Compliance

Built around the regulations your auditors expect

Every Protokol feature is designed with a specific regulatory requirement in mind. Here's exactly how we address each framework.

21 CFR Part 11
US FDA

Electronic Records and Electronic Signatures

The FDA's regulation governing the use of electronic records and electronic signatures in FDA-regulated industries. It sets requirements that ensure electronic documents are as trustworthy as paper records.

How Protokol helps: Protokol's approval workflow, e-signatures, and audit trail are designed to satisfy Part 11's technical controls. This means your electronically-signed Protokol documents can form part of a compliant quality management system.

| Regulatory requirement | How Protokol addresses it |
| --- | --- |
| Audit trails (21 CFR 11.10(e)) | Append-only audit log captures every create, edit, review, approve, and export event with user identity and timestamp. |
| Unique user identification (11.10(d)) | Each user account is uniquely identified via Clerk. Shared accounts are not permitted. |
| System access controls (11.10(d)) | Role-based access (Author, Reviewer, QA Approver, Client, Admin) enforced at all API and UI layers. |
| Electronic signature attribution (11.50) | Each signature is bound to the signing user's identity, timestamp, and the exact document version signed. |
| Signature acknowledgement (11.100(c)) | Signers must confirm a typed acknowledgement statement before the signature is recorded. |
| Record integrity (11.10(a)) | Document content is hashed at approval. The hash is stored in the audit log, providing cryptographic proof of integrity. |

EU GMP Annex 15
EMA / EU

Qualification and Validation

The European Medicines Agency guideline covering qualification of facilities, utilities, and equipment, and validation of processes in pharmaceutical manufacturing. It applies to all facilities operating under EU GMP.

How Protokol helps: Protokol generates IQ, OQ, PQ, DQ, and FAT/SAT protocols structured to satisfy Annex 15's requirements for documented evidence of qualification. Every generated document includes the sections and evidence expectations the guideline demands.

| Regulatory requirement | How Protokol addresses it |
| --- | --- |
| Design Qualification (DQ) | Protokol DQ templates capture equipment specifications, P&ID references, and design verification criteria. |
| Installation Qualification (IQ) | AI-generated IQ protocols cover installation verification, calibration records, utility connections, and documentation cross-references. |
| Operational Qualification (OQ) | OQ protocols include operational range testing, alarm verification, and interlocks with pre-defined acceptance criteria. |
| Performance Qualification (PQ) | PQ protocols address process performance under actual operating conditions with statistically valid sampling. |
| Change Control references | Document templates include mandatory sections for referencing the Change Control number that triggered requalification. |
| Summary reports | Protokol generates qualification summary reports that consolidate IQ/OQ/PQ findings for regulatory submission. |

GAMP5
ISPE

A Risk-Based Approach to Compliant GxP Computerised Systems

The ISPE GAMP5 guide provides a framework for validating computerised systems used in GxP environments. It categorises software by complexity and prescribes a risk-proportionate validation approach.

How Protokol helps: Protokol itself is being developed in accordance with GAMP5 principles. A full Computer System Validation (CSV) package covering the Protokol platform will be completed in Phase 3, enabling it to be used as a validated standalone electronic records system.

| Regulatory requirement | How Protokol addresses it |
| --- | --- |
| Software categorisation | Protokol is a Category 4/5 system (configurable/custom software). The CSV package will include DQ, IQ, OQ, and PQ of the Protokol platform itself. |
| Risk assessment | A formal risk assessment covering data integrity, access control, and audit trail risks is maintained as part of the CSV documentation. |
| Supplier assessment | Supplier assessment documentation for all Protokol sub-processors (Supabase, Anthropic, Vercel, etc.) is maintained and available on request. |
| User Requirements Specification | A formal URS for the Protokol platform is maintained. Customers may request a copy for inclusion in their own supplier assessment. |
| Data integrity (ALCOA+) | Platform data practices are designed to satisfy ALCOA+ principles: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available. |

ICH Q7A §12
ICH

API Good Manufacturing Practice — Validation

ICH Q7A is the international guideline for GMP in Active Pharmaceutical Ingredient (API) manufacturing. Section 12 covers validation of facilities, equipment, and analytical methods.

How Protokol helps: For engineering teams working on API manufacturing sites, Protokol generates qualification documentation that addresses the specific validation requirements in ICH Q7A Section 12, including equipment qualification, process validation, and cleaning validation protocols.

| Regulatory requirement | How Protokol addresses it |
| --- | --- |
| Process validation (12.1) | Protokol PQ templates address process validation for API manufacturing processes, including critical process parameters and acceptance criteria. |
| Equipment qualification (12.2) | IQ/OQ/PQ templates cover equipment qualification with references to manufacturer specifications and site conditions. |
| Analytical method validation (12.3) | AMV protocol templates are included in the document library for common analytical techniques. |
| Cleaning validation (12.5) | Cleaning validation protocol templates address equipment surface area, solubility, detection limits, and acceptance criteria per ICH Q7A guidance. |
| Change control for validated systems | Requalification templates include mandatory change control cross-references and impact assessment sections. |

Audit Trail
Internal standard

Complete Audit Trail Architecture

An audit trail is a chronological record of all actions taken on a document — who did what, when, and from which document version. Regulatory agencies including the FDA, EMA, and MHRA inspect audit trails as a primary indicator of data integrity.

How Protokol helps: Protokol's audit trail is designed to withstand regulatory inspection. Every action is recorded in an append-only log, exported in a readable format, and cryptographically linked to the document content at key checkpoints.

| Regulatory requirement | How Protokol addresses it |
| --- | --- |
| Creation events | Project creation, document creation, section creation — each with user ID, timestamp, and initial content hash. |
| Modification events | Every text change is recorded with a before/after snapshot, user ID, and timestamp. Nothing is overwritten. |
| Review and approval events | Every workflow state change (Draft → In Review → Approved / Rejected) is logged with the full reviewer identity and any rejection reason. |
| Signature events | Each e-signature event records the signer's identity, acknowledgement text, timestamp, and a hash of the document version signed. |
| Export events | Every document export (DOCX or PDF) is logged, including the user who exported and the document version at export time. |
| Export for inspection | The full audit trail for any document can be exported as a PDF report — formatted for regulatory inspection without requiring auditor access to the platform. |

Questions about your specific requirements?

Talk to us about your regulatory context — we're happy to walk through how Protokol addresses your auditors' expectations.
