01 / Regulatory frameworks
Regulatory framework alignment
21 CFR Part 11 — FDAGA
21 CFR Part 11 governs electronic records and electronic signatures in FDA-regulated environments. Veracore is designed to operate in conformance with Part 11 requirements for computerised product information systems.
EU Annex 11 — GxP computerised systemsGA
Veracore follows a risk-based approach consistent with EU GMP Annex 11. System configuration is documented, change control is applied to all schema and logic changes, and periodic review is supported through the audit log.
EU GMP / ICH Q9 risk managementGA
Product information records carry explicit lifecycle states (draft → review → published → archived). Only published records generate regulatory outputs. Every state transition is logged with actor, timestamp, and content hash.
GDPR postureGA
SmPC and product information data is regulatory content — not personal data. Contact records collected via demo intake are retained only for sales qualification and are not processed beyond that purpose. A data processing agreement (DPA) is available on request.
21 CFR Part 11 — specific controls
- Unique user IDs. Each user account is uniquely identified. Shared login credentials are prohibited by the access control model. Auth module — roadmap
- Secure, computer-generated, time-stamped audit trails. Every create, update, approve, generate, and verify action writes an immutable row to
audit_eventswith actor, action type, target record, timestamp (UTC), and SHA-256 content hash. Audit rows cannot be modified or deleted by any application user or API call. - Sequence of events reconstructible. The
smpc_section_versionstable is append-only. Every prior state of every section is retained with content hash and change notes, enabling full reconstruction of the record at any point in time. - Record retention. Audit events and version history are retained for the life of the tenant plus 10 years. Deletion of tenant data requires a formal data erasure request and is logged in the audit trail.
- Electronic signature manifestation. Approval actions record the approver identity, timestamp, and the SHA-256 hash of the exact content approved. Signature infrastructure (hardware token / PKI binding) is on the roadmap. E-sig binding — roadmap
- Operational system checks. The
/healthendpoint and Render uptime monitoring provide continuous availability verification.
EU Annex 11 — specific controls
- Risk-based validation approach. Veracore is classified as a direct-impact computerised system (GxP-relevant product information). A validation plan, IQ/OQ/PQ documentation, and a traceability matrix are available to customers. See Validation Support below.
- Supplier assessment. Infrastructure sub-processors (Render, Neon) are assessed for SOC 2 / ISO 27001 compliance. See Sub-processors below.
- Change control. All schema changes are executed via numbered migration files (
migrations/<timestamp>_<name>.sql). Application code changes are version-controlled in Git with tagged releases. No undocumented schema changes are possible at runtime. - Periodic review. The audit log provides the primary evidence base for periodic review. Exportable in JSON and PDF.
- Back-up. Neon PostgreSQL provides automated continuous backup with point-in-time recovery. Backup frequency and retention period are detailed in the Neon sub-processor entry below.
- Batch processing and data integrity. Output generation is deterministic. The same canonical input always produces the same output. Each generated output stores a SHA-256 content hash in
generated_outputs, enabling re-verification at any time.
02 / Data residency
Data residency and storage
| Component | Primary region | Notes |
|---|---|---|
| Application hosting | US East (Render — Oregon) | EU-region deployment available on request for GDPR-sensitive workloads. |
| PostgreSQL database | US East (Neon — AWS us-east-2) | EU region (Frankfurt, eu-central-1) available on request. Data-at-rest encrypted (AES-256). Data-in-transit encrypted (TLS 1.2+). |
| Transactional email | Polsia email proxy (US) | Used only for operator notification of demo requests. No product data transmitted via email. |
EU-only data residency is available as a deployment option. Contact security@veracore.io to request an EU-region tenant. This is not a roadmap item — it requires configuration of your specific deployment, not a product change.
03 / Audit trail
Audit trail guarantees
- Append-only. The
audit_eventstable has no UPDATE or DELETE grants for the application role. Every write is an INSERT. Once written, a row cannot be modified by any code path in the application. - SHA-256 content hashing. Every create, update, approval, and output-generation event records the SHA-256 hash of the content at that moment. For SmPC sections, the hash covers the exact section text. For generated outputs, the hash covers the full output document. Re-running generation from the same canonical input produces an identical hash — divergence indicates unauthorised modification.
- Time-stamped records. All audit events use
created_at TIMESTAMPTZ DEFAULT NOW()at the database layer. Application-layer timestamps cannot override this. - Actor attribution. Every event records the user ID of the actor. Bulk actions (e.g. batch publish) record each sub-event individually.
- Exportable in machine-readable format. Audit logs are available via the
/api/auditendpoint in JSON. PDF export is on the roadmap. PDF export — roadmap - Retention. Audit events are retained for the life of the tenant plus 10 years from account termination. Early deletion is not possible except through a court-ordered data erasure — which itself is logged.
- SmPC version history.
smpc_section_versionsstores every prior state of every section. This is separate from the audit log and provides full text reconstruction at any historical point.
04 / Access controls
Access controls and authentication
Role-based access model
| Role | Permissions | Status |
|---|---|---|
| Author | Create and edit draft records. Cannot approve or publish. | Roadmap |
| Reviewer | Comment on and approve draft records for promotion to Review state. | Roadmap |
| Approver | Approve records for publication. Cannot create or edit content. | Roadmap |
| Publisher | Publish approved records to generate regulatory outputs. | Roadmap |
| Auditor | Read-only access to audit log and version history. No write permissions. | Roadmap |
The RBAC model is designed and the data model supports it. Role enforcement at the API layer is the next auth milestone. Current deployments operate as single-tenant with operator-controlled access.
Authentication
- SSO via SAML 2.0 / OIDC. On the roadmap. Priority for enterprise and consultancy tiers. Roadmap
- MFA enforcement. On the roadmap, will be mandatory for Approver and Publisher roles. Roadmap
- Session management. Current sessions are stateless JWT-equivalent. Session revocation on role change or termination is part of the auth milestone.
- Password policy. Enforced minimum entropy, bcrypt hashing at storage. No plaintext credential storage at any layer.
Network security
- All traffic over HTTPS/TLS 1.2+. HTTP requests are redirected to HTTPS.
- Database connections use TLS. The connection string is held in environment variables — not in source code or build artifacts.
- No inbound ports exposed other than HTTPS (443) and the Render health-check endpoint.
05 / Validation support
Validation support (IQ / OQ / PQ)
Veracore is designed to be validatable. The following documentation is available to customers for their own validation packages:
| Document | Description | Availability |
|---|---|---|
| Validation Plan template | Scope, approach, roles, and schedule for IQ/OQ/PQ execution in your environment. | Available on request |
| Installation Qualification (IQ) | Evidence that the system is installed and configured correctly. Includes system configuration baseline, environment variable manifest, and build version record. | Available on request |
| Operational Qualification (OQ) | Test scripts verifying that all functions operate within specified limits. Covers canonical record lifecycle, audit log writes, output generation, and hash verification. | Available on request |
| Performance Qualification (PQ) | Evidence that the system performs consistently in production with real product data. Protocol available; customer executes in their environment with their data. | Available on request |
| Traceability Matrix | Maps 21 CFR Part 11 and EU Annex 11 requirements to specific system functions and test cases. | Available on request |
| Change Control log | Git-tagged release history with per-release impact assessment. Provided as part of the re-qualification package for major releases. | Available on request |
To request validation documentation, contact security@veracore.io with your company name and the tier you are evaluating. Typical turnaround is 2 business days.
06 / Sub-processors & infrastructure
Sub-processors and infrastructure
| Sub-processor | Purpose | Data processed | Certifications | Region |
|---|---|---|---|---|
| Render render.com |
Application hosting and web serving | All application traffic; no persistent data storage | SOC 2 Type II | US East (Oregon). EU region available. |
| Neon neon.tech |
PostgreSQL database (all persistent data) | All product information, audit logs, version history | SOC 2 Type II | AWS us-east-2. AWS eu-central-1 available on request. |
| Polsia email proxy polsia.app |
Transactional email (demo request notifications to operator only) | Demo form data: company name, contact email, role | Polsia internal security controls | US |
Veracore does not use third-party analytics SaaS beyond a first-party Polsia analytics beacon (no personal data — anonymous visitor ID only). No product information data is transmitted to any analytics service.
This list is maintained and updated when sub-processors are added or removed. Customers on enterprise agreements will receive 30 days' notice of material sub-processor changes.
07 / Status & disclosures
Honest status: GA vs. roadmap
The table below is a direct summary. Items marked Roadmap are not available today. Do not rely on them in your current validation or purchasing decision without explicit written confirmation of delivery timeline.
| Capability | Status | Notes |
|---|---|---|
| Canonical SmPC record management | GA | Draft → Review → Published → Archived lifecycle, full section management. |
| Append-only audit log (SHA-256) | GA | Every action logged with hash, actor, timestamp. JSON export via API. |
| Section version history | GA | Complete text history for every section. Diff view available in product. |
| Deterministic output generation (EU ePI, US SPL, UK) | GA | Hash-verified. Same canonical input → same output, verifiable at any time. |
| Validation documentation (IQ/OQ/PQ, traceability matrix) | GA | Available on request. Not self-serve — contact security@veracore.io. |
| Audit log PDF export | Roadmap | JSON export available today. PDF in next release. |
| Role-based access control (Author / Reviewer / Approver / Publisher / Auditor) | Roadmap | Data model designed. API enforcement in next auth milestone. |
| SSO via SAML 2.0 / OIDC | Roadmap | Priority for Growth and Consultancy tiers. |
| MFA enforcement | Roadmap | Will be mandatory for Approver and Publisher roles. |
| Electronic signature binding (21 CFR Part 11 §11.50) | Roadmap | Approval actions are logged with actor and content hash today. PKI/hardware token binding on roadmap. |
| EU-region data residency (single-tenant) | Available on request | Requires configuration of your deployment. Contact security@veracore.io. |