What is basebox?

For Quality & Regulatory Professionals

basebox is compliant with regulatory quality requirements, especially those for medical devices. However, basebox is ready for all other sensitive sectors, too, and it complies with cybersecurity guidelines as well.
To support your certification process, all documents for your audit are completed and available for download.
All Documents Filled Out.
Just Download and Go.

Considered Standards and Guidelines

Software manufacturers typically do not publish their technical documentation, but basebox wants to establish trust and support compliance on the customer side by being transparent. That's why the technical documentation of basebox is published as applicable for an OTS (off-the-shelf) component. The following list provides an overview of the standards and guidelines that were reviewed and considered during the development of basebox and that were used to create the technical documentation.

Software Development

IEC 62304 Medical device software - Software life-cycle processes

IEC 62304 is the international standard for the development of medical device software. It provides a process and requirements for developing, testing, and maintaining software used in medical devices. It covers the entire software life cycle, from requirements to post-market surveillance, and is intended to ensure that the software is safe and effective for its intended use.

basebox development considered the requirements of IEC 62304 as applicable to an OTS component, for instance by:

  • Establishing user and software requirements,
  • Transforming those into an architecture,
  • Applying coding rules,
  • Running automated tests before any commit and for all builds.


IEC 81001-5-1 Health software and health IT systems safety, effectiveness and security — Part 5-1: Security — Activities in the product life cycle

The cybersecurity standard IEC 81001-5-1 focuses on IT security in the software life cycle and supplements IEC 62304 with cybersecurity specific requirements.

basebox applied the principles of security by design from IEC 81001-5-1 where applicable for an OTS component, for instance by:

  • Performing threat modeling,
  • Implementing security controls,
  • Having penetration testing executed by a certified third party,
  • Using Rust as the secure programming language,
  • Issuing an MDS2 form.

By considering IEC 81001-5-1, most of the requirements from MDCG 2019-16 (Guidance on Cybersecurity for medical devices) are covered as well. Relevant controls from NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) were also considered during the development of basebox.


Risk Management

ISO 14971 Medical devices - Application of risk management to medical devices

ISO 14971 is an international standard that provides requirements for the risk management of medical devices. It outlines a process for identifying, analyzing, evaluating, controlling, and monitoring the risks associated with medical devices throughout their life cycle, with the goal of ensuring they are safe and effective for their intended use.

Since basebox is not a medical device and therefore has no Intended Use, ISO 14971 does not apply to basebox. However, basebox incorporates cybersecurity controls to protect against cyber threats that may lead to a health risk or privacy issues. The technical documentation also comprises the list of known anomalies, which the medical device manufacturer may use as an input to the risk analysis performed for the final medical device.

General Quality Management

ISO 13485 Medical devices - Quality management systems - Requirements for regulatory purposes

ISO 13485 is an international standard that sets out requirements for a quality management system (QMS) specific to the medical device industry. It is designed to help organizations ensure that their medical devices are safe, effective, and of high quality by establishing a framework for managing medical device design, development, production, installation, and servicing. Organizations that are certified to this standard demonstrate that they have a robust QMS in place and are committed to meeting the needs of their customers and regulatory requirements.

basebox, the company, is not a legal manufacturer of medical devices but is planning to establish an ISO 13485-based quality management system.

"Quality Assurance at its Best"

Gerd Dautel
Senior Director
Regulatory Affairs/Quality Assurance (retired)


General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation of the European Union. GDPR strengthens EU data protection rules and regulates the handling and processing of the personal data of EU citizens. It applies to any company that processes the personal data of EU citizens, regardless of where the company is based. It gives EU citizens greater control over their data, sets out strict rules for companies on how they must handle and protect personal data, and gives citizens the right to access, correct, and delete their data, as well as the right to data portability.

basebox supports any database functionality needed for medical device applications and for any other applications handling private information, in support of GDPR compliance (e.g., the history of single patient records).

basebox is hosted by you

basebox is a data management system that comes with an integrated database. You can use the built-in database or connect your own. You can host your database at any location.

Regardless of where your database is hosted, basebox takes care of data management.


Quality Assurance Agreement

A quality assurance agreement (QAA) is a contract between companies such as medical device manufacturers and their suppliers (subcontractors). In these contracts, both parties agree on which obligations the suppliers must fulfill regarding the quality of delivered products and services.

basebox is not a service provider for the production of your product, but an off-the-shelf (OTS) backend framework for self-hosting.
We therefore cover the provisions of a quality assurance agreement in the license terms.