X-Fly Feature: Compliance and Data Privacy Controls
In pharma, compliance is not a feature you add to a platform — it is a foundation you build on. X-Fly was designed with this principle at its core. Every compliance and data privacy control in X-Fly is architectural, meaning it operates automatically regardless of individual user behaviour. Compliance teams do not need to rely on field teams making the right choices; the platform enforces the right outcomes by default.
X-Fly Compliance Architecture
- Granular user permissions — field-level control over who sees, edits, and exports which data
- Functional firewalls — automatic medical-commercial data separation, always enforced
- Sensitive-word detection — automatic flagging of content that requires compliance review
- Multi-step review workflows — approval required before insights cross functional boundaries
- GDPR-aligned data privacy controls — minimisation, retention, erasure, and consent built in
- Full audit trails — complete log of every user action for regulatory review
Six Compliance Capabilities in Detail
🔒 Granular User Permissions
X-Fly operates on a field-level permission model — administrators can specify precisely which data fields, insight categories, and functions each user role can view, edit, comment on, or export. This granularity ensures that the right people have exactly the access they need and no more, without requiring manual review of every data access request.
🚫 Functional Firewalls
The functional firewall is X-Fly's primary architectural compliance control. It automatically enforces separation between medical affairs and commercial data flows — preventing commercial users from accessing medical insights that have not been explicitly approved for cross-functional sharing. This separation is not a toggle setting; it is hardcoded into the platform's data architecture and cannot be bypassed by user action.
Why it matters: Many pharma compliance breaches arise not from malicious intent but from inadequate technical controls. If a commercial user can access an MSL's notes about an off-label HCP query because the CRM does not enforce functional separation, the organisation is exposed — regardless of its SOPs.
🔎 Sensitive-Word Detection
X-Fly scans every incoming insight for terms and phrases defined by the organisation as requiring compliance review — adverse event references, off-label discussion indicators, commercially sensitive competitor claims, and any other organisation-defined trigger terms. When a sensitive word is detected, the insight is automatically routed to a compliance review queue and withheld from normal publishing and escalation workflows until reviewed and approved.
✅ Multi-Step Review and Approval Workflows
Before any insight crosses a functional boundary — from medical affairs to commercial, from field team to leadership distribution, from internal to external stakeholder — it can be required to pass through a configurable approval workflow. Review steps, approvers, and escalation paths are all configurable per organisation, per region, and per insight type.
🌐 GDPR and Regional Data Privacy Controls
X-Fly includes built-in data privacy controls aligned with GDPR and applicable regional regulations — covering data minimisation (capture only what is necessary), retention policies (automatic archiving or deletion after defined periods), right to erasure (individual HCP data removal on request), and consent management. These controls are backed by VML Health Platforms' enterprise-grade data governance framework as part of WPP.
📄 Full Audit Trails
X-Fly maintains a complete, timestamped log of every user action — who captured, viewed, edited, approved, shared, exported, or deleted each insight, and when. Audit trails are accessible to compliance administrators at any time and can be exported for regulatory submissions or internal investigation purposes.
Compliance by Design vs Compliance by Configuration
| Approach | How It Works | Risk Level |
|---|---|---|
| Compliance by user behaviour (CRM add-on approach) | Users are trained to follow SOPs; the platform does not enforce controls technically | High — dependent on every user making correct choices every time |
| Compliance by configuration (some platforms) | Compliance settings are available but must be turned on and maintained by administrators | Medium — dependent on correct initial setup and ongoing maintenance |
| Compliance by architecture (X-Fly) | Compliance controls are built into the platform foundation and operate automatically regardless of user action | Low — compliance enforced technically, not behaviourally |
Frequently Asked Questions
Can X-Fly handle adverse event (AE) flagging requirements?
X-Fly's sensitive-word detection and review workflows are designed to ensure that field-captured insights containing potential AE references are flagged and routed for appropriate review before escalation. While X-Fly is an insights management platform rather than a pharmacovigilance system, it integrates with the organisation's broader safety reporting infrastructure to ensure complete audit trails and timely routing of AE-relevant information.
Is X-Fly suitable for use in multiple regulatory jurisdictions?
Yes. X-Fly is deployed across 80+ countries and its data privacy and compliance controls can be configured per region to reflect local regulatory requirements — including GDPR in Europe, HIPAA considerations in the United States, PDPA in Asia-Pacific, and other applicable regional frameworks.