// COMPLIANCE

Aurantium and 21 CFR Part 11.

Part 11 is the FDA's rule for electronic records and electronic signatures. Here is how Aurantium's controls map to it, stated plainly. A compliance claim you can't defend in front of an auditor is worse than no claim at all.

Compliance is earned, not installed.

No software is Part 11 compliant out of the box, whatever the brochure says. The regulation governs your records, your procedures and your validation, and the FDA holds the manufacturer accountable, not the software vendor. What a system can do is provide the technical controls the rule requires, behave the same way every time, and give your quality team the evidence to validate it. That is the standard Aurantium is built to.

// ELECTRONIC RECORDS

Built-in record controls.

The records half of Part 11 asks for specific, verifiable system behavior. These controls are part of Aurantium's core, not configured on top of it.

§ 11.10(e)

System-generated audit trails

Every change to an audited record is captured automatically: who made it, when, and the before and after value of each field. The trail is produced by the system, not by user discipline, and entries are appended, never edited or overwritten.

§ 11.10(e)

Point-in-time record history

Records are versioned through time, so the system can reconstruct exactly what a record said at any past moment. When an investigator asks what the formula showed the day the batch ran, the answer is a query, not an excavation.

§ 11.10(d)

Role-based access control

System access is limited to authorized individuals through configurable roles and permission sets. Permissions follow your org chart, with per-user overrides for the places reality is messier than the chart.

§ 11.300

Authentication controls

Passwords are hashed with Argon2id and governed by configurable policy: complexity rules, expiration and reuse prevention. Repeated failed logins lock the account automatically.

§ 11.10(d)

Protected sessions

Sessions are encrypted, validated server-side on every request, and expire automatically. A workstation someone walked away from does not stay a signed-in identity forever.

§ 11.10(c)

Records that stay retrievable

Operational records are archived rather than deleted, and audit history is append-only. Records stay accurate, complete and retrievable in human-readable form throughout their retention period.

Signatures on formulas, with cryptographic teeth.

Product formulas can require signatures by role before use, with the reason for each signature defined up front: quality approval, production review, whatever your SOPs call for. Each signature records the signer, the timestamp and the requirement it satisfies.

Behind each signature, the formula's full contents are signed with ECDSA keys held in a hardware-backed cloud key service. If a signed record is altered afterward, the signature no longer verifies. Tampering isn't just against policy; it's detectable by math.

We are precise about what we call this: role-enforced, tamper-evident record signing on formulas. If your process requires Part 11 electronic signatures on other record types, bring us the requirement and we will show you exactly where the system stands today, rather than stretch a definition past what your auditor would accept.
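As an added illustration (not Aurantium's code), here is what tamper-evident signing over a formula's full contents looks like: the record is canonically encoded, hashed together with the signer and the requirement the signature satisfies, and signed with ECDSA; any later edit to the record changes the digest and verification fails. A locally generated P-256 key stands in for the hardware-backed cloud key service, and the record fields, signer and requirement names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Formula is a hypothetical record (field names are assumptions, not Aurantium's schema).
// encoding/json keeps struct field order and sorts map keys, so equal contents encode identically.
type Formula struct {
	ID          string            `json:"id"`
	Version     int               `json:"version"`
	Ingredients map[string]string `json:"ingredients"`
}

// Signature records who signed, which requirement it satisfies, and the ECDSA signature.
type Signature struct {
	Signer, Requirement string
	Sig                 []byte
}

// NewSigningKey is a local P-256 key standing in for the hardware-backed cloud key (assumption).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest covers the full record contents plus the signer and requirement, so the
// signature binds both the record and the claim being made about it.
func digest(f Formula, signer, requirement string) []byte {
	body, _ := json.Marshal(f) // cannot fail for this struct
	h := sha256.New()
	h.Write([]byte(signer + "\x00" + requirement + "\x00"))
	h.Write(body)
	return h.Sum(nil)
}

// Sign signs the record as it stands now.
func Sign(priv *ecdsa.PrivateKey, f Formula, signer, requirement string) (Signature, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(f, signer, requirement))
	return Signature{Signer: signer, Requirement: requirement, Sig: sig}, err
}

// Verify recomputes the digest from the record's current contents; any altered field,
// or a changed signer/requirement, changes the digest and the check fails.
func Verify(pub *ecdsa.PublicKey, f Formula, s Signature) bool {
	return ecdsa.VerifyASN1(pub, digest(f, s.Signer, s.Requirement), s.Sig)
}
```

In production the private key never leaves the key service; only the digest would be sent to it for signing, and the public key alone is needed to verify.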

Validated in your environment, with our help.

A compliant system is a validated system, and validation happens in your operation, not ours. We support IQ, OQ and PQ as part of onboarding: installation evidence, operational test support, and performance qualification built around your actual processes. It is a guided process, not a documentation dump and a wish for good luck.

The honest version: Part 11 compliance is a property of your whole operation. Procedures, training, validation and records, working together. Aurantium supplies the technical controls and the support to validate them. Be suspicious of any vendor who sells compliance as a checkbox.

Bring us your compliance requirements.

Walk through the audit trail, access controls and signature model with the people who built them, against your SOPs, not a generic script.