contractors.
Multi-Factor Authentication
Enforce MFA across all users or by role. Supports TOTP authenticator apps, hardware security keys (FIDO2/WebAuthn), and SMS fallback. MFA requirements can be configured per role — enforce hardware keys for administrators while allowing TOTP for field reporters.
Approval Workflows
Tier II submissions, incident closures, and chemical record changes can require one or more approvals before finalization. Configurable approval chains by facility, record type, or threshold crossing. Approvers receive notifications and can review full before/after state before signing off.
Data Export Controls
Control who can export data and in what format. Bulk export permissions are separate from view permissions — a user can view chemical records without being able to download the entire inventory. Export events are logged in the audit trail with format and scope metadata.
Comparison
How SafeGenics Security Compares
EHS platforms vary widely in their security posture. Many rely on hosting provider certifications rather than application-level audits.
| Security Capability | SafeGenics | Large EHS Platforms | Spreadsheets / Manual |
|---|---|---|---|
| SOC 2 Type II (application-level) | ✔ Certified | ⚡ Some vendors | – |
| All 5 Trust Service Criteria | ✔ Full coverage | ⚡ Security only | – |
| ISO 27001 certified ISMS | ✔ Certified | ⚡ Some vendors | – |
| AES-256 encryption at rest | ✔ Full | ✔ Full | – |
| Field-level encryption (trade secrets) | ✔ SDS Section 3 | – | – |
| Immutable audit trails (append-only) | ✔ Cryptographic | ⚡ Standard logging | – |
| Before/after state in audit events | ✔ Full diff | ⚡ Action-only | – |
| 30-year retention enforcement | ✔ Automatic | ⚡ Configurable | – |
| Facility-level access scoping | ✔ Native | ✔ Most vendors | – |
| Enterprise SSO (SAML 2.0 / OAuth) | ✔ Full | ✔ Most vendors | – |
| Graph-aware permission model | ✔ Native | – | – |
| Data export controls with logging | ✔ Granular | ⚡ Basic | – |
“Large EHS Platforms” includes VelocityEHS, Cority, Enablon, EHS Insight. Audit posture varies significantly between vendors — always request the vendor’s own SOC 2 report, not their hosting provider’s.
FAQ
Frequently Asked Questions
Does SafeGenics hold its own SOC 2 Type II certification?
Yes. SafeGenics maintains its own SOC 2 Type II certification, audited annually by an independent third-party firm. The audit covers the SafeGenics application itself, our cloud infrastructure, development practices, personnel policies, and incident response procedures — not just our hosting provider’s data center. This is an important distinction: many EHS vendors cite their cloud provider’s SOC 2 certification rather than obtaining their own. Our SOC 2 report covers all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Customers may request a copy under NDA.
Do I really need to keep SDSs for 30 years?
The nuance matters. Under 29 CFR 1910.1020(d)(1)(ii)(B), you are not technically required to retain the actual SDS for 30 years — but you must retain some record of the identity (chemical name if known) of the substance, where it was used, and when it was used for at least 30 years. In practice, retaining the original SDS is the simplest way to satisfy this requirement, and many organizations choose to do so. SafeGenics makes this easy by maintaining complete SDS version histories with facility-level usage tracking and date metadata — giving you both the document archive and the “where and when” context OSHA requires.
How does multi-tenant isolation work?
Every organization’s data is logically isolated at the database level. Queries are tenant-scoped at the application layer, meaning no API call, database query, or graph traversal can return data belonging to another organization. This isolation is enforced through a combination of row-level security policies, application-level tenant context, and independent verification in our automated testing suite. Multi-tenant isolation is a core component of our SOC 2 audit, and penetration testing specifically includes cross-tenant access attempts.
What happens if an employee leaves — how is their access revoked?
With enterprise SSO integration, access revocation is automatic. When you deactivate a user in your identity provider (Okta, Azure AD, etc.), their SafeGenics session is invalidated at the next authentication check. For organizations using SafeGenics-native authentication, administrators can deactivate accounts immediately. All deactivation events are logged in the audit trail. The user’s historical actions remain in the audit log for compliance purposes — only their forward access is revoked.
How does SafeGenics handle trade secret chemical compositions?
SDS Section 3 (Composition/Information on Ingredients) may contain trade secret formulations with prescribed concentration ranges instead of exact percentages. SafeGenics applies field-level encryption to trade secret composition data, separate from the volume-level AES-256 encryption that protects all stored data. Access to trade secret fields is controlled by a dedicated permission, and every access event is logged. Under OSHA’s HazCom 2024 updates, trade secret claims now require mandatory use of prescribed concentration ranges, which SafeGenics enforces during SDS validation.
What is a "graph-aware permission model"?
In a traditional EHS platform, permissions are module-based: you can access “incidents” or “chemical inventory” or “Tier II.” SafeGenics adds a graph-aware layer. Because chemicals, SDSs, incidents, thresholds, and obligations are all connected through the Compliance Intelligence Graph, permissions must respect graph traversal. For example, a Facility #4 user can see that sulfuric acid at their site links to a Tier II obligation — but they can’t traverse the graph to see sulfuric acid quantities at Facility #7. The permission model is enforced at the graph query level, not just the UI level, ensuring that API access respects the same boundaries.
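The Facility #4 / Facility #7 case above can be shown with a traversal that applies the facility scope check at every hop rather than filtering results afterwards. This is an added example, not SafeGenics code; the node identifiers, the graph shape, and the rule that substance, SDS, and obligation nodes are shared across facilities are assumptions made for illustration.

```python
from collections import deque

# Constructed sample graph: node -> (type, facility or None for shared nodes)
NODES = {
    "chem:h2so4@F4": ("holding", "F4"),
    "chem:h2so4@F7": ("holding", "F7"),
    "substance:sulfuric-acid": ("substance", None),
    "obligation:tier2-h2so4": ("obligation", None),
    "sds:h2so4-v3": ("sds", None),
}
EDGES = {
    "chem:h2so4@F4": ["substance:sulfuric-acid", "sds:h2so4-v3"],
    "chem:h2so4@F7": ["substance:sulfuric-acid"],
    "substance:sulfuric-acid": ["chem:h2so4@F4", "chem:h2so4@F7",
                                "obligation:tier2-h2so4"],
    "obligation:tier2-h2so4": ["substance:sulfuric-acid"],
    "sds:h2so4-v3": ["chem:h2so4@F4"],
}


def visible(node, facilities):
    """Shared nodes are visible to all; facility nodes only if in scope."""
    facility = NODES[node][1]
    return facility is None or facility in facilities


def traverse(start, facilities):
    """Breadth-first traversal that applies the scope check at every hop."""
    if not visible(start, facilities):
        raise PermissionError(f"{start} is outside the caller's facility scope")
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in EDGES.get(queue.popleft(), []):
            # Out-of-scope nodes are never returned and never expanded.
            if nxt not in seen and visible(nxt, facilities):
                seen.add(nxt)
                queue.append(nxt)
    return seen
```

Because the check sits inside the traversal, an API caller scoped to F4 reaches the Tier II obligation through the shared substance node but never receives, or expands from, the F7 holding.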
Where is my data hosted?
SafeGenics is hosted on Amazon Web Services (AWS) in US data centers. AWS infrastructure is independently SOC 2 Type II and ISO 27001 certified. All backups are encrypted via AWS KMS and stored in a geographically separate AWS region within the US for disaster recovery. Data never leaves the United States unless explicitly authorized for organizations with EU operations requiring GDPR-compliant data residency — SafeGenics supports AWS EU hosting regions with a Data Processing Addendum (DPA). AWS data centers maintain physical security controls including 24-hour staffing, biometric access, and video surveillance.
Can SafeGenics support litigation holds?
Yes. SafeGenics supports legal hold capabilities that override normal retention and deletion policies. When a litigation hold is placed on a set of records — by facility, date range, chemical, or incident — those records are preserved regardless of any automated retention actions. Legal holds are managed by authorized administrators and are themselves logged in the audit trail. This is critical for organizations facing OSHA citations, EPA enforcement actions, or personal injury litigation where chemical exposure records may be discoverable.
Get Started
See how SafeGenics protects your compliance data with independently audited controls, immutable audit trails, and 30-year retention architecture.