Keystone
by CloudVoro
Try the sandboxTalk to us →
BRCGS Issue 9

Traceability software built for BRCGS Issue 9.
Designed against §3.9 / §3.11. Tested in real audits.

BRCGS Issue 9 raised the bar on traceability. §3.9 demands a verified system that links inputs to outputs end-to-end. §3.11 demands traceability tests at frequencies you specify, with documented results. Keystone is built to make both painless.

  • Designed against BRCGS Issue 9 §3.9 / §3.11 traceability clauses
  • Mock-recall in 90 seconds — signed PDF for audit
  • Both directions: upstream supplier chain + downstream customer chain
  • Audit-trail of every traceability test run
What §3.9 and §3.11 actually require

The shorthand BRCGS auditors actually look for.

§3.9 — your traceability system must link inputs (raw materials, packaging, primary processing aids) to outputs (finished goods), in both directions, with a defined response time. §3.11 — you must test the system at documented intervals, with results retained. Most producers fail not because they can't trace, but because they can't prove the test was run and the result was correct.

How Keystone maps to the clauses

Clause-by-clause coverage.

§3.9.1 — Identification of incoming materials
Supplier deliveries are first-class entities; every batch is linked to the deliveries that fed it.
§3.9.2 — Identification of finished products
Every dispatch line carries its batch ID. Reverse-trace works from any customer reference.
§3.11 — Traceability tests
Built-in mock-recall feature with scheduled prompts and signed-PDF output.
§3.11.3 — Test result records
Every test logged with who, when, target trace time, actual trace time, result.
FAQ

Questions buyers actually ask.

Is Keystone a BRCGS-approved software?
BRCGS does not currently issue "approved software" certifications for traceability systems — they audit the producer's outcomes. Keystone is designed against Issue 9 clauses and we're happy to walk an auditor through the system on a discovery call.
What about BRCGS Issue 10?
Issue 10 is currently in consultation. We monitor BRCGS draft revisions and update the platform ahead of effective dates.
Do you provide audit-prep support?
Yes — included in Standard implementation. We'll run a mock audit on your live data 30 days before your BRCGS visit.
Can we restrict who can run a recall test?
Yes — role-based access. Recall execution is typically restricted to QA Manager + nominated deputy.

Ready to see if Keystone fits your floor?

20-minute discovery call. No sales pitch. Written scope within 48 hours if we fit — referral to someone better if we don't.

Talk to us
Compliance & trust

How we keep your
data and your audits safe.

We are honest about what's certified and what's in progress. Anything marked "in progress" reflects active work towards a recognised standard — never marketing decoration. Privacy queries go to privacy@cloudvoro.com. Sub-processor list at /legal/sub-processors. Full security posture at /site/security.

Live
Hosted in EU / Ireland
Customer data resides on AWS Ireland (eu-west-1) — never leaves the EU.
Live
GDPR · Privacy Contact named
Internal Data Protection Lead handles subject access requests. Owner is ADPO Ireland member.
In progress
NIS2 · building toward readiness
Tenant isolation, audit trails and MFA support customers in NIS2 scope. CloudVoro itself is below the size threshold; not yet certified.
In progress
ISO 27001 · alignment
We map our controls to Annex A but hold no third-party certificate. Formal certification on the 2026 roadmap.
In progress
Cyber Essentials · planned
UK Cyber Essentials assessment is on our roadmap. We will name the assessing body (IASME) and a confirmed date here once scoped.
Live
Encryption · at rest & in transit
TLS 1.3 in transit, industry-standard symmetric ciphers at rest, KMS-managed keys.