Security & trust
Designed to be defensible — by inspectors and security teams alike
LABPROOF holds regulated data. We treat its protection, and the integrity of the record of who did what, as the core of the product.
Encrypted data handling
All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are managed in a dedicated KMS with regular rotation.
Access control
Role-based access enforces least privilege across QA, reviewer, director, compliance, and admin roles. SAML-based SSO and SCIM provisioning are available.
Workspace isolation
Each lab workspace is logically isolated. Records, reviewers, and policies never cross a workspace boundary without an explicit, logged action.
Audit-trail integrity
The trail is append-only. Each event carries an integrity hash and cannot be edited or deleted — only superseded by a new, attributed event.
Export integrity
Every export records a hash and an audit event, so an inspector can confirm a report or log was not altered after it left the system.
Human oversight policy
No AI finding is ever finalized autonomously. Sign-off requires an authorized human, and that decision is permanently attributed.
Privacy & retention
You control how long records endure
Retention classes are applied per record and enforced automatically. Enterprise customers can configure residency and custom retention windows to match their regulatory obligations.
Retention classes
Records carry an explicit retention policy (for example, R-7 for a seven-year hold) enforced by the platform.
Right to export
Your data is yours. Full workspace exports are available on demand, with integrity hashes.
Deletion controls
Authorized admins can schedule retention-aware deletion; every action is logged.
Sub-processor transparency
We publish our sub-processors and notify customers of material changes.
Compliance posture
SOC 2 Type II audited, ISO 27001 aligned, and built to support 21 CFR Part 11 electronic-record and signature expectations. We make conservative, accurate claims — and share documentation under NDA on request.