
SC.11 — Physical and Environmental Security

System: AI Connectors Platform
Last updated: 2026-04-29

This document describes how the AI Connectors platform fulfils the SC.11 control category.


Control Attestation Table

| Control | Description | Status | Evidence |
|---|---|---|---|
| SC.11.01–SC.11.02 | Place components in physically secure locations | Compliant — inherited from AWS | AWS SOC 2 Type II, ISO 27001, AWS compliance documentation available via AWS Artifact |
| SC.11.03 | Ensure similar protection for hosted/cloud infrastructure | Compliant — inherited from AWS | AWS maintains ISO 27001/27002, SOC 2, and annually renewed certifications. AWS Customer Agreement includes audit rights. Access via AWS Artifact. |

Security Controls Reference

CTRL0537489 — SC.11.01–SC.11.02: Place components in physically secure locations

Control Text: Place components, such as servers, computers acting as servers, firewalls, routers, switches and patch panels, in an appropriate physical location with appropriate security measures such as entry control, fire protection, cooling and protection against flooding.

Applicability: Basic IT security requirement.

Additional Description

Business-critical IT solutions and network equipment should be housed in secure areas protected by defined security perimeters with appropriate security barriers and entry controls. Information processing facilities should be protected from unauthorized access, damage, and interference at all times.

Key considerations:

- Apply a combination of physical and logical access controls to protect IT equipment from unauthorised access.
- Terminate cables directly at devices, avoiding patch connectors when possible, to mitigate malicious control over connections.
- Access to data centres hosting clinical trial data should be controlled by two-factor authentication.
- Where availability requirements are high, consider multiple physical data centres at sufficient distance from each other so that physical incidents (fire, flooding) do not affect all locations simultaneously.

Relevant standards and certifications for physical security best practices: ISO 27001/27002, ISAE 3402, SSAE 16 SOC2, Uptime Institute Tier III/IV, ANSI/TIA-942.

Ensure that the supplier renews their audit or certification annually. Audit reports or client versions should be provided to Novo Nordisk upon request, and Novo Nordisk must have the right to audit data centres where its data is stored.

Detailed Description

The AI Connectors platform fulfils SC.11.01–SC.11.02 by inheriting all physical security responsibilities from AWS, with no physical infrastructure owned or managed by the AI Connectors team. All platform components run on AWS ECS Fargate in the eu-central-1 (Frankfurt) region, where AWS operates data centres with multi-layer biometric access control, 24/7 security staff, CCTV monitoring, fire suppression, flood protection, and redundant environmental controls. AWS maintains ISO 27001 certification (including Annex A.11 physical security controls) and SOC 2 Type II attestation, both of which are renewed annually and accessible to Novo Nordisk via AWS Artifact. This cloud-only architecture ensures that physical security is fully delegated to a certified, audited cloud provider with the resources and expertise to maintain industry-leading data centre security.

Implementation Considerations


CTRL0537525 — SC.11.03: Ensure similar protection for hosted/cloud infrastructure

Control Text: Ensure similar protection if hosted at an IT supplier/cloud provider.

Applicability: The IT Solution is relying on IT supplier(s).

Additional Description

If the IT solution is hosted with a different vendor (cloud, "as a service" arrangements), ensure that appropriate physical security controls are included in a binding agreement with the supplier. The IT solution owner remains solely responsible for the physical security of the IT solution.

Relevant standards and certifications for physical security best practices: ISO 27001/27002, ISAE 3402, SSAE 16 SOC2, Uptime Institute Tier III/IV, ANSI/TIA-942.

Ensure that the supplier renews their audit or certification annually. Audit reports or client versions should be provided to Novo Nordisk upon request, and Novo Nordisk must have the right to audit data centres where its data is stored.

Detailed Description

The AI Connectors platform fulfils SC.11.03 by hosting all infrastructure with enterprise cloud providers (AWS for compute/storage/networking, Microsoft for identity/collaboration) that maintain binding agreements with Novo Nordisk covering physical security obligations, audit rights, and data protection. Both AWS and Microsoft maintain ISO 27001, SOC 2 Type II, and additional physical security certifications that are renewed annually, with compliance reports accessible to Novo Nordisk via AWS Artifact and Microsoft Compliance Manager respectively. The AI Connectors team remains responsible for ensuring supplier compliance through contractual obligations, annual verification of renewed certifications, and supplier risk management reviews. All infrastructure remains within the EU (eu-central-1 for AWS, EU region for Microsoft), ensuring consistent physical security protections aligned with SC.11 requirements.

Implementation Considerations