Compliance

TrialSage is designed for 21 CFR Part 11 compliance from the ground up.

21 CFR Part 11

The FDA's regulation for electronic records and electronic signatures. TrialSage implements:

Audit Trail

Every data mutation is recorded in an append-only audit_events table:

  • Who — user ID, email, and full name (denormalized for permanence)
  • When — server-side timestamp
  • What — entity type, entity ID, event type (CREATE, UPDATE, DELETE, SIGN)
  • Changes — JSON diff of old and new values for each modified field
  • Checksum — SHA-256 hash chained to the previous event

The audit table is append-only at the PostgreSQL level: UPDATE and DELETE are revoked from every application role, so application code can only insert. REVOKE does not bind a superuser or the table owner, so the table is tamper-evident rather than tamper-proof: anyone who edits or removes an existing row breaks the checksum chain, and the break is reported by verifyAuditChain().

Checksum Chain

Each audit event's checksum is computed over the event's own fields plus the previous event's checksum, so the table forms a hash chain (blockchain-like, but with a single writer and no consensus). Modifying, deleting or reordering any record changes the value that every later record depends on, and verifyAuditChain() reports the first link that no longer matches. The chain only proves integrity back to whichever checksum the verifier trusts, so the newest checksum should be copied periodically to a place the database administrator cannot write (a WORM bucket or a signed external log); otherwise an attacker with full database access could rewrite the history and recompute the whole chain.
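To make the audit trail and the checksum chain concrete, here is an added example; it is not TrialSage's own schema or code, and the table, column, role and function names (including verify_audit_chain as a SQL counterpart of the verifyAuditChain() mentioned above) are assumptions. It builds the chain in a BEFORE INSERT trigger rather than in application code, so an insert that bypasses the API is still chained, and it targets PostgreSQL 11 or later, which has a builtin sha256().

```sql
-- Added example (not TrialSage's own schema): an audit table whose hash chain
-- is built by a trigger inside PostgreSQL 11+. All names are assumptions.
CREATE TABLE audit_events (
    id            bigserial   PRIMARY KEY,
    tenant_id     uuid        NOT NULL,
    actor_id      uuid        NOT NULL,
    actor_email   text        NOT NULL,   -- denormalized: outlives the user row
    actor_name    text        NOT NULL,
    entity_type   text        NOT NULL,
    entity_id     uuid        NOT NULL,
    event_type    text        NOT NULL
                  CHECK (event_type IN ('CREATE', 'UPDATE', 'DELETE', 'SIGN')),
    changes       jsonb       NOT NULL DEFAULT '{}',  -- {"field": {"old": .., "new": ..}}
    occurred_at   timestamptz NOT NULL,               -- set by the trigger, never the client
    prev_checksum text        NOT NULL,
    checksum      text        NOT NULL
);

-- Canonical bytes to hash: previous checksum plus this row's content. jsonb
-- sorts keys and the timestamp is rendered in UTC, so the bytes can be
-- recomputed identically from any session later.
CREATE FUNCTION audit_event_payload(e audit_events) RETURNS bytea
LANGUAGE sql STABLE AS $$
    SELECT convert_to(e.prev_checksum || '|' || jsonb_build_object(
        'tenant_id', e.tenant_id, 'actor_id', e.actor_id,
        'actor_email', e.actor_email, 'actor_name', e.actor_name,
        'entity_type', e.entity_type, 'entity_id', e.entity_id,
        'event_type', e.event_type, 'changes', e.changes,
        'occurred_at', to_char(e.occurred_at AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US')
    )::text, 'UTF8')
$$;

CREATE FUNCTION audit_events_chain() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    -- Serialize inserters so two concurrent events cannot both link to the same
    -- predecessor and fork the chain; an advisory lock avoids the deadlock a
    -- table-level LOCK taken inside a trigger can cause.
    PERFORM pg_advisory_xact_lock(hashtext('audit_events_chain'));
    NEW.occurred_at := now();
    SELECT checksum INTO NEW.prev_checksum
      FROM audit_events ORDER BY id DESC LIMIT 1;
    IF NEW.prev_checksum IS NULL THEN
        NEW.prev_checksum := repeat('0', 64);   -- genesis link
    END IF;
    NEW.checksum := encode(sha256(audit_event_payload(NEW)), 'hex');
    RETURN NEW;
END $$;

CREATE TRIGGER audit_events_chain_trg BEFORE INSERT ON audit_events
    FOR EACH ROW EXECUTE FUNCTION audit_events_chain();

-- Append-only for application code. REVOKE does not bind the table owner or a
-- superuser, which is why the chain check below exists.
CREATE ROLE app_user NOLOGIN;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_events FROM app_user;
GRANT SELECT, INSERT ON audit_events TO app_user;

-- Walks the chain in id order and returns the first broken link, or no rows
-- when the chain is intact. Also compare the newest checksum with a copy held
-- outside this database, or a full rewrite of the chain goes unseen.
CREATE FUNCTION verify_audit_chain()
RETURNS TABLE (broken_id bigint, reason text)
LANGUAGE plpgsql AS $$
DECLARE
    e        audit_events;
    expected text := repeat('0', 64);
BEGIN
    FOR e IN SELECT * FROM audit_events ORDER BY id LOOP
        IF e.prev_checksum <> expected THEN
            broken_id := e.id; reason := 'link to previous event broken';
            RETURN NEXT; RETURN;
        END IF;
        IF e.checksum <> encode(sha256(audit_event_payload(e)), 'hex') THEN
            broken_id := e.id; reason := 'row content does not match its checksum';
            RETURN NEXT; RETURN;
        END IF;
        expected := e.checksum;
    END LOOP;
END $$;

-- Demonstration with constructed sample values: two chained events, a clean
-- verification, then an in-place edit by the table owner (whom REVOKE does
-- not stop) and a second verification.
INSERT INTO audit_events (tenant_id, actor_id, actor_email, actor_name,
                          entity_type, entity_id, event_type)
VALUES ('11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222',
        'cra@example.org', 'Example CRA', 'subject',
        '33333333-3333-3333-3333-333333333333', 'CREATE');
INSERT INTO audit_events (tenant_id, actor_id, actor_email, actor_name,
                          entity_type, entity_id, event_type, changes)
VALUES ('11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222',
        'cra@example.org', 'Example CRA', 'subject',
        '33333333-3333-3333-3333-333333333333', 'UPDATE',
        '{"status": {"old": "screening", "new": "enrolled"}}');
SELECT * FROM verify_audit_chain();
UPDATE audit_events
   SET changes = '{"status": {"old": "screening", "new": "withdrawn"}}'
 WHERE id = 2;
SELECT * FROM verify_audit_chain();
```

The first verification returns no rows; the second names row 2 with "row content does not match its checksum". Deleting row 1 instead would make row 2 fail on its prev_checksum link, because its stored predecessor hash no longer matches the genesis value the verifier expects. An attacker who can also run UPDATE can recompute every checksum from the edited row onward, which is why the newest checksum needs a home outside the database.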

Electronic Signatures (Coming Soon)

The electronic_signatures table is ready for:

  • Re-authentication before signing
  • Document hash at time of signature
  • Signature meaning (APPROVED, REVIEWED, AUTHORED, VERIFIED)
  • Signed records locked against modification

Multi-Tenant Isolation

Every table has a tenant_id column with PostgreSQL Row-Level Security policies:

  • Users can only see data belonging to their organization
  • Policies are enforced at the database level, so application code that forgets a WHERE tenant_id = ... clause still cannot read or write another tenant's rows. Two caveats: policies must be FORCEd to bind the table owner, and superusers, roles with BYPASSRLS and Supabase's service_role key bypass RLS entirely, so those credentials must never reach request-handling code
  • Role-based access: admin, study_manager, crc, cra, viewer
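An added example of tenant isolation with Row-Level Security, not TrialSage's own policies: the studies table, the tenant_app role, the app.tenant_id and app.user_role settings, and the per-role rules are assumptions for the demonstration, and it needs PostgreSQL 13 or later for the builtin gen_random_uuid(). It goes a little beyond the bullets above by also showing WITH CHECK on writes and the bypass cases.

```sql
-- Added example (not TrialSage's own policies) for PostgreSQL 13+. The table,
-- the tenant_app role, the app.* settings and the per-role rules are
-- assumptions; on Supabase the predicates would read auth.jwt() claims instead.
CREATE TABLE studies (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

-- The request handler sets these from the verified session. If it forgets,
-- both return NULL and every policy below fails closed: nothing is visible.
CREATE FUNCTION current_tenant_id() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;
CREATE FUNCTION current_app_role() RETURNS text LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.user_role', true), '')
$$;

ALTER TABLE studies ENABLE ROW LEVEL SECURITY;
ALTER TABLE studies FORCE ROW LEVEL SECURITY;   -- bind the table owner as well

-- USING filters the rows a command can see or touch; WITH CHECK vets the rows
-- it would write, so a buggy or tampered write cannot land in another tenant.
-- Role rules (viewer is read-only, only admin and study_manager delete) are
-- assumed for the demo.
CREATE POLICY studies_select ON studies FOR SELECT
    USING (tenant_id = current_tenant_id());
CREATE POLICY studies_insert ON studies FOR INSERT
    WITH CHECK (tenant_id = current_tenant_id() AND current_app_role() <> 'viewer');
CREATE POLICY studies_update ON studies FOR UPDATE
    USING (tenant_id = current_tenant_id() AND current_app_role() <> 'viewer')
    WITH CHECK (tenant_id = current_tenant_id());
CREATE POLICY studies_delete ON studies FOR DELETE
    USING (tenant_id = current_tenant_id()
           AND current_app_role() IN ('admin', 'study_manager'));

-- The application connects as an ordinary role. Superusers, roles with
-- BYPASSRLS and Supabase's service_role key skip policies entirely.
CREATE ROLE tenant_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON studies TO tenant_app;

-- Seed one study per tenant (constructed data) the way a non-superuser owner
-- would have to: under FORCE the owner also needs a tenant set.
SET app.user_role = 'admin';
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO studies (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A study');
SET app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO studies (tenant_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Tenant B study');

-- One request from a tenant-A CRC, deliberately written without any
-- WHERE tenant_id clause, followed by an explicit cross-tenant write.
BEGIN;
SET LOCAL ROLE tenant_app;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.user_role = 'crc';
SELECT title FROM studies;
UPDATE studies SET title = title || ' (amended)';
DELETE FROM studies;
INSERT INTO studies (tenant_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'written into tenant B');
ROLLBACK;
```

In the final transaction the SELECT returns only 'Tenant A study', the unqualified UPDATE touches exactly one row, the unqualified DELETE removes nothing because a crc is not allowed to delete, and the cross-tenant INSERT is rejected with "new row violates row-level security policy for table "studies"". The same script run as a superuser, or on Supabase with the service_role key, would see and modify both tenants, which is the practical reason those credentials stay out of request handlers.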

HIPAA Readiness

  • Supabase offers BAA (Business Associate Agreement) on paid plans
  • Azure Blob Storage with server-side encryption for clinical documents
  • All data encrypted in transit (HTTPS) and at rest