Trust Center

Compliance and validation, built into the architecture.

Regulated buyers gate on evidence, not adjectives. CuRE generates that evidence as a property of how the platform is built — tenant isolation, tamper-evident audit trails, electronic signatures, and statistical validation are substrate, not a late validation project. Every claim below is backed by code and automated tests, and labelled by status.

How to read this page

Shipped · CI-enforced

Implemented in code with automated tests enforced in our CI pipeline.

Planned

On the roadmap with a defined path — not available today.

We state our posture honestly: we describe what the platform is built to and audited against, and show independent third-party attestations as a transparent roadmap rather than implying we hold a certification we do not yet have.

Frameworks

Built to the standards regulated research runs on

The frameworks that govern electronic records, computerised systems, software assurance, and data integrity — each backed by a structural conformance suite in CI.

21 CFR Part 11

FDA · Electronic Records & Signatures

Shipped · CI-enforced

Append-only audit trails, tamper-evident record hashing, electronic-signature manifestation, and identity re-authentication before signing. Structural conformance is asserted by automated tests that run on every change.

EMA Annex 11

EU · Computerised Systems

Shipped · CI-enforced

Periodic access-review cycles, breach-incident tracking, third-party supplier qualification, and audit-trail controls — each modelled in the schema and verified by structural tests in CI.

GAMP 5 / CSA

Computer Software Assurance

Shipped · CI-enforced

Risk-based, "validated on day one" assurance. IQ/OQ/PQ evidence is generated from source for every release and gated by a pass/fail verdict before a build can ship.

ALCOA+

Data Integrity

Shipped · CI-enforced

Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, and Available. Enforced structurally rather than asserted in a binder.

HIPAA / HITECH

US · Protected Health Information

Shipped · CI-enforced

Safeguards for protected health information are built into the data plane and covered by a structural conformance suite. Subprocessors that touch PHI are qualified and BAA-tracked in the supplier register.

Evidence by construction

The proof is produced by the architecture

These are not policy documents describing intent. Each is a mechanism in the running platform, exercised by automated tests on every change.

Tenant isolation, enforced by the database

Shipped · CI-enforced

Every tenant-scoped table carries FORCE row-level security, so the database itself filters rows by organization even if an application query forgets to. A static check confirms the policy exists on every such table, and a runtime audit confirms every data path sets its tenant context first — both run in blocking mode in CI.

Tamper-evident audit trail

Shipped · CI-enforced

Record changes extend a per-record SHA-256 hash chain: altering history breaks verification. A separate HMAC-signed chain covers every schema migration and data backfill, so structural changes to the database are themselves tamper-evident and attributable. CI verifies chain integrity on every run.
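The two chains described above, as an added illustration rather than CuRE's own implementation: a per-record SHA-256 hash chain and an HMAC-signed migration chain share one verifier, which catches an in-place edit of history and a recomputed hash alike. The field names, key and sample entries are constructed assumptions for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value for the first entry of any chain (assumed convention)

def canonical(obj: dict) -> bytes:
    # Deterministic encoding so equal content always digests identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(body: dict, key=None) -> str:
    # Plain SHA-256 for the per-record chain; keyed HMAC for the migration chain.
    if key is None:
        return hashlib.sha256(canonical(body)).hexdigest()
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def link(chain: list, entry: dict, field: str, key=None) -> dict:
    # Each entry commits to the previous entry's digest before its own is computed.
    entry["prev_" + field] = chain[-1][field] if chain else GENESIS
    entry[field] = digest(entry, key)
    chain.append(entry)
    return entry

def append_change(chain: list, record_id: str, actor: str, change: dict) -> dict:
    return link(chain, {"record_id": record_id, "version": len(chain) + 1,
                        "actor": actor, "change": change}, "hash")

def sign_migration(chain: list, key: bytes, name: str, checksum: str) -> dict:
    # Rewriting the migration table is not enough: forging a link needs the key.
    return link(chain, {"migration": name, "checksum": checksum}, "mac", key)

def verify_chain(chain: list, field: str, key=None) -> bool:
    # Recompute every link; an edited entry or a broken prev_* pointer fails.
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != field}
        if entry["prev_" + field] != prev or not hmac.compare_digest(digest(body, key), entry[field]):
            return False
        prev = entry[field]
    return True

def demo() -> tuple:
    # Constructed history for one record, then two ways of tampering with it.
    chain = []
    append_change(chain, "subj-001", "alice", {"dose_mg": 10})
    append_change(chain, "subj-001", "bob", {"dose_mg": 20})
    intact = verify_chain(chain, "hash")
    chain[0]["change"]["dose_mg"] = 15  # edit history in place: entry 1's hash breaks
    edited = verify_chain(chain, "hash")
    chain[0]["hash"] = digest({k: v for k, v in chain[0].items() if k != "hash"})
    relinked = verify_chain(chain, "hash")  # entry 2's prev_hash now mismatches
    return intact, edited, relinked
```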

Electronic signatures, built to §11.100

Shipped · CI-enforced

Signatures are cryptographically bound to the record they approve and attributed to a durable platform identity that survives identity-provider changes. Signature logs are append-only with a long-horizon retention contract, and signing authority is gated on completed Part 11 training. The system implements the §11.100(c) certification & retention contract; certification to a health authority is a customer/sponsor filing step, not a platform claim.

Qualified supplier register

Shipped · CI-enforced

Every third-party subprocessor is classified by GxP criticality with its attestations on file (e.g. SOC 2, ISO 27001, HIPAA BAA), SLA, and data-processing status. The register is generated from a typed source of truth and locked by a byte-for-byte snapshot test, so it cannot silently drift from reality.

Algorithms validated against published references

Shipped · CI-enforced

Randomization is validated byte-for-byte against the peer-reviewed R packages randomizeR and carat across permuted-block, stratified, biased-coin, and minimization designs. Survival and descriptive statistics are validated against R reference implementations, with point-of-care and analytics surfaces pinned to the same oracle so they cannot diverge. Equivalence is enforced in CI.

Secrets and key rotation, by policy

Shipped · CI-enforced

Platform secrets and the audit-chain signing keys rotate on a defined cadence with a mandatory dual-credential overlap window, logged against a rotation policy rather than handled ad hoc.

Continuous validation

Validated on every change, not once a year

Traditional validation is a snapshot that ages the moment it is signed. CuRE re-proves its compliance posture continuously: these gates run in our pipeline on every change, and the regulated-control gates run in blocking mode — a change that would weaken tenant isolation, break the audit chain, or diverge from a validated algorithm cannot merge.

Once a week, the full evidence set is bundled and cryptographically signed, producing a dated, verifiable record of the platform's compliance state.

  • Row-level-security policy presence — blocking
  • Tenant-context runtime audit — every data path
  • Migration-audit HMAC chain verification — blocking
  • 21 CFR Part 11 & Annex 11 structural suites
  • Statistical oracle-equivalence (randomizeR, carat, survival, descriptive)
  • Per-release IQ/OQ/PQ validation binder with pass/fail gate
  • Weekly cryptographically-signed compliance evidence bundle

Validation evidence package

A traceable package your quality team can audit

Where most vendors hand over marketing slides, CuRE delivers an evidence package generated from source — every line traceable to an implementation, a test, and an architecture decision.

IQ / OQ / PQ validation binder

Installation, operational, and performance qualification with an overall pass/fail verdict per release.

Requirements Traceability Matrix

Each regulatory requirement traced to its implementation, test, and architecture decision.

Supplier qualification register

GxP-criticality classification and current attestations for every subprocessor.

Audit-trail & e-signature controls

The Part 11 / Annex 11 control checklist, each item asserted by an automated test.

Statistical oracle-validation reports

Equivalence evidence for randomization and statistics against published R references.

Public posture, gated package

This page is the public compliance posture. The full validation evidence package — including the IQ/OQ/PQ binder and machine-readable artifacts — is shared with qualified buyers under NDA, because it details internal control implementations.

The package is generated by our pipeline and cryptographically signed, so what you receive is verifiable rather than hand-assembled.

Independent attestation

Our third-party attestation roadmap

Independent attestation is earned, not asserted. We publish our path transparently — these are planned milestones, not current certifications.

Planned · roadmap, not current state

  1. Independent penetration test: third-party security assessment of the platform.
  2. SOC 2 Type I: design of security controls, independently examined.
  3. SOC 2 Type II: operating effectiveness of those controls over time.
  4. Formal CSV: independent computer-system-validation attestation.
  5. HITRUST: certified healthcare information-security posture.

Several of our subprocessors already hold SOC 2 Type II and ISO 27001 attestations, tracked in the supplier qualification register. Principia's own independent attestations follow the roadmap above.

Bring your quality team. We'll show our work.

Walk through the evidence package with our team, or request the full validation binder for your supplier qualification process.