Trust & Compliance

What pharma QA can expect from a software vendor — precise, regulatory-aware, no marketing speak.

Compliance Posture

Framework	Status	Note
EU Annex 11 — Computerised Systems	Aligned	Audit trail, determinism, access control built-in
21 CFR Part 11 — Electronic Records	Aligned	Tamper evidence via output hashing, signed audit logs
GAMP 5 — Software Category 4	Configured Product	Configuration only, no custom code at customer site
ICH M7 (R2) — Mutagenic Impurity	Dedicated Tools	covatox_assess_ichm7_batch + expert review workflow
ICH Q1A/E — Stability	Dedicated Tools	covastab Arrhenius, shelf-life estimation with 95% CI
ICH Q12 — Lifecycle Management	Readiness	Versioning + change control pathways documented

Three measurable properties, not a marketing label:

Tool versions are pinned. Identical input → identical output, reproducible weeks later. No RNG seed drift, no LLM probabilism in the numerical path.

Every tool call is logged with input, output, tool version, timestamp, and API key ID. Logs are exportable as CSV or JSON.

Output includes a SHA-256 hash. If an audit log entry is modified post-hoc, re-hashing surfaces the change.

Pro/Unlimited: Software delivers audit-grade outputs. Use-case validation happens at the customer site.
Enterprise: Validation pack with URS, FS, IQ, OQ, PQ templates. GAMP 5 Cat 4 argumentation included.
Validation IS what runs at the customer site. That's the regulatory reality — no software ships 'fully validated' at purchase.

'GxP-validated' as out-of-the-box property. Validation is a customer process, not a vendor property.
'Replaces QA review'. CovaSyn complements QA workflows, does not replace them.
'FDA-approved'. Software is not FDA-approved — only devices and compounds are.
'SOC 2 Type II certified'. In preparation, not yet certified.

Included in the Enterprise tier. Book a discovery call for a walkthrough.