Security & Trust

Your Lab Data Is Safe With Us

AI Lab Services is built for regulated laboratories that cannot afford data breaches, compliance gaps, or unauthorized access. Security is not a feature — it is the foundation.

AES-256-GCM

Encryption Standard

SHA-256

COA Integrity Hash

Isolated

Database Per Lab

5-Year

Audit Log Retention

COA Immutability Guarantee

Once issued, a COA cannot be edited or re-issued by anyone — including platform administrators.

Immutability is enforced at the data layer, not by policy. There is no admin override, no back-door edit endpoint, and no soft-delete. Every issued COA carries a SHA-256 integrity hash verified on every download — if a single byte changes, the check fails. Auditors can verify this independently.

SHA-256 integrity hash

Computed at issue time, re-verified on every PDF download via the /integrity-check endpoint.

No re-issue, no edit

Issued COAs are write-locked at the database level. Status can only move to corrected — never overwritten.

Full audit chain

Every view, download, and verification attempt is logged with user, IP, and timestamp — including platform staff.

COA detail — AI QC Compliance Check Pass badge, 13 test results, SHA-256 hash locked, no edit controls visible
Issued COA — AI QC Pass, ISO/IEC 17025:2017 · FDA FSMA · AOAC compliant. SHA-256 locked. No edit controls. Not even for platform admins.

Ten Layers of Protection

Built from the ground up for labs that operate under accreditation, regulatory oversight, or enterprise procurement requirements.

Isolated Database Per Lab

Your data never shares a table with another lab

  • Every lab tenant receives a dedicated, isolated database instance
  • No shared tables — cross-tenant data access is architecturally impossible
  • Platform infrastructure (billing, accounts) is fully separated from your lab data
  • Your data stays yours — we cannot access it without your explicit authorization

Encryption Everywhere

At rest and in transit, always

  • AES-256-GCM encryption for all sensitive data stored in the platform
  • TLS encryption for all data in transit — no unencrypted communication
  • Credentials, connection strings, and integration secrets encrypted individually
  • Tamper detection built into every encrypted record

Role-Based Access Control

The right people see the right things

  • Four role tiers: Admin, Manager, Technician, and Read-Only
  • Every action in the platform requires the appropriate role — enforced at the API level
  • Module-level licensing gates access to COC, COA, QMS, Equipment, and API features
  • Client portal runs on a separate authentication track with its own credentials

Immutable Audit Trail

5-year tamper-evident log of every action

  • Every login, data change, approval, and export is permanently logged
  • Logs capture: user, IP address, timestamp, action, and affected record
  • Suspicious activity detection flags critical events automatically
  • PDF audit export available for inspections and regulatory submissions
  • Retained automatically for 5 years — no manual archiving required

Secure Authentication & MFA

Multiple layers to stop unauthorized access

  • TOTP-based two-factor authentication — works with Google Authenticator, Authy, and any standard authenticator app
  • Admin-configurable 2FA policy — enforce MFA for all users or admin accounts only from the Security settings
  • Single-use backup codes for 2FA recovery — emergency access when your device is unavailable
  • Admin 2FA reset — account admins can unlock a team member's 2FA, fully logged to the audit trail
  • Short-lived access tokens that automatically expire — limiting exposure if compromised
  • Rotating refresh tokens — each session renewal invalidates the previous token
  • All passwords hashed with industry-standard bcrypt — never stored in plain text
  • Password complexity enforced — uppercase, lowercase, number, and special character required
  • 90-day password expiry — flagged in the 21 CFR readiness assessment
  • Account lockout after 5 failed attempts — 15-minute lock with critical audit event
  • Re-authentication required before signing critical records (COA issue, SOP sign-off, COC acceptance)
  • 30-minute idle session timeout — automatic logout with on-screen notice
  • Cryptographic hash on every issued COA — tamper detection via integrity check endpoint
  • Issued COAs are write-locked at the database level — no edit or re-issue is possible by any user, including platform administrators
  • Password change and reset immediately revoke all active sessions
  • Generic error responses prevent account enumeration attacks

Data Sovereignty & Retention

Your data, your rules

  • You own your data — it is never used for training, analytics, or shared with third parties
  • Configurable retention periods to match your accreditation requirements (default 7 years)
  • Full data export available at any time in standard formats
  • On cancellation, your data is retained for 30 days then securely deleted on request

Built-in Legal Agreements & E-Signature

Vendor compliance handled on day one

  • Data Processing Agreement (DPA) signed electronically during account setup — no back-and-forth required
  • HIPAA Business Associate Agreement (BAA) available for clinical labs handling patient data
  • Every signature is recorded with signer name, title, IP address, and timestamp for your audit records
  • Signed agreements are permanently stored in your account — viewable and printable at any time
  • SaaS Agreement and Service Level Agreement available for enterprise procurement requirements

Continuous Platform Verification

Every module tested end-to-end, automatically

  • End-to-end health checks run across every platform module — COC, COA, QMS, 2FA, equipment, integrations, and more
  • Cryptographic COA integrity is re-verified automatically on every run to catch tampering or regression
  • Health score is mathematically honest — any test failure prevents a clean score, full stop
  • Tests run in isolated environments using ephemeral tenants — your live lab data is never touched
  • Pass/fail results and the health score are reviewed by the platform team before any release

Adversarial Security Testing

Not just "does it work" — "can it be broken"

  • Dedicated adversarial test suite runs injection attempts, SSRF probes, and privilege-escalation attacks against the live API
  • NoSQL injection, XSS payloads, and oversized inputs are sent to every major endpoint and verified to be rejected safely
  • SSRF protection is tested by pointing integration connectors at private IPs and cloud metadata addresses — all must be blocked
  • Separation of duties is verified: SOP authors cannot sign as their own reviewer or approver
  • Race condition tests confirm backup codes cannot be double-redeemed via concurrent requests
  • Mass assignment tests verify that fields like role, tenantId, and signature hash cannot be overwritten via PATCH
  • These tests run alongside functional tests every release — security regressions are caught before they ship

EU AI Act Compliance

Articles 9–17 mapped to AILS controls — automated gap assessment included

  • Automated EU AI Act compliance assessment maps 9 articles to AILS platform controls
  • Article 9 (Risk Management): Risk Register and CAPA module provide documented lifecycle risk management
  • Article 14 (Human Oversight): Re-authentication on COA signing, manager override with re-auth, and RBAC-enforced issuance gate
  • Article 15 (Cybersecurity): AES-256-GCM encryption, TOTP 2FA, and 811 automated tests including adversarial scenarios
  • Article 17 (QMS): Full quality management system covers CAPA, audits, deviations, training, risk, and proficiency testing
  • Article 27 (FRIA): GDPR Data Minimisation Reviewer Agent and EU DPA with SCC-2021 for EU deployments
  • EU tenants can run an automated compliance assessment and download a regulator-ready PDF report from their dashboard
COA integrity flow diagram — from sample intake through issuance to SHA-256 hash verification
COA integrity flow — every step from sample intake through AI QC review to issuance and cryptographic hash verification.
Compliance Architecture

9 Compliance Systems — Built Into the Architecture

AI governance boundary, CAPA escalation lifecycle, training enforcement, EMR roundtrip, multi-site onboarding, audit reconstruction, ISO/IEC 17065 framework, 21 CFR Part 11 enforcement map, and COA integrity verification — all enforced at the architecture layer.

Compliance architecture — 9 panels: AI Governance Boundary Flow, CAPA Escalation Lifecycle, Training Enforcement Lifecycle, EMR to COA to EPIC Roundtrip, Multi-Site Onboarding Flow, Audit Reconstruction Flow, ISO/IEC 17065 Compliance Framework, 21 CFR Part 11 Enforcement Map, COA Integrity Verification Flow
Compliance by architecture, not configuration. Every flow shown is enforced at the platform level — immutable, verifiable, and auditable at every step.
Enterprise Compliance

Compliance Built In — Not Bolted On

Compliance frameworks and architecture-layer controls, all enforced by design. Enterprise-grade. Architecturally enforced. Always audit-ready.

14 Compliance Systems

21 CFR Part 11
Electronic records & e-signatures
FDA 21 CFR Part 211 / GMP
Pharmaceutical manufacturing
ISO/IEC 17025
Testing & calibration labs
GLP / GMP / cGMP
Good practice standards
SQF 9.0 / HACCP / FSMA
Food safety
CLIA (42 CFR 493)
Clinical laboratories
HIPAA / HITECH
Health data privacy
PIPEDA
Canadian privacy law
SOC 2 Type II
Security controls (on request)
EU AI Act
Articles 9–17, FRIA Art. 27
ISO 9001
Quality management systems
ISO/IEC 17065
Product certification bodies
ISO/IEC 17020
Inspection bodies
ISO 37001
Anti-bribery management

Built Into the Architecture

  • AI governance boundary — agents operate within enforced limits
  • CAPA escalation lifecycle — issues escalate automatically
  • Training enforcement — expired training hard-blocks access
  • EMR roundtrip — certified electronic data exchange
  • Multi-site onboarding — governed, scalable by design
  • Audit reconstruction — replay any event, any record
  • ISO/IEC 17065 framework — certification-body operations
  • 21 CFR Part 11 enforcement — mapped to platform controls
  • COA integrity verification — architecturally impossible to alter an issued COA
Immutable by Design
Verifiable
Audit-Ready
Court-Defensible

Every compliance framework is mapped to a platform-layer control — not a policy document. Immutable. Verifiable. Audit-ready from day one. Compliance support varies by module and plan — contact us to discuss your specific requirements.

Security FAQs

The questions procurement and compliance teams ask most.

Can another lab see my data?

No. Every lab on AI Lab Services has its own isolated database. Cross-tenant data access is not possible by design — not just by policy.

Who at AI Lab Services can access my lab data?

No one without your explicit authorization. Our staff cannot access your lab database without a request from your account administrator. All such access is logged.

What happens to my data if I cancel?

Your data remains accessible for 30 days after cancellation. You can export everything in standard formats at any time. After 30 days, your data is securely deleted upon request.

Do you offer a Data Processing Agreement (DPA)?

Yes — and you don't need to ask for it. Every new account signs a DPA electronically during the setup wizard. The signed copy is stored in your account with a full audit record (signer name, IP, timestamp) that you can view and print at any time.

Do you offer a HIPAA Business Associate Agreement (BAA)?

Yes. Clinical labs and any lab handling patient-linked data can sign a BAA during account setup or on request afterward. The BAA is signed electronically and stored permanently in your account. Contact us if you need a countersigned copy for your own records.

Is the platform audit-ready for an FDA inspection?

Yes — and we give you the documentation to prove it. The 21 CFR Readiness Assessment is an AI-powered audit that analyzes your live system data across 10 21 CFR Part 11 categories and returns a scored, printable report with specific findings and recommendations. The Vendor Validation Package (VVP) is a pre-built IQ/OQ/PQ bundle — including a Requirements Traceability Matrix, executed test cases, PQ templates, and a §11.100(c) electronic signature declaration — that you can drop directly into your Computer System Validation binder. Both are available on the 21 CFR module.

What infrastructure does AI Lab Services run on?

The application layer runs on Railway infrastructure in North America. The database layer uses MongoDB Atlas with AES-256-GCM encryption at rest. Document storage uses your choice of S3-compatible provider — AWS S3, Backblaze B2, or your own bucket. Standard deployments keep all data in North America; EU database residency (Frankfurt MongoDB Atlas region) is available on enterprise deployment. Full architecture documentation is available for enterprise procurement — contact us.

Where is my data hosted?

On standard deployments, all data — databases, documents, and audit logs — is hosted and processed in North America (MongoDB Atlas and Railway, US/Canada region). For EU customers on enterprise deployment, EU database residency in the Frankfurt MongoDB Atlas region is available, backed by a signed EU DPA incorporating SCC-2021. We do not use data centers outside these regions.

Does the platform test for attacks, not just correct behavior?

Yes. Every release runs an adversarial test suite that sends injection payloads, probes SSRF protections, tests concurrent race conditions on backup codes, and verifies privilege-escalation attempts are blocked. These run alongside functional tests so security regressions are caught before they ship — not after.

Has the platform been through an independent penetration test?

We run an extensive automated adversarial test suite on every release covering injection, SSRF, mass assignment, separation-of-duties, and race conditions. A formal third-party penetration test is on our roadmap as we scale into enterprise procurement. In the meantime, the adversarial test results are available on request.

Post-Quantum Cryptography

Quantum Readiness

AILS tracks NIST PQC readiness across every infrastructure vendor — hosting, database, AI, auth, CDN — and generates a signed Quantum Posture Report for procurement teams.

AILS Quantum Readiness — NIST PQC vendor tracking across infrastructure stack
Enterprise Architecture

Global Multi-Site Deployment

Per-tenant database isolation across jurisdictions. EU data residency available on enterprise deployment. GDPR-ready. Every site governed independently, every audit trail separate.

AILS global multi-site architecture — per-tenant DB isolation across jurisdictions

Compliance Ready From Day One

Your DPA is signed during account setup. BAA, SLA, and NDA are available on request.

SOC 2 Type II audit is in planning. SOC 2 security questionnaire responses, architecture diagram, and pen test summary are available for enterprise procurement teams under NDA — contact us.