Trust & sovereignty
CEX Solutions is built and operated from Europe by Binovate Labs SRL, with more than 15 years of AWS engineering experience. GDPR is our home regulation and our minimum privacy bar across every deployment — including MENA, where we are also live today. The same platform deploys on AWS in the Americas (HIPAA-aware), Asia-Pacific including mainland China (PIPL/MLPS-aware), Oceania, and Africa on demand — without compromising the controls our European and MENA customers depend on.
Sovereign deployment
Live across Europe and MENA. Deployable on AWS in the Americas, Asia-Pacific, Oceania, and Africa — fully managed by us, or installed on your own AWS account and run as your internal cloud. Your data stays in your jurisdiction.
GDPR-native
Live across European affiliates of tier-1 pharma. Customer data stays in European AWS regions; sub-processors are limited to the EU/EEA where the law requires it.
GDPR-baseline
Live across MENA markets on AWS regions in the Middle East. GDPR controls apply by default as our minimum privacy bar; local frameworks (e.g. PDPL, NDMO) layered per market.
HIPAA-aware (US)
Deployable on AWS regions across North and Latin America for organisations extending commercial operations into the Americas.
PIPL / MLPS-aware (CN)
Deployable on AWS regions across Asia-Pacific and Oceania — Singapore, Tokyo, Seoul, Mumbai, Sydney — and inside mainland China under PIPL and MLPS expectations.
GDPR-baseline
Deployable on AWS Cape Town and partner regions for tier-1 pharma extending into Sub-Saharan markets.
Customer-selectable AWS region at contract time. Sub-processor lists, DPAs, and architecture summaries are available on request — see the Trust page.
AWS-deployed
The CEX360 Platform is AWS-native and has been operated on AWS for more than fifteen years. That depth shows up in the things procurement and security actually care about — well-understood region selection, multi-AZ resilience, KMS-backed encryption, fine-grained IAM, and operational runbooks that have been exercised through hundreds of customer cycles.
We are listed on the AWS Marketplace, where qualifying customers can sign up, validate the platform, and procure under their existing AWS spend commitments — shortening procurement cycles for buyers who already run on AWS.
Procure via AWS Marketplace →
Delivery model
Managed cloud (recommended)
We host and operate the platform on AWS. You consume it as SaaS, in the AWS region you select at contract time. SLA, patching, monitoring, and incident response are ours.
Customer-AWS deployment (on-prem-style)
For organisations whose internal cloud is their AWS account, we deploy the platform inside your AWS environment and operate it under a shared-responsibility model. Data, network, and identity stay inside your perimeter — we ship the software, you keep the keys.
Compliance posture
We label every framework with its true status — what we are certified against today, what we are aligned to in our processes, and what is actively in our roadmap. No marketing inflation.
Information security management certified — controls for confidentiality, integrity, and availability of customer data.
GDPR-native architecture. Lawful basis tracking, data-subject rights workflows, and resident processing by default. Applied as the minimum privacy baseline across every deployment, including MENA and beyond.
Global privacy baseline (EU regulation by origin)
Validation-ready posture aligned with computer-system-validation expectations for pharma commercial systems.
Pharma quality
Auditability, explainability, and human-oversight controls aligned with EU AI Act obligations for limited-risk systems.
EU regulation
Operational resilience and incident-response posture aligned with NIS2 expectations for essential and important entities.
EU regulation
Customer evidence packages, sub-processor lists, audit reports, and our latest pen-test summary are available to qualified prospects under mutual NDA. Request access →
Security controls
AES-256 at rest and TLS 1.2+ in transit. Customer-tenant key separation. Optional customer-managed keys for advanced procurement.
SAML 2.0 and OIDC SSO with customer IdPs. SCIM provisioning. Granular role-based access aligned with your job-function model.
Immutable audit logs across configuration, plan approvals, payouts, and admin actions. Retention configurable per jurisdiction.
Multi-AZ deployment, automated backups, documented RTO/RPO targets, regular DR exercises. Tested for NIS2-aligned continuity.
ISO/IEC 27001 certified. Annual third-party penetration testing. Customer-evidenced controls package available under NDA.
24/7 on-call, documented breach-notification process aligned with GDPR Article 33 timelines, customer communication SLAs in contract.
Data residency
Customer production data is stored and processed in the AWS region selected at contract time. For European customers, that is an AWS region inside Europe — sub-processors operating outside the EEA are not used for customer-data processing without explicit, documented contractual safeguards.
For MENA deployments, data resides in AWS Middle East regions, with GDPR-grade controls applied as the minimum baseline and local frameworks (PDPL, NDMO, and equivalents) layered on top per market. For deployments in the Americas, Asia-Pacific, Oceania, or Africa, data resides in the corresponding AWS region — including on-shore mainland China under a partnership architecture compatible with PIPL and MLPS expectations.
Sub-processors
Our sub-processor list is short by design. Every entry has a documented purpose, a signed DPA where applicable, and a customer-notice obligation when material changes occur.
The current list, with locations and processing scope, is available with our DPA package.
Request the package →
We've been through enough pharma security reviews to know what you need. Tell us your jurisdiction and we'll send the right evidence pack within one business day.