
Your Data, Protected.

Built for Life Science.

Prendio is purpose-built for the life science industry. We understand the sensitivity of your procurement, financial, and operational data—and we’ve designed every layer of our platform to protect it.

Our Commitment

Data Protection with Intention

Life science organizations trust Prendio to manage critical procurement workflows. That trust is the foundation of everything we build.

Our philosophy is simple: We protect your data with enterprise-grade security, we're transparent about how we handle it, and we continuously validate our controls through independent audits.

We don't just meet compliance standards—we embed privacy and security into the design of our platform from the ground up, adhering to principles of data minimization, least-privilege access, and defense in depth.


Encrypted Everywhere

All data encrypted at rest and in transit using keys managed by Prendio.

Independently Audited

SOC 1 and SOC 2 Type II certified with annual independent audits.

Customer Data Segregation

Logical separation enforced at the API and database layer per customer.

Global Privacy Compliance

GDPR & CCPA compliant with documented records of processing activities.

OUR PRINCIPLES

Our Commitment to Responsible Data Stewardship

We hold ourselves to these principles in every decision we make about your data.


Your Data, Protected

You retain ownership of all identifiable data you place into Prendio, and we will never sell your data to third parties. Any use of anonymized and aggregated data—from which no individual customer can be identified—is governed by our privacy policy. Your confidential business information is always safeguarded.

Radical Transparency

We maintain a public Trust Center powered by Drata where you can review our compliance posture in real time. Our privacy policy and terms of service are written in clear language and available at any time.

Security & Compliance First

We don't treat security as an afterthought. Every system change undergoes security review. Our controls are independently audited annually for SOC 1 and SOC 2 certification, and we maintain compliance with GDPR and CCPA privacy regulations.

Continuous Validation

We use automated monitoring through Drata, CloudWatch, and New Relic to continuously assess our security posture. Vulnerability scanning, intrusion detection, and file integrity monitoring run around the clock.

Detailed Audit Trails

Changes to the platform and key data attributes are logged with detail including who, what, when, and how. Logs are protected from tampering and reviewed regularly to maintain accountability and support compliance.
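The page says audit entries record who, what, when and how, and that the logs are protected from tampering, but does not say how. One common way to make a log tamper-evident is to chain entries by keyed hash, so that editing or deleting any earlier entry breaks verification of everything after it. The following is an added illustration of that technique, not Prendio's logging code; the entry fields, the signing key and the three events are constructed for the example.

```python
"""Tamper-evident audit trail (added example, not the page's own code).

Each entry carries who/what/when/how plus the previous entry's hash and an
HMAC over its own fields, so an edit or a deletion anywhere in the chain is
detected by a linear verification pass. The key, fields and events below are
constructed assumptions for the demo.
"""
import hashlib
import hmac
import json
from copy import deepcopy
from dataclasses import asdict, dataclass
from typing import List, Optional

GENESIS = "0" * 64
# Constructed demo key. A real deployment keeps this in a secrets manager or
# KMS so that write access to the log store alone is not enough to recompute
# a consistent chain after tampering.
LOG_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class AuditEntry:
    who: str         # authenticated principal that made the change
    what: str        # object and attribute, old value -> new value
    when: str        # timestamp (fixed strings here so the demo is deterministic)
    how: str         # channel: API route, admin console, batch job, ...
    prev_hash: str   # entry_hash of the preceding entry (GENESIS for the first)
    entry_hash: str = ""


def _digest(key: bytes, entry: AuditEntry) -> str:
    """HMAC-SHA256 over every field except the entry's own hash."""
    body = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log: List[AuditEntry], key: bytes,
                 who: str, what: str, when: str, how: str) -> AuditEntry:
    """Append a new entry linked to the current tail of the chain."""
    prev = log[-1].entry_hash if log else GENESIS
    entry = AuditEntry(who, what, when, how, prev)
    entry.entry_hash = _digest(key, entry)
    log.append(entry)
    return entry


def verify_log(log: List[AuditEntry], key: bytes) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first entry
    whose link or HMAC does not check out."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.prev_hash != prev or not hmac.compare_digest(_digest(key, e), e.entry_hash):
            return i
        prev = e.entry_hash
    return None


def build_sample_log() -> List[AuditEntry]:
    """Three constructed procurement events for the demo."""
    log: List[AuditEntry] = []
    append_entry(log, LOG_KEY, "buyer@lab-a.example",
                 "PO-1001.amount: 1250.00 -> 1450.00",
                 "2025-03-01T09:12:00Z", "api:PATCH /purchase-orders/1001")
    append_entry(log, LOG_KEY, "admin@prendio.example",
                 "vendor-42.bank_account: ****1234 -> ****9876",
                 "2025-03-01T10:05:00Z", "admin-console")
    append_entry(log, LOG_KEY, "approver@lab-a.example",
                 "PO-1001.status: pending -> approved",
                 "2025-03-01T10:30:00Z", "api:POST /purchase-orders/1001/approve")
    return log


def demo():
    """Verify an intact chain, then an edited copy and a copy with an entry removed."""
    log = build_sample_log()
    intact = verify_log(log, LOG_KEY)            # None

    edited = deepcopy(log)
    edited[1].what = "vendor-42.bank_account: ****1234 -> ****1234"  # conceal the change
    edit_detected_at = verify_log(edited, LOG_KEY)                 # 1

    deleted = deepcopy(log)
    del deleted[1]                               # drop the bank-account change entirely
    delete_detected_at = verify_log(deleted, LOG_KEY)              # 1 (old entry 2 no longer links)

    return intact, edit_detected_at, delete_detected_at


if __name__ == "__main__":
    print(demo())
```

The review step described above then becomes a scheduled run of `verify_log` plus alerting on any non-None result; because the chain is keyed, a database user who can rewrite rows but does not hold the log key cannot re-sign the entries to hide an edit.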

Compliance & Certifications

Enterprise-Grade Security. No Exceptions.

Our compliance posture is validated by the world's most respected audit firms and regulatory frameworks.

SOC 2 Type II Certified

Independently audited by MD Advisors for security, availability, confidentiality, processing integrity, and privacy. Examination period: December 2024 – November 2025.

AICPA Attested


SOC 1 Type II Certified

Independently audited by Ernst & Young LLP for internal controls over financial reporting. Covers the Prendio and BioProcure procurement system.

EY Audited


GDPR Compliant

Full compliance with the EU General Data Protection Regulation, including Records of Processing Activities (ROPA), data subject rights, and cross-border transfer safeguards.

EU Privacy


CCPA Compliant

Full compliance with the California Consumer Privacy Act, including consumer rights, records of processing, and transparent data handling practices.

CA Privacy

Security Architecture

Defense in Depth, by Design

Multiple layers of protection ensure your data is secure at every stage.

Data Encryption

  • All data at rest stored on encrypted volumes using Prendio-managed encryption keys via AWS KMS

  • All data in transit encrypted end-to-end using strong protocols, key exchange, and cipher suites

  • Volume encryption keys protected by privileged-only access controls

  • Encryption key deletion renders data permanently inaccessible when required

Access Controls

  • Production access restricted to limited authorized personnel for troubleshooting purposes

  • Customer data logically separated by unique identifier, enforced at the API layer

  • All database queries scoped to authenticated account identifier

  • All production system access is logged and reviewed by the security team
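The two isolation controls above (customer data separated by a unique identifier at the API layer, and every database query scoped to the authenticated account) describe the standard defence against one tenant reading another's records by guessing an id. The following is an added example of that pattern, not Prendio's code or data model: it contrasts a lookup keyed by record id alone with one that always includes the session's account id, using a constructed in-memory purchase-order table.

```python
"""Tenant-scoped data access (added example, not the page's own code).

The store, record shape, account ids and sample rows are constructed
assumptions. The point is the predicate: a hardened lookup always combines
the authenticated account id with the requested record id, so ids belonging
to another customer never match.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: int
    account_id: str   # tenant identifier: the customer that owns the row
    vendor: str
    amount: float


# Constructed sample data: two customers sharing one table.
PURCHASE_ORDERS: List[PurchaseOrder] = [
    PurchaseOrder(1001, "acct-lab-a", "Reagents Inc", 1250.00),
    PurchaseOrder(1002, "acct-lab-a", "Pipette Co", 89.50),
    PurchaseOrder(2001, "acct-lab-b", "Centrifuge Ltd", 9800.00),
]


class NotFound(Exception):
    """Used for both 'no such row' and 'row belongs to another tenant', so the
    response does not reveal whether a foreign id exists."""


def get_po_unscoped(po_id: int) -> PurchaseOrder:
    """Weak pattern: lookup by record id only. Any authenticated user who
    guesses an id reads another customer's order (an insecure direct object
    reference). Equivalent SQL: WHERE po_id = %s"""
    for po in PURCHASE_ORDERS:
        if po.po_id == po_id:
            return po
    raise NotFound(po_id)


def get_po_scoped(account_id: str, po_id: int) -> PurchaseOrder:
    """Hardened pattern: the predicate always includes the authenticated
    account id. Equivalent SQL: WHERE account_id = %s AND po_id = %s"""
    for po in PURCHASE_ORDERS:
        if po.account_id == account_id and po.po_id == po_id:
            return po
    raise NotFound(po_id)


def list_pos_scoped(account_id: str) -> List[PurchaseOrder]:
    """List endpoints need the same predicate; omitting it here leaks the
    whole table rather than a single row."""
    return [po for po in PURCHASE_ORDERS if po.account_id == account_id]


def handle_get_po(session_account: str, requested_po_id: int) -> Dict:
    """API-layer handler. The tenant comes from the authenticated session,
    never from a client-supplied parameter, and the scoped lookup is the only
    data-access path the handler has."""
    try:
        po = get_po_scoped(session_account, requested_po_id)
    except NotFound:
        return {"status": 404}
    return {"status": 200, "po_id": po.po_id, "vendor": po.vendor, "amount": po.amount}


if __name__ == "__main__":
    # Tenant A requesting tenant B's order: the unscoped lookup returns it,
    # the scoped handler answers 404.
    print(get_po_unscoped(2001).vendor)                  # Centrifuge Ltd (leak)
    print(handle_get_po("acct-lab-a", 2001))             # {'status': 404}
    print(handle_get_po("acct-lab-a", 1001)["vendor"])   # Reagents Inc
```

Keeping the scoped function as the only read path (and deriving `session_account` from the verified session rather than from the request body or URL) is what makes the "enforced at the API layer" claim checkable in code review: any new query that omits the account predicate stands out.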

Monitoring & Detection

  • CloudWatch and New Relic for real-time infrastructure and application monitoring

  • Security agents on production systems generating alerts on suspicious activities

  • Vulnerability scanning, intrusion detection/prevention (IDS/IPS), and anti-malware systems

  • File integrity monitoring and automated incident alerting via text, chat, and email

Infrastructure & Resilience

  • Hosted on Amazon Web Services (AWS) with multi-region replication for redundancy

  • Automated disaster recovery scripts with tested failover to alternate cloud environments

  • 24-hour recovery time objective with tabletop and technical DR testing conducted annually

  • Annual penetration testing (infrastructure and application) validated by independent certificates

DATA LIFECYCLE

Responsible Handling at Every Stage

Your data follows a clearly defined lifecycle with protections at every stage.

1. Collection

Data collected only as necessary for business purposes. Classified according to sensitivity. Personal data processed under a lawful basis per GDPR and CCPA.

2. Processing & Storage

Encrypted at rest and in transit. Logically segregated per customer. Stored on AWS with redundancy across multiple regions. Accessible only to authorized systems.

3. Retention

Your data is retained for the full duration of your active account. Upon account closure, personally identifiable information is handled in accordance with GDPR and CCPA requirements. Retention schedules are applied per data type, regulatory obligations, and contractual terms.

Your Rights

Privacy Rights & Customer Controls

We respect and support your privacy rights under all applicable regulations.

EU / Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Right to access your personal data

  • Right to rectification of inaccurate data

  • Right to erasure ("right to be forgotten")

  • Right to restrict processing

  • Right to data portability

  • Right to object to processing

  • Right to withdraw consent at any time

  • Right to lodge a complaint with a supervisory authority

US / Under CCPA

If you are a California resident, you have the following rights regarding your personal information:

  • Right to know what personal information is collected

  • Right to know whether your data is sold or disclosed

  • Right to say no to the sale of personal information

  • Right to request deletion of your personal information

  • Right to equal service and price (no discrimination)

  • Right to designate an authorized agent for requests

How We Handle Your Requests

Prendio takes all privacy requests seriously. To exercise any of your rights, contact us at support@prendio.com. We will respond within the timeframes required by applicable law. We verify consumer requests to protect against unauthorized access. Prendio will not discriminate against you for exercising your privacy rights. Prendio also maintains confidentiality and non-disclosure agreements (NDAs) with all personnel who handle customer data, covering the definition of protected information, duration, required actions upon termination, and remedies for breach.

Third Parties & Sub-Processors

Transparent About Who Handles Your Data

We only work with trusted sub-processors who meet our stringent security requirements. All sub-processors are bound by data processing agreements.

Sub-Processor               Purpose                               Location
Amazon Web Services (AWS)   Cloud hosting & infrastructure        United States
New Relic                   Analytics, monitoring & performance   United States
Drata                       Continuous compliance monitoring      United States
HubSpot, Inc.               Support ticket & marketing platform   United States
For a complete and current list of sub-processors, please refer to our Privacy Policy.

Questions?

Questions About Our Data Practices?

We want you to feel confident in how we protect your data. If you have questions or would like to request our SOC reports, we're here to help.
© Prendio. All Rights Reserved 2017-2025. Privacy Policy