cm.security/posture · GxP-grade

GxP-grade by design,
not by retrofit.

Audit trail, RBAC, MFA, separation of duties, and encryption are foundational architecture — not features you toggle on later. Inspection-readiness is the default state.

§01 / 04 · topic: audit_trail · retention: 7y · model: append-only · tamper-evident

Append-only.
ALCOA+. 7-year retention.

Every GxP-relevant action is recorded as an immutable audit entry: actor, timestamp with timezone, previous vs new values, reason, and study/site/subject context. Storage is tamper-evident. AI actors are distinguishable from human actors in every row.

audit/principles · ICH E6(R3) mapping · 9 / 9 implemented · verified per release
cm-audit // ALCOA+_matrix · standard: ICH E6(R3) · verified: 2026-05-13 · aligned
A · Attributable: Every action carries actor_id, role, and origin (human / agent / system). → audit.actor_id NOT NULL
L · Legible: Stored as structured JSON with human-readable previous/new value diffs. → JSON + PDF export
C · Contemporaneous: Recorded synchronously with the source transaction. No deferred audit batches. → in-transaction insert
O · Original: Source record preserved; updates land as new audit rows, never overwrites. → append-only DDL
A · Accurate: Type-checked previous/new values; reason field required for sensitive fields. → schema-enforced
C · Complete: Every GxP-relevant module emits to one trail. No exempt modules. → 12 / 12 modules
C · Consistent: Single audit schema platform-wide. One actor_id namespace. → single source
E · Enduring: 7-year retention minimum. Backups encrypted independently. → S3 + KMS rotation
A · Available: Searchable by study / subject / user / record / event / date. Inspection-ready export. → <5min query · <2min export
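An added example, not ClinMaker's own DDL, of what "append-only DDL", "in-transaction insert", the actor_id NOT NULL rule and a tamper-evident trail look like in PostgreSQL (the database named in §03). The schema, table, column and role names (audit.entry, app_role, ecrf.vitals) and the hash-chain construction are assumptions.

```sql
-- Added example, not ClinMaker's DDL: append-only, tamper-evident audit trail.
CREATE SCHEMA IF NOT EXISTS audit;
CREATE TABLE audit.entry (
  entry_id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  actor_id       text NOT NULL,                                    -- Attributable
  actor_role     text NOT NULL,
  origin         text NOT NULL CHECK (origin IN ('human', 'agent', 'system')), -- AI vs human
  recorded_at    timestamptz NOT NULL DEFAULT now(),                -- timezone-aware
  study_id       text NOT NULL, site_id text, subject_id text,      -- context
  record_table   text NOT NULL, record_id text NOT NULL,
  action         text NOT NULL CHECK (action IN ('create', 'update', 'delete', 'approve')),
  previous_value jsonb, new_value jsonb,                            -- Legible diff
  reason         text,
  prev_hash      text, row_hash text,                               -- tamper-evident chain
  CONSTRAINT reason_required CHECK (action = 'create' OR reason IS NOT NULL) -- Accurate
);

-- Each new row hashes its content together with the previous row's hash, so a row
-- altered or removed later no longer matches what its successor committed to.
-- (Concurrent writers must serialise on this lookup, e.g. with an advisory lock.)
CREATE OR REPLACE FUNCTION audit.chain_hash() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  SELECT row_hash INTO NEW.prev_hash FROM audit.entry ORDER BY entry_id DESC LIMIT 1;
  NEW.row_hash := encode(sha256(convert_to(
    coalesce(NEW.prev_hash, '') || NEW.actor_id || NEW.origin || NEW.recorded_at::text ||
    NEW.record_table || NEW.record_id || NEW.action ||
    coalesce(NEW.previous_value::text, '') || coalesce(NEW.new_value::text, ''), 'UTF8')), 'hex');
  RETURN NEW;
END $$;
CREATE TRIGGER audit_entry_chain BEFORE INSERT ON audit.entry
  FOR EACH ROW EXECUTE FUNCTION audit.chain_hash();

-- Original / Enduring: history is never rewritten, not even by the application role.
CREATE OR REPLACE FUNCTION audit.block_mutation() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN RAISE EXCEPTION 'audit.entry is append-only (% rejected)', TG_OP; END $$;
CREATE TRIGGER audit_entry_immutable BEFORE UPDATE OR DELETE ON audit.entry
  FOR EACH ROW EXECUTE FUNCTION audit.block_mutation();
REVOKE ALL ON audit.entry FROM PUBLIC, app_role;   -- app_role is an assumed, pre-existing role
GRANT INSERT, SELECT ON audit.entry TO app_role;   -- insert and read only, never update/delete

-- Contemporaneous: the audit row is written in the same transaction as the change.
BEGIN;
UPDATE ecrf.vitals SET systolic = 128 WHERE subject_id = 'S-0042' AND visit = 'V2';  -- assumed table
INSERT INTO audit.entry (actor_id, actor_role, origin, study_id, site_id, subject_id,
                         record_table, record_id, action, previous_value, new_value, reason)
VALUES ('u-1187', 'CRA', 'human', 'STUDY-01', 'SITE-07', 'S-0042',
        'ecrf.vitals', 'S-0042/V2', 'update', '{"systolic": 182}', '{"systolic": 128}',
        'Transcription error corrected against source document');
COMMIT;
```

The trigger and REVOKE stop the application role; a periodic job that recomputes the chain from entry_id 1 and reports the first row whose row_hash no longer matches is what makes a table-owner or superuser edit visible.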
§02 / 04 · topic: access_control · roles: 11 predefined · MFA: required for all

RBAC. MFA.
Separation of duties.

Unique user accounts — no shared logins, ever. Eleven predefined roles with fine-grained permissions per module, per data domain, per blinding scope. Conflicting roles cannot stack on a single user. The user who creates a record cannot approve it.

access/policy · policy version: v4.2 · SoD enforced at permission layer · audited per change
cm-access // authentication_stack · session timeout: 30m · lockout: 5 attempts · enforced
Layer       | Detail                                                                                          | Status
identity    | Email, user-ID, or phone · password + OTP · OTP-only where policy permits                        | required
2nd factor  | OTP via email · SMS · authenticator app · random · single-use · time-limited · rate-limited      | required
SSO (opt-in)| SAML 2.0 + OIDC · Okta · Azure AD · Ping · custom IdP                                           | supported
RBAC        | 11 predefined roles · fine-grained per module × data domain × blinding scope · extendable per sponsor | enforced
SoD         | Separation of duties · creator ≠ approver · coder ≠ QC · blocked at the permission layer         | enforced
onboarding  | Training-gated · approval workflow · effective-dated role changes · periodic access reviews      | audited
offboarding | Immediate revocation · session invalidation · bulk operations preserve individual auditability   | immediate
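An added example, not ClinMaker's own schema, of the two separation-of-duties rules above (conflicting roles cannot stack on one user; the creator of a record cannot approve it) enforced at the permission layer in PostgreSQL rather than in application code. Table, column and role names (app_user_role, role_conflict, crf_record, data_entry, approver) are assumptions.

```sql
-- Added example, not ClinMaker's schema: SoD rules enforced by the database itself.
CREATE TABLE app_user_role (
  user_id text NOT NULL, role text NOT NULL,
  PRIMARY KEY (user_id, role)
);
-- Conflicting role pairs, stored once per pair: creator vs approver, coder vs QC.
CREATE TABLE role_conflict (role_a text, role_b text, PRIMARY KEY (role_a, role_b));
INSERT INTO role_conflict VALUES ('data_entry', 'approver'), ('medical_coder', 'coding_qc');

-- Rule 1: conflicting roles cannot stack on a single user.
CREATE OR REPLACE FUNCTION reject_role_conflict() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF EXISTS (SELECT 1 FROM app_user_role u JOIN role_conflict c
               ON (c.role_a = u.role AND c.role_b = NEW.role)
               OR (c.role_b = u.role AND c.role_a = NEW.role)
             WHERE u.user_id = NEW.user_id) THEN
    RAISE EXCEPTION 'SoD: role % conflicts with an existing role of user %', NEW.role, NEW.user_id;
  END IF;
  RETURN NEW;
END $$;
CREATE TRIGGER user_role_sod BEFORE INSERT OR UPDATE ON app_user_role
  FOR EACH ROW EXECUTE FUNCTION reject_role_conflict();

-- Rule 2: the user who creates a record cannot approve it, and only approvers may approve.
CREATE TABLE crf_record (
  record_id   text PRIMARY KEY,
  created_by  text NOT NULL,
  approved_by text,
  CONSTRAINT creator_is_not_approver CHECK (approved_by IS NULL OR approved_by <> created_by)
);
CREATE OR REPLACE FUNCTION require_approver_role() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  IF NEW.approved_by IS NOT NULL AND NOT EXISTS
     (SELECT 1 FROM app_user_role WHERE user_id = NEW.approved_by AND role = 'approver') THEN
    RAISE EXCEPTION 'SoD: user % does not hold the approver role', NEW.approved_by;
  END IF;
  RETURN NEW;
END $$;
CREATE TRIGGER crf_record_approver BEFORE INSERT OR UPDATE OF approved_by ON crf_record
  FOR EACH ROW EXECUTE FUNCTION require_approver_role();

-- Walk-through (constructed users): u-1187 enters data, u-2044 approves.
INSERT INTO app_user_role VALUES ('u-1187', 'data_entry'), ('u-2044', 'approver');
INSERT INTO app_user_role VALUES ('u-1187', 'approver');               -- ERROR: role conflict
INSERT INTO crf_record VALUES ('R-1', 'u-1187', NULL);
UPDATE crf_record SET approved_by = 'u-1187' WHERE record_id = 'R-1';  -- ERROR: creator = approver
UPDATE crf_record SET approved_by = 'u-2044' WHERE record_id = 'R-1';  -- accepted
```

Because both rules live in constraints and triggers, every code path (UI, API, bulk import, support tooling) hits the same check, and each rejection surfaces as a database error that the audit trail can record.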
§03 / 04 · topic: infrastructure · tenant model: shared + dedicated · encryption: TLS 1.3 + AES-256-GCM

Encrypted in transit.
At rest. Between modules.

AWS hosting in the US region. EC2 + RDS Postgres + S3 + CloudFront in a private VPC. Bastion-only SSH. Container images scanned on every build. Three environments (DEV / SANDBOX / PROD) with separate databases, separate keys, separate logging. Production deploys are user-authorised.

infra/topology · AWS · us-east · 3 environments · tenant: shared (default)
cm-infra // stack · region: us-east-1 · EU / APAC: on Enterprise · healthy
Layer         | Detail                                                                                           | Status
transport     | TLS 1.3 · HSTS · ECDHE-RSA-AES256-GCM-SHA384 preferred · A+ rating                                | enforced
storage       | AES-256-GCM at rest · KMS rotation per sponsor policy · backups encrypted with separate keys      | enforced
database      | RDS PostgreSQL · row-level blinding enforced at the repository layer · optional segregated-storage mode | enforced
network       | Private VPC · bastion-only SSH · no inbound internet to RDS · WAF + Shield                       | isolated
tenancy       | Shared on Pilot/Sponsor · dedicated AWS account on Enterprise · BYO-KMS                          | tiered
environments  | DEV / SANDBOX / PROD separate · tag-gated promotion · production deploys user-authorised          | three
observability | Structured logs · request tracing · real-time error alerts · on-call diagnostics without SSH      | live
GDPR          | Pseudonymization workflow · dual sign-off (DPO + QA) · deterministic hashing of PII               | supported
§04 / 04 · topic: validation_evidence · refresh: per-release · scope: URS Pack · IQ/OQ/PQ

Inspection-ready,
out of the box.

Validation deliverables are generated from the same source of truth as the code: User Requirements, Functional Requirements, Validation Plan, Risk Assessment, IQ/OQ/PQ scripts, Traceability Matrix. Refreshed on every release. Shipped under NDA.

validation/pack · deliverables: 8 · refresh: per release · format: PDF + Word
cm-validation // URS_pack · release: v0.5.43 · generated: 2026-05-13 · current
User Requirements Specification (URS-PACK · pdf + docx): Sponsor-facing requirements organized by module. URS-XX-NNN identifier scheme. ~340 requirements at v0.5.43.
Functional Requirements Specification (FRS · pdf + docx): Engineering-facing specs traced 1:1 to URS. FRS-XX-NNN. Linked to test scripts.
Validation Plan (VP-v4.2 · pdf): Scope, approach, deliverables, roles. Aligned to 21 CFR Part 11 + Annex 11 + ICH E6(R3).
Risk Assessment (RA · xlsx): Module-by-module risk scoring · controls matrix · residual risk register.
IQ / OQ / PQ Scripts (IQOQPQ · pdf + xlsx): Installation, operational, and performance qualification scripts. Executed evidence per release.
Traceability Matrix (TM · xlsx + JSON): URS → FRS → test → executed-evidence → release. Fully linked, exportable in machine-readable form.
Audit-trail sample export (SAMPLE · pdf + json): Anonymised example of the audit-trail JSON + PDF export for inspection / vendor assessment.
Security one-pager (SEC · pdf): Posture summary: encryption, tenancy, RBAC, MFA, retention. Suitable for procurement.
release: v0.5.43 · refresh cadence: per release · distribution: under NDA · format: PDF + Word + Excel + JSON · request → security@clinmaker.com

Want our posture
in writing?

We'll send the URS Pack, a security one-pager, and a sample audit-trail export — all under NDA, within one business day.

Talk to us, or email security@clinmaker.com.