Security & Compliance Overview

Summary

Aliquora is a QC-focused LIMS built around the data-integrity controls that regulated and quality-driven labs depend on: secure authentication, role-based access control, organization-level data isolation, an append-only audit trail, tamper-evident electronic signatures, tamper-resistant records, encryption in transit, and full data export. This overview summarizes those controls. For requirement-level detail, see the companion 21 CFR Part 11 & ALCOA+ capability matrix.

Controls at a glance

Area	Control	Status
Authentication	Passwords hashed with bcrypt (never stored in plain text); automatic account lockout after repeated failed attempts; idle session timeout and server-side session management.	Available
Access control	Role-based access control (admin, technician, reviewer, read-only); authority checks enforced server-side on every protected request.	Available
Tenant isolation	Each organization's data is scoped at the query level; users only ever see data belonging to their own organization.	Available
Audit trail	Append-only, computer-generated, time-stamped log of key actions (who, what, when, from where). No interface to edit or delete entries; exportable to CSV.	Available
Electronic signatures	Password re-authentication at signing; captures signer, timestamp, and meaning; each signature cryptographically bound to a snapshot of the signed record (tamper-evident). Available on every plan.	Available
Tamper-resistant records	Signed entries cannot be edited through the application; verified results are locked until an administrator unlock (password re-auth + documented reason), which is itself audited.	Available
Encryption in transit	TLS / HTTPS for all connections between the browser and Aliquora.	Available
Data ownership & export	CSV export for samples, results, and audit logs; PDF export for Certificates of Analysis. Export your data whenever you need it.	Available
Encryption at rest	Not yet implemented.	Planned
Multi-factor authentication	Not yet implemented.	Planned
Third-party certification	Aliquora is not itself certified or accredited; a SOC 2 examination is on the roadmap. An ISO/IEC 17025 alignment guide is available (accreditation is held by the lab, not the software).	Planned
Data-retention controls	Configurable retention scheduling is planned; data export supports archival in the interim.	Planned

Data integrity (ALCOA+)

Aliquora's controls map to the ALCOA+ principles your auditors already know: actions and signatures are attributable to named users with timestamps; records are legible and exportable; entries are contemporaneous and written to the audit trail in real time; source records are kept original and protected once signed or verified; out-of-spec checks and review workflows keep data accurate; and the append-only trail, consistent data model, and on-demand export support the complete, consistent, enduring, and available extensions.

What we do not yet have

We would rather state limitations plainly. Not available today: multi-factor authentication, encryption at rest, a third-party security examination (e.g. SOC 2), and configurable data-retention scheduling. These items are on the roadmap. ISO/IEC 17025 accreditation is held by your lab rather than the software; our ISO/IEC 17025 alignment guide maps Aliquora's capabilities to its requirements.

Shared responsibility & validation

Aliquora provides the technical controls described above. Compliance is a shared responsibility: certification, computer-system validation (IQ/OQ/PQ), standard operating procedures, user administration, and confirming the system meets your specific regulatory obligations remain the responsibility of your organization. Aliquora is not itself certified or accredited; we provide capabilities that support your compliance program. To support validation, use the IQ/OQ/PQ validation support pack.