Cryptographic security built into the architecture — not bolted on as an afterthought. Every CoA exchange is encrypted, signed, and auditable.
Certificates of Analysis are quality-critical documents that travel between suppliers and pharmaceutical manufacturers. Yet today, most CoAs are exchanged via email attachments or FTP drops — with no encryption in transit, no sender authentication, and no tamper detection. A single compromised document can trigger batch recalls, regulatory findings, or patient safety incidents.
CertLink takes a different approach. Security is embedded in the architecture: every document is sealed inside an EncryptedEnvelope using modern cryptographic primitives, every sender is verified via digital signatures, and every exchange is recorded in an immutable audit trail. Organisations retain full control of their data through on-premises deployment and federated networking — no forced centralisation.
Every CoA exchanged through CertLink is sealed inside an EncryptedEnvelope — encrypted at the source and decrypted only at the destination. The broker relay never has access to plaintext content.
AES-256-GCM. Authenticated encryption for envelope payloads: the 256-bit key provides confidentiality, and the GCM authentication tag detects any modification of the ciphertext.
X25519. Elliptic-curve Diffie-Hellman key agreement. The sender generates an ephemeral X25519 key pair for each envelope, providing forward secrecy: compromising a long-term key does not expose past exchanges.
HKDF-SHA256. The HMAC-based Key Derivation Function derives the AES encryption key from the ECDH shared secret, following the NIST SP 800-56C recommendations for key derivation in key-agreement schemes.
Ed25519. Edwards-curve digital signatures on every envelope. The sender's host identity key signs the encrypted payload, so the receiver can verify authenticity and detect tampering.
Pharmaceutical companies need to control where their data lives. CertLink's architecture ensures organisations retain full ownership of their CoA data.
Deploy CertLink on your own infrastructure. CoA data never leaves your network. Ideal for organisations with strict data residency requirements or internal policies prohibiting third-party data storage.
Independent CertLink instances communicate via federation sync packages. Each host maintains its own identity (Ed25519 keypair) and exchanges encrypted envelopes with peers — no central server required.
For hosted deployments, data is stored within the European Union. Combined with on-premises options and federation, organisations can meet GDPR data residency obligations while maintaining supply chain connectivity.
Every query is scoped to the authenticated tenant. Cross-tenant visibility is controlled exclusively through active supplier relationships. No organisation can access another's data without an explicit, auditable link.
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity framework. It classifies pharmaceutical manufacturers as essential entities, imposing binding cybersecurity risk-management and incident-reporting obligations. Denmark's implementing legislation (the NIS2 Act) entered into force on 1 July 2025.
CertLink's security architecture supports compliance with several NIS2 requirements. The table below maps specific capabilities to directive articles. Note: CertLink is a tool that supports your compliance posture — it does not by itself make an organisation NIS2-compliant.
| NIS2 Article | Requirement | CertLink Capability |
|---|---|---|
| Art 21(2)(d) | Supply chain security | End-to-end encrypted CoA exchange between suppliers and receivers. EncryptedEnvelope format with sender authentication via Ed25519 signatures. Federated architecture allows supply chain partners to exchange documents without centralised data storage. |
| Art 21(2)(h) | Cryptography & encryption | AES-256-GCM authenticated encryption, X25519 ECDH key agreement with ephemeral keys (forward secrecy), HKDF-SHA256 key derivation, Ed25519 digital signatures. Private keys encrypted at rest with AES-256-GCM. |
| Art 21(2)(i) | Access control & asset management | Role-based access control with granular permissions (view, create, edit, submit, approve, export). Multi-tenant isolation ensures data is scoped to the authenticated organisation. Session-based authentication. |
| Art 21(2)(b) | Incident handling | Immutable audit trail via event sourcing with SHA-256 hash chains. Every state change is recorded with user identity, action, and server-side timestamp. Tamper-evident chain enables forensic analysis. |
| Art 21(2)(a) | Risk analysis & information system security | On-premises deployment option for organisations requiring full infrastructure control. TLS encryption in transit. Tenant-scoped data isolation. Cryptographic integrity verification on all stored documents. |
Defence in depth across every layer of the stack.
Host private keys are encrypted with AES-256-GCM before storage. Database-level encryption protects all persisted data.
All HTTP traffic is served over TLS via Caddy with automatic certificate management. Federation sync between hosts uses TLS-encrypted connections.
Granular permissions control who can view, create, edit, submit, approve, and export CoAs. Separation of duties is enforced at the permission level.
Every database query is scoped to the authenticated tenant. Cross-organisation visibility requires an explicit, active supplier relationship.
Event sourcing with SHA-256 hash chains records every state change. Each event captures user identity, action, and server-side timestamp in a tamper-evident chain.
SHA-256 content hashes on uploaded documents, cryptographic hash chains on audit events, and Ed25519 signatures on envelopes provide layered integrity verification.
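The following Go program is an added example, not CertLink's code, of the two integrity mechanisms just described: a SHA-256 content hash per uploaded document, and an event-sourced audit trail in which every event records user identity, action and a server-side timestamp and is linked to its predecessor by a SHA-256 hash chain. The AuditEvent field layout, the length-prefixed encoding hashed for each event, and the names AuditLog, Append and Verify are assumptions of the example; the page does not describe CertLink's actual event schema.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// AuditEvent is a hypothetical event record carrying the fields the page lists
// (user identity, action, server-side timestamp); the layout is an assumption.
type AuditEvent struct {
	Seq       int
	Timestamp string // server-side, RFC 3339; never taken from the client
	UserID    string
	Action    string
	DocHash   string // SHA-256 of the document the action concerns (hex)
	PrevHash  string // Hash of the previous event; empty for the first
	Hash      string // SHA-256 over all fields above, linking the chain
}

// ContentHash is the SHA-256 content hash stored alongside an uploaded document.
func ContentHash(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// eventDigest hashes the event fields with length prefixes, so that moving a
// boundary between fields ("ab","c" vs "a","bc") changes the digest.
func eventDigest(e AuditEvent) string {
	h := sha256.New()
	for _, f := range []string{strconv.Itoa(e.Seq), e.Timestamp, e.UserID, e.Action, e.DocHash, e.PrevHash} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AuditLog is an append-only event store; events are never updated in place.
type AuditLog struct {
	Events []AuditEvent
}

// Append records a state change, linking it to the previous event's hash.
// The timestamp comes from the server clock passed in, not from the caller's request.
func (l *AuditLog) Append(userID, action string, doc []byte, serverNow time.Time) AuditEvent {
	e := AuditEvent{
		Seq:       len(l.Events),
		Timestamp: serverNow.UTC().Format(time.RFC3339),
		UserID:    userID,
		Action:    action,
		DocHash:   ContentHash(doc),
	}
	if n := len(l.Events); n > 0 {
		e.PrevHash = l.Events[n-1].Hash
	}
	e.Hash = eventDigest(e)
	l.Events = append(l.Events, e)
	return e
}

// Verify walks the chain from the first event and returns the index of the
// first event whose hash or link does not check out, or -1 if the chain is intact.
func (l *AuditLog) Verify() (int, error) {
	prev := ""
	for i, e := range l.Events {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("event %d: sequence number %d out of order", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("event %d: does not link to previous event", i)
		case eventDigest(e) != e.Hash:
			return i, fmt.Errorf("event %d: stored hash does not match contents", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	var trail AuditLog
	doc := []byte("constructed CoA: LOT-0001 assay 99.2%") // constructed sample document
	now := time.Date(2025, 7, 1, 9, 0, 0, 0, time.UTC)     // constructed server timestamps
	trail.Append("qa.smith", "coa.create", doc, now)
	trail.Append("qa.jones", "coa.approve", doc, now.Add(time.Hour))
	trail.Append("qa.jones", "coa.export", doc, now.Add(2*time.Hour))
	fmt.Println(trail.Verify()) // -1 <nil>: chain intact
	trail.Events[1].Action = "coa.reject" // edit in place without re-hashing
	fmt.Println(trail.Verify()) // breaks at event 1: stored hash no longer matches
	trail.Events[1].Hash = eventDigest(trail.Events[1]) // re-hash the edited event
	fmt.Println(trail.Verify()) // breaks at event 2: it still links to the old hash
}
```

Editing an event and re-hashing it only moves the break one step along the chain, because the next event's PrevHash still names the original digest; a forger would have to rewrite every later event as well. What a chain by itself cannot show is truncation of the newest events, so a verifier also needs the current head hash recorded somewhere the event store cannot silently change (a periodic checkpoint or a signed head).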
Every EncryptedEnvelope carries an Ed25519 digital signature from the sending host's identity key. This provides three guarantees:

- Authentication: the receiver can verify the envelope was created by the claimed sender by checking the Ed25519 signature against the sender's known public key.
- Integrity: any modification to the envelope payload, even a single bit, invalidates the signature. The receiver detects tampering before decryption.
- Non-repudiation: the sender cannot deny having sent the envelope. The Ed25519 signature serves as cryptographic proof of origin, supporting regulatory audit requirements.
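The following Go program is an added example, not CertLink's code, that puts together the envelope construction the page describes (an ephemeral X25519 key agreement per envelope, HKDF-SHA256 key derivation, AES-256-GCM for the payload, and an Ed25519 signature by the sender's identity key over the encrypted payload) and shows the guarantees above in action: a modified or impersonated envelope is rejected before decryption. The Envelope field layout, the HKDF info string, the assumption that each receiving host publishes a static X25519 public key, and the function names Seal and Open are all assumptions of the example; CertLink's actual wire format is not on the page. HKDF is written out from RFC 5869 so that only the Go standard library (1.20 or later, for crypto/ecdh) is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Envelope is a hypothetical stand-in for CertLink's EncryptedEnvelope; the
// field layout is an assumption for this example, not CertLink's wire format.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte // random 12-byte AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM ciphertext followed by the 16-byte tag
	Signature    []byte // Ed25519 signature by the sending host's identity key
}

// hkdfSHA256 is RFC 5869 extract-then-expand with HMAC-SHA256, written out
// here so the example needs only the standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < n; i++ { // expand: T(i) = HMAC(PRK, T(i-1) | info | i)
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:n]
}

// signedBytes is what the Ed25519 signature covers: every field the receiver
// needs before decryption, so tampering is rejected before AES-GCM runs.
func signedBytes(e *Envelope) []byte {
	b := append([]byte{}, e.EphemeralPub...)
	b = append(b, e.Nonce...)
	return append(b, e.Ciphertext...)
}

// envelopeAEAD derives the 256-bit AES key from the ECDH shared secret.
func envelopeAEAD(shared []byte) cipher.AEAD {
	block, _ := aes.NewCipher(hkdfSHA256(shared, nil, []byte("example-envelope-v1"), 32))
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block cipher
	return gcm
}

// Seal encrypts a CoA to the recipient's static X25519 key and signs the
// result with the sender's Ed25519 identity key.
func Seal(coa []byte, recipientPub *ecdh.PublicKey, senderSign ed25519.PrivateKey) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per envelope
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	env := &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Nonce: make([]byte, 12)}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	// The ephemeral public key is also bound as associated data, so it cannot
	// be swapped without breaking the GCM tag.
	env.Ciphertext = envelopeAEAD(shared).Seal(nil, env.Nonce, coa, env.EphemeralPub)
	env.Signature = ed25519.Sign(senderSign, signedBytes(env))
	return env, nil
}

// Open verifies the signature against the expected sender first, then
// re-derives the key with the receiver's static X25519 key and decrypts.
func Open(env *Envelope, receiverDH *ecdh.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderPub, signedBytes(env), env.Signature) {
		return nil, errors.New("signature invalid: not from claimed sender or payload modified")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := receiverDH.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return envelopeAEAD(shared).Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}
```

A sender calls Seal with the receiver's published X25519 key and its own Ed25519 private key; the receiver calls Open with its X25519 private key and the sender's known Ed25519 public key, and the signature check runs before any ciphertext is touched. Non-repudiation holds only while the signing key stays under the sending host's exclusive control, which is why the at-rest encryption of host private keys described above matters. Note also that in this sender-ephemeral construction the receiver's X25519 key is static: the ephemeral key protects past envelopes against compromise of the sender's material, while the receiver's decryption key would still unlock envelopes addressed to it, so it needs the same protection and rotation discipline as the signing key.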
CertLink gives your supply chain end-to-end encryption, cryptographic authentication, and full data sovereignty — with an architecture that supports NIS2 and GDPR compliance.