Mastercontrol Cloud Platform Frequently Asked Questions (Faq)

Uploaded by

Ngoc Sang Huynh

Q&A Document

MasterControl Cloud Platform:


Frequently Asked Questions (FAQ)
TABLE OF CONTENTS

Executive Summary

MasterControl Cloud Platform
Q1: Is MasterControl a SaaS model?
Q2: How is the MasterControl Cloud Platform architected?
Q3: Are all of MasterControl’s solutions built on the same platform?
Q4: What is the difference between MasterControl Cloud, on-premise, and hosted?

MasterControl Cloud Benefits
Q5: What are some of the key benefits of SaaS?
Q6: Is the SaaS model proven and reliable in highly regulated industries?
Q7: Will MasterControl Cloud cost me more than my on-premise software?

Configuration and Integrations
Q8: Can I configure MasterControl SaaS to my unique requirements?
Q9: Can I integrate MasterControl with my IT and enterprise applications?
Q10: Does MasterControl integrate or partner with third-party service providers?
Q11: What are your guidelines for customizations and who can perform the customizations?

Application Availability
Q12: In what geographies/data centers is MasterControl deployed?
Q13: We are a 24x7 operation. Can we expect around-the-clock support globally?
Q14: Does MasterControl have a single point of failure?

Data Security
Q15: Who owns my data and how much control do I have over the data?
Q16: How does MasterControl’s technology platform safeguard my data?
Q17: What does MasterControl’s HIPAA compliance mean for customers?
Q18: How does MasterControl handle data segregation?
Q19: What happens to our data upon termination?
Q20: Our company needs to adhere to strict internal and external regulatory controls. Does that limit us to on-premise software?

System Security
Q21: How does MasterControl handle system security?

Software Security
Q22: How does MasterControl handle software security practices and secure software development?
Q23: How does MasterControl handle application vulnerability assessments?

User Credentials and Access Management
Q24: How does MasterControl handle user password management and login policies?
Q25: How does MasterControl handle user authentication and single sign-on (SSO)?
Q26: How does MasterControl handle audit trails?

Infrastructure Security
Q27: How is data center access handled?

Human Resources Security
Q28: How is human resource security managed?

Backup, Continuity, and Recovery
Q29: Does MasterControl have a business continuity and disaster recovery program?
Q30: How does MasterControl manage data backups?

Maintenance and Upgrades
Q31: How will MasterControl make sure my applications are up to date?
Q32: How will the upgrade process impact my configurations?
Q33: How will the upgrade process impact my system validation?

Validation (For more information, view the MasterControl Validation Strategy FAQ.)
Q34: What are MasterControl’s principles for its SaaS validation strategy?
Q35: What tests does MasterControl perform before validation?

Compliance
Q36: What types of quality, security, and/or third-party audits does MasterControl’s technology platform follow or undergo?

About MasterControl

Executive Summary
Companies worldwide are transitioning traditional enterprise systems to
Software as a Service (SaaS) application solutions for core business functions
and advanced data, analytics, and artificial intelligence applications. SaaS
solutions more effectively address customers’ needs and enable more agility,
scalability, and adaptability to market opportunities. With MasterControl SaaS
offerings, regulated customers derive even greater value by reducing operational
cost and minimizing risk.

This frequently asked questions (FAQ) document provides an overview of
MasterControl’s general approach to its SaaS model. It addresses the most common
questions received from customers and prospects, across all industry verticals.

MasterControl Cloud Platform


Q1: Is MasterControl a SaaS model?
Yes. MasterControl’s solutions are built on the MasterControl Platform™,
which is one integrated platform deployed as a SaaS model with managed
upgrades on a quarterly or annual basis determined by the customer.

Q2: How is the MasterControl Cloud Platform architected?


The architecture meets the most rigorous usability, scalability, performance,
validation, and security requirements demanded by our customers that do
business in regulated environments. Customers can automate their operations
and accelerate outcomes while reducing the total cost of ownership.

[Figure: MasterControl Cloud Platform architecture diagram. Labels include Client,
Internet, Firewall; Isolated Services; Shared Resources; Cloud; Production, Test,
and Dev environments with instances 001, 002, 003 ...; Publishing Resource;
Database Resource; EFP Storage; Analytics Database; Reverse Proxy; Presentation;
SMTP Relay.]

The platform solutions are built in Java/Angular with an MS SQL database — all
delivered in the cloud to meet a variety of customer situations and environments.
Most customers are deployed on Amazon Web Services (AWS). Each customer
receives a dedicated instance of MasterControl that is specifically assigned
to the customer. Each customer also has their own database, EFP (electronic
file path), and associated service accounts and permissions, fully isolating
customers from one another. We operate in a single-tenant model with a shared
back-end infrastructure, data isolation, and associated controls.

MasterControl uses S3 (Amazon Simple Storage Service) buckets for file
storage. S3 buckets, which are similar to file folders, store data and its
descriptive metadata. Each customer has a dedicated S3 bucket.

Q3: Are all of MasterControl’s solutions built on the same platform?


Yes. MasterControl solutions have always been built from the ground up on one
connected platform, not through acquisition like many SaaS solutions today.
The MasterControl Platform gives our highly regulated customers a modern,
scalable architecture to automate (digitize) and improve critical business
processes (CBP) across the product life cycle from product conception to
commercialization and beyond.

Q4: What is the difference between MasterControl Cloud,
on-premise, and hosted?
We firmly believe that the cloud is the future. It is the optimal model for delivering
innovation and customer value.

• Cloud: Customers running MasterControl on the cloud platform, hosted by
AWS. The upgrade cadence is automatic on a quarterly or annual basis, which is
managed and performed by MasterControl.
• On-premise: Customers running MasterControl at their own facility, on their
internal IT infrastructure. The upgrade cadence is determined by the customer
and the upgrade process is assisted by MasterControl.
• Hosted: Customers running their own instance of MasterControl on the cloud
platform, hosted by AWS. The upgrade cadence is determined by the customer
and assisted by MasterControl.

Currently, MasterControl maintains two code bases:

• Cloud: For customers operating MasterControl on the cloud platform. Upgrades
are automatic and are managed and performed by MasterControl. Customers
select the cadence for their upgrades (annual or quarterly), but the heavy lifting of
completing the upgrade falls on MasterControl.
• Classic: Classic is for customers who choose to continue using MasterControl
on-premise or in a non-cloud, hosted environment. They choose to upgrade at
their discretion. Classic releases occur on a slower cadence than Cloud, following
a mainstream support plan. The support commitment for Classic ends in 2023
and the extended support ends in 2025.


MasterControl Cloud Platform


Q5: What are some of the key benefits of SaaS?
Benefits for businesses that deploy SaaS solutions include:

• Accelerated scalability and adaptability.
• Better security, as security measures and technologies are frequently updated.
• Faster access to the most recent product innovations.
• Rapid deployment and faster time-to-value with lower upfront costs.
• Accessibility from virtually anywhere.
• Reduced risk with quarterly upgrades, compared to longer release cadences.
• Automatic upgrades with no customer involvement other than validation.
• Much faster validation than on-premise systems — in many cases, cutting the
validation time from months and weeks to days, and in some situations, hours.

Q6: Is the SaaS model proven and reliable in highly regulated industries?
When companies consider implementing cloud-based solutions, data security is
a prominent concern. MasterControl is committed to ensuring the confidentiality,
integrity, and availability of customer data by using AWS, an industry-proven
provider, as the foundation for the MasterControl Platform and solutions. Agencies
like the U.S. Food and Drug Administration (FDA) and the Department of Health and
Human Services National Institute of Health (NIH) are using AWS as a platform for
their SaaS-based solutions.

The most highly regulated companies in the world (pharmaceutical and medical
device manufacturers, blood and biologics organizations, etc.) rely daily on
MasterControl’s cloud solutions to improve efficiencies and accelerate time to
market. MasterControl uses tools and services for testing, monitoring, and reacting
quickly to potential data and security threats while ensuring the utmost security,
beyond what most organizations can achieve with their internal staff.

MasterControl is designed to be compliant with regulations such as FDA’s 21 CFR
Part 11 and European Commission’s Annex 11. MasterControl is certified to
the ISO 27001, ISO 9001, and ISO 27017 (information security specific to cloud
computing) standards and integrates these frameworks into daily operations.
Certification and adherence to these ISO standards have been verified through
hundreds of customer audits.

Q7: Will MasterControl Cloud cost me more than my on-premise software?


When comparing the short- and long-term costs of deploying and using SaaS
solutions vs. on-premise systems, the overall short-term SaaS costs are slightly
higher. However, SaaS allows for greater customer benefits and fewer expenses in
the long-term because of the following cost-saving benefits:

• No hardware/infrastructure costs: SaaS systems are already installed and
run by MasterControl system infrastructure and security architects, so
there is no need to purchase or upgrade internal hardware and pay for
specialized IT maintenance and support.


• Less time and labor costs: In a cloud infrastructure, hosting, data security, and
hardware maintenance are managed by MasterControl instead of the customer.
• Opportunity costs and scalability: By relying on MasterControl’s expertise,
customers are free to channel their resources toward what they do best.
MasterControl eliminates the headaches, labor time, and costs required to scale
an internal infrastructure.

Configuration and Integrations


Q8: Can I customize MasterControl SaaS to my unique requirements?
MasterControl SaaS solutions are designed to configure rather than customize
code. Our implementation experts can shape the software to support critical
business requirements through configuration parameters, so customers can switch
on or off options that previously would require custom coding. These best-practice
configurations are reliable and can be validated rapidly.

Customizing MasterControl, rather than running it out-of-the-box as written,
can cause validation and performance testing problems. With customizations,
customers are unable to align with the quarterly update schedules, which delays
them in getting the newest features and functionality — a significant advantage with
implementing SaaS.

Q9: Can I integrate MasterControl with my IT and enterprise applications?


Yes. The MasterControl Application Programming Interface (API) framework and
integration ecosystem enable connections that drive today’s digital, data-driven
businesses. An array of custom integrations has been performed with proven
enterprise solutions, including SAP, Oracle, Workday, ADP, and others.

Q10: Does MasterControl integrate or partner with third-party
service providers?
Yes. While MasterControl designs, develops, and deploys world-class software,
we recognize that key partnerships help us ensure that the platform delivers
exceptional value and a productive customer experience. Two of our many
third-party partners include Elasticsearch and Logi Analytics’ JReport. MasterControl
provides industry-leading searching through Elasticsearch’s distributed RESTful
search, which is a SaaS service for full-text searches. The JReport analytics engine
delivers business insights to executives and users with its analytics reporting and
dashboarding solutions.

Another third party is Okta, an industry-leading identity management service.
With Okta, passwords are no longer stored in the MasterControl database.
This adds another layer of system security. Login passwords can be used as an
e-signature for Security Assertion Markup Language (SAML), Active Directory
(AD), and local authentication.


Q11: What are your guidelines for customizations and who can
perform the customizations?
As discussed earlier, MasterControl follows a “configure, not customize” paradigm.
(See Q8.)

Application Availability
Q12: In what geographies/data centers is MasterControl deployed?
MasterControl uses AWS as its cloud infrastructure provider based on its global
footprint, industry-defining performance, and ability to deliver high-performing,
secure environments. Data centers are ISO 27001 and ISO 27017 certified and use
Statement of Standards for Attestation of Controls (SSAE)16/Service Organization
Controls (SOC)1 Type II reports.

All customer data — primary and backup — is stored in primary and secondary
data centers in the region specified. (See list below.) Data is stored only on devices
that are attached to the applicable server and not on devices such as flash drives,
compact discs (CDs), or tape. Data is backed up and retained per the data retention
policies defined in the MasterControl Service Level Agreement (SLA). Access to
data is limited to individuals whose roles require such access.

AWS
• North America – United States, Canada
• EMEA – Germany
• APAC – Japan, Singapore, Australia

Q13: We are a 24x7 operation. Can we expect around-the-clock
support globally?
Yes. MasterControl provides extended global support for non-business hours for
an additional fee. Standard support hours are provided throughout the following
geographies:

North America
Monday – Friday 6:00 a.m. to 6:00 p.m. Mountain time (GMT – 7:00)
Phone: 1 (800) 825-9177
Email: [email protected]

EMEA
Monday – Friday 9:00 a.m. to 5:30 p.m. GMT
United Kingdom: +44 (0)1256 325 949
United Kingdom (Toll Free): +44 (0)800 138 3534
Germany: 0800-180-0228
Email: [email protected]


APAC
Monday – Friday 10:00 a.m. to 6:00 p.m. AEST time (GMT +10:00)
Australia: +61-38518467
New Zealand: 0800-451110
China: 10-800-130-1830
Hong Kong: +852-300-85785
Email: [email protected]

Japan
Monday–Friday 9:00 a.m. to 5:30 p.m. Japan time (GMT +9:00)
Email: [email protected]

Q14: Does MasterControl have a single point of failure?


Your data and operations are at the heart of our mission. We manage our systems to
meet a 99.95% uptime guarantee, which is above industry standards for enterprise
quality management systems. We employ redundancies, failovers, and other site
reliability engineering practices to keep your systems operational as we continue to
improve our architecture and processes.

Data Security
Q15: Who owns my data and how much control do I have over the data?
Customers reserve all rights, titles, and interests, including all intellectual property
and proprietary rights, in and to their content. Customers determine how the data
is used, who has the right to access, amend and delete it, and how the data is to be
downloaded and stored locally anytime desired. Customers can request to stop
using the solution at any point and the data can be securely extracted and returned.

MasterControl has policies and procedures in place designed to protect the security,
integrity, and confidentiality of our customers’ data. This includes having access to
data for troubleshooting purposes. All changes made by MasterControl are tracked
through a change management/change control process and undergo internal review
and approval. Our adherence to these policies is validated through regular, external
third-party audits.

Q16: How does MasterControl’s technology platform safeguard my data?


MasterControl is ISO 27001:2013 and ISO 27017:2015 certified and incorporates
very stringent security policies. (See Q6.) Detailed procedures are in place to ensure
the necessary levels of physical security, network security, application security,
internal system security, operating system security, and third-party certifications.
MasterControl also has a quality and compliance team that sets the policies and
coordinates internal audits and third-party audits to ensure that the requirements
are continuously being met.


MasterControl ensures data security by using the industry-standard data
encryption technology called Transport Layer Security (TLS). TLS provides a high
degree of data protection by encrypting all data. To encrypt data in transit, TLS uses
a symmetric-key algorithm with unique keys generated for each connection —
not each customer site. The server’s identity is verified using public-key
cryptography. Hackers cannot obtain or modify the keys for symmetric encryption at any
point without being detected. To ensure data integrity, TLS checks each message
using a message authentication code to prevent tampering and data loss.

Q17: What does MasterControl’s HIPAA compliance mean for customers?


The Health Insurance Portability and Accountability Act (HIPAA) is a law that
requires the creation of specific standards for protecting sensitive patient health
information (PHI) from being disclosed without the patient’s consent or knowledge.

HIPAA compliance involves extensive data protection and system security
measures where the PHI is stored and maintained. To remain HIPAA compliant,
companies that store PHI data with a third-party organization are required to sign
a Business Associate Agreement (BAA) with that organization. A BAA is a written
arrangement that specifies each party’s responsibilities when it comes to PHI.

MasterControl is HIPAA compliant, which means we can ensure the necessary
protection of PHI. Customers who want the HIPAA-level of data protection must
purchase the HIPAA compliance option and sign a BAA with MasterControl.

The types of data protection under HIPAA include data at rest, in transit (including
PDF communication), and in use (see explanations below).

• Data at rest: To protect data at rest, MasterControl uses an Advanced Encryption
Standard (AES) technique for its TLS digital certificates. Customer data is stored
and encrypted using AES 256-bit encryption, which is the most secure level of
data encryption.
• Data in transit: MasterControl uses an industry-leading, external certificate
authority for its TLS digital certificates with 2048-bit keys and secure hash
algorithm (SHA)-256 signatures and enforces a minimum of 128-bit symmetric
key encryption.
• Data in use: MasterControl tightly controls data in the database and the file
system — no data is cached on your system. We also secure this data with
authentication and controls that are implemented with our Okta integration.

If your company doesn’t need HIPAA-level data protection, you will not have to pay
for it. However, that means you should not store PHI in your system.

If you’re interested in learning more about HIPAA and having a HIPAA compliant
system, talk to your customer account representative.


Q18: How does MasterControl handle data segregation?


MasterControl uses a single-tenant infrastructure with dedicated instances for
each customer. Data is segregated into unique repositories that are controlled by
customer-assigned access rights. These are also combined with dedicated database
instances specific to each customer.

Q19: What happens to our data upon termination?


Upon expiration or early termination, the customer needs to request that
MasterControl provide the most recent and relevant data backup and an
export of document files. MasterControl will provide data export services (i.e.,
the provision of the data files in a non-standard format) per the customer’s
specification (which specification shall be subject to MasterControl’s agreement
and confirmation of feasibility).

Q20: Our company needs to adhere to strict internal and external regulatory
controls. Does that limit us to on-premise software?
No. Regulatory controls apply to infrastructure and software operations, regardless
of on-premise or SaaS deployment. Most enterprises are distributed and use
dedicated hosting centers. Even on-premise system servers are not typically
located within the building, nor are operators sitting at the console when
interfacing with the servers.

System Security
Q21: How does MasterControl handle system security?
MasterControl invests in the most advanced and modern system security available
to provide a secure environment. The following are ways MasterControl provides
proven system security:

• Change management: Changes to IT facilities and systems are managed using
a documented change control process that requires testing, review, and approval
before releasing the changes to production servers. Servers use file integrity
monitoring tools to detect unauthorized changes to critical system files.
• Vulnerability management and penetration testing: Systems undergo periodic
vulnerability and penetration testing in two ways:
– Industry-recognized third-party security specialists who use multiple
overlapping enterprise security solutions to swiftly handle any vulnerabilities.
– Internal experts using additional vulnerability and penetration testing.
• Third-party service delivery management: All security requirements, ongoing
monitoring, and change management clauses are in place for MasterControl
SLAs. MasterControl’s internal quality team audits each third-party supplier.

• Monitoring: Application, database, and system monitoring are in place. Personnel
responsible for monitoring are notified when alerts are triggered. Logs are
secured for only authorized personnel to access. Performance monitoring is
employed at all locations throughout the world.
• Database security: MasterControl encrypts database data-at-rest at multiple
levels. (See Q17.) We encrypt all database data. Transparent data encryption
(TDE), which is similar to encrypting data at rest, is enabled on each customer’s
database. We also add an extra layer of encryption at the application level.

Software Security
Q22: How does MasterControl handle software security practices and secure
software development?
MasterControl performs automated and manual code reviews, and developers are
trained on secure software development principles. MasterControl also procures
software from other software vendors with software licensing agreements
that ensure prompt security patches and updates. MasterControl tests security
measures throughout the following software development life cycle phases to
ensure system protection:

• Design phase: Automated and manual security control requirements are
analyzed and documented. This includes assessment of data risk and resulting
encryption requirements.
• Coding phase: Practices of secure coding are defined and reviewed, and access
to source code and test data is controlled. Secure coding practices include
session management security, as well as the prevention of Open Web Application
Security Project (OWASP) Top 10 software vulnerabilities, including malformed
XML or HTTP requests, XSS, CSRF, and SQL injection. Automated and manual
code reviews are also performed in this phase.
• Testing phase: Application software is tested for security vulnerabilities during
the testing phase using static and dynamic code analysis tools. Vulnerabilities
are documented and a remediation plan is developed. Also, the vulnerabilities
are monitored to ensure each is addressed appropriately. A complete application
penetration testing is conducted for each major release.

Q23: How does MasterControl handle application vulnerability assessments?


MasterControl follows industry best practices for application vulnerability
assessments, including guidelines outlined by OWASP, to identify and defend
against any vulnerability. (See Q22.)

MasterControl conducts periodic vulnerability assessments on its production
systems and tests contemporary attack vectors using automated and manual
methods like threat modeling, vulnerability classification, and automated scanning
to find potential SQL, AD, XPath, or jQuery injection paths and protect against
distributed denial of service (DDoS) attacks. Vulnerability testing examples include
spoofing of user identity, tampering, repudiation, information disclosure, denial of
service, and elevation of privileges.


User Credentials and Access Management


Q24: How does MasterControl handle user password management
and login policies?
MasterControl enables strict user authentication and permission enforcement
at every access point, ensuring that only users with the proper credentials can
access data. MasterControl provides configurable password policies for length,
complexity (alphanumeric), expiration and lockouts, intruder alerts, forgotten
password help, etc.

Customer administrators (sysadmins) can configure user application rights and
content access rights via roles. Role rights are additive. Users can be in a single
role or multiple roles. Best-practice templates are built into the system for roles
and standardized controls. Customer administrators can customize those to meet
specific needs.

External users can be added to the system as “guest users” to allow them to
collaborate on specific documents, add audit findings, or view specific reports.
Access can be revoked at any time. Guests can only see the tasks that they are
specifically invited to by a power user.

Q25: How does MasterControl handle user authentication and
single sign-on (SSO)?
User accounts are set up and maintained by customer administrators.
MasterControl supports user authentications directly in the application as well as
via integration with Active Directory (AD) servers or Security Assertion Markup
Language (SAML) 2.0 providers. Most customers use a combination of direct
authentication (local) and AD or SAML.

MasterControl Local
  Authentication (Login): Uses a Unique Password. Password settings controlled
  by the System Administrator.
  E-Signature Approval: Unique Password – Settings controlled by System
  Administrator; Uses login as E-signature; Uses Network Credentials.

Active Directory (AD) [1]
  Authentication (Login): Uses Network Credentials.
  E-Signature Approval: Password controlled by System Administrator; Uses
  Network Credentials.

SAML (SSO) [2]
  Authentication (Login): Uses Network Credentials for login via IdP.
  E-Signature Approval: Password controlled by System Administrator; Exploring
  business and technical feasibility.

[1] Requires system administrator to configure connection from MasterControl to AD server (SSL).
[2] Uses any SAML 2.0 compliant identity provider (IdP), including ADFS.


Q26: How does MasterControl handle audit trails?


MasterControl automatically logs all document and user activity. Audit logs provide
the administrator visibility into system activity and are a component of compliance
with electronic records and electronic signature regulations. The logs contain
detailed information such as date and time stamp, username, and the event.

Infrastructure Security
Q27: How is data center access handled?
AWS monitors the data centers using their global Security Operations Centers,
which are responsible for monitoring, triaging, and executing security programs.
They provide 24/7 international support by managing and monitoring data center
access activities, equipping local teams and other support teams to respond to
security incidents by triaging, consulting, analyzing, and dispatching responses.

Human Resources Security


Q28: How is human resource security managed?
MasterControl gives employees and contractors system access during onboarding
and promptly removes it during the exit process. This system access is reviewed
when any employee changes job functions. Additional security processes include:

• Background checks: All MasterControl personnel undergo criminal background
checks and identity verification.
• Awareness training: All MasterControl personnel are regularly assigned
and complete training tasks and training competency testing on policies and
procedures.
• Asset management: MasterControl tracks all critical information assets
and applications that process sensitive data. Employees go through security
awareness training during onboarding and repeat it annually.
• Malware protection: All laptops have malware protection and are managed and
monitored by MasterControl’s IT department. All users are trained on security
best practices and malware prevention as part of their security awareness
training during new hire orientation.
• Media handling: MasterControl has created procedures that are designed to
protect documents and computer media containing customer data or other
sensitive information. Media is properly sanitized or securely disposed of.
• Mobile device security: Customer data is stored on laptops only for specific
purposes such as implementation or troubleshooting. All files are encrypted
using AES 256-bit keys.


Backup, Continuity, and Recovery


Q29: Does MasterControl have a business continuity and
disaster recovery program?
Yes. MasterControl responds to unplanned business interruptions that affect the
availability of CBPs and the IT services that support those processes. To maintain
business continuity, we have a Recovery Point Objective (RPO) of four hours and a
Recovery Time Objective (RTO) of eight hours that is agreed upon contractually.

With the S3 file storage (see Q2), we can recover files in the event of data loss. This
includes facility utility disruption (not caused by environmental disaster), electronic
file loss, electronic database record loss, data corruption, accidental overwriting
of the file system, etc. We also have multiple versions of every file and can preserve
every version of every customer’s EFP files for 13 months.

Q30: How does MasterControl manage data backups?


The S3 file storage provides near real-time backup and disaster recovery. All EFP
files are automatically replicated to the disaster recovery location and are retained
for 13 months. SQL backups still occur every four hours.

[Figure: Primary Location and Failover Location. Production 1, Production 2, and
Production 3 each replicate to a matching instance at the failover location (label:
"Every 4 Hours"). Backup: every 4 hours, kept for 13 months.]

Maintenance and Upgrades


Q31: How will MasterControl make sure my applications are up to date?
A significant benefit of SaaS is that MasterControl manages all updates and
upgrades, instead of the customer. We regularly perform the following maintenance
to ensure applications are up to date:

• Scheduled maintenance: Operating system and infrastructure maintenance
follows a regular schedule — system availability will be interrupted during this
time. Maintenance windows can happen any weekend, but they generally occur
twice a month.
– Second weekend: MasterControl application patch.
– Last weekend: Cloud infrastructure.
This schedule is subject to change. If there is a change, we notify customers with
a pop-up reminder directly in the app (Pendo) for the cloud and via email for those
on MasterControl hosted.
• Critical planned: MasterControl may need to make critical updates to address
security, privacy, legal, regulatory, or third-party hardware and software issues
that are not reasonably foreseeable. In these cases, MasterControl will apply
the update as soon as possible. MasterControl may also determine that certain
updates are mandatory based on the severity of the service issue. In these cases,
MasterControl will apply the update as soon as commercially practical.
• Unplanned: This may include systemic disruption of internet carrier
telecommunications or equipment as well as other interruptions of service on the
backbone (core network), on the client’s portion of the network, or interruptions or
significant degradations of service caused by denial of service or similar attacks.

Network unavailability beyond the power of MasterControl is considered
excusable downtime for the duration of the outage and takes precedence over any
other cause of downtime with respect to calculating service availability.

The MasterControl SLA provides more detailed maintenance information.

Q32: How will the upgrade and patch process impact my configurations?
Upgrades or patches will not impact customer configurations. The data and
configurations are stored in the database tables, independently of the code.

Q33: How will the upgrade and patch process impact my system validation?
At MasterControl, we provide fully executed functional testing and recommended
usage testing for every software release. We include a full validation package for
each release, so customers can trace the requirements to the executed testing and
review a final summary report of any internal deviations we find.

One of the many advantages of our automated testing is that we can validate
changes daily and weekly. Because of how thorough our functional testing is,
clients don’t have to perform any functional-level testing for their instance of
MasterControl.

With upgrades and patches, it’s important to ensure that you are adequately
evaluating the risk of each software change. The breadth and depth of the validation
effort for a software change should be commensurate to the risks imposed by the
software change. Based on the scope of the changes, it may be beneficial to do a full
system risk assessment. Most often, however, only new features as well as high and
critical defects need to be assessed for risk.

We provide usage testing protocol templates that are customized to a client’s
specific usage and risks. These customized, risk-based protocols are driven through
the Risk Assessment feature of the MasterControl Validation Excellence Tool
(VxT)™ (U.S. Pat. 10,324,830).

Once your assessment is done, the risk assessment and pertinent validation
documentation are exported into a customized change control form. (See “8 Best
Practices for Compliant and Quick Software Validation in the Cloud.”)

Validation
(For more information, view the MasterControl Validation Strategy FAQ.)

Q34: What are MasterControl’s principles for its SaaS validation strategy?
Companies regulated by the FDA or the European Medicines Agency (EMA)
are required to validate their electronic systems. Outside of the FDA and EMA
environments, validation is valuable because it reinforces the importance of product
quality and safety.

Companies in other regulated environments go through the validation process
because they adhere to international guidelines and standards that will help
them sell their products globally or increase the value of their products in their
customers’ eyes.

MasterControl has been validating computer and software systems since 1999. A best-
practice testing and software life cycle approach is used with an innovative, patented
risk-evaluation tool that focuses on the company’s critical business processes.

This proven validation process eliminates wasted revalidation efforts, which
helps companies accelerate their time-to-value objectives. Unlike other software
providers, MasterControl doesn’t just hand out its own validation documentation as
a shortcut — this would only increase the risk of noncompliance.

MasterControl’s approach generates all the information needed to understand
the true risk of software adoption to validate CBPs. Our validation tools help our
customers complete the process with less time and effort.

MasterControl adheres to the following guiding principles for SaaS validation:


• Validation should be part of change control.
• Validation should be risk-based.
• Validation should leverage as much work of trusted vendors as possible.
• Customer performance qualification (PQ)-level testing should focus on CBPs.

Q35: What tests does MasterControl perform before validation?


MasterControl completes the following extensive testing before validation:
• Hourly unit, integration, and functional testing of thousands of individual tests —
Includes direct code testing and user interface testing.
• Daily manual code inspection and verification.
• Regular manual usage testing of hundreds of complex tests.
• Daily automated functional (operational qualification (OQ)) regression testing.
• Daily automated usage (performance qualification (PQ)) regression testing.
• Regular scalability testing assessing high usage and system responsiveness.
• Regular security testing.
• Regular manual investigative testing.
• Regular system upgrade testing.

Compliance
Q36: What types of quality, security, and/or third-party audits does
MasterControl’s technology platform follow or undergo?
As a one-to-many SaaS provider, MasterControl cannot feasibly meet the specific
requirements of any one customer. Instead, our approach is to offer quality, security,
and/or data privacy certifications and measures that meet the needs of the majority
of the market for our products. Thereafter, it is incumbent upon customers to utilize
the solution in a manner that fits with their own risk assessment and that complies
with relevant regulations. Here are some of the quality, regulatory, and IT standards
that MasterControl addresses:

• ISO 27001:2013: MasterControl is certified to this standard.
• ISO 27017: MasterControl is certified to this standard.
• ISO 9001:2015: MasterControl is certified to this standard.
• 21 CFR Part 11: MasterControl software is 21 CFR Part 11 compliant when used
and configured correctly.
• EU Annex 11: MasterControl software is Annex 11 compliant when used and
configured correctly.
• General Data Protection Regulation (GDPR): MasterControl has implemented
items to comply with GDPR.
• SSAE 16 Type II SOC 1 and SSAE 16 Type II SOC 2: Service Organization
Controls (SOC), previously known as SAS70 Type II, is an audit report from the
Statement of Standards for Attestation of Controls (SSAE), a well-recognized
auditing standard developed by the American Institute of Certified Public
Accountants (AICPA) and applicable to service providers like MasterControl.
The range of controls is broad and covers everything from hiring, setting
up servers, granting and revoking access to secure systems, retention and
review of logs, customer onboarding, and change management. SOC 2 shows
adherence to the set of controls covered in SOC 1 and provides an attestation
from auditors on the effectiveness of the controls for meeting the Trust
Services Principles: security, availability, processing integrity, confidentiality,
and privacy. MasterControl has not obtained SOC certification; we utilize third-
party data centers that adhere to SOC 2.

About MasterControl
MasterControl Inc. is a leading provider of cloud-based quality and compliance
software for life sciences and other regulated industries. Our mission is the same
as that of our customers – to bring life-changing products to more people sooner.
The MasterControl Platform helps organizations digitize, automate, and connect
quality and compliance processes across the regulated product development
life cycle. Over 1,000 companies worldwide rely on MasterControl solutions to
achieve new levels of operational excellence across product development, clinical
trials, regulatory affairs, quality management, supply chain, manufacturing, and
postmarket surveillance.

For more information, visit www.mastercontrol.com.


© 2020 MasterControl Inc. All rights reserved. DSFAQXX0USENLT-04/20
