Security & Compliance
21 CFR Part 11 & ALCOA+ Capability Matrix
Aliquora
aliquora.com
A requirement-by-requirement mapping of Aliquora's technical capabilities to FDA 21 CFR Part 11 (electronic records and electronic signatures) and the ALCOA+ data-integrity principles.
Document status: Published for evaluation
Audience: Quality, regulatory & IT teams
Scope: Lightly- to moderately-regulated labs
How to read this document
Aliquora is a laboratory information management system (LIMS) built around data-integrity controls. This document maps Aliquora's technical capabilities to the requirements of FDA 21 CFR Part 11 and the ALCOA+ data-integrity principles. Two honesty principles govern it:
- We describe capabilities, not certifications. Aliquora is not itself certified or accredited (e.g. SOC 2, ISO 17025). We provide the technical controls that support your compliance program. Where a capability is partial or planned, we say so plainly.
- Compliance is a shared responsibility. A compliant operation depends on both the software and how your organization configures, validates, and operates it.
Status legend:
- Available: Implemented and live today
- Partial: Implemented, with a noted limitation
- Planned: On the roadmap, not yet available
- Customer: A control the customer owns; Aliquora may provide supporting capability
21 CFR Part 11 — §11.10 Controls for closed systems
| Requirement | Aliquora capability | Status |
|---|---|---|
| §11.10(a) — Validation of systems to ensure accuracy, reliability, consistent intended performance | Aliquora is built and tested for consistent performance. Formal computer-system validation (IQ/OQ/PQ) for your environment is a customer activity; a validation support pack of customer-executed protocol templates is available. | Customer (templates available) |
| §11.10(b) — Accurate and complete copies of records in human-readable and electronic form | Records (samples, results, audit logs) export to CSV; Certificates of Analysis export to PDF. Data is stored as structured, human-readable records. | Available |
| §11.10(c) — Protection of records for accurate and ready retrieval throughout the retention period | Signed entries are protected from edits and audit entries are append-only; verified results can be changed only via an explicit administrator unlock that requires password re-authentication and a documented reason, and that is recorded in the audit trail. Long-term archival and retention scheduling remain a customer responsibility. | Available (scheduling planned) |
| §11.10(d) — Limiting system access to authorized individuals | Authenticated accounts, role-based access control, account lockout after repeated failed logins, and idle session timeout. | Available |
| §11.10(e) — Secure, computer-generated, time-stamped audit trails | Append-only audit log records user identity, username, action, affected resource, timestamp, and originating IP. Data exports and verified-result unlocks are explicitly recorded. The application exposes no interface to edit or delete entries. | Available |
| §11.10(f) — Operational system checks to enforce permitted sequencing of steps | Review and approval workflows enforce configurable step sequencing before reports are finalized. Approval chains are available on every plan. | Available |
| §11.10(g) — Authority checks for who can use the system, sign records, and perform operations | Role-based authority checks are enforced server-side on every protected request and at the point of signing. | Available |
| §11.10(h) — Device (terminal) checks | Not implemented. | Planned |
| §11.10(i) — Personnel education, training, and experience | Personnel training and qualification is an organizational process. | Customer |
| §11.10(j) — Written policies holding individuals accountable for actions under their signatures | An organizational policy matter; Aliquora's per-user signatures support enforcement. | Customer |
| §11.10(k) — Controls over systems documentation | Aliquora maintains its own product documentation; control of your SOPs and validation documentation is a customer responsibility. | Customer |
21 CFR Part 11 — Subpart C, Electronic signatures
Electronic signatures are available on every plan.
| Requirement | Aliquora capability | Status |
|---|---|---|
| §11.50 — Signature manifestations (printed name, date/time, meaning) | Each electronic signature record captures the signer's identity, a timestamp, and the meaning of the signature (e.g. reviewed, approved). | Available |
| §11.70 — Signature/record linking (cannot be excised, copied, or transferred) | Each signature stores a content snapshot of the signed record together with an HMAC-SHA256 over that snapshot, cryptographically binding the signature to the exact record state at signing. Aliquora re-verifies every signature against the live record and flags any later change (tamper-evident). | Available |
| §11.100 — Each signature unique to one individual; not reused or reassigned | Signatures are tied to unique, per-user accounts. | Available |
| §11.200 — Signature components & controls (at least two distinct ID components) | Signing requires the user's session identity plus password re-authentication at the moment of signing. A second independent factor (MFA) is planned. | Partial (MFA planned) |
| §11.300 — Controls for identification codes/passwords | Unique usernames; passwords hashed with bcrypt; automatic lockout after repeated failed attempts. Periodic password expiry and rotation policies are planned. | Partial (expiry planned) |
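The §11.70 row describes binding a signature to a record snapshot with HMAC-SHA256 and re-verifying it against the live record. The sketch below is an added illustration of that pattern, not Aliquora's code: the field names, the demo key, and the choice to include signer, meaning and timestamp in the MAC are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption: a server-held secret. This constructed value is for the demo only.
DEMO_KEY = b"constructed-demo-key"

def canonical(obj) -> bytes:
    """Deterministic bytes for a JSON-like object (sorted keys, fixed separators)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def _mac(key: bytes, snapshot: str, signer: str, meaning: str, signed_at: str) -> str:
    # The MAC covers the snapshot and the manifestation fields, so none of
    # them can be swapped on the stored signature without detection.
    payload = canonical({"snapshot": snapshot, "signer": signer,
                         "meaning": meaning, "signed_at": signed_at})
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_record(record: dict, signer: str, meaning: str, signed_at: str,
                key: bytes = DEMO_KEY) -> dict:
    """Create a signature row holding the record snapshot and its HMAC-SHA256."""
    snapshot = canonical(record).decode("utf-8")
    return {"snapshot": snapshot, "signer": signer, "meaning": meaning,
            "signed_at": signed_at,
            "mac": _mac(key, snapshot, signer, meaning, signed_at)}

def verify_signature(sig: dict, live_record: dict, key: bytes = DEMO_KEY) -> str:
    """Return 'valid', 'record_changed', or 'signature_invalid'."""
    expected = _mac(key, sig["snapshot"], sig["signer"],
                    sig["meaning"], sig["signed_at"])
    # Constant-time comparison: the stored signature row itself was altered,
    # or it was produced under a different key.
    if not hmac.compare_digest(expected, sig["mac"]):
        return "signature_invalid"
    # The signature is intact, but the live record no longer matches the
    # state that was signed (edited, or the signature was moved to another record).
    if canonical(live_record).decode("utf-8") != sig["snapshot"]:
        return "record_changed"
    return "valid"

# Constructed sample record and signature for the demo.
SAMPLE = {"record_id": "S-0001", "analyte": "lead", "value": 4.2, "unit": "ug/L"}
SAMPLE_SIG = sign_record(SAMPLE, "jdoe", "approved", "2024-01-01T12:00:00Z")

if __name__ == "__main__":
    print(verify_signature(SAMPLE_SIG, SAMPLE))                     # valid
    print(verify_signature(SAMPLE_SIG, dict(SAMPLE, value=4.9)))    # record_changed
```

HMAC is symmetric, so this construction is tamper-evident only against parties who cannot read the signing key; anyone holding the key can produce a valid MAC for a modified snapshot.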
ALCOA+ data-integrity mapping
| Principle | How Aliquora supports it | Status |
|---|---|---|
| Attributable | Every action and signature is bound to a named user account with a timestamp. | Available |
| Legible | Records are stored as structured, human-readable data; exportable to CSV and PDF. | Available |
| Contemporaneous | Actions are time-stamped when they occur and written to the audit trail in real time. | Available |
| Original | Source records are retained; signed entries are protected from modification, and verified results require an explicit administrator unlock — password re-authenticated, reason-documented, and audited — to change. | Available |
| Accurate | Automatic out-of-spec detection plus review/approval workflows guard data quality. | Available |
| Complete | The append-only audit trail captures the full sequence of actions on a record. | Available |
| Consistent | A single structured data model and enforced workflow sequencing keep records consistent. | Available |
| Enduring | Records persist in the database and can be exported for durable archival. Retention scheduling is a customer responsibility. | Available (scheduling planned) |
| Available | Authorized users can retrieve and export records on demand. | Available |
ISO/IEC 17025 supporting features
For environmental, food, and contract-testing labs working toward or maintaining ISO/IEC 17025 accreditation, Aliquora provides supporting capabilities (the accreditation itself is held by the laboratory, not the software):
- Traceability — sample chain-of-custody from log-in through reporting, with audit trail.
- Control of data & records (§7.11, §8.4) — append-only audit trail, access control, and record export.
- Method management — a configurable test/method catalog with units and reference ranges; an optional method-library add-on with pre-built methods.
- Review of results & reporting (§7.8) — configurable review/approval workflows and Certificate-of-Analysis generation.
- Control of nonconforming work (§7.10) — automatic out-of-spec flagging on result entry.
A full clause-by-clause mapping is available in the ISO/IEC 17025 alignment guide.
Security controls summary
| Control | Detail | Status |
|---|---|---|
| Password storage | Hashed with bcrypt; never stored in plain text. | Available |
| Account lockout | Automatic lockout after repeated failed login attempts. | Available |
| Session management | Server-side sessions with idle timeout. | Available |
| Access control | Role-based permissions, server-side authority checks. | Available |
| Signature integrity | Tamper-evident: each signature bound to a record snapshot via HMAC-SHA256 and re-verified on read. | Available |
| Tenant isolation | Per-organization data scoping on every query. | Available |
| Encryption in transit | TLS / HTTPS for all connections. | Available |
| Encryption at rest | Not yet implemented. | Planned |
| Multi-factor authentication | Not yet implemented. | Planned |
Shared responsibility model
| Aliquora provides | Customer is responsible for |
|---|---|
| Electronic signatures, audit trail, access control, workflow, isolation, export | Computer-system validation (IQ/OQ/PQ) for your environment |
| Secure authentication and the technical controls above | Standard operating procedures and written accountability policies |
| Product documentation of capabilities | User administration, role assignment, and access reviews |
| Data export for archival | Data-retention scheduling and long-term archival |
| Supporting capability for your compliance program | Confirming the system meets your specific regulatory obligations |
Honest gaps & roadmap
We would rather state limitations clearly than overstate readiness.
Not available today
- Multi-factor authentication (MFA)
- Encryption at rest
- Device/terminal checks (§11.10(h))
- Periodic password-expiry enforcement (§11.300)
- Third-party certification or accreditation (e.g. SOC 2, ISO 17025)
On the roadmap
- Multi-factor authentication
- Encryption at rest
- SOC 2 examination
- Configurable data-retention controls
This document describes Aliquora product capabilities as of the date provided and is offered for evaluation purposes. It is not legal or regulatory advice and is not a warranty of compliance. Each organization is responsible for validating and confirming that the system meets its own regulatory obligations.
Generated by Aliquora · aliquora.com