Inspection-readiness, wired into the database.

Not a checklist on a slide — controls built into the running system, each one demonstrable in the product. The database, not application code, is what enforces isolation, immutability and the freeze on signed records.

Isolation you can point to

Tenants can't see each other. The database enforces it.

Isolation shouldn't rest on remembering a WHERE clause. Every request runs as a constrained role inside a per-tenant transaction, so row-level security applies to reads and writes alike — even raw queries.

Row-level security, not app trust
The app connects as a non-owner role; each query is bound by the tenant set on the request. A connection with no tenant context reads nothing.
Append-only audit engine
A database trigger writes an immutable row for every insert, update, and delete — and auto-attaches to any new table, so coverage can't drift.
Signed records are frozen
Once a form is e-signed, a trigger blocks further change at the database level — the freeze doesn't depend on application code behaving.
Backups & continuity
Scheduled database backups and export accountability keep the study recoverable and every extraction traceable. For the strictest audit programmes, record hashes can optionally be anchored to a public blockchain — independent, third-party proof of non-tampering.
session · app.tenant_id = sponsor-A
sponsor-A subject A007 · VITAL_SIGNS read ✓
sponsor-A audit_log · seq 48213 read ✓
cro-B subject B012 · DEMOG blocked
cro-B audit_log · seq 90771 blocked
RLS policy: tenantId = current_setting enforced
Compliance, itemized

Each control, demonstrable in the product.

The software supplies technical controls; compliance itself is achieved by your validated deployment and procedures. Here is what the system enforces.

IVDR 2017/746 · ISO 20916Performance-study data model with acceptance criteria, method comparison (Bland–Altman, robust regression, PPA/NPA) and specimen chain of custody — designed around the standard.By design
21 CFR Part 11Electronic signatures with password re-authentication, a signing meaning, and a bound content hash.Enforced
EU Annex 11 · GCPRecord-level freeze on signed data, versioned form definitions, and a database-lock milestone.Enforced
ALCOA+Attributable, legible, contemporaneous, original, accurate — with a complete, immutable audit trail.Enforced
GDPRPseudonymous subject coding, data minimization at capture (e.g. year-only dates), recorded legal basis and consent, and export accountability logging.By design
Access controlPer-study, per-site RBAC with configurable roles, MFA-capable sign-in, and separation of duties.Enforced
Backups & continuityScheduled database backups, versioned form definitions, and a deployment that can be rebuilt from configuration — the study survives the infrastructure.Operated
Blockchain anchoringFor the strictest audit programmes: record and signature hashes anchored to a public blockchain, giving third-party, tamper-evident proof of when data existed — without any personal data leaving the EDC (only hashes are anchored).Optional
100%
of writes attributable — actor, time, reason
0
cross-tenant reads without a tenant context
3
signing controls: re-auth · freeze · hash
IT · EN
bilingual capture for European sites
Show, don't tell

Ask us to demonstrate any control, live.

Every row above can be shown in the running product — from the audit trigger to the RLS policy to the signature hash check.