Trust Center
Compliance and validation, built into the architecture.
Regulated buyers gate on evidence, not adjectives. CuRE generates that evidence as a property of how the platform is built — tenant isolation, tamper-evident audit trails, electronic signatures, and statistical validation are substrate, not a late validation project. Every claim below is backed by code and automated tests, and labelled by status.
How to read this page
- Implemented in code with automated tests enforced in our CI pipeline.
- On the roadmap with a defined path — not available today.
We state our posture honestly: we describe what the platform is built to and audited against, and show independent third-party attestations as a transparent roadmap rather than implying we hold a certification we do not yet have.
Frameworks
Built to the standards regulated research runs on
The frameworks that govern electronic records, computerised systems, software assurance, and data integrity — each backed by a structural conformance suite in CI.
21 CFR Part 11
FDA · Electronic Records & Signatures
Append-only audit trails, tamper-evident record hashing, electronic-signature manifestation, and identity re-authentication before signing. Structural conformance is asserted by automated tests that run on every change.
EMA Annex 11
EU · Computerised Systems
Periodic access-review cycles, breach-incident tracking, third-party supplier qualification, and audit-trail controls — each modelled in the schema and verified by structural tests in CI.
GAMP 5 / CSA
Computer Software Assurance
Risk-based, "validated on day one" assurance. IQ/OQ/PQ evidence is generated from source for every release and gated by a pass/fail verdict before a build can ship.
ALCOA+
Data Integrity
Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, and Available. Enforced structurally rather than asserted in a binder.
HIPAA / HITECH
US · Protected Health Information
Safeguards for protected health information are built into the data plane and covered by a structural conformance suite. Subprocessors that touch PHI are qualified and BAA-tracked in the supplier register.
Evidence by construction
The proof is produced by the architecture
These are not policy documents describing intent. Each is a mechanism in the running platform, exercised by automated tests on every change.
Tenant isolation, enforced by the database
Shipped · CI-enforced
Every tenant-scoped table carries FORCE row-level security, so the database itself filters rows by organization even if an application query forgets to. A static check confirms the policy exists on every such table, and a runtime audit confirms every data path sets its tenant context first — both run in blocking mode in CI.
Tamper-evident audit trail
Shipped · CI-enforced
Record changes extend a per-record SHA-256 hash chain: altering history breaks verification. A separate HMAC-signed chain covers every schema migration and data backfill, so structural changes to the database are themselves tamper-evident and attributable. CI verifies chain integrity on every run.
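The two chains described above, as an added illustration that is not CuRE's code: a per-record SHA-256 chain over audit entries and an HMAC-keyed chain over migrations, each with a verifier that rejects edited or spliced history. The field names, record and migration identifiers, and the signing key are all constructed for this example.

```python
import hashlib
import hmac
import json
GENESIS = "0" * 64  # anchor for the first link of each chain

def canonical(body: dict) -> bytes:
    # Stable serialisation: the same content must always hash identically
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_audit(chain: list, record_id: str, actor: str, change: dict) -> dict:
    # Each entry commits to the previous entry's hash, so history cannot be spliced
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"record_id": record_id, "seq": len(chain), "actor": actor, "change": change, "prev": prev}
    chain.append(dict(body, hash=hashlib.sha256(canonical(body)).hexdigest()))
    return chain[-1]

def verify_audit(chain: list) -> bool:
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if body["seq"] != i or body["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def append_migration(chain: list, key: bytes, name: str, ddl_checksum: str) -> dict:
    # Keyed chain: without the signing key, history cannot be rewritten and re-signed
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"name": name, "ddl_checksum": ddl_checksum, "prev": prev}
    chain.append(dict(body, mac=hmac.new(key, canonical(body), hashlib.sha256).hexdigest()))
    return chain[-1]

def verify_migrations(chain: list, key: bytes) -> bool:
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if body["prev"] != prev or not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev = entry["mac"]
    return True

def demo() -> tuple:
    audit = []  # constructed sample: two legitimate edits, then a retroactive edit
    append_audit(audit, "subject-042", "alice", {"dose_mg": 10})
    append_audit(audit, "subject-042", "bob", {"dose_mg": 20})
    before = verify_audit(audit)
    audit[0]["change"]["dose_mg"] = 15  # silent change without re-hashing
    return before, verify_audit(audit)
```

An unkeyed record chain detects edits and splices but could be recomputed wholesale by anyone with write access to the hash column, so it relies on that column being append-only; the keyed migration chain cannot be re-signed without the key.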
Electronic signatures, built to §11.100
Shipped · CI-enforced
Signatures are cryptographically bound to the record they approve and attributed to a durable platform identity that survives identity-provider changes. Signature logs are append-only with a long-horizon retention contract, and signing authority is gated on completed Part 11 training. The system implements the §11.100(c) certification & retention contract; certification to a health authority is a customer/sponsor filing step, not a platform claim.
Qualified supplier register
Shipped · CI-enforced
Every third-party subprocessor is classified by GxP criticality with its attestations on file (e.g. SOC 2, ISO 27001, HIPAA BAA), SLA, and data-processing status. The register is generated from a typed source of truth and locked by a byte-for-byte snapshot test, so it cannot silently drift from reality.
Algorithms validated against published references
Shipped · CI-enforced
Randomization is validated byte-for-byte against the peer-reviewed R packages randomizeR and carat across permuted-block, stratified, biased-coin, and minimization designs. Survival and descriptive statistics are validated against R reference implementations, with point-of-care and analytics surfaces pinned to the same oracle so they cannot diverge. Equivalence is enforced in CI.
Secrets and key rotation, by policy
Shipped · CI-enforced
Platform secrets and the audit-chain signing keys rotate on a defined cadence with a mandatory dual-credential overlap window, logged against a rotation policy rather than handled ad hoc.
Continuous validation
Validated on every change, not once a year
Traditional validation is a snapshot that ages the moment it is signed. CuRE re-proves its compliance posture continuously: these gates run in our pipeline on every change, and the regulated-control gates run in blocking mode — a change that would weaken tenant isolation, break the audit chain, or diverge from a validated algorithm cannot merge.
Once a week, the full evidence set is bundled and cryptographically signed, producing a dated, verifiable record of the platform's compliance state.
- Row-level-security policy presence — blocking
- Tenant-context runtime audit — every data path
- Migration-audit HMAC chain verification — blocking
- 21 CFR Part 11 & Annex 11 structural suites
- Statistical oracle-equivalence (randomizeR, carat, survival, descriptive)
- Per-release IQ/OQ/PQ validation binder with pass/fail gate
- Weekly cryptographically-signed compliance evidence bundle
Validation evidence package
A traceable package your quality team can audit
Where most vendors hand over marketing slides, CuRE delivers an evidence package generated from source — every line traceable to an implementation, a test, and an architecture decision.
IQ / OQ / PQ validation binder
Installation, operational, and performance qualification with an overall pass/fail verdict per release.
Requirements Traceability Matrix
Each regulatory requirement traced to its implementation, test, and architecture decision.
Supplier qualification register
GxP-criticality classification and current attestations for every subprocessor.
Audit-trail & e-signature controls
The Part 11 / Annex 11 control checklist, each item asserted by an automated test.
Statistical oracle-validation reports
Equivalence evidence for randomization and statistics against published R references.
Public posture, gated package
This page is the public compliance posture. The full validation evidence package — including the IQ/OQ/PQ binder and machine-readable artifacts — is shared with qualified buyers under NDA, because it details internal control implementations.
The package is generated by our pipeline and cryptographically signed, so what you receive is verifiable rather than hand-assembled.
Request the validation package
Independent attestation
Our third-party attestation roadmap
Independent attestation is earned, not asserted. We publish our path transparently — these are planned milestones, not current certifications.
- Step 1
Independent penetration test
Third-party security assessment of the platform.
- Step 2
SOC 2 Type I
Design of security controls, independently examined.
- Step 3
SOC 2 Type II
Operating effectiveness of those controls over time.
- Step 4
Formal CSV
Independent computer-system-validation attestation.
- Step 5
HITRUST
Certified healthcare information-security posture.
Several of our subprocessors already hold SOC 2 Type II and ISO 27001 attestations, tracked in the supplier qualification register. Principia's own independent attestations follow the roadmap above.
Bring your quality team. We'll show our work.
Walk through the evidence package with our team, or request the full validation binder for your supplier qualification process.