Quality Policy

Applicable from 28/11/2023

The Quality Management System is based on customer requirements and the applicable International Standard ISO 13485:2016.

“The Quality Management System is based on customer requirements and applicable regulatory requirements.

Cystotech develops and distributes software as medical devices (SaMD) that are safe and provide outstanding customer satisfaction while meeting all applicable regulations. At Cystotech, we are committed to providing AI-based support for treatment decisions in bladder cancer and to fulfilling customer requirements and user needs to enhance patient outcomes by ensuring the effectiveness of our Quality Management System through the application of a risk-based approach, competent and committed employees and the establishment of ambitious Quality Objectives focusing on meeting regulatory requirements and customer expectations, efficient processes, operational excellence, and continuous improvements of Cystotech employees, products and processes through continual monitoring and regular Management Reviews to ensure continued suitability”.

Risk Management Policy

Applicable from 30/08/2024

This policy has been established and applied for the evaluation of risks and residual risks associated with the medical devices manufactured by Cystotech to ensure that the medical devices have a high level of safety consistent with stakeholder expectations.

This policy applies to all persons and activities involved in establishing, reviewing, updating, and approving the criteria for risk acceptability in risk management plans for medical devices designed, developed and manufactured by Cystotech for commercial distribution.

To ensure continual applicability and continued consideration of the generally acknowledged state of the art, international standards relevant for the particular type of medical device, including standards for testing of specific properties with approval/rejection limits, are regularly assessed for inclusion in or modification of the acceptability criteria. Knowledge acquired through post-market surveillance, including best practices in technology, results of accepted scientific research, publications from authorities, and validated concerns from stakeholders of the medical device or similar medical devices regarding safety and security, is also included.

Specific to AI systems, the organization addresses potential risks such as bias in AI-aided decision-making and data characteristics during the development of machine learning models. Any suspected bias is investigated, documented, and mitigated as necessary to ensure fairness and accuracy in outcomes.

To protect and safeguard customer, client, patient, and company data against cyber attacks, comprehensive cybersecurity measures are implemented and continuously updated.

Through the application of risk management, risks are reduced as far as possible without adversely affecting the overall safety and effectiveness of the medical device. Consideration is given to whether identified risk control measures are technically practicable and whether such measures would reduce the risk without impacting the intended use or the benefit of the medical device.

This risk management policy is reviewed for continued suitability at Management Review Meetings.

Vulnerability Disclosure Policy

Applicable from 03/09/2024

At Cystotech, we are dedicated to ensuring the security and integrity of our software as a medical device (SaMD) products. We believe that collaboration with the security community is essential to achieving this goal and are committed to working transparently and responsibly with all stakeholders.

Scope: This policy applies to all Cystotech SaMD products and services. We welcome reports on any potential vulnerabilities, including, but not limited to, issues related to data security, unauthorized access, or software malfunctions.

Safe Harbor: We are committed to protecting those who report vulnerabilities in good faith. Reporters will not face legal action or penalties for their disclosure, provided they adhere to the guidelines of this policy.

Reporting Process: If you identify a potential security vulnerability, please report it through our Support portal. Include detailed information to help us understand and address the issue effectively.

Preferences: This policy is a living document and will be updated as needed to reflect our evolving priorities and preferences. We prioritize vulnerabilities based on their potential impact, severity, and likelihood of exploitation. Communication with reporters will be handled respectfully and transparently, ensuring they are informed about the status of their reports.

Thank you for helping us protect our products and the patients who rely on them.