Trust & security
What's true, what's in progress, and what we deliberately don't claim.
Clinical monitoring software earns trust the way monitors do: by showing its work and never overstating. This page is our standing answer to security reviews. Three lists, dated, kept current. If a claim you need is missing, ask — we'd rather say “not yet” than imply.
Last reviewed: 2026-07-08
Column A
True today — mechanisms, not adjectives.
Each claim names the mechanism that enforces it. Re-verified against the product whenever this page changes.
Human sign-off on every artifact
Every AI-drafted report and letter requires a named reviewer to edit and approve before it exists as a finished document. There is no autonomous path to a signed artifact.
Append-only audit trail
Every state-changing action writes an audit row attributed to the authenticated user; the database layer permits no updates or deletes to the trail — enforced by policy, not convention.
Per-artifact source provenance
Every source data point carries its provenance class — certified copy, central-lab feed, EMR feed, or pending — and an attestation, once made, is frozen by a database trigger. Corrections create new versions; nothing is silently rewritten.
Tenant isolation enforced in the database
Row-level security scopes source data by site and clinical work by assignment, verified with real authenticated sessions (not admin backdoors) as part of our release process.
The AI shows its inputs
Reviewers see the exact structured data sent to the model beside every draft; drafts mark uncertainty explicitly ([VERIFY: …]) rather than papering over it.
No PHI in our demo environments
All demonstration data is synthetic by policy — subject codes, documents, and lab values are fabricated. We will not ingest real patient data before the in-progress safeguards below are in place.
Encryption in transit and at rest
TLS everywhere; database and document storage encrypted at rest (AES-256).
Read-only toward your systems of record
We never write to your EDC or a site's EHR. Queries are drafted here, raised by your CRA in your EDC.
Column B
In progress — dated when the letters are signed.
We publish target dates the day an engagement letter is signed, not before. A hoped-for date is worse than none.
SOC 2 Type IIn progress
Auditor selection under way; the engagement date and report target publish here the day the letter is signed. Type II observation window follows immediately.
Unlocks: Shortens security questionnaires to one link.
Business Associate Agreements across the subprocessor chainIn progress
Hosting, database, and AI providers. The subprocessor register publishes at /subprocessors when the chain is signed.
Unlocks: Unblocks real patient data under HIPAA.
Independent penetration testIn progress
Scheduled as part of the SOC 2 program; letter available under NDA thereafter.
Unlocks: Third-party validation of the isolation claims above.
Role separation & SSOIn progress
Distinct coordinator / CRA / lead / read-only roles with SAML/OIDC single sign-on.
Unlocks: Maps product roles onto your org chart.
Generation recordsIn progress
Every AI output stored with its exact prompt, model version, and input snapshot, so “why did the AI write this?” is answerable for any historical draft. Our AI-governance page publishes alongside this.
Unlocks: Model-change-control evidence for sponsor audits.
Column C
Deliberately not claimed.
The credibility column. If a vendor claims these loosely, ask them the questions we answer here.
We do not claim 21 CFR Part 11 electronic signatures
In-product approvals are named review attestations. Your signed record of record executes in your existing validated system (eTMF/QMS); we export audit-grade evidence of the human review. If and when customers want in-system signatures of record, that becomes a scoped, validated program — announced here first.
We do not claim the AI makes monitoring decisions
Deterministic software computes matches and discrepancies; the model drafts prose around computed results; your monitor decides. We consider “the AI found a deviation” a category error and design so it can't be true.
We do not claim cryptographic signatures
Typed-name attestations are exactly that, attributed to an authenticated account in the audit trail.
We do not claim “HIPAA certified”
No such certification exists. We claim specific safeguards (above) and BAAs (in progress), and will show you the mapping.
We do not claim autonomous EDC or EHR writes — and never will
Read-only is an architectural commitment, enforced at the credential level.
Security reviews welcome — use the contact form with role and organization type filled in. We answer questionnaires with references to mechanisms, not adjectives.