Compliance.

At Traction Guest, we take compliance really seriously.

AAALAC

Section Article: Guide for the Care and Use of Laboratory Animals, p23 and p151


Preventive measures should be considered, including pre-employment screening and physical and information technology security (Miller 2007).

When possible, the animal facility should be located within another structure with its own independent set of security features. Vehicular access should be limited and, when provided, controlled, and monitored.

Security and access control are generally provided in zones, starting at the perimeter with areas of highest security located within other zones. Control measures may consist of security personnel, physical barriers, and control devices.


  • External watch list screening for FDA barred persons
  • Internal watch list screening for known animal rights activists
  • Log of all escorted visitors for investigations

Chemical Facility Anti-Terrorism Standards (CFATS)

Section Article: 6 CFR, Part 27

Links: https://www.federalregister.gov/documents/2015/12/18/2015-31625/chemical-facility-anti-terrorism-standards-personnel-surety-program

https://www.cisa.gov/sites/default/files/publications/cfats-rbps-guidance_508.pdf


Too much to list, but put simply, you need a visitor management system; see the links above.


  • Requires the existence of a visitor management system even at the lowest tiered facilities
  • Ensuring that all visitors are escorted and/or screened against terror watch lists
  • Keep legible records for x amount of years
  • Process for terminated employees and keeping them out of the facility
  • Verify and keep a record of TWIC credential

FDA Food Safety Modernization Act (FSMA)

Section Article: Section 103


  • Preventive Controls.–The owner, operator, or agent in charge of a facility shall identify and implement preventive controls, including at critical control points, if any, to provide assurances that–
    • “(1) hazards identified in the hazard analysis conducted under subsection (b)(1) will be significantly minimized or prevented;
    • “(2) any hazards identified in the hazard analysis conducted under subsection (b)(2) will be significantly minimized or prevented and addressed, consistent with section 420, as applicable; and
    • “(3) the food manufactured, processed, packed, or held by such facility will not be adulterated under section 402 or misbranded under section 403(w).
  • The owner, operator, or agent in charge of a facility shall maintain, for not less than 2 years, records documenting the monitoring of the preventive controls implemented under subsection (c), instances of nonconformance material to food safety, the results of testing, and other appropriate means of verification under subsection (f)(4), instances when corrective actions were implemented, and the efficacy of preventive controls and corrective actions.

  • Maintain a record of everyone who has entered a food space, when they left, and how long they were there
  • Maintain record in legible format for at least 2 years
  • Scan third party watch lists for all FDA and other barred lists
  • Leverage internal watch list to keep out “disgruntled” employees

General Data Protection Regulation (GDPR)

Section Article: Chapter 3 - Rights of the data subject


  • The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
  • Right to be provided personal data collected and not collected from the data subject
  • Right of access by the data subject
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability

  • SOC2 Type 2
  • Auto deletion; retention periods
  • Profile-based reports
  • Data minimization (not holding/sending data without specific purpose)
  • Skip on photo
  • Data residency – visibility and selection by country

Good Laboratory Practice (GLP)

Section Article: CFR Title 21, Part 58
RQA - Good practices


(a) Each individual engaged in the conduct of or responsible for the supervision of a nonclinical laboratory study shall have education, training, and experience, or combination thereof, to enable that individual to perform the assigned functions.

(b) Each testing facility shall maintain a current summary of training and experience and job description for each individual engaged in or supervising the conduct of a nonclinical laboratory study.

(f) Any individual found at any time to have an illness that may adversely affect the quality and integrity of the nonclinical laboratory study shall be excluded from direct contact with test systems, test and control articles and any other operation or function that may adversely affect the study until the condition is corrected. All personnel shall be instructed to report to their immediate supervisors any health or medical conditions that may reasonably be considered to have an adverse effect on a nonclinical laboratory study.

  1. a) Physical security measures should be in place to restrict access to computer hardware, communications equipment, peripheral components and electronic storage media to authorised personnel only. For equipment not held within specific ‘computer rooms’ (e.g., personal computers and terminals), standard test facility access controls are necessary as a minimum. However, where such equipment is located remotely (e.g., portable components and modem links), additional measures need to be taken.

SOPs required: Procedures for security measures used to detect and prevent unauthorised access and programme changes.


  • Record of who enters a lab space
  • Record of training for non-employees in a space
  • COVID-19 health tracking

Good Manufacturing Practice (GMP)

Section Article: 21 CFR Chapter I, Subchapter B, Part 117

Links: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3122044/

https://www.ecfr.gov/cgi-bin/text-idx?SID=3f7125891958b3eb9380856f26065b5c&mc=true&node=pt21.2.117&rgn=div5


Same as GLP – recordkeeping, SOP for Security, etc…


  • Record of who enters a lab space
  • Record of training for non-employees in a space
  • COVID-19 health tracking

International Standards Organization (ISO) 27000

Section Article: ISO 27001, A.11.1.2 Physical Entry Controls
Links: https://www.iso27001security.com/ISO27k_Guideline_on_ISMS_audit_v2.docx


  • Visitors routinely escorted
  • Visitors logged in (room visitors book)
  • Copies of visitor check in/outs maintained for audit

  • Maintain log of all entry/exits
  • Escort required

Sarbanes Oxley Act (SOX)

Section Article: Public Law 107-204

Links: https://www.varonis.com/blog/sox-compliance/

https://pcaobus.org/About/History/Documents/PDFs/Sarbanes_Oxley_Act_of_2002.pdf


SOX requires internal controls to protect computers which house financial records. Auditors often pull access control and visitor logs to see who has access to, who has accessed, and for what reasons, the areas that store financial data, whether on computers (data center) or in hard-copy files.


  • Visitor management system
  • Reports of who entered what
  • Reports of reason for visit

Service Organization Controls Type 2 (SOC2)

Section Article: CC6.4
Links: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html


The entity restricts physical access to facilities and protected information assets (for XYZ, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.


  • Presence of VMS
  • Our own SOC2, Type 2 certification
  • Ability to report out all entries/exits to a space

Transported Asset Protection Association (TAPA)

Section Article: TAPA Facility Requirements (FSR) 2017
Links: https://tapa.memberclicks.net/assets/docs/Standards/2017-Standards/tapa_fsr_2017_final%20march%202017.pdf


Access at visitor entry point(s) controlled by an employee/guard/receptionist that has been trained on badge issuance, controls, logging, visitors, escort requirement, etc. (process in place for visits outside operational hours).

3.1.4 All visitors identified using government-issued photo-ID (e.g. driver’s license; passport or national ID card, etc.).

3.1.5 All visitors registered and log maintained for minimum of 30 days.

3.1.6 All visitor badges must be reconciled as the visitor leaves the premises and the full log checked daily.

3.1.7 All visitors visibly display badges or passes and are escorted by company personnel.

3.1.8 Visitor policy documented.


  • Presence of VMS
  • ID checking
  • Process for after-hours visits (kiosk mode)
  • Visitor badge reconciliation
  • Visitor pass printing
  • Driver and manifest information

United States Department of Agriculture (USDA) & Food Safety & Inspection Service (FSIS)

Section Article: FSIS Security Guidelines for Food Processors

Links: https://www.fsis.usda.gov/wps/wcm/connect/457116c6-dccb-494a-a419-62d07d4123a4/PHVv2Homeland_Food_Security-Security_Guide.pdf?MOD=AJPERES

https://www.fsis.usda.gov/wps/wcm/connect/63b6a057-ee99-41a0-813a-557cfb7f1c05/Slaughter_Plant_Checklist.pdf?MOD=AJPERES


  • Visitor vehicles placarded and registered
  • Visitors restricted to non-product areas unless escorted
  • Visitors identified in some manner at all times while on premises
  • Visitors restricted in what they can bring inside with them

  • Vehicle registrations
  • Visitor badge issuance with ESCORT required
  • Escort required
  • Waivers shown to visitors on entry
  • Pre-registration (for deliveries)