How HiveMQ’s ISO 27001 and SOC 2 Certifications Support GxP Compliance
HiveMQ has achieved both ISO/IEC 27001:2022 certification and a SOC 2 Type 2 report covering all five trust criteria. For pharmaceutical manufacturers, biotech firms, and medical device companies, these credentials represent more than just formal recognition—they serve as concrete proof that HiveMQ operates with the rigorous security and quality controls necessary to support GxP compliance in regulated environments.
In this article, we delve into the essentials of GxP compliance, with particular emphasis on FDA 21 CFR Part 11 and EU Annex 11. We also examine how HiveMQ’s ISO 27001:2022 and SOC 2 Type 2 certifications align with these regulatory requirements. Additionally, we explore technical use cases for deploying HiveMQ’s secure MQTT Broker in GxP-regulated settings and highlight the key benefits of partnering with a technology provider that is aligned with GxP standards.
What is GxP Compliance? Understanding FDA 21 CFR Part 11, EU Annex 11, and More
In the life sciences industry, “GxP” is an umbrella term for “Good Practice” regulations that ensure product quality, safety, and efficacy across various domains (the x can stand for Manufacturing, Clinical, Laboratory, etc.). Two cornerstone regulations in this area are FDA 21 CFR Part 11 and EU GMP Annex 11, which specifically address requirements for electronic systems. Let’s look at each of these:
FDA 21 CFR Part 11 (Title 21 of the U.S. Code of Federal Regulations, Part 11) sets out requirements to ensure that electronic records and electronic signatures are trustworthy, reliable, and equivalent to paper records and handwritten signatures. In practice, Part 11 requires regulated companies to validate their software systems, implement strict access controls, keep audit trails, and maintain data integrity so that electronic data can be trusted as much as traditional paper documentation. It thereby raises the security bar for computer systems in FDA-regulated industries, ensuring that any GxP-governed process (GMP, GCP, GLP, etc.) that uses electronic systems is properly controlled and auditable. For more information, see Food and Drug Administration CFR Title 21 Part 11.
EU GMP Annex 11 is a parallel set of requirements in the European Union that supplements the EU’s Good Manufacturing Practice guidelines. It governs the integrity and security of electronic records and signatures associated with computerized systems. When manual processes are replaced with IT systems, Annex 11 ensures that there is no reduction in product quality or process control, and no increase in risk. It outlines expectations for system validation, data integrity, security measures, audit trails, change control, and personnel training—all designed to ensure that electronic systems are reliable and secure.
In essence, EU Annex 11 and FDA Part 11 share the same purpose, differing mainly in regional scope (EU vs. US). Both aim to ensure that electronic systems used in GxP processes are compliant, trustworthy, and secure.
GxP compliance broadly means adhering to these and related regulations, including best-practice frameworks such as ISPE GAMP 5 for system validation and data integrity. For a regulated company, this includes validating computerized systems, following strict Standard Operating Procedures (SOPs), managing changes effectively, and demonstrating to inspectors that electronic data is accurate, traceable, and protected from unauthorized access or tampering. Non-compliance can lead to serious consequences.
One often overlooked yet critical aspect of GxP compliance is vendor (Third Party) qualification. Both FDA and EU regulators require that if you use third-party software or services in a GxP process, you must ensure the vendor is trustworthy and that their product can support compliance. EU Annex 11 explicitly states that “the competence and reliability of a supplier are key factors when selecting a product or service provider,” and that quality system and audit information from suppliers must be available to inspectors upon request. This requirement is explained in more detail in Annex 11 Final 0910.
This is where HiveMQ’s certifications offer significant value—they provide third-party validated proof of HiveMQ’s security and quality practices, reducing the vendor assessment burden on customers and supporting their GxP compliance efforts.
ISO/IEC 27001:2022: A Security Foundation Aligned with GxP Needs
ISO/IEC 27001:2022 is the latest version of the internationally recognized standard for Information Security Management Systems (ISMS). Achieving ISO 27001 certification signifies that an organization has implemented a comprehensive, audited system of controls to safeguard the confidentiality, integrity, and availability of information. These three principles—commonly referred to as the “CIA triad” in security—are also fundamental to compliance in GxP-regulated environments.
In fact, regulatory guidance frequently overlaps with ISO 27001 controls. For instance, 21 CFR Part 11 and EU Annex 11 mandate strong user authentication, access controls, and data integrity measures—core objectives of ISO 27001’s framework.
By adhering to ISO 27001, HiveMQ ensures robust policies are in place for access management, incident response, system continuity, and more—all supporting the requirements GxP regulations impose on electronic systems.
Key ISO 27001:2022 Aspects That Support GxP Compliance
Risk Management: ISO 27001 adopts a risk-based approach to securing systems, which aligns well with the GxP requirement for risk management throughout a system's lifecycle. Refer to Annex 11 Section 1 and Annex 11 Final 0910 for more details. HiveMQ's Information Security team applies this risk-based approach across the systems and data life cycle, in line with Good Practice (GxP) principles and Annex 11 of the EU GMP guidelines. The process begins by identifying risks that may affect data integrity, confidentiality, and availability, the core components of regulatory compliance. Risks such as unauthorized access, data loss, system failures, and operational inconsistencies are then addressed proactively using a structured treatment plan.
Access Control and Security Policies: Both ISO 27001 and GxP guidelines require defined user access levels and prevention of unauthorized system access. HiveMQ supports strong password policies, role-based access controls, and user activity monitoring, so that only authorized personnel can reach GxP data, as required by Part 11 (e.g., §11.10(d)).
Audit Trails and Activity Logs: FDA Part 11 explicitly requires secure, computer-generated audit trails that log who did what and when, ensuring traceability of actions affecting electronic records. ISO 27001's Annex A controls also address logging and monitoring. Following ISO 27001, HiveMQ can produce detailed system logs and audit records (e.g., for its MQTT broker service) that support customers' compliance with audit trail requirements. Note that these cover broker-level events; the audit trail for the GxP records themselves is kept by the system that consumes the data (EBR, historian), which the broker feeds.
System Validation and Change Management: Although ISO 27001 is primarily a security standard rather than a software validation guideline, it enforces disciplined operational controls—such as configuration management, change control, and proper documentation. These elements align with GxP expectations that systems be validated and changes tightly controlled as per Annex 11 Final 0910. HiveMQ’s ISO certification reflects adherence to formalized processes for software development and infrastructure changes, reducing the risk of compromising a system’s validated state or data integrity during broker updates.
Continuity and Availability: Regulators require that critical GxP systems are reliable; for instance, data should be backed up and protected against loss, as indicated in Annex 11 Section 7, so that records are preserved. ISO 27001 includes robust controls for backup, disaster recovery, and business continuity. In line with these expectations, HiveMQ's secure MQTT broker service is supported by redundant infrastructure and backup mechanisms, helping customers maintain uptime and allowing HiveMQ to meet its SLA commitments.
In summary, HiveMQ’s ISO/IEC 27001:2022 certification demonstrates that the company maintains a comprehensive, end-to-end information security program aligned with industry best practices. While ISO 27001 itself is not a GxP regulation, its intent and structure closely mirror that of 21 CFR Part 11, supporting the confidentiality, integrity, and availability of data (Food and Drug Administration CFR Title 21 Part 11 - Microsoft Compliance | Microsoft Learn). Ultimately, this creates a strong foundation for GxP-regulated organizations using HiveMQ’s technology, because the necessary controls are embedded into how HiveMQ operates and designs its products.
SOC 2 Type 2 Certification: Ensuring Trust and Operational Integrity
In addition to ISO certification, HiveMQ undergoes regular independent audits resulting in a SOC 2 Type 2 report that covers all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type 2 examination is performed by third-party auditors following the AICPA standard; it evaluates the design and operating effectiveness of a service organization’s controls related to those five areas over a period of time. For more detailed information about the criteria and standards used, refer to SOC 2® - SOC for Service Organizations: Trust Services Criteria | AICPA & CIMA. In practical terms, this means HiveMQ has demonstrated with evidence that it consistently follows documented controls to keep systems secure, reliable, and trustworthy.
Here’s how each of the SOC 2 trust criteria maps to GxP considerations:
Security: The Security category (also called “Common Criteria”) is the baseline for SOC 2. It examines how the service protects against unauthorized access and other security threats. For GxP applications, security is critical to prevent data tampering or unauthorized changes to electronic records. HiveMQ’s SOC 2 report verifies controls like firewall configurations, vulnerability management, incident response, and access controls, which support FDA/EU requirements that only authorized individuals can use the system and that system integrity is safeguarded (Synergy between ISMS & GxP Compliance for value add in Pharma IT | Pharmaceutical Engineering).
Availability: This criterion evaluates whether the service is available for operation and use as agreed. In regulated manufacturing or clinical environments, system downtime or data inaccessibility can halt a production line or delay a trial, impacting compliance (for example, if environmental monitoring data isn't recorded due to an outage). HiveMQ's SOC 2 (Availability) attests that it has measures such as redundancy, failover, and proactive monitoring to ensure high uptime. This aligns with GxP expectations for reliable infrastructure and supports the business continuity plans that regulators like FDA expect for critical systems.
Processing Integrity: Processing Integrity focuses on whether the system processes data completely, accurately, and validly. This is directly related to data integrity requirements under GxP. For instance, if HiveMQ's MQTT broker is transmitting manufacturing data (e.g., sensor readings, batch records), the processing integrity controls ensure that messages aren't lost, duplicated, or improperly altered in transit. SOC 2 validation of processing integrity means HiveMQ has safeguards in place (such as reliable message queuing, error handling, and reconciliation procedures) to maintain an accurate and consistent data flow, supporting the "completeness, consistency, and accuracy of data" that regulators demand (How ISO 27001 certification ensures data integrity - GxP-CC).
Confidentiality: Many GxP records involve sensitive information – whether it’s proprietary formulation data, or patient health information in a clinical trial context. The Confidentiality criterion in SOC 2 verifies controls that protect information deemed confidential. HiveMQ uses strong encryption (both in transit and at rest) for its MQTT messaging and data storage, strict need-to-know access policies, and confidentiality agreements with employees—all ensuring that sensitive GxP data is not disclosed inappropriately. While 21 CFR Part 11 is more about data integrity than secrecy, regulators still expect companies to protect trade secrets and patient privacy. HiveMQ’s confidentiality controls help customers meet those obligations (and also align with related standards like HIPAA or GDPR when applicable).
Privacy: The Privacy category goes one step further to address personal information handling in accordance with fair privacy principles (like notice, consent, data minimization, etc.). Not all GxP data is personal data, but consider clinical trial scenarios or post-market surveillance where personal health data might be collected via devices and sent through the MQTT broker. HiveMQ’s SOC 2 Privacy criteria ensure the company has mechanisms to protect personal data and honor individuals’ privacy rights, giving regulated customers assurance that using HiveMQ’s platform won’t expose them to privacy compliance gaps. This is especially relevant for global life-science companies that must navigate laws like GDPR alongside GxP regulations.
Obtaining a SOC 2 Type 2 report for all five criteria is a rigorous process, and HiveMQ's commitment to it signals a holistic approach to trust and compliance. In fact, Microsoft's own GxP compliance team notes that cloud vendors that make SOC Type I and Type II reports and ISO 27001 certificates, together with the ISO 27001 Statement of Applicability (SoA), available provide the evidence needed for a thorough vendor assessment (GxP Compliance starts with proper vendor assessments – and here's how you can do it effectively even remotely - Microsoft in Business Blogs). The SOC 2 report essentially packages a detailed description of HiveMQ's controls with independent verification of their effectiveness. For a pharma or biotech customer, this report can be used as part of the vendor qualification package to satisfy auditors that HiveMQ meets high standards for security and data integrity in its services. This goes a long way toward fulfilling the requirement that "proper assessment [be] made prior to selecting the cloud vendor" for GxP systems. Refer to GxP Cloud Compliance: Frequently Asked Questions, Answered for details.
Aligning with GxP Requirements
The alignment described here is limited to information security controls; product validation and quality activities remain the customer's responsibility. The table below highlights key areas where ISO/IEC 27001:2022 and SOC 2 align with pharmaceutical regulations:
GxP Requirement | ISO/IEC 27001:2022 clauses and Annex A controls | SOC 2 Trust Services Criteria
---|---|---
Quality Assurance | A.5.1 Information security policies; 9.1 Monitoring, measurement, analysis and evaluation; A.5.37 Documented operating procedures | CC4.1 COSO Monitoring Activities; CC7.1 System Operations; P7.0 Privacy criteria related to Quality
Documentation Control | 7.5.1 Documented information; 7.5.2 Creating and updating; 7.5.3 Control of documented information | CC3.2 COSO Risk Assessment; CC6.3 Logical and Physical Access Controls
Training | 7.2 Competence; 7.3 Awareness; A.6.3 Information security awareness, education and training | CC1.4 COSO Control Environment; CC2.2 COSO Communication and Information
Risk Assessment and Management | 6.1.2 Information security risk assessment (planning); 6.1.3 Information security risk treatment (planning); 8.2 Information security risk assessment (operation); 8.3 Information security risk treatment (operation); 9.3 Management review | CC3.0 Risk Assessment; CC5.0 Control Activities; CC7.0 System Operations; CC9.0 Risk Mitigation; A1.2 Environmental protections and recovery infrastructure
Data Integrity and Protection | 8.1 Operational planning and control; 8.2 Information security risk assessment; 8.3 Information security risk treatment; A.5.14 Information transfer; A.5.34 Privacy and protection of personally identifiable information (PII); A.6.6 Confidentiality or non-disclosure agreements | CC1.1 COSO Control Environment; PI1 Additional criteria for Processing Integrity
Change Management | 8.1 Operational planning and control; 8.3 Information security risk treatment; A.8.32 Change management | CC5.3 COSO Control Activities; CC7.1 System Operations; CC8.0 Change Management
Electronic Records Management | 7.5.3 Control of documented information; A.5.33 Protection of records; A.7.10 Storage media; A.7.14 Secure disposal or re-use of equipment | C1.1 Confidential information identification; PI1.1 Quality information for processing objectives
Physical Security | A.7.1 Physical security perimeters; A.7.2 Physical entry; A.7.3 Securing offices, rooms and facilities; A.7.4 Physical security monitoring; A.7.5 Protecting against physical and environmental threats | CC6.4 Physical access restrictions
Audit Monitoring | 9.2 Internal audit; 9.3 Management review; A.6.8 Information security event reporting | CC4.0 COSO Monitoring Activities; CC7.2 System anomaly monitoring
Incident Management | A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.5.27 Learning from information security incidents; A.5.28 Collection of evidence; A.5.29 Information security during disruption; A.5.31 Legal, statutory, regulatory and contractual requirements; A.5.33 Protection of records | CC7.3 Security event evaluation; CC7.4 Incident response program; CC7.5 Security incident recovery
Supplier Management | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.5.22 Monitoring, review and change management of supplier services | CC2.3 COSO Communication and Information; CC3.2 COSO Risk Assessment; CC4.1 COSO Monitoring Activities; CC4.2 COSO Monitoring Activities; CC5.3 COSO Control Activities; CC9.2 Vendor and partner risk management; C1.1 Confidential information identification
*The implementation of multiple sets of controls supports non-repudiation.
Use Cases: Deploying HiveMQ’s Secure MQTT Broker in GxP Environments
How Do These Certifications Translate into Real-World Usage?
Let’s consider a few technical use cases where HiveMQ’s Secure MQTT Broker might be deployed in GxP-regulated environments:
Real-Time Environmental Monitoring in GMP Manufacturing: In pharmaceutical production (GMP), companies must closely monitor environmental parameters such as temperature, humidity, and differential pressure in manufacturing suites and storage areas. IoT sensors connected via MQTT can stream this data in real time to a central system. With HiveMQ's secure MQTT broker, the manufacturer transmits these critical environmental readings reliably and securely: TLS and client authentication guard against tampering in transit, and QoS-based delivery guards against loss. When every sensor message is timestamped and retained by the receiving system, the pipeline supports record-keeping and data integrity requirements; FDA and EU regulations often require proof that storage conditions remained within specification. HiveMQ's broker, operated under ISO 27001 controls, provides encrypted, authenticated messaging from the sensors, while its SOC 2 coverage of Processing Integrity and Availability gives confidence that the data will arrive intact and be available for review. An MQTT-based solution can also raise automatic alerts when a condition goes out of range, helping quality teams act immediately and document the excursion.
Electronic Batch Record Collection and Audit Trails: Modern biotech and pharma production lines are adopting Pharma 4.0 principles, connecting machines and systems digitally. HiveMQ's MQTT broker can serve as middleware connecting equipment such as mixers, bioreactors, and filling machines with an electronic batch record (EBR) system. Each process step publishes messages (events, process values, and so on), which the broker routes to the EBR or data historian. With its security features and audit logging configured, the broker can maintain an audit trail of message traffic: what was sent, by which device, and when. This gives the electronic batch record a trustworthy underpinning with clear data provenance. If an inspector asks for evidence of a particular production step, the company can retrieve the record knowing it is backed by a chain of secure, logged MQTT messages. HiveMQ's compliance framework helps here too: the ISO 27001 certification attests that HiveMQ follows change control on the broker software, so its behavior stays consistent and can be kept in a validated state, and the SOC 2 report verifies the system security controls that reduce the risk of batch data being intercepted or altered in transit.
Clinical Trial IoT Data Gathering: In some clinical trials (a GCP-regulated setting), patients use connected medical devices or wearables that collect data, such as a smart inhaler recording usage or a glucose monitor. These devices can send data via a secure MQTT broker to the sponsor's cloud database. HiveMQ's broker, with TLS-encrypted connections and client authentication on every hop, protects the confidentiality and integrity of patient-generated data as it travels from device to cloud. Moreover, HiveMQ's SOC 2 Privacy coverage means the vendor handles any personal data in line with privacy laws, an important consideration alongside GxP. All five trust principles come into play: security to prevent unauthorized access to device data, availability to keep the data pipeline up when patients use it, processing integrity to avoid missing readings, and confidentiality and privacy to protect patient information. This use case shows how a GxP-regulated company (here, a pharma sponsor running a trial) can confidently adopt IoT innovations. With HiveMQ's GxP-aligned platform, they can accelerate digital health data collection without compromising on compliance.
These examples show that a secure MQTT broker isn't just a technical utility; in regulated contexts it becomes a validated component of the GxP system architecture. HiveMQ recognizes this, which is why its product is built and managed under an ISO 27001-certified ISMS and audited against SOC 2 criteria. In practice, customers still perform computer system validation (CSV) or qualification on the overall solution (per FDA guidelines and GAMP 5 methods), but HiveMQ's certifications and audit reports significantly streamline that process. For instance, a pharma company can include HiveMQ's SOC 2 report and ISO certificate in its vendor qualification dossier to demonstrate that the MQTT broker service has appropriate controls, instead of auditing everything from scratch. This was similarly observed in a real-world Pharma 4.0 case study, where deploying an MQTT-based platform across 15 factories yielded automated data collection and storage that facilitated compliance with regulations requiring long-term data retention, with no data loss (Digital Transformation in Pharma Manufacturing With UNS, MQTT & Distributed Data Intelligence). The result was improved regulatory compliance and operational efficiency, showing how technology and compliance can advance together.
How Can HiveMQ Broker Be Further Configured?
Configuration Controls
Access Control & Authentication (Part 11 §11.10(d), §11.300; Annex 11 §2, §3.1, §7.1, §12, §17)
Enable mutual TLS so that each MQTT client presents an X.509 certificate issued by a GxP-managed CA.
Configure RBAC via HiveMQ's file-based ACL or an external IdP (LDAP/OAuth) extension, mapping least-privilege roles (e.g., publisher-only, QA reviewer).
Enforce password complexity for any password-based accounts (Control Center users, service accounts).
Data Integrity & Message Persistence (Annex 11 §5, §6, §7)
Enable disk persistence (rather than in-memory only) on a redundant RAID array or SAN so that queued and retained messages survive restarts.
Use QoS 2 (exactly-once) delivery for critical GxP topics; QoS is chosen by the publishing and subscribing clients, so validate client configuration rather than relying on the broker alone.
Configure disk encryption (LUKS, BitLocker) or database TDE for data at rest.
Audit Trail (Part 11 §11.10(e); Annex 11 §9)
Set log.level to INFO (not lower) and configure audit logging to capture:
Client connect/disconnect (ClientID, IP, cert CN)
SUBSCRIBE / UNSUBSCRIBE actions (topic filter, ACL decision)
PUBLISH metadata (topic, QoS, user, timestamp, checksum)
Configuration changes (cluster, extensions, security settings)
Do not set log.level to DEBUG or TRACE unless explicitly required for troubleshooting, because those levels capture additional sensitive information. Note that the standard broker log does not record every PUBLISH packet; capturing per-message metadata needs an extension that intercepts PUBLISH events, and the checksum should be computed over the payload so that the audit trail never has to store the payload itself.
Stream logs to an immutable store (e.g., WORM storage, or Splunk backed by a write-once S3 bucket).
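The audit items above (client identity, topic, QoS, timestamp, payload checksum, and an immutable store) are easier to reason about with a concrete record format. The following is an added example, not HiveMQ code and not a broker feature: it builds hash-chained audit records of the kind a PUBLISH-intercepting extension could emit to WORM storage, and a verifier that reports the first record whose contents or link to its predecessor no longer check out. The field names, client IDs, topics and timestamps are constructed for the example.

```python
"""Added example: hash-chained audit records for MQTT broker events.
Not a HiveMQ feature; field names are assumptions chosen to match the
audit items listed in the section above."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record of a log file or day


def canonical_hash(fields):
    """SHA-256 over a canonical JSON encoding so the hash is reproducible."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def make_record(prev_hash, event, client_id, ts, **details):
    """Build one audit record linked to the previous record's hash.
    A payload, if given, is reduced to a checksum: the audit trail never
    stores the payload itself, only enough to reconcile it later."""
    fields = {"prev": prev_hash, "event": event, "client_id": client_id, "ts": ts}
    payload = details.pop("payload", None)
    if payload is not None:
        fields["payload_sha256"] = hashlib.sha256(payload).hexdigest()
    fields.update(details)
    fields["hash"] = canonical_hash(fields)
    return fields


def verify_chain(records, anchor=GENESIS):
    """Return (True, None) if every record's hash and link check out,
    otherwise (False, index) of the first record that fails. Editing,
    deleting or reordering any record breaks the chain at or before that point."""
    prev = anchor
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or canonical_hash(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


def sample_chain():
    """Constructed sample: one sensor session as a broker audit feed could report it."""
    recs, prev = [], GENESIS
    session = [
        ("CONNECT", {"ip": "10.20.0.15", "cert_cn": "sensor-suite7-temp-01"}),
        ("SUBSCRIBE", {"topic_filter": "gmp/suite7/commands/#", "acl": "ALLOW"}),
        ("PUBLISH", {"topic": "gmp/suite7/temperature", "qos": 2, "payload": b'{"c":21.4}'}),
        ("DISCONNECT", {"reason": "NORMAL"}),
    ]
    for event, details in session:
        ts = f"2024-05-01T08:00:0{len(recs)}Z"  # constructed timestamps
        rec = make_record(prev, event, "sensor-suite7-temp-01", ts, **details)
        recs.append(rec)
        prev = rec["hash"]
    return recs


def tampered_chain():
    """Same chain with the temperature reading's checksum silently replaced."""
    recs = sample_chain()
    recs[2]["payload_sha256"] = hashlib.sha256(b'{"c":20.9}').hexdigest()
    return recs


if __name__ == "__main__":
    print("intact chain:", verify_chain(sample_chain()))
    print("tampered chain:", verify_chain(tampered_chain()))
```

A chain like this only proves integrity from the point the records were written; the first hash of each file or day should be anchored somewhere the broker operators cannot rewrite (the WORM store's own object metadata, or a signed daily summary), and the consuming EBR or historian can recompute the payload checksum on receipt to reconcile against the audit feed.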
Electronic Signatures not based on biometrics (Part 11 §11.200; Annex 11 §14)
Integrate HiveMQ with an external eSignature service (e.g., via webhooks), since the broker itself does not implement electronic signatures.
Ensure two distinct identification components (e.g., user ID plus password or private key) and keep the signature manifestation (printed name, date and time, and meaning of the signature, per §11.50) with the signed record.
Time-Stamping & Clock Sync (Part 11 §11.10(e); Annex 11 §9)
Synchronize all broker nodes via NTP to a qualified, traceable time source, record the time zone used in audit records, and alert on drift greater than 1 s.
Encryption in Transit (Part 11 §11.30)
Enforce TLS 1.3 with strong cipher suites; disable plaintext TCP and WebSocket listeners (the default MQTT port 1883 and any unencrypted WebSocket port).
Serve the HiveMQ Control Center over HTTPS only, with HSTS enabled.
Note that TLS protects each hop (client to broker, broker to subscriber); the broker handles message payloads in clear, so broker-side access controls and logging matter as much as the transport encryption.
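The listener settings from the Access Control & Authentication and Encryption in Transit items above are where most GxP deployments go wrong in review. As an added example, not HiveMQ's own code or documentation, the following script embeds a constructed weak config.xml beside a hardened one and audits both for the checks named above: no plaintext listener, client-authentication-mode REQUIRED with a truststore for the GxP CA, TLS 1.3 only, and the Control Center on HTTPS. The element names follow the HiveMQ 4 config.xml layout as this example assumes it (listeners, tls-tcp-listener, client-authentication-mode, control-center); confirm them against the documentation for your broker version. Keystore paths and REPLACE_ME passwords are placeholders.

```python
"""Added example (not HiveMQ's own code): audit a HiveMQ config.xml for the
listener hardening items above. Element names follow the HiveMQ 4 config.xml
layout as this example assumes it; confirm against the docs for your version."""
import xml.etree.ElementTree as ET

# Constructed weak configuration: plaintext MQTT on 1883, no client certificates,
# TLS 1.2 still allowed, Control Center over plain HTTP.
WEAK_CONFIG = """<hivemq>
  <listeners>
    <tcp-listener><port>1883</port><bind-address>0.0.0.0</bind-address></tcp-listener>
    <tls-tcp-listener>
      <port>8883</port><bind-address>0.0.0.0</bind-address>
      <tls>
        <keystore><path>/opt/hivemq/conf/broker.jks</path><password>REPLACE_ME</password>
          <private-key-password>REPLACE_ME</private-key-password></keystore>
        <client-authentication-mode>NONE</client-authentication-mode>
        <protocols><protocol>TLSv1.2</protocol><protocol>TLSv1.3</protocol></protocols>
      </tls>
    </tls-tcp-listener>
  </listeners>
  <control-center><listeners><http><port>8080</port></http></listeners></control-center>
</hivemq>"""

# Constructed hardened configuration: mutual TLS against a GxP-managed CA truststore,
# TLS 1.3 only, Control Center over HTTPS. Keystore secrets are placeholders.
HARDENED_CONFIG = """<hivemq>
  <listeners>
    <tls-tcp-listener>
      <port>8883</port><bind-address>0.0.0.0</bind-address>
      <tls>
        <keystore><path>/opt/hivemq/conf/broker.jks</path><password>REPLACE_ME</password>
          <private-key-password>REPLACE_ME</private-key-password></keystore>
        <truststore><path>/opt/hivemq/conf/gxp-ca.jks</path><password>REPLACE_ME</password></truststore>
        <client-authentication-mode>REQUIRED</client-authentication-mode>
        <protocols><protocol>TLSv1.3</protocol></protocols>
        <cipher-suites><cipher-suite>TLS_AES_256_GCM_SHA384</cipher-suite></cipher-suites>
      </tls>
    </tls-tcp-listener>
  </listeners>
  <control-center><listeners><https><port>8443</port>
    <tls><keystore><path>/opt/hivemq/conf/cc.jks</path><password>REPLACE_ME</password>
      <private-key-password>REPLACE_ME</private-key-password></keystore></tls>
  </https></listeners></control-center>
</hivemq>"""

PLAINTEXT = {"tcp-listener", "websocket-listener"}
TLS = {"tls-tcp-listener", "tls-websocket-listener"}


def audit_listener(listener):
    """Findings for one MQTT listener element under <listeners>."""
    where = f"{listener.tag} on port {listener.findtext('port', '?')}"
    if listener.tag in PLAINTEXT:
        return [f"{where}: plaintext MQTT listener; remove it"]
    if listener.tag not in TLS:
        return []
    tls = listener.find("tls")
    if tls is None:
        return [f"{where}: no <tls> block"]
    findings = []
    mode = (tls.findtext("client-authentication-mode") or "NONE").upper()
    if mode != "REQUIRED":
        findings.append(f"{where}: client-authentication-mode is {mode}, expected REQUIRED (mutual TLS)")
    if tls.find("truststore") is None:
        findings.append(f"{where}: no <truststore>, so client certificates cannot be validated")
    protocols = [p.text.strip() for p in tls.findall("protocols/protocol") if p.text]
    if protocols != ["TLSv1.3"]:
        findings.append(f"{where}: protocols {protocols or ['broker default']}, expected ['TLSv1.3'] only")
    return findings


def audit_config(xml_text):
    """Return a list of findings for a config.xml; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for listener in root.findall("listeners/*"):
        findings.extend(audit_listener(listener))
    for cc in root.findall("control-center/listeners/*"):
        if cc.tag == "http":
            findings.append(f"control-center http listener on port {cc.findtext('port', '?')}: use https only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against the real file with `audit_config(open("/opt/hivemq/conf/config.xml").read())` as part of the IQ/OQ evidence; a non-empty result is a deviation to record. The check deliberately treats any protocol list other than exactly TLSv1.3 as a finding, so a broker left on its defaults is flagged rather than silently accepted.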
Backup & Disaster Recovery (Annex 11 §7.2, §16; Part 11 §11.10(c))
Schedule hot backups of the persistence folders with validated backup software, using daily incremental and weekly full cycles, and verify that backups can actually be restored.
Document and test RTO/RPO requirements; perform annual failover drills.
Change & Configuration Management (Annex 11 §10)
Store the broker configuration (config.xml), extension JARs, and Kubernetes Helm charts in a version-controlled repository (e.g., Git), with each change reviewed and tied to a change-control record.
Use signed artefacts and verify checksums before deployment.
System Validation & Testing (Part 11 §11.10(a); Annex 11 §4)
Create a Validation Plan aligned to GAMP 5 Category 4 (configured product).
Perform:
Installation Qualification (IQ) – Verify OS, JVM, broker install.
Operational Qualification (OQ) – Challenge audit trail, failover, security controls.
Performance Qualification (PQ) – Simulate production load and edge cases.
Maintain a traceability matrix linking tests to user requirements.
Monitoring, Alerts & Incident Management (Annex 11 §13)
Export broker metrics via Prometheus to a validated monitoring system; set alert thresholds for connection spikes, disk, and heap usage.
Define an incident response procedure describing escalation paths and CAPA (corrective and preventive action).
Benefits of Partnering With a GxP-Aligned Technology Provider Like HiveMQ
For pharmaceutical, biotech, and medtech companies, choosing a technology partner that understands and aligns with GxP compliance yields numerous benefits. By partnering with HiveMQ, which has invested in ISO 27001:2022 and SOC 2 Type 2 certifications, regulated customers can expect:
Reduced Compliance Risk: HiveMQ’s certified controls greatly reduce the risk of security incidents, data integrity issues, or downtime that could put a company out of compliance. The strong alignment with GxP requirements means fewer gaps or weak links in your overall compliance chain.
Faster Vendor Qualification and Audits: Customers can use HiveMQ's ISO 27001 certificate and detailed SOC 2 Type 2 report as evidence of control effectiveness. This accelerates vendor qualification and answers many auditor questions proactively. As Annex 11 indicates, having supplier audit information ready is invaluable (Annex 11 Final 0910); HiveMQ provides it from day one.
Assurance of Data Integrity and Quality: With HiveMQ's secure MQTT broker in place, customers gain confidence that their critical GxP data from production processes, labs, or devices remains complete, accurate, and traceable. Features such as audit trails, encryption, and reliable message delivery are built in, helping to maintain the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available) for data integrity.
Strong Security Posture: HiveMQ’s adherence to ISO 27001 means it continuously monitors and improves its security. Customers benefit from a platform that is hardened against cyber threats, such as malware, intrusion, etc., reducing the likelihood of breaches that could expose sensitive data or disrupt regulated operations. In an era where data breaches can lead to regulatory penalties and reputation damage, this proactive security is a major advantage.
Support for Innovation within Compliance: Partnering with a GxP-aligned provider like HiveMQ lets regulated companies adopt modern technologies (IoT, cloud services, real-time analytics) with less fear of compliance fallout. HiveMQ’s platform enables innovations like real-time monitoring, remote device connectivity, and data-driven decision-making like predictive maintenance in manufacturing while still meeting compliance requirements. This balanced approach helps companies stay competitive, moving toward Pharma 4.0 and digital transformation, without compromising on quality or patient safety.
Expertise and Guidance: HiveMQ's focus on compliance means its team is aware of GxP concerns. Beyond the technology itself, such a vendor can often provide guidance or best practices for deployment in regulated settings. For example, HiveMQ can assist with documentation needed for validation, share reference architectures (as seen in cloud providers' GxP guides), and communicate its updates or changes in a way that supports the customer's change control and re-validation processes. This kind of partnership fosters a true culture of quality across company boundaries.
HiveMQ: Enabling GxP-Aligned Innovation
Digital technologies and rigorous compliance can go hand in hand–and HiveMQ’s dual achievement of ISO/IEC 27001:2022 certification and SOC 2 Type 2 attestation (with all trust criteria) is proof of that. GxP compliance is not just about ticking boxes; it’s about establishing trust that every electronic record, every data point, and every process in a regulated environment is reliable and accountable. HiveMQ has built that trust into its operations and products. By leveraging HiveMQ’s secure MQTT Broker in GxP-regulated workflows, companies in pharma, biotech, and medical devices can confidently modernize their systems, knowing that the underlying platform meets the high-bar security and integrity requirements demanded by FDA and EU regulators.

Dhawal Desai
Dhawal Desai is the Chief Information Security Officer at HiveMQ, bringing experience from previous roles at Klarna, Monedo Holding GmbH, Banque Saudi Fransi and Indusface Consulting Private Limited. With a robust skill set that includes Security, Information Security, Vulnerability Assessment, Network Security, Penetration Testing and more, Dhawal contributes valuable insights to the industry.