ValidKeep™ Features

Governed SDLC, real qualification evidence, and architectural controls designed to support 21 CFR Part 11, GAMP 5, and modern CSA.

Governed SDLC landscape

From sandbox experiment to locked production, with multiple changes in flight. This is governed SDLC rigor, not a rubber-stamp document pack.

  1. Experiment: Studio sandbox / prototype; ungoverned preview (not validated).
  2. Formalize: Change request created; scope, risk, and modules pinned. Prototype ≠ production.
  3. Realize: Development on a CR-locked branch; zero-orphan traceability from code to requirements.
  4. Qualify (OQ): Active test drivers prove business rules at the capability boundary.
  5. Qualify (PQ): Embedded SDK probes under load prove implementation resilience.
  6. Integrate: Long-lived integration environment; approved CRs merge when ledger status allows.
  7. Release: Bundled formal testing on a verification release branch (one active release at a time).
  8. Produce: Merge to production only after release approval; audit-ready ledger history.

Landscape profiles are customizable per organization. Yttrigen delivery sets up your governed path after quote. Read Governed SDLC landscape and the ValidKeep ecosystem map; see High Assurance profile for our recommended assurance model.

CLI, MiniHub & ValidKeep Hub

npx validkeep verifies the current commit and working tree against assurance and landscape profiles before governance accepts changes. This is deterministic, profile-driven verification with no LLM in the loop; see The Impartial Auditor.

  • MiniHub: local open-source CoreHub for SDLC rehearsal (part of validkeep-core).
  • ValidKeep Hub: Yttrigen's online persistent ledger for official CR, test run, and signature evidence.

OQ & PQ: real qualification

Demand vs supply verification, not checkbox testing.

Operational Qualification (OQ): active driver scripts prove business rules against the public capability boundary (black-box).

Performance Qualification (PQ): embedded ValidKeep SDK probes in application code emit telemetry under load; the ledger records proof of implementation resilience (white-box).

Our recommended High Assurance profile structures atomic specs and separated OQ/PQ loops; see OQ at the capability boundary and PQ under load, plus the module architecture hub. Other assurance profiles are supported.

The Three Pillars of Integrity

Three foundational architectural controls that ensure compliance with 21 CFR Part 11, GAMP 5, ISO 27001, and GDPR.

Pillar 1: Data Integrity

Data integrity through 21 CFR Part 11 & ALCOA+ compliance

Tamper-Evident Audit Trails

We utilize a logical append-only database architecture. Every create, modify, or delete action is preserved as a permanent historical record, cryptographically linked to the specific user identity and timestamp.

Cryptographic WORM Storage

Critical evidence and raw data are stored in a Write-Once-Read-Many (WORM) state. Records are physically locked at the infrastructure layer, preventing deletion or modification for the mandated retention period (e.g., 7 years).

Using Cloudflare R2 Object Lock in Compliance Mode. Evidence cannot be altered or deleted once written.

Database-Level Electronic Signatures

Signatures are not merely embedded in fragile PDF files. They are stored as immutable database records linking the User ID, Meaning (e.g., "Approval"), and Date/Time directly to the specific version of the data being signed.

Pillar 2: Automated Validation

Automated validation addressing GAMP 5 & Verification

Robotic Verification Agents (OQ)

We replace manual testing screenshots with automated, code-driven test agents. Every software build is subjected to a rigorous Operational Qualification (OQ) suite that verifies functionality and captures objective evidence automatically.

Traceability Matrix Generation

The platform dynamically generates a Requirements Traceability Matrix (RTM) for every release, mapping every User Requirement (URS) directly to the specific Test Script ID and execution result.

Frozen Artifact Deployment

To ensure Supply Chain Security, application code and third-party dependencies are locked into a static, versioned bundle. The system runs on a "Known Good" snapshot that cannot drift or be altered at runtime.

Pillar 3: Enterprise Security

Enterprise security addressing ISO 27001 & GDPR

Identity-Aware Access Gateway

We enforce Zero Trust principles. No user touches the application without passing through a strict Identity-Aware Proxy that enforces MFA and Device Posture checks.

Powered by Cloudflare Zero Trust for comprehensive access control.

Geo-Fenced Data Residency

For EU clients, we strictly pin code execution and data storage to specific geographic regions to satisfy GDPR data sovereignty requirements.

GDPR-compliant data residency with Cloudflare Data Localization Suite. Data remains within specified geographic regions as required by regulation.

Compliant Privacy Redaction

We support "Right to be Forgotten" requests via a validated Crypto-Shredding mechanism, rendering Personal Identifiable Information (PII) unreadable without breaking the integrity of the historical audit chain.

Enterprise Integration

Designed for the Corporate Environment.

ValidKeep™ is built to integrate seamlessly into the existing IT landscape of top-tier Pharmaceutical and MedTech organizations.

Automated Identity Governance (SCIM)

We support SCIM 2.0 protocols for real-time user provisioning and deprovisioning. When HR terminates an employee in central directories (Okta, Entra ID), their access to ValidKeep is instantly revoked.

Federated Single Sign-On (SSO)

Native integration with Enterprise IdPs (Okta, Azure AD, Ping) via OIDC/SAML. We do not store passwords.

Software Bill of Materials (SBOM)

Every release includes a machine-readable SBOM (CycloneDX format) detailing every software component, ensuring full supply chain transparency in compliance with FDA Cybersecurity guidelines.

Qualified Infrastructure

ValidKeep™ is built upon the world's most secure and resilient cloud infrastructure.

We do not manage physical data centers; we leverage the certified security of industry giants. We qualify our infrastructure providers as vendors with documented evidence of compliance.

Cloudflare

Certifications:
• ISO/IEC 27001:2013 Certified
• SOC 2 Type II Compliant
• PCI DSS Level 1

Critical Features: High-Availability Edge Architecture, Cryptographically Enforced WORM Vault, Tamper-Evident Chronological Audit Trails, Step-Up Authentication Enforcement, Granular Role-Based Access Control

GitHub Enterprise

Certifications:
• SOC 2 Type II Compliant
• ISO/IEC 27001 Certified

Critical Features: Frozen Artifact Deployment, Robotic Verification Agents (OQ), Code Provenance Verification

Vendor Neutrality & Data Ownership

We believe organizations should own their data. ValidKeep provides Vendor-Neutral Data Exit tools, allowing organizations to export entire datasets in open standards (SQL/JSON) and source code at any time. Organizations are never locked in.

AI Governance

ValidKeep adheres to leading AI governance frameworks and regulations, ensuring responsible and compliant use of AI in regulated environments.

EU AI Act (2024)

Classification: Limited Risk.
Our use is limited to code assistance. We comply with Transparency Obligations (Art. 50) by disclosing that AI tools assist in the SDLC. Since the AI does not make decisions affecting patient health at runtime, we are exempt from "High Risk" conformity assessments.

FDA: AI/ML-Based SaMD (Action Plan)

"Static State" Adherence.
The FDA is concerned with "Adaptive Algorithms" that change post-deployment. ValidKeep software is Locked/Static. We do not deploy "Continuous Learning" models, thus avoiding the need for a Predetermined Change Control Plan (PCCP).

GAMP 5 (2nd Ed) - Appendix D2

"Verification of Output."
GAMP 5 states that for AI tools used in development, the focus must be on verifying the output, not validating the algorithm. Our Automated OQ Robot proves the AI-generated code works, satisfying this requirement.

ISO/IEC 42001

"AI Risk Assessment."
We align with this standard by maintaining an AI Inventory and performing risk assessments on AI hallucinations (e.g., "What if the AI generates a bad Regex?"). Mitigation: Our "Mutation Testing" catches logic errors.

NIST AI Risk Management Framework (AI RMF 1.0)

"Map, Measure, Manage."
We map where AI is used (Xlsweep™), measure validity via automated testing, and manage risk via the Independent Quality Unit review.

FDA: Computer Software Assurance (CSA)

"Scripted Testing."
We use AI to generate robust test scripts. Per CSA guidance, the rigor of testing is sufficient to validate the software, regardless of who (human or AI) wrote the code.