Architecture & Security

Built for the people who have to defend it in an audit.

Regulated manufacturers don't get to wave hands at "the cloud." Your QA, IT, and InfoSec teams need specifics — where data lives, who can touch it, how it's signed, how it's restored, how releases are validated. This page is written for them.

The Six Pillars

What the platform guarantees

Not aspirations. Not roadmap. These are properties of the system today.

Tenant isolation

Every customer is a logical tenant with row-level security enforced at the database. No tenant can read or write another tenant's data — the database itself rejects it, not the application layer.

Immutable audit trail

Every critical action — release, signature, dispense, QC decision, label print — writes an append-only audit row with actor, timestamp (UTC), IP, prior/next state hash, and reason. Audit rows cannot be edited or deleted, by anyone, including us.

Identity-verified e-signatures

21 CFR Part 11 compliant. Re-authentication at the moment of signing, signature manifestation on the record, signed reason codes, and a permanent link between the signature and the signed object — never a checkbox.

Encrypted at rest and in transit

AES-256 at rest on managed Postgres and object storage. TLS 1.2+ in transit. Per-tenant encryption keys for storage objects. Backups are encrypted with separate key material.

Validated release pipeline

Every release ships with executed IQ/OQ artifacts and a signed change manifest. Your QA receives the validation pack — they don't have to re-run it. PQ runbooks are provided for site-specific qualification.

Continuous monitoring

Uptime, latency, error budgets, and security events are monitored 24/7. Status page is public. Incidents are disclosed with a written RCA — not buried.

From browser to immutable row

Every write goes through the same gate.

Auth at the edge, tenant claim attached, row-level security enforced at the database, append-only audit trigger fires before the response returns. Same path for every API call — operator, admin, integration, even us.
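The two database-side controls named above, tenant-scoped row-level security and an append-only audit row chained by hash, look roughly like the following in PostgreSQL. This is an added illustration, not the platform's own schema: the table, column and session-setting names (batch_record, audit_log, app.tenant_id, app.actor, app.client_ip, app.reason) are assumptions chosen for the example.

```sql
-- Added example, not the platform's schema. Names are illustrative assumptions.
-- Tenant claim is placed on the connection by the API layer, inside the
-- transaction, from the already-verified token:  SET LOCAL app.tenant_id = '...';
CREATE EXTENSION IF NOT EXISTS pgcrypto;          -- digest() for SHA-256

CREATE TABLE batch_record (
    id        bigserial PRIMARY KEY,
    tenant_id uuid  NOT NULL,
    status    text  NOT NULL,
    payload   jsonb NOT NULL DEFAULT '{}'
);

-- Row-level security: a missing claim yields NULL, which matches nothing,
-- so an unscoped connection sees zero rows rather than every tenant's rows.
ALTER TABLE batch_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE batch_record FORCE  ROW LEVEL SECURITY;   -- owner is not exempt
CREATE POLICY tenant_isolation ON batch_record
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,
    at_utc      timestamptz NOT NULL DEFAULT now(),
    client_ip   inet,
    action      text        NOT NULL,
    reason      text,
    prior_state text,          -- SHA-256 of the record before the change
    next_state  text NOT NULL, -- SHA-256 of the record after the change
    prev_hash   text,          -- hash of the previous audit row (same tenant)
    row_hash    text NOT NULL  -- hash of this row, chained on prev_hash
);
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE  ROW LEVEL SECURITY;
CREATE POLICY audit_tenant ON audit_log
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Append-only: any UPDATE or DELETE is rejected by the database itself.
CREATE FUNCTION audit_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END $$ LANGUAGE plpgsql;
CREATE TRIGGER audit_no_change BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_immutable();
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;

-- Hash chain: each row's hash covers its content plus the previous row's
-- hash, so altering or removing any row invalidates every row after it.
CREATE FUNCTION audit_chain() RETURNS trigger AS $$
BEGIN
    -- serialise appends per tenant so two inserts cannot read the same tail
    PERFORM pg_advisory_xact_lock(hashtext(NEW.tenant_id::text));
    SELECT row_hash INTO NEW.prev_hash FROM audit_log
     WHERE tenant_id = NEW.tenant_id ORDER BY id DESC LIMIT 1;
    NEW.row_hash := encode(digest(
        coalesce(NEW.prev_hash, '') || '|' || NEW.tenant_id::text || '|'
        || NEW.actor || '|' || NEW.at_utc::text || '|'
        || coalesce(host(NEW.client_ip), '') || '|' || NEW.action || '|'
        || coalesce(NEW.reason, '') || '|' || coalesce(NEW.prior_state, '')
        || '|' || NEW.next_state, 'sha256'), 'hex');
    RETURN NEW;
END $$ LANGUAGE plpgsql;
CREATE TRIGGER audit_chain_hash BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_chain();

-- Every mutation of a governed table writes its audit row in the same
-- transaction: if the audit insert fails, the mutation rolls back with it.
CREATE FUNCTION batch_record_audit() RETURNS trigger AS $$
BEGIN
    INSERT INTO audit_log (tenant_id, actor, client_ip, action, reason,
                           prior_state, next_state)
    VALUES (NEW.tenant_id,
            current_setting('app.actor', true),
            current_setting('app.client_ip', true)::inet,
            TG_OP || ' batch_record ' || NEW.id || ' -> ' || NEW.status,
            current_setting('app.reason', true),
            CASE WHEN TG_OP = 'UPDATE'
                 THEN encode(digest(row_to_json(OLD)::text, 'sha256'), 'hex') END,
            encode(digest(row_to_json(NEW)::text, 'sha256'), 'hex'));
    RETURN NEW;
END $$ LANGUAGE plpgsql;
CREATE TRIGGER batch_record_audited AFTER INSERT OR UPDATE ON batch_record
    FOR EACH ROW EXECUTE FUNCTION batch_record_audit();
```

Two caveats a reviewer would check. First, FORCE ROW LEVEL SECURITY binds the table owner, but superusers and roles with BYPASSRLS still bypass policies, so the application role must hold neither and the policy claim must come from the verified token, never from request input. Second, an append-only trigger is only as strong as the privileges around it: the REVOKE above, and keeping DROP TRIGGER and ALTER TABLE away from the application role, are what stop a compromised application credential from simply disabling the trigger before writing.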

The Stack

Layer by layer

No mystery boxes. Here's what runs where.

Layer: What it does

Edge / delivery: Global edge network. TLS terminated at the edge. DDoS and WAF in front of every request.
Application runtime: Stateless serverless workers. No long-lived server to patch on your end. Horizontal autoscale.
API & server functions: Typed RPC. Every mutation is authenticated, authorized, and audit-logged before it touches the database.
Database: Managed Postgres with point-in-time recovery. Row-level security policies on every table. Migrations are reviewed and version-controlled.
Object storage: Encrypted blob storage for PDFs (BMR, MMR, CoA), label artwork, attachments. Signed URLs only — no public buckets.
Observability: Structured logs, metrics, and traces with retention sized for audit windows. Security events stream to a separate, write-only sink.

Where Your Data Lives

Residency, recovery, and uptime

Regional residency
Pick US or EU at provisioning. Primary, replica, and backups all stay in-region. SCCs and DPA available for EU tenants.
Point-in-time recovery
Restore the database to any second within the retention window. Tested monthly. Restore reports are part of the validation pack.
99.9% uptime SLA
Multi-AZ failover. Public status page. Operator kiosks tolerate brief disconnects — scans queue locally and reconcile cleanly.

Compliance Posture

What we map to, out of the box

21 CFR Part 11 (e-records, e-signatures)
21 CFR Part 211 (cGMP for finished pharma)
21 CFR Part 111 (cGMP for dietary supplements)
21 CFR Part 117 (preventive controls, food)
ISO 13485 (medical devices QMS)
EU Annex 11 (computerised systems)
FSMA 204 (food traceability rule)
GFSI-recognised schemes (SQF, BRCGS, FSSC 22000)
MoCRA (cosmetics modernisation)
FIFRA (agricultural chemicals)
SOC 2-aligned controls (Type II in progress)
GDPR / CCPA data subject rights

The Questions Auditors Ask

Straight answers

Where is our data stored?
Primary region is selected at tenant provisioning. US and EU residency available. Backups stay in-region. We do not move customer data across regions without written authorization.
Who can see our data?
Your users, scoped by role. A small, named operations team has break-glass access for support — every access is logged, time-boxed, and reviewable in your audit trail. We never use customer data to train models.
What happens if you go down?
Multi-AZ failover for the database and application tier. Point-in-time recovery to any second within the retention window. Published RPO/RTO targets and a public status page. Operator kiosks queue scans locally and reconcile on reconnect.
How do you handle qualification (IQ/OQ/PQ)?
IQ and OQ are executed by us per release and delivered as part of the validation pack. PQ runbooks are provided for your site-specific qualification — your QA executes and signs. We do not require you to re-validate the platform on every release.
What about Part 11 / Annex 11?
Identity-verified e-signatures, immutable audit trail, controlled access, validated state, and record retention are all built in. Compliance is a configuration of the platform, not a custom build.
Can we export everything?
Yes. Full data export in open formats (CSV, JSON, PDF). Audit trail export is signed. You own your data — exit is a feature, not a negotiation.

Want the full security pack?

SOC 2 status letter, penetration test summary, DPA, sub-processor list, validation pack sample, and architecture diagrams — available under NDA. Forward this page to your IT and QA teams; we'll handle the rest.