Clinly — Security & Compliance Architecture

Compliance Status

Current Certifications & Roadmap

Honest about where we are today and where we're heading.

Live

FDA 21 CFR Part 11-Aligned Architecture

Designed and built toward 21 CFR Part 11 alignment. Append-only audit trails, role-based access controls, and electronic record integrity are built into the data layer. Formal IQ/OQ/PQ validation is a funded milestone.

Append-only audit log via PostgreSQL triggers
User ID + timestamp on every record change
Old/new value capture on all updates
Role-based access with 4 permission tiers
Filterable audit trail UI for inspections

Formal IQ/OQ/PQ validation documentation: planned Q3 2026 (funded via seed round).

Live

HIPAA-Aligned Architecture

Clinly's data architecture follows HIPAA technical safeguard principles: encryption at rest and in transit, access controls, audit controls, and data integrity measures.

AES-256 encryption at rest
TLS 1.3 in transit
Minimum necessary access principle
Data segregation by study

Formal BAA and HIPAA attestation: planned with first enterprise customer onboarding.

Planned

SOC 2 Type II

SOC 2 Type II audit is on the roadmap and will be completed after the seed round closes. Controls are being designed to the SOC 2 framework now.

Target: Q1 2027
15% of seed funds allocated
Trust Service Criteria: Security + Availability

We do not currently hold SOC 2 Type II certification. We will be transparent about this with all prospects.

Security Roadmap

From Current State to Enterprise-Certified

Now

FDA 21 CFR Part 11-aligned architecture, HIPAA-compliant encryption, append-only audit trails

Deployed and validated on real Phase III protocol data

Q3 2026

Formal IQ/OQ/PQ validation documentation + SOC 2 Type II audit initiated

Funded via seed round; required for enterprise CRO contracts

2027+

ISO 27001 certification + formal BAA / HIPAA attestation with enterprise customers

Target for multi-site enterprise contracts

Enterprise risk mitigation: Clinly is designed for pilots to run on de-identified or synthetic data until formal IQ/OQ/PQ validation is complete. First CRO partners receive a dedicated deployment environment with no shared-tenant data exposure.

Security due diligence package (architecture diagrams, data flow maps, audit trail documentation) available on request. Request package →

Infrastructure

Data Architecture & Stack.

Hosting & Infrastructure

Cloud: Neon (PostgreSQL)

Serverless Postgres with automatic scaling, PITR backups, and SOC 2 Type II certified infrastructure

Offline: SQLite (local)

Encrypted local database for offline-capable deployments. Sync engine handles conflict resolution on reconnect

Runtime: Node.js / TypeScript

Express API with Drizzle ORM. Type-safe throughout — from database schema to API response.

Extraction Pipeline: Enterprise Language Model API

Protocol PDF extraction routes through an enterprise-grade language model API with structured output. Zero data retention mode — no protocol data is used to train external models.

Security Controls

Encryption at Rest

AES-256 encryption for all stored clinical data. Database-level encryption on Neon, file-level on offline SQLite.

Encryption in Transit

TLS 1.3 enforced for all API communications. HTTP → HTTPS redirect. HSTS headers.

Role-Based Access Control

4-tier RBAC: Clinical Data Manager, Medical Team, Programmer, CRA. Study-level data isolation prevents cross-study access.

Append-Only Audit Trail

PostgreSQL trigger-based audit log. Every INSERT, UPDATE, DELETE captured with actor, timestamp, and change delta. Append-only.

21 CFR Part 11

How the Audit Trail Works.

Every data change in Clinly generates an append-only audit record before it touches the main table. This is not a log file — it's enforced at the database trigger level.

-- PostgreSQL trigger (simplified) — fires on every INSERT/UPDATE/DELETE

CREATE OR REPLACE FUNCTION audit_trail_trigger()

RETURNS TRIGGER AS $$

BEGIN

INSERT INTO audit_log (

table_name, operation, record_id,

user_id, timestamp, old_values, new_values

) VALUES (

TG_TABLE_NAME, TG_OP, NEW.id,

current_setting('app.user_id'), NOW(),

row_to_json(OLD), row_to_json(NEW)

);

RETURN NEW;

END;

$$ LANGUAGE plpgsql;

Who Changed It

User ID and session token captured on every operation. Linked to the authenticated user account.

When It Changed

UTC timestamp with millisecond precision. Server-side clock — not client-supplied.

What Changed

Complete before/after JSON snapshot. Every field value before and after the change is stored.

Data Handling

How Your Data Is Handled.

Protocol PDFs (Extraction Pipeline)

Protocol PDFs are routed through an enterprise-grade language model API with zero data retention mode — no protocol data is stored or used to train external models.

Files are processed transiently and are not persisted on any external infrastructure beyond the API call lifetime.

Structured extraction output is stored in Clinly's own database, not the raw PDF.

Subject Clinical Data

Subject data is stored only in Clinly's own database — never sent to third-party AI APIs.

Data is segregated at the study level. Cross-study access is blocked by RBAC policies.

Pseudonymisation supported — subject identifiers use site code + subject number, not PII.

Backups & Recovery

Neon (cloud) provides automated PITR (Point-in-Time Recovery) with 7-day retention by default, 30-day on enterprise plans.

Daily logical backups exported to a separate storage bucket with AES-256 encryption.

Recovery Time Objective (RTO): <4 hours for cloud deployment.

Data Retention & Deletion

Clinical trial data retention follows customer contractual requirements (typically 15 years per ICH E6 GCP).

Full data export provided to customer on contract termination before deletion.

Audit logs are retained separately and cannot be deleted even by Clinly administrators.

Regulatory Standards

Standards We Design For.

21 CFR §11 Live

FDA Electronic Records and Electronic Signatures. Audit trail, access controls, record integrity — all implemented at the database layer.

CDISC CDASH Live

Clinical Data Acquisition Standards Harmonization. Form templates and variable mappings follow CDASH standards for FDA and EMA submissions.

CDISC ODM-XML Live

Operational Data Model XML 1.3.2. Full ODM-XML export for regulatory submissions to FDA and EMA.

ICH E6 GCP Live

Good Clinical Practice guidelines. Audit trail, source data verification support, and data integrity controls align with ICH E6(R2) requirements.

EMA Annex 11 In Progress

European Medicines Agency guidance for computerised systems in clinical trials. Controls are being mapped to Annex 11 requirements.

SOC 2 Type II Planned

Trust Services Criteria: Security and Availability. Formal audit planned for Q1 2027 post-seed funding. Controls are being documented now.

Competitive Positioning

Why Clinly vs. Legacy EDC

A direct comparison against the two platforms that dominate the regulated EDC market — Medidata Rave and Oracle InForm.

Dimension	Medidata Rave	Oracle InForm	Clinly
Setup Time	12–16 weeks	8–12 weeks	7 days
Audit Trail	Application-layer logging; external validation required	Log-file based; complex configuration	PostgreSQL trigger-level; append-only architecture from day one
Protocol Parsing	Manual (CDM team, 4–6 wks)	Manual (specialist team required)	Automated extraction (87.8% accuracy, <60 sec) + HITL review
Cost per Trial	$200K–$400K+/yr	$150K–$300K+/yr	$15K–$25K setup + SaaS seats
Compliance Depth	21 CFR §11 — requires separate IQ/OQ/PQ validation sprint	21 CFR §11 — requires vendor validation package ($20K–$50K)	21 CFR §11-aligned data layer — formal IQ/OQ/PQ validation is a funded seed milestone

Legacy pricing estimated from published CRO benchmarks (Tufts CSDD, 2023). Clinly figures reflect current production pricing. Setup times reflect industry averages.

Built for
Regulated Data.