Product / For Quality & Regulatory Pros

Be Compliant From Day One.

Save weeks of writing and get certified in smooth audits.
basebox is compliant with regulatory quality requirements, especially those for medical devices, and it is ready for all other sensitive sectors, too. It also complies with cybersecurity guidelines.
To support your certification process, all documents for your audit are completed and available for download.

All Documents Filled Out.
Just Download and Go.

IEC 62304

Medical device software - Software life-cycle processes

IEC 62304 is an international standard for the development of medical device software. It provides a process for developing, testing, and maintaining software used in medical devices. It covers the entire software life cycle, from requirements to post-market surveillance, and is intended to ensure that the software is safe and effective for its intended use.

basebox itself is not a medical device. If you use it, it becomes an off-the-shelf (OTS) component of your product. basebox provides you with all basebox-related IEC 62304 documents for your audit.

ISO 14971

Medical devices - Application of risk management to medical devices

ISO 14971 is an international standard that provides guidelines for the risk management of medical devices. It outlines a process for identifying, analyzing, evaluating, controlling, and monitoring the risks associated with medical devices throughout their life cycle, with the goal of ensuring they are safe and effective for their intended use.

basebox itself is not a medical device. Therefore, ISO 14971 does not apply to basebox. If you use it, it becomes an off-the-shelf (OTS) component of your product. basebox supports your risk analysis with any basebox-specific documents needed during your audit.

ISO 13485

Medical devices - Quality management systems - Requirements for regulatory purposes

ISO 13485 is an international standard that sets out requirements for a quality management system (QMS) specific to the medical device industry. It is designed to help organizations ensure that their medical devices are safe, effective, and of high quality by establishing a framework for managing medical device design, development, production, installation, and servicing. Organizations that are certified to this standard demonstrate that they have a robust QMS in place and are committed to meeting the needs of their customers and regulatory requirements.

basebox, the company, is not a medical device manufacturer but is planning to establish an ISO 13485-based quality management system. basebox, the product, is not a medical device itself. basebox, the product, is a universal, generic data management system provided as a backend framework, useful beyond Health Tech alone.

It can be operated in any sector where privacy-sensitive data, regulatory compliance, cybersecurity, and performance are at stake.

The legal medical device manufacturer integrating basebox, the product, is responsible for meeting all applicable medical device manufacturing regulations.


IEC 81001-5-1

Health software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product life cycle

The cybersecurity standard IEC 81001-5-1 focuses on IT security in the software life cycle. As a special standard for health software, it supplements IEC 82304-1 and IEC 62304, among others.

Regulatory requirements include cybersecurity. IEC 81001 is the most recent standard for cybersecurity of medical devices. It uses the framework of IEC 62304 for medical devices.

basebox is a universal backend for all data-sensitive, regulated sectors with high cybersecurity requirements. Although basebox is not a medical device, the principles of security by design, as stated by IEC 81001, were followed where applicable.

The measures we consider and implement are valid for all sectors of this type. basebox is developed with a top-down approach. Therefore, we initially focus on the healthcare sector, one of the most extensive and strictly regulated.
Here we focus on compliance with European regulations and the most critical American FDA guidelines.


MDCG 2019-16

Guidance on Cybersecurity for medical devices

MDCG 2019-16 specifically provides guidance on the application of the MDR for stand-alone software and mobile medical applications. It is issued by the Medical Device Coordination Group (MDCG) of the European Union. MDCG is a group of experts established by the European Medicines Agency (EMA) to provide guidance to manufacturers, notified bodies, and other stakeholders on the implementation of the Medical Device Regulation (MDR) and In-Vitro Diagnostic Regulation (IVDR) in the EU.
The standard is covered by IEC 81001-5-1 and is thus covered by basebox.


The Manufacturer Disclosure Statement for Medical Device Security (MDS2)
This standardized form is to be filled out by medical device manufacturers to communicate their devices' security and privacy characteristics to current device owners and potential buyers, typically healthcare delivery organizations.

The MDS2 was developed by the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA).


NIST SP 800-53

Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-53 Rev. 4 is a publication from the National Institute of Standards and Technology (NIST). It provides a catalog of security and privacy controls and enhancements for federal information systems and organizations. The framework can be used to protect the confidentiality, integrity, and availability of information and information systems. The publication is widely used as a reference for information security professionals and organizations in the United States and other countries. The standard is part of MDS2 and covered by basebox.


ISO 27002

Information technology - Security techniques - Code of practice for information security management

ISO 27002:2013 is an international standard. It provides a code of practice for information security management and gives recommendations and general guidelines for initiating, implementing, maintaining, and improving information security management in an organization. The standard is based on a Code of Practice for Information Security Management, known as ISO/IEC 27002:2013, and specifies the requirements for an Information Security Management System (ISMS). The standard is widely used as a reference for information security professionals and organizations worldwide.
The standard is part of MDS2 and covered by basebox.


IEC TR 80001-2-2

Application of risk management for IT-networks incorporating medical devices - Part 2-2: Guidance on the application of IEC 80001-1

IEC TR 80001-2-2:2012 is a technical report from the International Electrotechnical Commission (IEC). It guides the application of the risk management principles and processes outlined in IEC 80001-1, a standard for risk management on IT networks incorporating medical devices, to a specific type of medical device system. The report focuses on IT networks in healthcare and mitigating the risk of harm caused by these devices. It is intended as a reference for healthcare providers, medical device manufacturers, and other stakeholders in the field of medical device safety.
The guidelines are part of MDS2 and covered by basebox.


'Quality Assurance at Its Best'

Gerd Dautel
Senior Manager
Regulatory Affairs/Quality Assurance (retired)


General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation of the European Union. GDPR strengthens EU data protection rules and regulates the handling and processing of the personal data of EU citizens. It applies to any company that processes the personal data of EU citizens, regardless of where the company is based. It gives EU citizens greater control over their data, sets out strict rules for companies on how they must handle and protect personal data, and gives citizens the right to access, correct, and delete their data, as well as the right to data portability.

basebox supports any database functionality needed for medical device applications and any other applications handling private information, in support of GDPR compliance (e.g., the change history of individual patient records).

basebox is hosted by you

basebox is a data management system that comes with an integrated database. You can use the built-in database or connect your own. You can host your database at any location.

Regardless of the hosting location of your database, basebox takes care of data management.


Quality Assurance Agreement

A quality assurance agreement (QAA) is a contract between companies such as medical device manufacturers and their suppliers (subcontractors). In these contracts, both parties agree on which obligations the suppliers must fulfill regarding the quality of delivered products and services.

basebox is not a service provider for the production of your product but an off-the-shelf (OTS) backend framework for self-hosting.
We cover the provisions of a quality assurance agreement in the license terms.