ValidKeep™ Features
Three foundational architectural controls that ensure compliance with 21 CFR Part 11, GAMP 5, ISO 27001, and GDPR.
The Three Pillars of Integrity
Pillar 1: Data Integrity
Data integrity through 21 CFR Part 11 & ALCOA+ compliance
Tamper-Evident Audit Trails
We utilize a logical append-only database architecture. Every create, modify, or delete action is preserved as a permanent historical record, cryptographically linked to the specific user identity and timestamp.
Cryptographic WORM Storage
Critical evidence and raw data are stored in a Write-Once-Read-Many (WORM) state. Records are physically locked at the infrastructure layer, preventing deletion or modification for the mandated retention period (e.g., 7 years).
Using Cloudflare R2 Object Lock in Compliance Mode. Evidence cannot be altered or deleted once written.
Database-Level Electronic Signatures
Signatures are not merely embedded in fragile PDF files. They are stored as immutable database records linking the User ID, Meaning (e.g., "Approval"), and Date/Time directly to the specific version of the data being signed.
Pillar 2: Automated Validation
Automated validation addressing GAMP 5 & Verification
Robotic Verification Agents (OQ)
We replace manual testing screenshots with automated, code-driven test agents. Every software build is subjected to a rigorous Operational Qualification (OQ) suite that verifies functionality and captures objective evidence automatically.
Traceability Matrix Generation
The platform dynamically generates a Requirements Traceability Matrix (RTM) for every release, mapping every User Requirement (URS) directly to the specific Test Script ID and execution result.
Frozen Artifact Deployment
To ensure Supply Chain Security, application code and third-party dependencies are locked into a static, versioned bundle. The system runs on a "Known Good" snapshot that cannot drift or be altered at runtime.
Pillar 3: Enterprise Security
Enterprise security addressing ISO 27001 & GDPR
Identity-Aware Access Gateway
We enforce Zero Trust principles. No user touches the application without passing through a strict Identity-Aware Proxy that enforces MFA and Device Posture checks.
Powered by Cloudflare Zero Trust for comprehensive access control.
Geo-Fenced Data Residency
For EU clients, we strictly pin code execution and data storage to specific geographic regions to satisfy GDPR data sovereignty requirements.
GDPR-compliant data residency with Cloudflare Data Localization Suite. Data remains within specified geographic regions as required by regulation.
Compliant Privacy Redaction
We support "Right to be Forgotten" requests via a validated Crypto-Shredding mechanism, rendering Personally Identifiable Information (PII) unreadable without breaking the integrity of the historical audit chain.
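As an added example (not ValidKeep's code), a stdlib-only Python sketch of how Pillar 1's hash-chained, append-only audit trail and this section's crypto-shredding fit together: each record's PII is encrypted under a per-subject key and the chain hash covers the ciphertext, so deleting the key makes the PII unreadable while chain verification still passes. The HMAC-counter keystream stands in for a real AEAD such as AES-GCM, and all names, fields and sample records are assumptions.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 counter keystream: a stdlib stand-in for AES-GCM in this demo.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_pii(key: bytes, plaintext: str) -> str:
    nonce, data = os.urandom(12), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()                      # nonce is part of the stored blob

def decrypt_pii(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log where every record links to the previous hash (hypothetical)."""
    def __init__(self):
        self.records = []
        self.subject_keys = {}   # subject_id -> key; removing an entry shreds that subject

    def append(self, user_id: str, action: str, subject_id: str, pii: str) -> str:
        key = self.subject_keys.setdefault(subject_id, os.urandom(32))
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"seq": len(self.records), "ts": time.time(), "user": user_id,
                "action": action, "subject": subject_id,
                "pii": encrypt_pii(key, pii), "prev": prev}
        body["hash"] = _digest(body)             # hash binds user, time, action, ciphertext
        self.records.append(body)
        return body["hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["prev"] != prev or _digest(body) != r["hash"]:
                return False                     # broken link or edited record
            prev = r["hash"]
        return True

    def forget(self, subject_id: str) -> None:
        self.subject_keys.pop(subject_id, None)  # crypto-shred: ciphertext stays, key goes

    def read_pii(self, seq: int):
        r = self.records[seq]
        key = self.subject_keys.get(r["subject"])
        return decrypt_pii(key, r["pii"]) if key else None
```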
Enterprise Integration
Designed for the Corporate Environment.
ValidKeep™ is built to integrate seamlessly into the existing IT landscape of top-tier Pharmaceutical and MedTech organizations.
Automated Identity Governance (SCIM)
We support SCIM 2.0 protocols for real-time user provisioning and deprovisioning. When HR terminates an employee in central directories (Okta, Entra ID), their access to ValidKeep is instantly revoked.
Federated Single Sign-On (SSO)
Native integration with Enterprise IdPs (Okta, Azure AD, Ping) via OIDC/SAML. We do not store passwords.
Software Bill of Materials (SBOM)
Every release includes a machine-readable SBOM (CycloneDX format) detailing every software component, ensuring full supply chain transparency in compliance with FDA Cybersecurity guidelines.
Qualified Infrastructure
ValidKeep™ is built upon the world's most secure and resilient cloud infrastructure.
We do not manage physical data centers; we leverage the certified security of industry giants. We qualify our infrastructure providers as vendors with documented evidence of compliance.
Cloudflare
Certifications:
• ISO/IEC 27001:2013 Certified
• SOC 2 Type II Compliant
• PCI DSS Level 1
Critical Features: High-Availability Edge Architecture, Cryptographically Enforced WORM Vault, Tamper-Evident Chronological Audit Trails, Step-Up Authentication Enforcement, Granular Role-Based Access Control
GitHub Enterprise
Certifications:
• SOC 2 Type II Compliant
• ISO/IEC 27001 Certified
Critical Features: Frozen Artifact Deployment, Robotic Verification Agents (OQ), Code Provenance Verification
Vendor Neutrality & Data Ownership
We believe organizations should own their data. ValidKeep provides Vendor-Neutral Data Exit tools, allowing organizations to export entire datasets in open standards (SQL/JSON) and source code at any time. Organizations are never locked in.
AI Governance
ValidKeep adheres to leading AI governance frameworks and regulations, ensuring responsible and compliant use of AI in regulated environments.
EU AI Act (2024)
Classification: Limited Risk.
Our use is limited to code assistance. We comply with Transparency Obligations (Art. 50) by disclosing that AI tools assist in the SDLC. Since the AI does not make decisions affecting patient health at runtime, we are exempt from "High Risk" conformity assessments.
FDA: AI/ML-Based SaMD (Action Plan)
"Static State" Adherence.
The FDA is concerned with "Adaptive Algorithms" that change post-deployment. ValidKeep software is Locked/Static. We do not deploy "Continuous Learning" models, thus avoiding the need for a Predetermined Change Control Plan (PCCP).
GAMP 5 (2nd Ed) - Appendix D2
"Verification of Output."
GAMP 5 states that for AI tools used in development, the focus must be on verifying the output, not validating the algorithm. Our Automated OQ Robot proves the AI-generated code works, satisfying this requirement.
ISO/IEC 42001
"AI Risk Assessment."
We align with this standard by maintaining an AI Inventory and performing risk assessments on AI hallucinations (e.g., "What if the AI generates a bad Regex?"). Mitigation: Our "Mutation Testing" catches logic errors.
NIST AI Risk Management Framework (AI RMF 1.0)
"Map, Measure, Manage."
We map where AI is used (Xlsweep™), measure validity via automated testing, and manage risk via the Independent Quality Unit review.
FDA: Computer Software Assurance (CSA)
"Scripted Testing."
We use AI to generate robust test scripts. Per CSA guidance, the rigor of testing is sufficient to validate the software, regardless of who (human or AI) wrote the code.