Your Lab Data Is Safe With Us
AI Lab Services is built for regulated laboratories that cannot afford data breaches, compliance gaps, or unauthorized access. Security is not a feature — it is the foundation.
AES-256-GCM
Encryption Standard
SHA-256
COA Integrity Hash
Isolated
Database Per Lab
5-Year
Audit Log Retention
Once issued, a COA cannot be edited or re-issued
by anyone — including platform administrators.
Immutability is enforced at the data layer, not by policy. There is no admin override, no back-door edit endpoint, and no soft-delete. Every issued COA carries a SHA-256 integrity hash verified on every download — if a single byte changes, the check fails. Auditors can verify this independently.
SHA-256 integrity hash
Computed at issue time, re-verified on every PDF download via the /integrity-check endpoint.
No re-issue, no edit
Issued COAs are write-locked at the database level. Status can only move to corrected — never overwritten.
Full audit chain
Every view, download, and verification attempt is logged with user, IP, and timestamp — including platform staff.

Ten Layers of Protection
Built from the ground up for labs that operate under accreditation, regulatory oversight, or enterprise procurement requirements.
Isolated Database Per Lab
Your data never shares a table with another lab
- Every lab tenant receives a dedicated, isolated database instance
- No shared tables — cross-tenant data access is architecturally impossible
- Platform infrastructure (billing, accounts) is fully separated from your lab data
- Your data stays yours — we cannot access it without your explicit authorization
Encryption Everywhere
At rest and in transit, always
- AES-256-GCM encryption for all sensitive data stored in the platform
- TLS encryption for all data in transit — no unencrypted communication
- Credentials, connection strings, and integration secrets encrypted individually
- Tamper detection built into every encrypted record
Role-Based Access Control
The right people see the right things
- Four role tiers: Admin, Manager, Technician, and Read-Only
- Every action in the platform requires the appropriate role — enforced at the API level
- Module-level licensing gates access to COC, COA, QMS, Equipment, and API features
- Client portal runs on a separate authentication track with its own credentials
Immutable Audit Trail
5-year tamper-evident log of every action
- Every login, data change, approval, and export is permanently logged
- Logs capture: user, IP address, timestamp, action, and affected record
- Suspicious activity detection flags critical events automatically
- PDF audit export available for inspections and regulatory submissions
- Retained automatically for 5 years — no manual archiving required
Secure Authentication & MFA
Multiple layers to stop unauthorized access
- TOTP-based two-factor authentication — works with Google Authenticator, Authy, and any standard authenticator app
- Admin-configurable 2FA policy — enforce MFA for all users or admin accounts only from the Security settings
- Single-use backup codes for 2FA recovery — emergency access when your device is unavailable
- Admin 2FA reset — account admins can unlock a team member's 2FA, fully logged to the audit trail
- Short-lived access tokens that automatically expire — limiting exposure if compromised
- Rotating refresh tokens — each session renewal invalidates the previous token
- All passwords hashed with industry-standard bcrypt — never stored in plain text
- Password complexity enforced — uppercase, lowercase, number, and special character required
- 90-day password expiry — flagged in the 21 CFR readiness assessment
- Account lockout after 5 failed attempts — 15-minute lock with critical audit event
- Re-authentication required before signing critical records (COA issue, SOP sign-off, COC acceptance)
- 30-minute idle session timeout — automatic logout with on-screen notice
- Cryptographic hash on every issued COA — tamper detection via integrity check endpoint
- Issued COAs are write-locked at the database level — no edit or re-issue is possible by any user, including platform administrators
- Password change and reset immediately revoke all active sessions
- Generic error responses prevent account enumeration attacks
Data Sovereignty & Retention
Your data, your rules
- You own your data — it is never used for training, analytics, or shared with third parties
- Configurable retention periods to match your accreditation requirements (default 7 years)
- Full data export available at any time in standard formats
- On cancellation, your data is retained for 30 days then securely deleted on request
Built-in Legal Agreements & E-Signature
Vendor compliance handled on day one
- Data Processing Agreement (DPA) signed electronically during account setup — no back-and-forth required
- HIPAA Business Associate Agreement (BAA) available for clinical labs handling patient data
- Every signature is recorded with signer name, title, IP address, and timestamp for your audit records
- Signed agreements are permanently stored in your account — viewable and printable at any time
- SaaS Agreement and Service Level Agreement available for enterprise procurement requirements
Continuous Platform Verification
Every module tested end-to-end, automatically
- End-to-end health checks run across every platform module — COC, COA, QMS, 2FA, equipment, integrations, and more
- Cryptographic COA integrity is re-verified automatically on every run to catch tampering or regression
- Health score is mathematically honest — any test failure prevents a clean score, full stop
- Tests run in isolated environments using ephemeral tenants — your live lab data is never touched
- Pass/fail results and the health score are reviewed by the platform team before any release
Adversarial Security Testing
Not just "does it work" — "can it be broken"
- Dedicated adversarial test suite runs injection attempts, SSRF probes, and privilege-escalation attacks against the live API
- NoSQL injection, XSS payloads, and oversized inputs are sent to every major endpoint and verified to be rejected safely
- SSRF protection is tested by pointing integration connectors at private IPs and cloud metadata addresses — all must be blocked
- Separation of duties is verified: SOP authors cannot sign as their own reviewer or approver
- Race condition tests confirm backup codes cannot be double-redeemed via concurrent requests
- Mass assignment tests verify that fields like role, tenantId, and signature hash cannot be overwritten via PATCH
- These tests run alongside functional tests every release — security regressions are caught before they ship
EU AI Act Compliance
Articles 9–17 mapped to AILS controls — automated gap assessment included
- Automated EU AI Act compliance assessment maps 9 articles to AILS platform controls
- Article 9 (Risk Management): Risk Register and CAPA module provide documented lifecycle risk management
- Article 14 (Human Oversight): Re-authentication on COA signing, manager override with re-auth, and RBAC-enforced issuance gate
- Article 15 (Cybersecurity): AES-256-GCM encryption, TOTP 2FA, and 811 automated tests including adversarial scenarios
- Article 17 (QMS): Full quality management system covers CAPA, audits, deviations, training, risk, and proficiency testing
- Article 27 (FRIA): GDPR Data Minimisation Reviewer Agent and EU DPA with SCC-2021 for EU deployments
- EU tenants can run an automated compliance assessment and download a regulator-ready PDF report from their dashboard

9 Compliance Systems — Built Into the Architecture
AI governance boundary, CAPA escalation lifecycle, training enforcement, EMR roundtrip, multi-site onboarding, audit reconstruction, ISO/IEC 17065 framework, 21 CFR Part 11 enforcement map, and COA integrity verification — all enforced at the architecture layer.

Compliance Built In — Not Bolted On
Compliance frameworks and architecture-layer controls, all enforced by design. Enterprise-grade. Architecturally enforced. Always audit-ready.
14 Compliance Systems
Built Into the Architecture
- AI governance boundary — agents operate within enforced limits
- CAPA escalation lifecycle — issues escalate automatically
- Training enforcement — expired training hard-blocks access
- EMR roundtrip — certified electronic data exchange
- Multi-site onboarding — governed, scalable by design
- Audit reconstruction — replay any event, any record
- ISO/IEC 17065 framework — certification-body operations
- 21 CFR Part 11 enforcement — mapped to platform controls
- COA integrity verification — architecturally impossible to alter an issued COA
Every compliance framework is mapped to a platform-layer control — not a policy document. Immutable. Verifiable. Audit-ready from day one. Compliance support varies by module and plan — contact us to discuss your specific requirements.
Security FAQs
The questions procurement and compliance teams ask most.
Can another lab see my data?
No. Every lab on AI Lab Services has its own isolated database. Cross-tenant data access is not possible by design — not just by policy.
Who at AI Lab Services can access my lab data?
No one without your explicit authorization. Our staff cannot access your lab database without a request from your account administrator. All such access is logged.
What happens to my data if I cancel?
Your data remains accessible for 30 days after cancellation. You can export everything in standard formats at any time. After 30 days, your data is securely deleted upon request.
Do you offer a Data Processing Agreement (DPA)?
Yes — and you don't need to ask for it. Every new account signs a DPA electronically during the setup wizard. The signed copy is stored in your account with a full audit record (signer name, IP, timestamp) that you can view and print at any time.
Do you offer a HIPAA Business Associate Agreement (BAA)?
Yes. Clinical labs and any lab handling patient-linked data can sign a BAA during account setup or on request afterward. The BAA is signed electronically and stored permanently in your account. Contact us if you need a countersigned copy for your own records.
Is the platform audit-ready for an FDA inspection?
Yes — and we give you the documentation to prove it. The 21 CFR Readiness Assessment is an AI-powered audit that analyzes your live system data across 10 21 CFR Part 11 categories and returns a scored, printable report with specific findings and recommendations. The Vendor Validation Package (VVP) is a pre-built IQ/OQ/PQ bundle — including a Requirements Traceability Matrix, executed test cases, PQ templates, and a §11.100(c) electronic signature declaration — that you can drop directly into your Computer System Validation binder. Both are available on the 21 CFR module.
What infrastructure does AI Lab Services run on?
The application layer runs on Railway infrastructure in North America. The database layer uses MongoDB Atlas with AES-256-GCM encryption at rest. Document storage uses your choice of S3-compatible provider — AWS S3, Backblaze B2, or your own bucket. Standard deployments keep all data in North America; EU database residency (Frankfurt MongoDB Atlas region) is available on enterprise deployment. Full architecture documentation is available for enterprise procurement — contact us.
Where is my data hosted?
On standard deployments, all data — databases, documents, and audit logs — is hosted and processed in North America (MongoDB Atlas and Railway, US/Canada region). For EU customers on enterprise deployment, EU database residency in the Frankfurt MongoDB Atlas region is available, backed by a signed EU DPA incorporating SCC-2021. We do not use data centers outside these regions.
Does the platform test for attacks, not just correct behavior?
Yes. Every release runs an adversarial test suite that sends injection payloads, probes SSRF protections, tests concurrent race conditions on backup codes, and verifies privilege-escalation attempts are blocked. These run alongside functional tests so security regressions are caught before they ship — not after.
Has the platform been through an independent penetration test?
We run an extensive automated adversarial test suite on every release covering injection, SSRF, mass assignment, separation-of-duties, and race conditions. A formal third-party penetration test is on our roadmap as we scale into enterprise procurement. In the meantime, the adversarial test results are available on request.
Quantum Readiness
AILS tracks NIST PQC readiness across every infrastructure vendor — hosting, database, AI, auth, CDN — and generates a signed Quantum Posture Report for procurement teams.

Global Multi-Site Deployment
Per-tenant database isolation across jurisdictions. EU data residency available on enterprise deployment. GDPR-ready. Every site governed independently, every audit trail separate.

Compliance Ready From Day One
Your DPA is signed during account setup. BAA, SLA, and NDA are available on request.
SOC 2 Type II audit is in planning. SOC 2 security questionnaire responses, architecture diagram, and pen test summary are available for enterprise procurement teams under NDA — contact us.
