Cloud and SaaS validation — draw the boundary right, keep the release velocity.
One boundary. Two responsibilities. Zero findings.
GxP-compliant cloud validation with a clear vendor-audit boundary, a release-regression framework that holds, and cross-stream programme leadership when IT, quality and business have to deliver at the same time.
Setting up cloud validation GxP-compliant is more than a technical update of existing CSV processes. In Pharma, Biotech and MedTech, cloud operation shifts the responsibility boundaries — and with them the validation scope. The shared responsibility model splits three clearly defined layers:
IaaS (AWS, Azure, Google Cloud) — responsible for hardware, hypervisor, network.
Customer (you)— configuration, data, processes and the GxP compliance of your use case.
Classical on-prem validation doesn't carry over 1:1 to SaaS. Four points make the difference:
01
Audit trail at the vendor
Partially held by the vendor — access and export must be contractually secured.
02
Backup responsibility shifts
What happens during vendor outage? Recovery, retention and replay are non-trivial.
03
Forensic data on demand
Findings investigations need data that isn't automatically available — clauses required.
04
Data residency
Decides EMA + GDPR compliance. EU-region hosting and transfer assessment are mandatory.
Anyone who doesn't address these shifts systematically validates formally — but not audit-secure.
02 Vendor-audit boundary
Set the vendor-audit boundary right.
The most important question in any cloud validation isn't 'how do we validate?' — it's 'what do we need to validate ourselves, and what can the vendor cover?' This is exactly where most projects fail: too little vendor scrutiny, or unnecessarily duplicated evidence.
A
SOC 2 IIISO 27001ISO 27018SOC 1
Reading vendor certificates correctly
SOC 2 Type II evidences operational controls over a period. ISO 27001 covers the information-security management system. ISO 27018 adds data-protection for personal data in the cloud. SOC 1 covers finance-relevant controls. These are important building blocks — they do not replace a GxP-specific vendor audit per Annex 11.3. They evidence security maturity, not the fit for validation-mandatory processes.
BAnnex 11.3 obligation
Vendor-audit obligation under Annex 11.3
The regulated operator stays responsible — you must formally audit your cloud vendor. Either as a Custom-Audit (your team on-site at the vendor) or via a Pool-Audit such as the Pharmaceutical Cloud Auditing Pool. Pool audits cut effort significantly but don't cover every customer-specific risk.
C
Configuration↔Customizing
Configuration vs. Customising — the most expensive line
Configuration (workflow steps, fields, roles) is validation-ready in the standard. Customising (custom code, custom objects, API extensions) leaves the vendor's validated standard path and requires your own OQ/IQ/PQ evidence. This is where costs and risks explode.
D
VeevaMasterControlAWS/Azure
Where the boundary runs — practical examples
At Veeva Vault, the line follows the Vault Configuration API. MasterControl separates standard workflows from customer-specific extensions. AWS or Azure custom solutions on IaaS basis are typically completely in customer scope.
Deep-dive · GAMP 5
How GAMP 5 structures the vendor assessment
Risk-based supplier classification, qualification depth per category, and how the vendor-audit obligation maps into the GAMP 5 lifecycle.
Cloud validation hits a structural paradox: validation demands stability and documented reproducibility — the cloud vendor ships new releases on ever-shorter cycles. Without a framework, every release becomes a fresh introduction, and you lose the validated state between two audits.
Without framework
Tage
Every release ground-up: workshops, impact analysis, new test cases, doc updates. Blocks validation capacity that's missing from your actual project.
→
With dhc framework
4–8 h
Predefined risk clusters, maintained regression test suite, clear paths for re-validation depth. Same regulatory rigour, fraction of the effort.
Platform release rhythmQ1Q2Q3Q4
Veeva Vault3 major releases per year
4–8 h / release
MasterControlContinuous hotfix releases
2–4 h / change
Custom SaaS · AWS / AzureVendor sprint cycles
Per sprint frequency
The framework is a documented process, not a tool. You take it over into self-operation at project end — independent from external support.
04 Hybrid stack
On-prem + cloud — validate together.
In Pharma 2026, no company is 'pure cloud'. Even manufacturers with aggressive cloud strategies still run on-prem systems — production-near MES, established LIMS, older ERP. Validation has to reflect that reality, not ignore it.
On-Prem
MESLIMSERP
Data flow + audit trail
Cloud
Cloud-QMSeDMSRIM
Validation follows the data, not the deployment model
Whether a batch record originates in on-prem MES and flows into cloud QMS — or the other way around — is regulatorily secondary. What matters: does data integrity hold per ALCOA+ across all system boundaries, and is the audit trail end-to-end traceable?
Hand-over points are the silent risk
Every hybrid stack has hand-over points where data can leave the validated path. Typical: a batch record passes MES → middleware → cloud QMS and loses the audit-trail link to the original batch. Invisible in daily ops — visible in the FDA audit.
Cross-system integration tests
The critical interfaces: MES ↔ cloud QMS, LIMS ↔ cloud eDMS, ERP ↔ cloud platform. Each requires documented integration tests with end-to-end data continuity — not isolated module tests.
Three streams in parallel — one owner for the interface.
Cloud and SaaS projects in Pharma rarely fail on the technology. They fail because Application, Compliance and Business stream deliver in parallel — and nobody bridges the seam between them. That bridge is what we provide.
Application stream
Configuration · Vendor releases · Interfaces
Sandbox + production setup, technical interfaces, vendor release cadence.
Process design, user training, adoption, change management in the business unit.
dhc owns this
Each stream has its own tempo, owners and success criteria. Without overarching steering they run side-by-side — until shortly before go-live, when the gaps surface.
What dhc owns in programme management
Master planwith clear phase-gates
Cross-stream risk register
Synchronous steering cadence
Clean escalation paths
Validation management and programme leadership sit in one responsibility — the E-pillar of our IVE methodology.
Cross-stream synergy strategy — the strategy guide.
On 20-odd pages we show how we synchronise Application, Compliance and Business stream in one programme — with concrete examples from cloud-validation projects in Pharma. The guide complements this service page. It includes templates you can apply in your own programme right away — independent of any consulting engagement.
No. SOC 2 Type II evidences operational security controls — it does not replace a GxP-specific supplier audit per Annex 11.3. You can bring a SOC 2 audit in as a building block, but the regulatory obligation to perform your own supplier assessment stays with the regulated operator.
ReleaseDo we have to fully re-validate at every cloud vendor release?
No. With an established release-regression framework, the effort drops to 4–8 hours per Veeva release or 2–4 hours per MasterControl change. Prerequisite: predefined risk clusters and a maintained regression test suite.
PricingWhat does a cloud/SaaS initial validation typically cost?
The effort depends on platform, configuration depth and number of interfaces. An isolated SaaS initial validation (standard configuration, no custom extensions) typically runs six to twelve weeks. Fixed prices are possible once scope is defined.
SovereigntyHow do you handle data sovereignty with US-hosted cloud under EMA audit?
Three levers: contractually secured data location in EU regions, documented transfer impact assessment per GDPR, and audit-trail access from EU jurisdiction. For US-only hosting, we check whether standard contractual clauses and supplementary measures suffice for your GxP use case.
EngagementCan we outsource programme leadership to dhc, or do you only consult?
Both. We take over programme responsibility as an interim lead — or support your internal programme leadership in an advisory role. We define the split in the initial analysis.
VAT identification number pursuant to § 27a German VAT Act (UStG): DE328451232
Consumer dispute resolution (VSBG)
In accordance with § 36 VSBG: we are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
Liability for content
We are responsible for our own content on these pages under the general laws. Under Articles 4 to 8 of Regulation (EU) 2022/2065 (Digital Services Act, DSA), as a service provider we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances that indicate unlawful activity.
Note: The §§ 7–10 of the previous Telemedia Act (TMG) on the liability for digital services have not been transferred to the German Digital Services Act (DDG). Liability for digital services is now primarily regulated by Regulation (EU) 2022/2065 (DSA), in particular Articles 4–8 — referenced above. The §§ 7–10 DDG cover other subjects (limited responsibility under DSA Articles 4–8 + Wi-Fi access, blocking claims under copyright law, lists of audiovisual-media-service and video-sharing-platform providers, and information-request rights of the competent authorities under state law).
Copyright
The content and works on these pages created by the site operator are subject to German copyright law. Reproduction, processing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author.
Privacy Policy
1. At a glance
The following information gives a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
2. Controller
The controller responsible for data processing on this website pursuant to Art. 4 (7) GDPR is:
Daniel Herrmann Consulting Daniel Herrmann (sole proprietor) Enzweilerweg 3a · 66709 Weiskirchen · Germany Phone: +49 170 7878065 Email: info@daniel-herrmann.io
A data protection officer has not been appointed; the controller is your point of contact for all data protection matters.
3. Server logs
When you visit this website, the hosting provider automatically collects technical information in server log files: IP address (anonymised after 7 days), date and time of access, page accessed, referrer, user agent. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in technically reliable operation. Retention: 7 days, then automatic deletion. No merger with other data sources.
4. Contact
If you contact us via form, email or phone, we store the information you provide (name, email, company, message content) to process the enquiry and for follow-up questions. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries). Retention: deletion as soon as the enquiry has been finally processed, at the latest after 12 months, unless statutory retention obligations apply. Data is not shared with third parties.
5. Lead magnets (PDF downloads)
To request our practical guides (e.g. Strategy Guide, Compliance-Gap Analysis, Execution Playbook) we ask for your email address and, optionally, your name and company. The data is stored solely to provide the requested material and for documentation of consent. Legal basis: Art. 6 (1) (a) GDPR (consent). Retention: until your withdrawal, at most 24 months. The newsletter subscription is offered as a separate, opt-in checkbox on the lead-magnet form (no coupling — you can request the material without subscribing). No marketing emails are sent without separate consent.
5a. Newsletter (Double-Opt-In)
If you sign up for our newsletter, we use the double-opt-in procedure: after entering your email and name you receive a confirmation email with a verification link. Only after you click the link do we activate the subscription and document your consent. Data: email, name, consent timestamp, confirmation IP. Purpose: sending the monthly dhc newsletter with practice insights, plus documentation of the consent process (Art. 7 (1) GDPR). Legal basis: Art. 6 (1) (a) GDPR (consent), § 7 (2) Nr. 3 UWG. Retention: for as long as your subscription is active; consent logs retained for 3 years after the end of the subscription as evidence in the event of complaints. Withdrawal: every newsletter contains a one-click unsubscribe link in the footer. Alternatively a short email to info@daniel-herrmann.io is sufficient. Processor: the newsletter is sent via our hosting provider's SMTP infrastructure; we currently do not use a third-party email-marketing tool. As soon as we transition to a dedicated newsletter-tool (e.g. Brevo), we will update this section and conclude an additional data-processing agreement.
5c. Link-click tracking in our emails
To understand which content in our lead-magnet emails and newsletter issues is actually useful, we route outbound links through an internal redirect endpoint (`/t/`). Each link in each send gets an aggregate click counter — but we do NOT store an identifier of the individual recipient, NO IP address and NO user agent. The data we keep is comparable to anonymous server logs (e.g.: ‘link X in send Y was clicked 42 times in total’). It does not allow us to infer who clicked. Therefore no separate consent or cookie banner is required (recital 26 GDPR — anonymous data, no personal-data processing per Art. 4 (1) GDPR). Legal basis for the redirect itself: Art. 6 (1) (f) GDPR (legitimate interest in measuring content effectiveness for our own communications). Legal pages (Impressum, Datenschutz) and the unsubscribe link are NEVER routed through the redirect, so the click behaviour on legally relevant links is never measured.
5b. Retention overview & justifications
A consolidated view of all retention periods with the rationale behind each one — the principle: minimal storage, clear purpose, documented basis.
Data categoryRetentionJustification
Server logs7 daysSufficient for technical fault analysis & security forensics — Art. 6 (1) (f) GDPR. IP anonymisation kicks in immediately on log close.
Contact enquiries12 monthsB2B sales cycle in pharma typically runs 6–9 months. 12 months covers follow-ups without unnecessary stockpiling. Statutory retention (e.g. § 257 HGB) only applies once a contract is concluded.
Lead magnetsup to 24 monthsUntil withdrawal of consent; 24-month cap covers documentation of consent (Art. 7 GDPR) and re-engagement cycle. Withdrawal at any time, deletion within 7 days of request.
Newsletter subscriptionactive subscription + 3 yrs consent logEmail + name only as long as the subscription is active. Consent log (timestamp + IP) retained 3 years to cover statutory limitation period (§ 195 BGB) for complaints under § 7 UWG.
Cookies (incl. analytics)30 min – 14 monthsPer-tool detailed in 6.9. GA4 capped at 14 months (the GA4 minimum, shorter possible only via property reset); all other tools below or equal to industry standard.
Cookiebot consent12 monthsMaximum window the EDPB considers reasonable for repeat-consent requests. After 12 months a fresh banner appears.
6. Cookies, analytics & tracking
This website uses analytics and tracking tools that go beyond pure reach measurement and create usage profiles. Personal data may be processed (in particular IP address, device and browser information, behaviour data) and transferred to third countries (including the USA). Legal basis is your consent pursuant to § 25 (1) TTDSG and Art. 6 (1) (a) GDPR. The consent is granted on first visit via our cookie banner and can be withdrawn at any time with effect for the future — see section 6.10 below. Withdrawal is as simple as granting consent (Art. 7 (3) GDPR); the lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.
6.0 Consent management (Cookiebot)
Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (a Usercentrics company) — EU-based. Purpose: Cookiebot is the consent management platform (CMP) we use to document your consent in line with § 25 TTDSG and Art. 7 GDPR and to block analytics / tracking tools until you opt in. Data: Cookiebot stores a ‘CookieConsent’ cookie containing your consent state (categories, timestamp, anonymous identifier) and a server-side consent log. Retention: up to 12 months from the moment consent is given; renewed on each new visit after expiry. Legal basis: the processing of consent itself rests on Art. 6 (1) (c) GDPR (legal obligation to document consent). Third-country transfer: primary processing in the EU; sub-processors may include service providers outside the EEA under EU Standard Contractual Clauses. Data processing agreement: concluded with Cybot A/S. More info:Cookiebot Privacy Policy.
6.1 Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). Purpose: Tracking tool that goes beyond pure reach measurement. Google uses the collected data for the operation of GA4 and partly for its own purposes (no commissioned processing in the narrow sense for these purposes). Data: pseudonymous identifiers (client ID), IP address (shortened on EU server, see below), page views, dwell time, scroll depth, click events, device and browser information, approximate location (country / region from IP). Retention: up to 14 months for event-level data, then automatic deletion. IP shortening: The IP address is shortened on an EU server before being forwarded to the USA (‘_anonymizeIp’ equivalent in GA4 is active by default). Third-country transfer: data is processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Note that the supervisory authorities point out that the legal certainty gained may only be temporary; previous adequacy regimes (Safe Harbor, Privacy Shield) were invalidated by the CJEU. Data processing agreement: concluded with Google Ireland Ltd. More info:Google Privacy Policy, Browser opt-out.
6.2 Microsoft Clarity
Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent: Microsoft Corporation, USA). Purpose: Session recordings and heatmaps to improve usability. Note: session recordings are a particularly intensive form of processing — they can capture sensitive content even though input fields are masked by default. We have configured the strictest masking level (‘Strict’) for all form fields. Data: mouse movements, clicks, scroll behaviour, page views, device and browser information, shortened IP address, country. Retention: up to 12 months from the last recorded session. Third-country transfer: Microsoft is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The reservations noted above for GA4 apply analogously. Data processing agreement: Microsoft Online Services DPA concluded. More info:Microsoft Privacy Statement.
6.3 Leadfeeder (Dealfront)
Provider: Dealfront Germany GmbH (Leadfeeder), Markgrafenstraße 36, 10117 Berlin, Germany — EU-based provider. Purpose: B2B identification of visiting companies based on commercially licensed IP-address databases (e.g. RIPE, ARIN, public corporate IP ranges). We use this to inform our sales outreach. The aim is identification of the company, not of an individual user. Important note from a data protection perspective: IP addresses can constitute personal data, particularly when combined with other data. We therefore treat Leadfeeder processing as relevant under GDPR. Data: IP address, page views, timestamp, dwell time, referrer. Data sources: Dealfront enriches IP data with publicly available company information and licensed B2B databases. Retention: up to 12 months on visit level; aggregated reports may be retained longer. Third-country transfer: Dealfront operates primarily on EU infrastructure; sub-processors may include US service providers under EU Standard Contractual Clauses. Data processing agreement: concluded with Dealfront Germany GmbH. More info:Dealfront Privacy Policy.
6.4 Google Ads
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA). Purpose: We use Google Ads conversion tracking and (where activated) remarketing to measure the success of advertising campaigns and to address visitors with relevant ads. Data: pseudonymous click ID (gclid), conversion event, conversion timestamp, device and browser information. Cookies used include `_gcl_au` (conversion linker) and `test_cookie` (doubleclick.net technical test cookie). Retention: `_gcl_au` up to 90 days, conversion logs in the Google Ads account according to Google retention settings. Third-country transfer: data is processed on Google servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement: concluded with Google Ireland Ltd. More info:Google Privacy Policy, Ad personalisation settings.
6.5 LinkedIn Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (parent: LinkedIn Corporation, USA). Purpose: The LinkedIn Insight Tag enables campaign measurement, audience analytics and (where activated) retargeting for LinkedIn ad campaigns. Data: IP address (truncated), timestamp, page URL, device characteristics, LinkedIn member ID where the visitor has been logged in to LinkedIn. Cookies used include `bcookie`, `lidc`, `bscookie`. Retention: up to 6 months for direct identifiers; aggregated campaign reports may be retained longer. Third-country transfer: data is processed on LinkedIn servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement: concluded with LinkedIn Ireland Unlimited Company. More info:LinkedIn Privacy Policy, LinkedIn opt-out.
6.6 Google Tag Manager
Provider: Google Ireland Limited (see 6.1). Purpose: Google Tag Manager (GTM) is a tag-management system that loads other tracking tags (e.g. Google Analytics, Google Ads, LinkedIn Insight Tag) on this website. GTM itself does not set any cookies and does not collect personal data per se; it only orchestrates the tags loaded after consent. Data: technical request data (IP address, timestamp, user agent) is briefly seen by Google’s GTM-loader server. No persistent identifier is set by GTM itself. Third-country transfer: the GTM loader is hosted on Google infrastructure including the USA. Safeguards as in 6.1. Note: we have configured GTM so that no measurement tag fires before you have given consent via our Cookiebot banner. More info:Google Privacy Policy.
6.7 Cloudflare (CDN & bot management)
Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, with EU representative Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich. Purpose: Cloudflare is used by our hosting provider as a Content Delivery Network (CDN) and security layer. The ‘__cf_bm’ cookie is set by Cloudflare’s bot-management to distinguish humans from automated traffic and to mitigate DDoS attacks and content scraping in real time. Why we consider this technically necessary: Without bot-mitigation our website would be vulnerable to credential-stuffing, scraping and DDoS attacks that compromise availability, integrity and the security of the personal data we process (e.g. lead-magnet form submissions, newsletter signups). Bot-mitigation is therefore a technical security measure within the meaning of Art. 32 GDPR (security of processing). Cloudflare itself classifies ‘__cf_bm’ as ‘strictly necessary’ (Cloudflare cookie documentation). Replacing Cloudflare bot-management would weaken the security of personal data on this site. Data: IP address, request headers, technical fingerprint of the request. No persistent identifier across sites. Retention: ‘__cf_bm’ cookie expires after at most 30 minutes of inactivity. Aggregated security logs at Cloudflare are retained briefly under Cloudflare’s standard retention. Legal basis: § 25 (2) Nr. 2 TTDSG (technically required to operate the requested service) and Art. 6 (1) (f) GDPR (overriding legitimate interest in a secure, available website). Third-country transfer: Cloudflare is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Please note that the legal certainty of the framework may be limited; the General Court of the EU has annulment proceedings pending (case T-553/23). Data processing agreement: concluded as part of the hosting contract. More info:Cloudflare Privacy Policy.
6.8 Google Search Console
Provider: Google Ireland Limited (see 6.1). Purpose: Google Search Console (GSC) lets us monitor how the site performs in Google’s search results — indexing status, search queries that lead to the site, click-through rates, technical crawl errors. Cookies / tracking on visitors: GSC itself sets no cookies on visitors of this website and runs no client-side script. The site ownership is verified by a static HTML meta tag and / or a DNS TXT record. Data: aggregated search analytics from Google’s side (search queries, impressions, clicks); these are not directly linked to individual visitors. The data is made available to us only in aggregated form. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in monitoring the site’s search visibility. Third-country transfer: the aggregated reporting is generated on Google infrastructure including the USA. Safeguards as in 6.1. More info:Google Privacy Policy.
6.9 Cookie storage durations
Session cookies are deleted when the browser is closed. Permanent cookies have the following maximum lifetimes: Google Analytics 4 — up to 14 months (data retention shortened to 14 months in GA4 settings); Microsoft Clarity — up to 12 months; Google Ads (`_gcl_au`) — up to 90 days; LinkedIn (`bcookie`) — up to 6 months; Cloudflare (`__cf_bm`) — at most 30 minutes of inactivity; Leadfeeder — typically session-based, not stored on the device; CookieConsent (Cookiebot) — up to 12 months from the moment consent is given.
6.10 Withdrawal of consent
You can withdraw your consent at any time with effect for the future — withdrawal is as easy as granting consent:
1. Open cookie settings: click the ‘Cookie settings’ link in the footer to re-open the banner and adjust your choice (this controls all of GA4, Clarity, Google Ads, LinkedIn and Leadfeeder). 2. By email: send a short message to info@daniel-herrmann.io — we will block the relevant tools for you. 3. Per tool: for Google Analytics the official browser opt-out is available; for Google Ads under Ad personalisation settings; for LinkedIn under LinkedIn opt-out. Microsoft Clarity and Leadfeeder are controlled exclusively via our cookie banner.
The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected (Art. 7 (3) GDPR).
7. Web fonts
This website loads Google Fonts. Connection data (in particular the IP address) is transmitted to Google. Provider: Google Ireland Limited (see section 6.1). Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in a consistent typographic presentation. As an alternative, fonts are also held in a local fallback so that font loading can fail safely without breaking the layout.
8. Technical and organisational measures (TOM)
To protect your data we implement appropriate technical and organisational measures pursuant to Art. 32 GDPR — among them: TLS encryption (HTTPS) for the entire site, encrypted database connections, server hosting in the EU (Kinsta / GCP Frankfurt), restricted admin access via individual accounts with strong passwords and 2FA, regular automatic backups, role-based access controls, a documented record of processing activities pursuant to Art. 30 GDPR, and data minimisation at the application level. We continuously review and update these measures.
9. Your rights
Under the GDPR you have the following rights:
Right of access (Art. 15 GDPR) — information about which of your personal data we process.
Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
Right to erasure (Art. 17 GDPR) — deletion of your data where the legal conditions are met.
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR) — receipt of your data in a structured, common, machine-readable format.
Right to object (Art. 21 GDPR) — to processing based on legitimate interest, including for direct marketing. See highlighted box below.
Right to withdraw consent (Art. 7 (3) GDPR) — at any time with effect for the future, see section 6.10.
Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority, in particular in the EU member state of your residence, your workplace or the location of the alleged infringement. Competent supervisory authority for our office location: Independent Data Protection Centre Saarland (Unabhängiges Datenschutzzentrum Saarland), Fritz-Dobisch-Straße 12, 66111 Saarbrücken.
Requests regarding these rights are to be directed to: info@daniel-herrmann.io. We will respond within the statutory period (usually one month).
10. Currency of this Privacy Policy
Last updated: 29 May 2026. We reserve the right to adapt this policy so that it always meets current legal requirements. The current version is always retrievable from this website.
Callback
When should we call you back?
Tell us when fits you and what it's about — we'll call back within the next business day.
Got it. We'll call you back.
You'll receive a confirmation email shortly. Daniel calls back within one business day.
Free material by email
Your material is on the way.
Enter your name and email — we send the material directly to your inbox, with a short personal note from Daniel.
Thanks — check your inbox.
We just sent the material to your email. If it doesn't arrive within a few minutes, please check your spam folder.
Once a month · CSV practice
CSV insights from real Pharma projects.
What you get next: the GAMP 5 2nd Edition impact, what the FDA CSA Final Guidance means for your validation strategy, and the 8-week CSV sprint we deliver in 60+ projects. Unsubscribe anytime in one click.
Almost done.
Confirm your email via the link we just sent to your inbox. After confirmation we'll send the latest newsletter issue right away.
We use your data exclusively for the newsletter. No sharing with third parties. Privacy policy.
