Valiqa holds the validation records regulated manufacturers depend on, so protecting them and supporting your Part 11 obligations is a core part of the product, not an add-on. This page describes the controls that are live in Valiqa today.
Valiqa supports 21 CFR Part 11 Subpart C electronic signatures. Signing requires re-authentication at the moment of signing (password, authenticator app, or passkey), records the signer, meaning, and time, and enforces separation of duties so the person who authored a protocol cannot also approve it. Approval routing is configurable: reviewer, approver, and releaser stages can each require multiple independent signers. Each signature is bound to the exact record it signs.
Protocol execution is a controlled, signed workflow. Digital execution runs step by step with per-step results and evidence, optional per-step signatures by the performer and an independent witness (separation of duties enforced), enforced step ordering, execution locking, operator assignment, and a signed completion attestation. Paper execution uses a stamped, machine-readable controlled copy, and transcribed results require independent second-person verification.
Every change is written to an append-only audit trail that is cryptographically hash-chained, so records cannot be altered or deleted after the fact. You can verify the integrity of the chain on demand, and if anything has been tampered with, the verification pinpoints the exact record. The audit table is write-protected at the database level.
Sensitive fields, including personal and customer-identifying data, are encrypted at rest with AES-256-GCM, with keyed blind indexes that allow lookups without exposing the underlying values. Data moves over encrypted connections.
Access is governed by role-based permissions and strict per-company isolation, so one organization can never see another's data. Accounts support two-factor authentication with an authenticator app or a passkey, plus single sign-on with Google and Microsoft.
When Valiqa generates a document, it records the exact model version used and its qualification status, and every change to that configuration is logged under change control. The numbers in a signed report are computed deterministically from your recorded results, not produced by a model, so a signed record's totals are reproducible.
Valiqa runs on its own dedicated infrastructure with a self-hosted database, not a shared third-party backend. Backups are automated, encrypted, and retained, so your validation records are durable.
When a protocol is approved, its definition is locked and a versioned snapshot is captured, giving you an immutable record of exactly what was approved. Later changes require a controlled revision.
Have a security or compliance question for your own assessment?
Reach us through the contact pageWe use essential cookies for authentication and security. With your consent, we also use Microsoft Clarity and the LinkedIn Insight Tag on our marketing pages to understand how visitors navigate the site and to measure our advertising. Learn more.