Inspection-readiness, wired into the database.

Not a checklist on a slide — controls built into the running system, each one demonstrable in the product. The database, not application code, is what enforces isolation, immutability and the freeze on signed records.

Isolation you can point to

Tenants can't see each other. The database enforces it.

Isolation shouldn't rest on remembering a WHERE clause. Every request runs as a constrained role inside a per-tenant transaction, so row-level security applies to reads and writes alike — even raw queries.

Row-level security, not app trust
The app connects as a non-owner role; each query is bound by the tenant set on the request. A connection with no tenant context reads nothing.
Append-only audit engine
A database trigger writes an immutable row for every insert, update, and delete — and auto-attaches to any new table, so coverage can't drift.
Signed records are frozen
Once a form is e-signed, a trigger blocks further change at the database level — the freeze doesn't depend on application code behaving.
Controlled release & export
Production startup requires a validated release identifier, CI evidence and QA approval reference. Server-generated export receipts bind actor, scope, time, row count and output digest.
session · app.tenant_id = sponsor-A
sponsor-A subject A007 · VITAL_SIGNS read ✓
sponsor-A audit_log · seq 48213 read ✓
cro-B subject B012 · DEMOG blocked
cro-B audit_log · seq 90771 blocked
RLS policy: tenantId = current_setting enforced
Compliance, itemized

Each control, demonstrable in the product.

The software supplies technical controls; compliance itself is achieved by your validated deployment and procedures. Here is what the system enforces.

IVDR 2017/746 · ISO 20916Performance-study data model with acceptance criteria, method comparison (Bland–Altman, robust regression, PPA/NPA) and specimen chain of custody — designed around the standard.By design
21 CFR Part 11Unique identities, authenticator step-up, signing meaning/time and a signature bound to the record content hash. Validation and procedures remain required.Technical controls
EU Annex 11 · GCPRecord-level freeze on signed data, versioned form definitions, and a database-lock milestone.Enforced
ALCOA+Attributable, legible, contemporaneous, original, accurate — with a complete, immutable audit trail.Enforced
GDPRPseudonymous subject coding, data minimization at capture (e.g. year-only dates), recorded legal basis and consent, and export accountability logging.By design
Access controlPer-study, per-site RBAC, unique accounts, TOTP MFA and enforced separation of editing and independent review duties.Technical controls
Release & continuityImmutable release archives, owner-only migrations, runtime readiness checks and provider-independent inspection exports. Backup operation and recovery evidence remain deployment responsibilities.Shared responsibility
Audited
regulated writes carry actor, time and required change reason
0
cross-tenant reads without a tenant context
3
signing controls: re-auth · freeze · hash
IT · EN
bilingual capture for European sites
Show, don't tell

Ask us to demonstrate any control, live.

Every row above can be shown in the running product — from the audit trigger to the RLS policy to the signature hash check.