TestLedger is documentation infrastructure software. Compliance with specific regulations (FDA, CLIA, HIPAA, etc.) depends on your organization's implementation, policies, and use case. TestLedger is designed to support compliance requirements but does not itself confer regulatory compliance. Consult with your quality and regulatory affairs teams before deployment in regulated environments.
Security Architecture
TestLedger is built with security principles appropriate for regulated environments. Our architecture addresses data integrity, access control, and audit requirements.
| Control | Status | Detail |
|---|---|---|
| Encryption at Rest | Implemented | AES-256 for all stored data via AWS S3 server-side encryption |
| Encryption in Transit | Implemented | TLS 1.3 for all data transmission between client and server |
| Cryptographic Hashing | Implemented | SHA-256 digest generated for each record for integrity verification |
| Immutable Storage | Implemented | AWS S3 Object Lock in Compliance Mode: a locked object version cannot be overwritten or deleted by any user, including the AWS account root user, until its retention period expires |
| Authentication | Q2 2026 | AWS Cognito with MFA support; SSO/SAML integration for enterprise |
| Role-Based Access Control | Q2 2026 | Granular permissions for operators, reviewers, witnesses, and administrators |
Data Residency
All customer data is stored in AWS US regions (us-west-2 by default). Enterprise customers may request specific region deployment for data sovereignty requirements.
Data Retention
Sealed records are retained according to your organization's configured retention policy. Default retention is 7 years, aligned with common regulatory requirements. Records under legal hold or regulatory retention cannot be deleted regardless of policy settings. Because an Object Lock Compliance Mode retention period can be extended but never shortened once applied, choose the retention period deliberately before records are sealed.
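The two controls above that a practitioner will most want to see concretely are record integrity hashing and the retention/legal-hold rule. The following is an added illustration, not TestLedger's code: it seals a constructed sample record with SHA-256 over a canonical JSON serialization, verifies it with a constant-time comparison, and applies the stated retention semantics (no deletion before the retention period elapses, never while on legal hold). The record shape, field names and the `retention_years` parameter are assumptions for the example.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed sample record for this example; not a TestLedger record.
# Field names are hypothetical.
SAMPLE_RECORD = {
    "record_id": "LAB-0001",
    "operator": "jdoe",
    "sealed_at": "2025-01-15T10:32:00+00:00",
    "result": {"analyte": "glucose", "value": 5.4, "unit": "mmol/L"},
}


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization so the same logical record always hashes
    the same way: sorted keys, no insignificant whitespace, UTF-8 bytes.
    Without this step, a harmless re-serialization would look like tampering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(record: dict) -> str:
    """SHA-256 digest (hex) of the canonical form, stored alongside the record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify(record: dict, expected_digest: str) -> bool:
    """Recompute the digest and compare in constant time, so the comparison
    does not leak how many leading characters matched."""
    return hmac.compare_digest(seal(record), expected_digest)


def deletion_allowed(record: dict, retention_years: int, legal_hold: bool,
                     now: datetime) -> bool:
    """Retention rule as stated on this page: deletion only after the retention
    period has elapsed, and never while the record is on legal hold. With S3
    Object Lock in Compliance Mode the storage layer enforces the same rule."""
    if legal_hold:
        return False
    sealed_at = datetime.fromisoformat(record["sealed_at"])
    try:
        retain_until = sealed_at.replace(year=sealed_at.year + retention_years)
    except ValueError:  # sealed on 29 February: roll forward to 1 March
        retain_until = sealed_at.replace(year=sealed_at.year + retention_years,
                                         month=3, day=1)
    return now >= retain_until


def demo() -> dict:
    """Exercise the checks on the sample record and return the outcomes."""
    digest = seal(SAMPLE_RECORD)

    # Same content, different key order: canonicalization yields the same digest.
    reordered = dict(reversed(list(SAMPLE_RECORD.items())))

    # A change to one nested value changes the digest.
    tampered = copy.deepcopy(SAMPLE_RECORD)
    tampered["result"]["value"] = 6.4

    sealed_at = datetime.fromisoformat(SAMPLE_RECORD["sealed_at"])
    after_seven_years = sealed_at + timedelta(days=7 * 366)
    after_one_year = sealed_at + timedelta(days=365)
    return {
        "digest": digest,
        "reordered_verifies": verify(reordered, digest),
        "tampered_verifies": verify(tampered, digest),
        "delete_after_7y": deletion_allowed(SAMPLE_RECORD, 7, False, after_seven_years),
        "delete_under_hold": deletion_allowed(SAMPLE_RECORD, 7, True, after_seven_years),
        "delete_early": deletion_allowed(SAMPLE_RECORD, 7, False, after_one_year),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The canonicalization step is the part most often skipped in home-grown integrity checks; a digest over whatever bytes happened to be serialized first will fail verification after any innocent reformatting, which trains operators to ignore failures.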
Regulatory Framework Alignment
TestLedger's architecture is designed to support organizations operating under various regulatory frameworks. The table below maps our capabilities to specific regulatory requirements.
We use precise language intentionally. "Designed to support" means our architecture provides the technical foundation for compliance. Achieving compliance requires your organization's procedural controls, validation, and documentation beyond our software. Note in particular that 21 CFR 11.200 requires non-biometric electronic signatures to use at least two distinct identification components, and 11.70 requires signatures to be linked to their records, so the attestation workflow relies on the authentication and access controls scheduled for Q2 2026.
| Regulation | Requirement | TestLedger Capability | Status |
|---|---|---|---|
| FDA 21 CFR Part 11 (FDA Guidance) | Electronic records, audit trails | Immutable audit trail, timestamped entries, user attribution | Implemented |
| FDA 21 CFR Part 11 | Electronic signatures | Attestation workflow with operator/reviewer/witness capture | Implemented |
| FDA 21 CFR Part 11 | Closed system controls | Authentication, access controls, session management | Q2 2026 |
| CLIA (CMS CLIA) | Test result documentation | Structured data capture, evidence attachment, chain of custody | Implemented |
| CLIA | Record retention (2 years minimum) | Configurable retention, immutable storage, export capability | Implemented |
| ISO 13485:2016 (ISO Standard) | Document control | Version tracking, change attribution, supersession workflow | Implemented |
| DOT 49 CFR Part 40 (eCFR) | Drug testing documentation | Chain of custody, collector attestation, MRO review workflow | Implemented |
| HIPAA Security Rule (HHS Guidance) | Technical safeguards | Encryption, access controls, audit logs | Q2 2026 |
| HIPAA | Business Associate Agreement | BAA available for Audit-Ready tier customers | Q2 2026 |
Third-Party Validation
We believe in independent verification of security claims. Below is our current and planned third-party validation status.
| Validation | Target | Scope |
|---|---|---|
| SOC 2 Type II | Q3 2026 | Security, availability, and confidentiality audit scheduled |
| Penetration Testing | Q2 2026 | Independent security assessment prior to enterprise release |
| ISO 27001 | 2027 | Information security management certification planned |
| HIPAA Assessment | Q3 2026 | Third-party HIPAA readiness assessment |
We will publish SOC 2 reports and penetration testing summaries to qualified prospects under NDA. We do not overstate our current compliance posture. Items marked with a future date (Q2 2026, Q3 2026, 2027) are planned and not yet completed.
What We Don't Claim
Honest communication about our current state is essential for regulated environments. Here's what we explicitly do not claim:
- We are not "FDA-approved" or "FDA-cleared." TestLedger is documentation software, not a medical device. It does not require 510(k) clearance.
- We are not "HIPAA-certified." There is no such certification. We are building toward HIPAA-readiness for covered entities.
- We do not guarantee regulatory compliance. Compliance depends on your organization's implementation, SOPs, and validation activities.
- We have not completed a SOC 2 audit. This is planned for Q3 2026. We will update this page when it is completed.
- We do not currently support 21 CFR Part 11 closed system controls. Full authentication and access control features are planned for Q2 2026.
Shared Responsibility Model
Compliance in regulated environments is a shared responsibility between TestLedger and your organization.
TestLedger Provides:
- Secure, immutable storage infrastructure
- Cryptographic integrity verification
- Audit trail generation and retention
- Encrypted data transmission and storage
- Platform availability and disaster recovery
Your Organization Provides:
- User access management and credential security
- Standard Operating Procedures (SOPs) for system use
- Training and competency verification for operators
- Validation documentation (IQ/OQ/PQ if required)
- Periodic access reviews and user deprovisioning
- Incident response procedures
- Regulatory submissions and correspondence
Security Questions?
For security inquiries, compliance documentation requests, or to report a vulnerability:
[email protected]