Polymr

SOC 2 compliant. Customer data isolated. Full audit trail.

Polymr handles manufacturing operational data, drawings, BOMs, supplier commitments, pricing, and ERP transactions. We protect it with the controls enterprise IT and procurement teams expect.

Six pillars of the security posture.

Each pillar is a control we operate, not just a promise. SOC 2 reports and vendor security questionnaires are available on request.

SOC 2 compliant

Polymr operates against the SOC 2 Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 report available under NDA.

Customer data is isolated

Each customer environment is logically isolated with per-tenant row-level security on every operational table. No cross-tenant query path exists in production.

Encryption everywhere

Data encrypted in transit (TLS 1.2+) and at rest (AES-256). Per-tenant encryption keys managed through cloud KMS. Document attachments encrypted with customer-scoped keys.

Full audit trail

Every workflow decision, recommendation, and ERP sync action is recorded with source-linked context. Audit log is append-only and queryable for compliance reviews.

Human-approved actions

No external system write happens without an explicit human approval step on configurable workflows. ERP sync, vendor outreach, and purchasing actions require approval signatures.

No model training on customer data

Customer documents, BOMs, drawings, and operational data are never used to train shared models. All inference runs in customer-scoped contexts.

We protect customer data completely.

Six commitments that hold for every customer, on every tenant, for the life of the engagement.

  • No data sold, ever.
  • No third-party tracking on customer-tenant surfaces.
  • Documents and BOMs deleted on contract termination within 30 days.
  • Access logs available to customer admins on request.
  • Standard DPA and GDPR-aligned processor terms available.
  • PII redacted from logs at ingestion.

Need our SOC 2 report or a vendor security questionnaire?

Send a quick note to the contact form. We route security reviews same-day to the right contact.

Standards we operate against, and standards we help customers meet.

Polymr runs alongside regulated manufacturing environments. Platform-side controls (SOC 2, ISO 27001, GDPR) cover the data we hold; customer-side controls (ISO 9001, OSHA, 21 CFR Part 11, FSMA 204, ITAR, TISAX, cGMP, AS9100) are surfaced through how Polymr captures audit trails, scopes data, and gates writes so the customer audit posture stays clean.

Platform-side
  • SOC 2 Type II

    Independent annual examination against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Latest report available under NDA.

  • ISO 27001

    Information security management aligned to ISO/IEC 27001 controls. Risk register, access reviews, change management, and incident response operated against the standard.

  • GDPR + CCPA

    Data subject access, export, correction, and deletion served through the admin console or by request. Standard processor terms and SCCs available; UK Addendum supported.

  • NIST CSF

    Detection, response, and recovery controls mapped to the NIST Cybersecurity Framework. Used by enterprise procurement reviews as the common evaluation rubric.

Customer-side (per-vertical)
  • ISO 9001

    Quality management for discrete and process manufacturing. Polymr keeps the audit chain (drawings, BOMs, supplier confirmations, approval gates) on a queryable surface for ISO audits.

  • OSHA reporting

    Shop-floor incident, training, and PPE records captured by Polymr are exportable in the OSHA 300 / 300A / 301 formats. Pre-built columns for plant + work-center scope.

  • 21 CFR Part 11

    For pharma and specialty chemicals customers. Polymr signatures, audit log, and append-only ledger meet the electronic-records + electronic-signatures provisions out of the box.

  • FSMA Section 204

    For food and beverage customers. Lot-level traceability, recall trace, and source-linked supplier records satisfy the FDA Food Traceability Final Rule key data elements.

  • ITAR + EAR

    For defense and dual-use manufacturers. Per-tenant US-person-only data scopes available; export-classification fields tracked on items and BOMs; controlled-data egress requires explicit operator approval.

  • TISAX

    For automotive tier-1 and tier-2 suppliers. Polymr controls align to the VDA ISA assessment criteria for prototype protection, information security, and data privacy.

  • cGMP

    Current Good Manufacturing Practice support for pharma + cosmetics + food contact. Batch records, deviation logs, and CAPA chains live alongside the operational workflow that produced them.

  • AS9100

    For aerospace + defense manufacturers. Polymr keeps first-article inspection, non-conformance, and supplier scorecards traceable to the original drawing revision and PO.

Certification status varies per standard. SOC 2 is independently audited; ISO 27001 implementation is operated against the standard with formal certification scheduled. Customer-side standards are supported via the platform's data model, audit log, and approval gating; they do not certify the customer's own compliance program.