Audit-secure on the systems your production runs on.
The systems your production runs on — LIMS, MES (PAS-X), Veeva Vault, SAP S/4HANA, MasterControl, eQMS — validated GxP-compliant, audit-secure, on budget.
The systems that run your Pharma operations need to hold under audit.
LIMS, MES, Veeva Vault and eQMS aren't generic enterprise tools — they're the digital backbone of GxP-regulated production, lab analytics and document control. Every batch record, every quality decision, every audit trail flows through one of these systems. When the validation slips, the operation slips with it.
Validation of pharma operations software differs sharply from classic IT validation. ALCOA+ data integrity, batch-record review-by-exception, multi-tenant cloud audits, cross-system data flow MES ↔ SAP ↔ LIMS: these specifics decide whether the next FDA or EMA inspection is a stamp or a finding.
dhc has validated exactly this set of systems for 15+ years — across global Pharma, biotech start-ups and MedTech manufacturers. 60+ systems, 100% audit-pass, 0 findings on systems under our responsibility.
02 System-by-system
Six deep specialties — plus everything that runs in your GxP stack.
Same risk-based GAMP 5 spine, but each platform brings its own audit pitfalls. Here's how we approach the six big ones — followed by a compact overview of every platform we cover.
System 01 · LIMS
LIMS validation — lab IT, GxP-compliant.
A LIMS doesn't just store sample data — it runs the analytical workflows your QC release decisions are built on. Validation has to cover the methods, the user-acceptance flow, and every interface to lab instruments. Drop one, and the audit-trail breaks.
01
LIMS
Laboratory Information Management
· Method validation
· ALCOA+ data integrity
· Instrument interfaces
What we cover
Method validation — analytical methods with the right precision, accuracy and robustness signature.
Data integrity per ALCOA+ — attributable, legible, contemporaneous, original, accurate (plus complete, consistent, enduring, available).
Instrument interfaces — HPLC, GC, dissolution baths, balances. Each connection is its own qualification scope.
Method migration — moving from legacy LIMS to a new platform without re-validating from scratch.
Platform-neutral approach: same GAMP 5 spine no matter which LIMS runs in your lab — we validate the platform that's on your shop floor, not a specific vendor.
System 02 · MES
MES & PAS-X — validate production, not paperwork.
PAS-X (Körber/Werum) is the de-facto MES standard in Pharma production. The validation challenge isn't PAS-X itself — it's the interfaces. SAP for material flow, LIMS for analytical release, ERP for batch genealogy. We cover the whole loop.
02
MES · PAS-X
Manufacturing Execution
· Batch-Record-Review
· eMBR · Audit-Trail
· MES ↔ SAP ↔ LIMS
What we cover
Electronic master batch record (eMBR) — design, validation, deviation handling.
Review-by-exception — only deviations get reviewed, not the whole batch record. Cuts QC time by 30–50 %.
Cross-system validation MES ↔ SAP ↔ LIMS — material movements, release decisions, batch genealogy across system boundaries.
Real-time data flow + audit trail — every production step traceable to operator, equipment and parameter.
PAS-X (now part of Körber) is the most common platform we validate — the approach holds equally for Emerson Syncade, Rockwell PharmaSuite or in-house MES. Same GAMP 5 spine.
System 03 · Veeva Vault
Veeva Vault — cloud validation done right.
Cloud doesn't mean "the vendor will validate that." The vendor is responsible for the platform; the validated state of your configuration, your data and your processes is still yours to maintain. The boundary between supplier audit and customer validation is currently the most expensive misunderstanding in pharma IT.
03
Veeva Vault
Cloud eQMS & eDMS
· Cloud audit logic
· Config vs. customizing
· Release validation
What we cover
Vendor-audit boundary — what Veeva validates centrally, what you must validate per tenant.
Configuration vs. customizing — out-of-the-box objects need lighter validation than custom logic. Drawing this line right saves 40 % of effort.
Module scope — Vault QMS, Vault QualityDocs, Vault PromoMats, Vault Submissions. Each has its own validation pattern.
Release validation — Veeva pushes three releases a year. We build a regression framework so you stay validated without re-doing OQ each cycle.
Veeva's three releases a year break poorly-validated stacks silently. A 4–8h regression cycle is the difference between staying audit-ready and a multi-month re-validation panic.
System 04 · SAP
SAP S/4HANA & EWM — ERP backbone under GxP.
SAP isn't an MES, but in Pharma operations it carries the material genealogy and the batch-genealogy that every GxP audit traces back to. The validation challenge sits where SAP touches the rest of the stack — and where roles and authorisations decide who can change a batch under audit.
04
SAP S/4HANA
+ EWM, MM, PP-PI
· Roles & authorisations
· Batch genealogy
· Audit trail in the ERP core
What we cover
Material & batch genealogy — every move, every status change, traceable to operator and time-stamp.
Roles & authorisations — segregation of duties, Quality-Release-Gate, four-eyes approval. The most-found audit gap when SAP isn't validated end-to-end.
EWM warehouse flows — bin management, putaway/picking under GMP-storage conditions, deviation handling at the inbound dock.
S/4HANA migration validation — moving off ECC without losing the validated state. Risk-based gap-analysis, focused regression, parallel-run sign-off.
We've validated S/4HANA on-prem and on RISE-with-SAP cloud — same risk-based GAMP 5 spine, different vendor-audit boundary.
System 05 · MasterControl & Cloud
MasterControl & cloud-native QMS — validation under release pressure.
MasterControl, Vault QMS, AWS- and Azure-hosted GxP systems — all of them push regular vendor releases that can break your validated state silently. The right approach isn't to validate harder. It's to validate smarter: a regression framework that holds up across releases, and a clear vendor-audit boundary that doesn't let suppliers off the hook.
05
MasterControl · Cloud
QMS · AWS · Azure · Hybrid
· Vendor-audit boundary
· Release regression
· Shared responsibility
What we cover
MasterControl validation — Documents, Training, CAPA, Audit modules. Configuration-as-validation: we treat config drift as a regression candidate, not as a "minor change".
Cloud shared-responsibility model — what AWS/Azure handles at the IaaS layer, what the SaaS vendor handles at the platform layer, what you still own at the configuration and data layer.
Release-regression framework — once-off scaffold, then 4–8 hours per release instead of full re-validation. Critical for Veeva (3 releases/year) and MasterControl (continuous).
Hybrid-stack validation — on-prem MES + cloud QMS + cloud-archive. The validation has to follow the data, not the deployment model.
If your stack mixes on-prem and cloud — that's where most current audit findings sit. Risk-mapped per data flow, not per system.
System 06 · eQMS, eDMS & more
eQMS, eDMS & whatever else runs in your GxP stack.
The four-block layout covers 80 % of what comes through. The other 20 %: LMS (training), CTMS (clinical trials), home-grown lab tools, regulated SaaS in clinical or pharmacovigilance. Same validation spine — different audit lens.
04
eQMS · eDMS
LMS · CTMS · Special systems
· Platform-neutral
· IVE standard approach
· Vendor-independent
We apply our IVE methodology (Integrated Validation Execution) consistently across platforms. The system catalogue isn't the limit — the regulation is. If your system is GxP-touched, we can validate it.
What we also validate
LMS — Learning Management Systems — training records, proof of training, GxP qualification logs.
Your platform not listed? Talk to us — the IVE methodology is platform-neutral.
03 Cross-system flow
The real risk isn't within a system — it's between them.
Most audit findings we see today come from system boundaries: a batch number that drifts between MES and SAP, a sample ID that loses its audit trail when crossing into LIMS, a Veeva document version that no longer matches the GMP record. Data moves both ways — and so does the risk.
[Diagram: SAP (material · genealogy) ↔ batch number ↔ MES (batch record · eMBR) ↔ sample ID · audit trail ↔ LIMS (analytics · QC release) ↔ doc version ↔ Veeva (eDMS · approval)]
We validate the boundaries the same way we validate the systems themselves: requirement-driven, risk-based, audit-trail-anchored. Each interface gets its own qualification scope, with mapped data fields, mapped error handling, and a documented test of what happens when one side fails. That last part — the failure test — is what most validation programmes skip, and what most auditors find first.
04 Track record
15+ years of validating exactly these systems.
Across four platforms, three regulators, one verifiable track record.
60+ systems validated: LIMS · MES · Veeva · eQMS · more
15+ years of practice: Pharma · Biotech · MedTech
100% audit pass rate: FDA · EMA · BfArM
0 critical findings: on systems under our responsibility
05 FAQ
Common questions about system validation.
Can you take over a partly-validated LIMS migration?
Yes — and it's a recurring scenario. We come in, do a gap-analysis against your current validation state and the regulatory target, and pick up the migration without re-validating from scratch. Typical entry point: validation backlog from a previous consultant or in-house team that lost capacity.
How do you handle Veeva releases — three a year?
We build a regression framework once, with a defined test set against the configuration scope. On each Veeva release we run that framework — typically half a day of work, not a full revalidation. Critical changes (new modules, schema changes) get a delta-validation scope. Routine releases stay routine.
Do you validate interfaces between MES and SAP?
Yes — that's one of the highest-impact validation scopes we run. The MES↔SAP interface controls material movements, batch genealogy and release. A finding here can cascade across an entire site. We validate field-by-field, with explicit failure-mode tests.
Do you also handle method migration in LIMS?
Yes. Method migration is more analytics than IT — but the validation runs through the LIMS layer. We pair our CSV expertise with your analytical SMEs (often we work alongside your QC team's method experts) and run the cross-validation, the equivalence testing and the documentation.
What about platforms not on your list?
The four blocks cover what we see most. The IVE methodology is platform-neutral — same risk-based GAMP 5 spine, applied to whatever system runs your GxP stack. CTMS, LMS, regulated SaaS, in-house tools: talk to us, we'll tell you honestly whether we're the right fit.
VAT identification number pursuant to § 27a German VAT Act (UStG): DE328451232
Consumer dispute resolution (VSBG)
In accordance with § 36 VSBG: we are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
Liability for content
We are responsible for our own content on these pages under the general laws. Under Articles 4 to 8 of Regulation (EU) 2022/2065 (Digital Services Act, DSA), as a service provider we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances that indicate unlawful activity.
Note: The §§ 7–10 of the previous Telemedia Act (TMG) on the liability for digital services have not been transferred to the German Digital Services Act (DDG). Liability for digital services is now primarily regulated by Regulation (EU) 2022/2065 (DSA), in particular Articles 4–8 — referenced above. The §§ 7–10 DDG cover other subjects (limited responsibility under DSA Articles 4–8 + Wi-Fi access, blocking claims under copyright law, lists of audiovisual-media-service and video-sharing-platform providers, and information-request rights of the competent authorities under state law).
Copyright
The content and works on these pages created by the site operator are subject to German copyright law. Reproduction, processing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author.
Privacy Policy
1. At a glance
The following information gives a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
2. Controller
The controller responsible for data processing on this website pursuant to Art. 4 (7) GDPR is:
Daniel Herrmann Consulting
Daniel Herrmann (sole proprietor)
Enzweilerweg 3a · 66709 Weiskirchen · Germany
Phone: +49 170 7878065
Email: info@daniel-herrmann.io
A data protection officer has not been appointed; the controller is your point of contact for all data protection matters.
3. Server logs
When you visit this website, the hosting provider automatically collects technical information in server log files: IP address (anonymised after 7 days), date and time of access, page accessed, referrer, user agent. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in technically reliable operation. Retention: 7 days, then automatic deletion. No merger with other data sources.
4. Contact
If you contact us via form, email or phone, we store the information you provide (name, email, company, message content) to process the enquiry and for follow-up questions. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries). Retention: deletion as soon as the enquiry has been finally processed, at the latest after 12 months, unless statutory retention obligations apply. Data is not shared with third parties.
5. Lead magnets (PDF downloads)
To request our practical guides (e.g. Strategy Guide, Compliance-Gap Analysis, Execution Playbook) we ask for your email address and, optionally, your name and company. The data is stored solely to provide the requested material and for documentation of consent. Legal basis: Art. 6 (1) (a) GDPR (consent). Retention: until your withdrawal, at most 24 months. The newsletter subscription is offered as a separate, opt-in checkbox on the lead-magnet form (no coupling — you can request the material without subscribing). No marketing emails are sent without separate consent.
5a. Newsletter (Double-Opt-In)
If you sign up for our newsletter, we use the double-opt-in procedure: after entering your email and name you receive a confirmation email with a verification link. Only after you click the link do we activate the subscription and document your consent. Data: email, name, consent timestamp, confirmation IP. Purpose: sending the monthly dhc newsletter with practice insights, plus documentation of the consent process (Art. 7 (1) GDPR). Legal basis: Art. 6 (1) (a) GDPR (consent), § 7 (2) Nr. 3 UWG. Retention: for as long as your subscription is active; consent logs retained for 3 years after the end of the subscription as evidence in the event of complaints. Withdrawal: every newsletter contains a one-click unsubscribe link in the footer. Alternatively a short email to info@daniel-herrmann.io is sufficient. Processor: the newsletter is sent via our hosting provider's SMTP infrastructure; we currently do not use a third-party email-marketing tool. As soon as we transition to a dedicated newsletter-tool (e.g. Brevo), we will update this section and conclude an additional data-processing agreement.
5c. Link-click tracking in our emails
To understand which content in our lead-magnet emails and newsletter issues is actually useful, we route outbound links through an internal redirect endpoint (`/t/`). Each link in each send gets an aggregate click counter — but we do NOT store an identifier of the individual recipient, NO IP address and NO user agent. The data we keep is comparable to anonymous server logs (e.g.: ‘link X in send Y was clicked 42 times in total’). It does not allow us to infer who clicked. Therefore no separate consent or cookie banner is required (recital 26 GDPR — anonymous data, no personal-data processing per Art. 4 (1) GDPR). Legal basis for the redirect itself: Art. 6 (1) (f) GDPR (legitimate interest in measuring content effectiveness for our own communications). Legal pages (Impressum, Datenschutz) and the unsubscribe link are NEVER routed through the redirect, so the click behaviour on legally relevant links is never measured.
5b. Retention overview & justifications
A consolidated view of all retention periods with the rationale behind each one — the principle: minimal storage, clear purpose, documented basis.
Data category | Retention | Justification
Server logs | 7 days | Sufficient for technical fault analysis & security forensics — Art. 6 (1) (f) GDPR. IP anonymisation kicks in immediately on log close.
Contact enquiries | 12 months | B2B sales cycle in pharma typically runs 6–9 months. 12 months covers follow-ups without unnecessary stockpiling. Statutory retention (e.g. § 257 HGB) only applies once a contract is concluded.
Lead magnets | up to 24 months | Until withdrawal of consent; 24-month cap covers documentation of consent (Art. 7 GDPR) and re-engagement cycle. Withdrawal at any time, deletion within 7 days of request.
Newsletter subscription | active subscription + 3 yrs consent log | Email + name only as long as the subscription is active. Consent log (timestamp + IP) retained 3 years to cover statutory limitation period (§ 195 BGB) for complaints under § 7 UWG.
Cookies (incl. analytics) | 30 min – 14 months | Per-tool detailed in 6.9. GA4 capped at 14 months (the GA4 minimum, shorter possible only via property reset); all other tools below or equal to industry standard.
Cookiebot consent | 12 months | Maximum window the EDPB considers reasonable for repeat-consent requests. After 12 months a fresh banner appears.
6. Cookies, analytics & tracking
This website uses analytics and tracking tools that go beyond pure reach measurement and create usage profiles. Personal data may be processed (in particular IP address, device and browser information, behaviour data) and transferred to third countries (including the USA). Legal basis is your consent pursuant to § 25 (1) TTDSG and Art. 6 (1) (a) GDPR. The consent is granted on first visit via our cookie banner and can be withdrawn at any time with effect for the future — see section 6.10 below. Withdrawal is as simple as granting consent (Art. 7 (3) GDPR); the lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.
6.0 Consent management (Cookiebot)
Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (a Usercentrics company) — EU-based.
Purpose: Cookiebot is the consent management platform (CMP) we use to document your consent in line with § 25 TTDSG and Art. 7 GDPR and to block analytics / tracking tools until you opt in.
Data: Cookiebot stores a ‘CookieConsent’ cookie containing your consent state (categories, timestamp, anonymous identifier) and a server-side consent log.
Retention: up to 12 months from the moment consent is given; renewed on each new visit after expiry.
Legal basis: the processing of consent itself rests on Art. 6 (1) (c) GDPR (legal obligation to document consent).
Third-country transfer: primary processing in the EU; sub-processors may include service providers outside the EEA under EU Standard Contractual Clauses.
Data processing agreement: concluded with Cybot A/S.
More info: Cookiebot Privacy Policy.
6.1 Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Purpose: Tracking tool that goes beyond pure reach measurement. Google uses the collected data for the operation of GA4 and partly for its own purposes (no commissioned processing in the narrow sense for these purposes).
Data: pseudonymous identifiers (client ID), IP address (shortened on EU server, see below), page views, dwell time, scroll depth, click events, device and browser information, approximate location (country / region from IP).
Retention: up to 14 months for event-level data, then automatic deletion.
IP shortening: The IP address is shortened on an EU server before being forwarded to the USA (‘_anonymizeIp’ equivalent in GA4 is active by default).
Third-country transfer: data is processed on servers in the USA.
Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Note that the supervisory authorities point out that the legal certainty gained may only be temporary; previous adequacy regimes (Safe Harbor, Privacy Shield) were invalidated by the CJEU.
Data processing agreement: concluded with Google Ireland Ltd.
More info: Google Privacy Policy, Browser opt-out.
6.2 Microsoft Clarity
Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent: Microsoft Corporation, USA).
Purpose: Session recordings and heatmaps to improve usability.
Note: session recordings are a particularly intensive form of processing — they can capture sensitive content even though input fields are masked by default. We have configured the strictest masking level (‘Strict’) for all form fields.
Data: mouse movements, clicks, scroll behaviour, page views, device and browser information, shortened IP address, country.
Retention: up to 12 months from the last recorded session.
Third-country transfer: Microsoft is a US group; data may be processed on servers in the USA.
Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The reservations noted above for GA4 apply analogously.
Data processing agreement: Microsoft Online Services DPA concluded.
More info: Microsoft Privacy Statement.
6.3 Leadfeeder (Dealfront)
Provider: Dealfront Germany GmbH (Leadfeeder), Markgrafenstraße 36, 10117 Berlin, Germany — EU-based provider.
Purpose: B2B identification of visiting companies based on commercially licensed IP-address databases (e.g. RIPE, ARIN, public corporate IP ranges). We use this to inform our sales outreach. The aim is identification of the company, not of an individual user.
Important note from a data protection perspective: IP addresses can constitute personal data, particularly when combined with other data. We therefore treat Leadfeeder processing as relevant under GDPR.
Data: IP address, page views, timestamp, dwell time, referrer.
Data sources: Dealfront enriches IP data with publicly available company information and licensed B2B databases.
Retention: up to 12 months on visit level; aggregated reports may be retained longer.
Third-country transfer: Dealfront operates primarily on EU infrastructure; sub-processors may include US service providers under EU Standard Contractual Clauses.
Data processing agreement: concluded with Dealfront Germany GmbH.
More info: Dealfront Privacy Policy.
6.4 Google Ads
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA).
Purpose: We use Google Ads conversion tracking and (where activated) remarketing to measure the success of advertising campaigns and to address visitors with relevant ads.
Data: pseudonymous click ID (gclid), conversion event, conversion timestamp, device and browser information. Cookies used include `_gcl_au` (conversion linker) and `test_cookie` (doubleclick.net technical test cookie).
Retention: `_gcl_au` up to 90 days, conversion logs in the Google Ads account according to Google retention settings.
Third-country transfer: data is processed on Google servers including the USA.
Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
Data processing agreement: concluded with Google Ireland Ltd.
More info: Google Privacy Policy, Ad personalisation settings.
6.5 LinkedIn Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (parent: LinkedIn Corporation, USA).
Purpose: The LinkedIn Insight Tag enables campaign measurement, audience analytics and (where activated) retargeting for LinkedIn ad campaigns.
Data: IP address (truncated), timestamp, page URL, device characteristics, LinkedIn member ID where the visitor has been logged in to LinkedIn. Cookies used include `bcookie`, `lidc`, `bscookie`.
Retention: up to 6 months for direct identifiers; aggregated campaign reports may be retained longer.
Third-country transfer: data is processed on LinkedIn servers including the USA.
Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework.
Data processing agreement: concluded with LinkedIn Ireland Unlimited Company.
More info: LinkedIn Privacy Policy, LinkedIn opt-out.
6.6 Google Tag Manager
Provider: Google Ireland Limited (see 6.1).
Purpose: Google Tag Manager (GTM) is a tag-management system that loads other tracking tags (e.g. Google Analytics, Google Ads, LinkedIn Insight Tag) on this website. GTM itself does not set any cookies and does not collect personal data per se; it only orchestrates the tags loaded after consent.
Data: technical request data (IP address, timestamp, user agent) is briefly seen by Google’s GTM-loader server. No persistent identifier is set by GTM itself.
Third-country transfer: the GTM loader is hosted on Google infrastructure including the USA. Safeguards as in 6.1.
Note: we have configured GTM so that no measurement tag fires before you have given consent via our Cookiebot banner.
More info: Google Privacy Policy.
6.7 Cloudflare (CDN & bot management)
Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, with EU representative Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich.
Purpose: Cloudflare is used by our hosting provider as a Content Delivery Network (CDN) and security layer. The ‘__cf_bm’ cookie is set by Cloudflare’s bot-management to distinguish humans from automated traffic and to mitigate DDoS attacks and content scraping in real time.
Why we consider this technically necessary: Without bot-mitigation our website would be vulnerable to credential-stuffing, scraping and DDoS attacks that compromise availability, integrity and the security of the personal data we process (e.g. lead-magnet form submissions, newsletter signups). Bot-mitigation is therefore a technical security measure within the meaning of Art. 32 GDPR (security of processing). Cloudflare itself classifies ‘__cf_bm’ as ‘strictly necessary’ (Cloudflare cookie documentation). Replacing Cloudflare bot-management would weaken the security of personal data on this site.
Data: IP address, request headers, technical fingerprint of the request. No persistent identifier across sites.
Retention: ‘__cf_bm’ cookie expires after at most 30 minutes of inactivity. Aggregated security logs at Cloudflare are retained briefly under Cloudflare’s standard retention.
Legal basis: § 25 (2) Nr. 2 TTDSG (technically required to operate the requested service) and Art. 6 (1) (f) GDPR (overriding legitimate interest in a secure, available website).
Third-country transfer: Cloudflare is a US group; data may be processed on servers in the USA.
Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Please note that the legal certainty of the framework may be limited; the General Court of the EU has annulment proceedings pending (case T-553/23).
Data processing agreement: concluded as part of the hosting contract.
More info: Cloudflare Privacy Policy.
6.8 Google Search Console
Provider: Google Ireland Limited (see 6.1).
Purpose: Google Search Console (GSC) lets us monitor how the site performs in Google’s search results — indexing status, search queries that lead to the site, click-through rates, technical crawl errors.
Cookies / tracking on visitors: GSC itself sets no cookies on visitors of this website and runs no client-side script. The site ownership is verified by a static HTML meta tag and / or a DNS TXT record.
Data: aggregated search analytics from Google’s side (search queries, impressions, clicks); these are not directly linked to individual visitors. The data is made available to us only in aggregated form.
Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in monitoring the site’s search visibility.
Third-country transfer: the aggregated reporting is generated on Google infrastructure including the USA. Safeguards as in 6.1.
More info: Google Privacy Policy.
6.9 Cookie storage durations
Session cookies are deleted when the browser is closed. Permanent cookies have the following maximum lifetimes: Google Analytics 4 — up to 14 months (data retention shortened to 14 months in GA4 settings); Microsoft Clarity — up to 12 months; Google Ads (`_gcl_au`) — up to 90 days; LinkedIn (`bcookie`) — up to 6 months; Cloudflare (`__cf_bm`) — at most 30 minutes of inactivity; Leadfeeder — typically session-based, not stored on the device; CookieConsent (Cookiebot) — up to 12 months from the moment consent is given.
6.10 Withdrawal of consent
You can withdraw your consent at any time with effect for the future — withdrawal is as easy as granting consent:
1. Open cookie settings: click the ‘Cookie settings’ link in the footer to re-open the banner and adjust your choice (this controls all of GA4, Clarity, Google Ads, LinkedIn and Leadfeeder).
2. By email: send a short message to info@daniel-herrmann.io — we will block the relevant tools for you.
3. Per tool: for Google Analytics the official browser opt-out is available; for Google Ads under Ad personalisation settings; for LinkedIn under LinkedIn opt-out. Microsoft Clarity and Leadfeeder are controlled exclusively via our cookie banner.
The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected (Art. 7 (3) GDPR).
7. Web fonts
This website loads Google Fonts. Connection data (in particular the IP address) is transmitted to Google. Provider: Google Ireland Limited (see section 6.1). Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in a consistent typographic presentation. As an alternative, fonts are also held in a local fallback so that font loading can fail safely without breaking the layout.
8. Technical and organisational measures (TOM)
To protect your data we implement appropriate technical and organisational measures pursuant to Art. 32 GDPR — among them: TLS encryption (HTTPS) for the entire site, encrypted database connections, server hosting in the EU (Kinsta / GCP Frankfurt), restricted admin access via individual accounts with strong passwords and 2FA, regular automatic backups, role-based access controls, a documented record of processing activities pursuant to Art. 30 GDPR, and data minimisation at the application level. We continuously review and update these measures.
9. Your rights
Under the GDPR you have the following rights:
Right of access (Art. 15 GDPR) — information about which of your personal data we process.
Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
Right to erasure (Art. 17 GDPR) — deletion of your data where the legal conditions are met.
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR) — receipt of your data in a structured, common, machine-readable format.
Right to object (Art. 21 GDPR) — to processing based on legitimate interest, including for direct marketing. See highlighted box below.
Right to withdraw consent (Art. 7 (3) GDPR) — at any time with effect for the future, see section 6.10.
Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority, in particular in the EU member state of your residence, your workplace or the location of the alleged infringement. Competent supervisory authority for our office location: Independent Data Protection Centre Saarland (Unabhängiges Datenschutzzentrum Saarland), Fritz-Dobisch-Straße 12, 66111 Saarbrücken.
Requests regarding these rights are to be directed to: info@daniel-herrmann.io. We will respond within the statutory period (usually one month).
10. Currency of this Privacy Policy
Last updated: 29 May 2026. We reserve the right to adapt this policy so that it always meets current legal requirements. The current version is always retrievable from this website.