Compliance Foundation

We adhere to the specific binding regulations that govern our clients in the US and EU, utilizing globally accepted frameworks that auditors expect to see.

Regulatory Standards

Regulatory framework diagram showing 21 CFR Part 11, EU Annex 11, GAMP 5, ALCOA+, and ISO standards

United States (FDA)

21 CFR Part 11: Electronic Records; Electronic Signatures. Addressed by step-up authentication at the moment of signing (the signature controls of 11.200, the "willful act") and by tamper-evident chronological audit trails held in cryptographically enforced WORM vault storage.

21 CFR 211.68: Automatic, Mechanical, and Electronic Equipment (Pharma). Covers input/output verification and data backup; backups are held in cryptographically enforced WORM vault storage.

21 CFR Part 820.70(i): Automated Processes (Medical Devices). "When computers are used as part of production... the manufacturer shall validate computer software for its intended use." (The core mandate for ValidKeep).

European Union (EMA)

EudraLex Vol 4, Annex 11: Computerised Systems. The EU equivalent of Part 11. Specifically addresses "Audit Trails" and "Security."

GDPR: General Data Protection Regulation. Addressed via Geo-Fenced Data Residency (EU residency) and Compliant Privacy Redaction (Article 17, the right to erasure, commonly called the right to be forgotten).

Industry Frameworks & Standards

ISPE GAMP® 5

A Risk-Based Approach to Compliant GxP Computerized Systems. We treat qualified infrastructure providers as Category 1 (Infrastructure) and the ValidKeep App as Category 5 (Custom Application).

ALCOA+

Data Integrity Principles: Attributable, Legible, Contemporaneous, Original, Accurate (+ Complete, Consistent, Enduring, Available).

ISO/IEC 27001

Information Security Management. Our qualified infrastructure providers hold ISO 27001 certification and supply SOC 2 Type II reports; we inherit their physical and platform controls under a shared-responsibility model. A provider's certificate does not extend to the application built on it, so our own application-layer controls are documented and tested separately.

ISO 14971

Application of Risk Management to Medical Devices. Applied via our FMEA (Failure Mode and Effects Analysis) on spreadsheet logic.

ICH Q9

Quality Risk Management. Defines our decision logic for what requires PQ vs. what requires only OQ.

AI Governance

EU AI Act (2024)

The world's first comprehensive AI law. Classifies AI by risk.

FDA: AI/ML-Based SaMD (Action Plan)

Focuses on "Good Machine Learning Practice" (GMLP) for medical devices.

GAMP 5 (2nd Ed) - Appendices D11 and M12

Artificial Intelligence and Machine Learning (Appendix D11) and Critical Thinking (Appendix M12).

ISO/IEC 42001

AI Management Systems (AIMS).

NIST AI Risk Management Framework (AI RMF 1.0)

US Standard for managing AI Trustworthiness.

FDA: Computer Software Assurance (CSA)

Draft guidance that scales assurance activities to risk, favouring critical thinking and unscripted testing over exhaustive scripted documentation.

Infrastructure Qualification

Infrastructure qualification diagram showing qualified infrastructure components, serverless compute, object storage, and configuration management systems

We do not validate the cloud; we qualify it as a vendor.

Our infrastructure providers are approved critical vendors with documented evidence of compliance: SOC 2 Type II reports, ISO 27001 certificates and PCI DSS Level 1 attestation. The providers behind our version control and artifact management likewise supply SOC 2 Type II reports.

We maintain formal vendor qualification documentation that auditors can review. The qualification covers the provider's own controls; the configuration we apply on top of them (retention locks, region pinning, access policies) is ours to specify, verify and keep under change control, and is recorded in the Configuration Specification and Infrastructure Design Spec and checked in the IQ. For detailed information about our qualified infrastructure providers, see our Products page.

Validation Methodology (V-Model, IQ / OQ / PQ)

We follow the industry-standard V-Model for software validation. Each specification has a corresponding test.

Validation Deliverables Structure

When organizations engage ValidKeep, they receive the complete document stack:

Level 1: Planning

Validation Plan (VP), Risk Assessment (FMEA)

Level 2: Specification

User Requirements Specification (URS), Functional Specification (FS), Configuration Specification (CS), Infrastructure Design Spec (IDS)

Level 3: Verification

Installation Qualification (IQ), Operational Qualification (OQ), Traceability Matrix (RTM)

Level 4: Performance & Release

Performance Qualification (PQ) Protocol, Validation Summary Report (VSR) with Independent Quality Unit signature

Level 5: Operations

System Administrator SOP, Backup & Disaster Recovery SOP, Periodic Review Policy

Regulatory Compliance (21 CFR Part 11 / Annex 11)

The core legal requirements for Electronic Records and Signatures.

21 CFR 11.10(e) - Audit Trails

Tamper-Evident Chronological Audit Trail
A system-generated, immutable record of every create, modify or logical-delete action, retaining the prior value rather than overwriting it. Timestamps come from a centralized time authority, so client-side clock drift or manipulation cannot reorder or backdate entries.
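How a trail like this is made tamper-evident, as an added example (not ValidKeep's code; the entry schema, the in-memory store and the injectable `Clock` are assumptions for illustration): each entry is SHA-256 hashed over its content and the hash of its predecessor, the timestamp is taken from the server-side clock, and a verifier replays the chain so that an edited, removed or backdated entry is reported at the first broken link.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one record in an append-only, hash-chained audit trail.
// The field set is a hypothetical schema for this example.
type AuditEntry struct {
	Seq      uint64    `json:"seq"`
	At       time.Time `json:"at"`        // stamped by the server clock, never the client
	Actor    string    `json:"actor"`
	Action   string    `json:"action"`    // create | modify | delete (logical delete only)
	RecordID string    `json:"record_id"`
	Before   string    `json:"before"`
	After    string    `json:"after"`
	PrevHash string    `json:"prev_hash"` // hash of the previous entry ("" for the first)
	Hash     string    `json:"hash"`      // SHA-256 over every field above
}

// Clock is the centralized timestamp authority; a func so tests can inject one.
type Clock func() time.Time

// AuditTrail is the in-memory chain. In production the entries would be written
// to WORM storage as they are produced; the verification logic is the same.
type AuditTrail struct {
	entries []AuditEntry
	now     Clock
}

func NewAuditTrail(now Clock) *AuditTrail { return &AuditTrail{now: now} }

// Entries returns a copy, so callers cannot alter the trail in place.
func (t *AuditTrail) Entries() []AuditEntry { return append([]AuditEntry(nil), t.entries...) }

// entryHash hashes the canonical JSON of the entry with Hash blanked. encoding/json
// writes struct fields in declaration order, so the encoding is deterministic.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append stamps the event with the central clock and links it to its predecessor.
// Editing, reordering or backdating any earlier entry changes its hash and so
// breaks every PrevHash after it.
func (t *AuditTrail) Append(actor, action, recordID, before, after string) (AuditEntry, error) {
	at := t.now().UTC()
	prevHash := ""
	if n := len(t.entries); n > 0 {
		last := t.entries[n-1]
		if at.Before(last.At) {
			return AuditEntry{}, errors.New("central clock moved backwards; refusing to append")
		}
		prevHash = last.Hash
	}
	e := AuditEntry{
		Seq: uint64(len(t.entries)) + 1, At: at, Actor: actor, Action: action,
		RecordID: recordID, Before: before, After: after, PrevHash: prevHash,
	}
	e.Hash = entryHash(e)
	t.entries = append(t.entries, e)
	return e, nil
}

// Verify replays the chain (for example on export from the WORM vault) and
// reports the first entry whose sequence, link, timestamp order or content is wrong.
func Verify(entries []AuditEntry) error {
	prevHash := ""
	var lastAt time.Time
	for i, e := range entries {
		switch {
		case e.Seq != uint64(i)+1:
			return fmt.Errorf("entry %d: sequence gap (entry removed or inserted)", i)
		case e.PrevHash != prevHash:
			return fmt.Errorf("entry %d: prev_hash does not match predecessor", i)
		case e.At.Before(lastAt):
			return fmt.Errorf("entry %d: timestamp earlier than predecessor", i)
		case entryHash(e) != e.Hash:
			return fmt.Errorf("entry %d: content altered after hashing", i)
		}
		prevHash, lastAt = e.Hash, e.At
	}
	return nil
}

func main() {
	trail := NewAuditTrail(time.Now)
	trail.Append("operator1", "create", "BR-2024-001", "", "batch_size=100") // constructed sample events
	trail.Append("reviewer1", "modify", "BR-2024-001", "batch_size=100", "batch_size=120")
	fmt.Println("intact:", Verify(trail.Entries()))
	tampered := trail.Entries()
	tampered[0].After = "batch_size=999" // silent edit of an earlier entry
	fmt.Println("tampered:", Verify(tampered))
}
```

The chain only proves that nothing was altered after the hash was computed; it is the WORM copy of the entries (and, if wanted, a periodic signed checkpoint of the latest hash) that stops someone with write access from simply regenerating the whole chain.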

21 CFR 11.10(c) - Record Retention

Cryptographically Enforced WORM Vault
Records and evidence are stored in a Write-Once-Read-Many (WORM) state. Deletion or overwriting is prevented by the storage layer's retention lock for the mandated retention period, not by application code, so an application bug or a compromised application credential cannot remove evidence. The control is only as strong as the lock mode: it must be one that administrators cannot shorten or lift before the retention period ends.

21 CFR 11.50 - Signature Manifestations

Database-Level Electronic Signatures
Signatures are cryptographically bound to the specific record version in the immutable ledger together with the signer's printed name, the date and time of signing, and the meaning of the signature (the elements 11.50 requires in any display or printout). Reports generate dynamic Human-Readable Renditions that verify validity in real time against the central ledger.
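What "cryptographically bound" means in practice, as an added example (not ValidKeep's code; the `Record` and `Manifestation` shapes and the locally generated Ed25519 key, standing in for a per-user key held server-side or in an HSM, are assumptions for illustration): the signer, timestamp and meaning are signed together with a hash of the exact record version, and the verifier re-hashes the record the viewer is looking at, so a later edit, a manifestation copied onto another record, or a changed meaning all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Record is the electronic record being signed; hypothetical shape for this example.
type Record struct {
	ID      string `json:"id"`
	Version int    `json:"version"`
	Content string `json:"content"`
}

// Manifestation holds the 11.50 elements (printed name, date/time, meaning) plus the
// hash of the exact record version signed and the signature over all of it.
type Manifestation struct {
	Signer     string    `json:"signer"`
	SignedAt   time.Time `json:"signed_at"`
	Meaning    string    `json:"meaning"` // "Approved", "Reviewed", "Authored", ...
	RecordID   string    `json:"record_id"`
	RecordHash string    `json:"record_hash"`
	Signature  string    `json:"signature"` // hex Ed25519 signature over the other fields
}

// recordHash is the canonical SHA-256 of the record; encoding/json writes struct
// fields in declaration order, so the encoding is deterministic.
func recordHash(r Record) string {
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signingPayload is the manifestation with the signature blanked: signer, time and
// meaning are signed together with the record hash, so none of them can be swapped.
func signingPayload(m Manifestation) []byte {
	m.Signature = ""
	b, _ := json.Marshal(m)
	return b
}

// Sign is called only after the signer has passed step-up authentication (11.200);
// the private key stands in for a per-user key held server-side or in an HSM.
func Sign(priv ed25519.PrivateKey, signer, meaning string, r Record, at time.Time) Manifestation {
	m := Manifestation{
		Signer: signer, SignedAt: at.UTC(), Meaning: meaning,
		RecordID: r.ID, RecordHash: recordHash(r),
	}
	m.Signature = hex.EncodeToString(ed25519.Sign(priv, signingPayload(m)))
	return m
}

// Verify is what a human-readable rendition or audit link runs: it re-hashes the
// record the viewer is looking at and checks the signature with the signer's key.
func Verify(pub ed25519.PublicKey, m Manifestation, current Record) error {
	if m.RecordID != current.ID || m.RecordHash != recordHash(current) {
		return errors.New("manifestation does not cover this record version")
	}
	sig, err := hex.DecodeString(m.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, signingPayload(m), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := Record{ID: "SOP-017", Version: 3, Content: "Calibrate balance weekly"} // constructed sample
	m := Sign(priv, "J. Doe", "Approved", rec, time.Now())
	fmt.Println("as signed:", Verify(pub, m, rec))
	rec.Version, rec.Content = 4, "Calibrate balance monthly" // record edited after signing
	fmt.Println("after edit:", Verify(pub, m, rec))
}
```

Because the record hash is part of the signed payload, a new version of the record needs a new signature; the old manifestation stays valid for the old version, which is exactly the history an auditor expects to see.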

21 CFR 11.200 - Willful Act of Signing

Step-Up Authentication Enforcement
Critical actions require immediate re-authentication (MFA or password) at the moment of signing, distinct from the initial session login, so that a signature is an act the signer performed deliberately and cannot be produced by an unattended or hijacked session.

21 CFR 11.10(g) - Authority Checks

Granular Role-Based Access Control (RBAC)
Permissions are enforced at the network edge and must be re-checked by the application before any record is read, altered or signed: 11.10(g) requires the authority check to gate the operation itself, so edge enforcement on its own does not satisfy it. Access rights are explicitly defined for Operators, Reviewers and Quality Admin roles.

Validation & Quality Assurance

Addressing GAMP 5, V-Model, and Calculation Accuracy.

Scaling Risk Prevention

Parametric Risk Engine
Critical Process Parameters (CPPs) and their limits are configuration-managed. The system rejects inputs (e.g., batch sizes) that fall outside the validated range rather than processing them and flagging them afterwards.

Confirmatory Testing

Confirmatory Performance Mode (PQ)
A dedicated production state that enforces comparison of software calculations against physical lab results (Assays) to validate the model in the real world before general release.

Operational Qualification (OQ)

Robotic Verification Agents (OQ)
Automated testing agents execute functional test scripts against every build, capturing objective evidence (screenshots/logs) for every requirement.

Traceability

Automated Traceability Matrix
Dynamically generated documentation linking every User Requirement directly to specific Test Scripts and execution results.

Independent Oversight

Dual-Lock Quality Assurance
Validation packages are subjected to independent review and sign-off by a Certified Quality Auditor (CQA) distinct from the development team.

Technical Integrity

Leveraging Git and Hashing for mathematical certainty.

Configuration Management

Cryptographic Configuration Control
Every software build is identified by its Git commit hash, a SHA-1 fingerprint of the source snapshot. Comparing the identity of the deployed bundle against the validated baseline detects any drift. Two caveats apply: SHA-1 is no longer collision-resistant, so the built artifact should also be pinned by a SHA-256 digest, and a commit hash identifies the source, not the build output, so the digest of the artifact that actually ships is what the IQ should record.

Code Provenance

Code Provenance Verification
Each commit is digitally signed by its author at the source and must pass enforced peer-review gates before merging. A signature is evidence of provenance only if the merge gate verifies it against the author's registered key, which is where the check belongs, rather than merely requiring a review.

Software Integrity

Frozen Artifact Deployment
Application code and dependencies are locked into a static, versioned bundle. The system runs on a 'Known Good' snapshot that cannot be altered at runtime.

Enterprise Security & Identity

Addressing CISO concerns, GDPR, and Access Control.

User Deprovisioning (Kill Switch)

Automated Identity Governance (SCIM)
Supports System for Cross-domain Identity Management (SCIM) for real-time, zero-touch access revocation synchronized with central directories (Okta, Entra ID). Revocation is a kill switch only if deactivation also terminates the user's live sessions and tokens, not merely blocks the next login.
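A minimal SCIM deprovisioning endpoint, as an added example (not ValidKeep's code; the in-memory `Directory`, the bearer token and the URL path are assumptions for illustration): on a SCIM PatchOp that sets `active` to false, the account is disabled and every live session is revoked in the same step, and the handler accepts the two value shapes identity providers commonly send for that operation (a `path` of `active` with a boolean or string value, or a value object containing `active`).

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"sync"
)

// Directory is the application-side user store. It indexes live sessions by user so
// a deprovisioning event can revoke them at once instead of only blocking the next
// login. Hypothetical in-memory store for this example.
type Directory struct {
	mu       sync.Mutex
	token    string                     // bearer token the IdP must present
	active   map[string]bool            // userID -> account enabled
	sessions map[string]map[string]bool // userID -> set of live session IDs
}

func NewDirectory(scimToken string) *Directory {
	return &Directory{token: scimToken, active: map[string]bool{}, sessions: map[string]map[string]bool{}}
}

func (d *Directory) Provision(userID string) {
	d.mu.Lock()
	defer d.mu.Unlock()
	d.active[userID] = true
}

// Login issues a session only for an active account.
func (d *Directory) Login(userID, sessionID string) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	if !d.active[userID] {
		return false
	}
	if d.sessions[userID] == nil {
		d.sessions[userID] = map[string]bool{}
	}
	d.sessions[userID][sessionID] = true
	return true
}

// SessionValid is the per-request check every authenticated endpoint runs.
func (d *Directory) SessionValid(userID, sessionID string) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.active[userID] && d.sessions[userID][sessionID]
}

// Deactivate disables the account and tears down every live session; returns how many.
func (d *Directory) Deactivate(userID string) int {
	d.mu.Lock()
	defer d.mu.Unlock()
	d.active[userID] = false
	n := len(d.sessions[userID])
	delete(d.sessions, userID)
	return n
}

// scimPatch is the subset of a SCIM 2.0 PatchOp (RFC 7644, section 3.5.2) handled here.
type scimPatch struct {
	Operations []struct {
		Op    string          `json:"op"`
		Path  string          `json:"path"`
		Value json.RawMessage `json:"value"`
	} `json:"Operations"`
}

// activeFromOp reads "active" from either shape IdPs send: path "active" with a bool
// (or the string "False"), or no path and a value object {"active":false}.
func activeFromOp(path string, raw json.RawMessage) (active, ok bool) {
	if strings.EqualFold(path, "active") {
		var b bool
		if json.Unmarshal(raw, &b) == nil {
			return b, true
		}
		var s string
		if json.Unmarshal(raw, &s) == nil {
			return strings.EqualFold(s, "true"), true
		}
		return false, false
	}
	if path == "" {
		var obj struct {
			Active *bool `json:"active"`
		}
		if json.Unmarshal(raw, &obj) == nil && obj.Active != nil {
			return *obj.Active, true
		}
	}
	return false, false
}

// ServeHTTP handles PATCH /scim/v2/Users/{id}; the token is compared in constant time.
func (d *Directory) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	want := []byte("Bearer " + d.token)
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	userID := strings.TrimPrefix(r.URL.Path, "/scim/v2/Users/")
	var p scimPatch
	if r.Method != http.MethodPatch || userID == "" || json.NewDecoder(r.Body).Decode(&p) != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	for _, op := range p.Operations {
		if active, ok := activeFromOp(op.Path, op.Value); strings.EqualFold(op.Op, "replace") && ok && !active {
			d.Deactivate(userID)
		}
	}
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	d := NewDirectory("example-token")
	d.Provision("u1")
	d.Login("u1", "sess-a")
	fmt.Println("before:", d.SessionValid("u1", "sess-a"), "revoked:", d.Deactivate("u1"), "after:", d.SessionValid("u1", "sess-a"))
}
```

The per-request `SessionValid` check is what makes the revocation immediate: a long-lived token that is only validated at login would outlive the deprovisioning event.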

Data Sovereignty (GDPR)

Geo-Fenced Data Residency
Application execution and data storage are strictly pinned to specific legal jurisdictions (e.g., EU-West) to satisfy GDPR and local data laws.

Right to Erasure (GDPR Privacy)

Compliant Privacy Redaction
Supports right-to-erasure ('Right to be Forgotten') requests by destroying the encryption keys for a subject's PII (crypto-shredding), rendering the data unreadable without breaking the immutable audit chain. This only works if the PII was encrypted under a per-subject key from first write and every copy, including backups and WORM replicas, holds ciphertext rather than plaintext.
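Crypto-shredding worked through, as an added example (not ValidKeep's code; the in-memory `KeyVault`, the field layout and the sample PII are constructed for illustration, and a real deployment would keep the keys in a KMS or HSM where destruction is itself an audited, irreversible operation): each subject's PII is encrypted with AES-256-GCM under a per-subject key with the subject ID bound as associated data, the audit chain commits to a digest of the ciphertext, and after the key is destroyed decryption fails while the integrity check still passes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyVault holds one AES-256 data-encryption key per data subject.
// Hypothetical in-memory store for this example.
type KeyVault struct{ keys map[string][]byte }

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// keyFor returns the subject's key, creating it on first use.
func (v *KeyVault) keyFor(subject string) ([]byte, error) {
	if k, ok := v.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[subject] = k
	return k, nil
}

// Shred is the erasure: the key is destroyed, the ciphertext is never touched.
func (v *KeyVault) Shred(subject string) { delete(v.keys, subject) }

// SealedField is how a PII field is stored inside an immutable record. Digest is
// the value the audit trail and any signature commit to, so it is computed over
// the ciphertext, not the plaintext.
type SealedField struct {
	Subject    string
	Nonce      []byte
	Ciphertext []byte
	Digest     string
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a PII value under the subject's key. The subject ID is bound as
// associated data so a ciphertext cannot be re-filed under another subject.
func (v *KeyVault) Seal(subject string, pii []byte) (SealedField, error) {
	key, err := v.keyFor(subject)
	if err != nil {
		return SealedField{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return SealedField{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedField{}, err
	}
	ct := gcm.Seal(nil, nonce, pii, []byte(subject))
	sum := sha256.Sum256(ct)
	return SealedField{Subject: subject, Nonce: nonce, Ciphertext: ct, Digest: hex.EncodeToString(sum[:])}, nil
}

// ErrErased is returned once the subject's key has been shredded.
var ErrErased = errors.New("subject key destroyed: field is erased")

// Open decrypts a field. It deliberately does not create a missing key.
func (v *KeyVault) Open(f SealedField) ([]byte, error) {
	key, ok := v.keys[f.Subject]
	if !ok {
		return nil, ErrErased
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(f.Subject))
}

// IntegrityIntact is the check the audit chain keeps passing after erasure: the
// stored ciphertext still matches the digest that was committed to.
func IntegrityIntact(f SealedField) bool {
	sum := sha256.Sum256(f.Ciphertext)
	return hex.EncodeToString(sum[:]) == f.Digest
}

func main() {
	vault := NewKeyVault()
	field, _ := vault.Seal("subject-42", []byte("Jane Doe, +1 555 0100")) // constructed sample PII
	pt, _ := vault.Open(field)
	fmt.Printf("before erasure: %s, intact=%v\n", pt, IntegrityIntact(field))
	vault.Shred("subject-42")
	_, err := vault.Open(field)
	fmt.Printf("after erasure: %v, intact=%v\n", err, IntegrityIntact(field))
}
```

The audit entry records that the field existed and was not altered, which is what the integrity obligation needs; what it no longer records is the content, which is what the erasure obligation needs.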

Supply Chain Security

Continuous Supply Chain Scanning
Automated analysis of the software supply chain to detect and block components with known security vulnerabilities (CVEs) or malicious behavior.

Transparency

Software Bill of Materials (SBOM)
A comprehensive machine-readable inventory of all software components is generated for every release, meeting FDA cybersecurity expectations.

Operational Excellence

Addressing Workflow and Usability.

Data Entry Accuracy

Automated Device Data Ingestion
Directly parse raw data files from equipment (Loggers, Balances) to eliminate manual transcription errors and improve speed.

Input Accuracy

Input Sanitization & Type Safety
Frontend constraints and backend schema validation prevent 'Fat Finger' errors and invalid data types before entry.

Availability

High-Availability Edge Architecture
Deployed on a globally distributed network ensuring 99.9% uptime and offline-first resilience for lab/warehouse operations.

Audit Defense

Live Trust Verification
Printed reports include secure verification links/QR codes that allow auditors to confirm authenticity against the central ledger in real-time.

The Totality: Three Pillars of Compliance

Our compliance architecture consolidates every feature, regulation, and architectural decision into three foundational pillars that simplify the message and close the deal.

Data Integrity

21 CFR Part 11 & ALCOA+

WORM Storage
Cryptographically enforced Write-Once-Read-Many vaults prevent deletion or overwriting at the infrastructure layer.

Tamper-Evident Audit Trails
Immutable, chronological records of every action with centralized timestamp authority.

Database-Level Electronic Signatures
Cryptographically bound signatures with real-time verification against the central ledger.

Automated Validation

GAMP 5 & Verification

Robotic Verification Agents (OQ)
Automated testing agents execute functional test scripts against every build, capturing objective evidence.

Confirmatory Performance Mode (PQ)
Enforces comparison of software calculations against physical lab results before general release.

Automated Traceability Matrix
Dynamically generated documentation linking every User Requirement to specific Test Scripts and results.

Enterprise Security

ISO 27001 & GDPR

Automated Identity Governance (SCIM)
Real-time, zero-touch access revocation synchronized with central directories (Okta, Entra ID).

Geo-Fenced Data Residency
Application execution and data storage strictly pinned to specific legal jurisdictions (e.g., EU-West).

Software Bill of Materials (SBOM)
Comprehensive machine-readable inventory of all software components for every release, meeting FDA cybersecurity expectations.

Unified Compliance Architecture: We layer Infrastructure Qualification (Qualified Vendors), Supply Chain Security (SBOMs), and Automated GAMP 5 Verification (Automated Validation) to create a compliance shield that is audit-ready on Day 1.