Trust, Security & Validation
How ApprovaDoc handles your data, protects audit trail integrity, and supports regulatory requirements. This page is designed to help cautious QA, RA, and Ops buyers evaluate whether ApprovaDoc is trustworthy enough to trial.
What ApprovaDoc is
A focused SaaS tool for tracking SOP acknowledgments and producing audit-ready training evidence. It handles one specific workflow: upload controlled documents, assign training by revision, collect acknowledgments, verify comprehension, and export evidence for auditors.
Built for small medical device and SaMD teams (5–75 people) that need documented training records without full eQMS overhead.
What ApprovaDoc is not
- ApprovaDoc is not a full eQMS, medical device, SaMD, or clinical tool.
- Not a replacement for document control, CAPA, complaints, supplier management, or risk management.
- Not a validated system out of the box. Customer validation responsibilities apply.
Hosting & data residency
Hosted on Supabase (AWS Frankfurt, EU). AES-256 encryption at rest, TLS 1.2+ in transit. All customer data — documents, acknowledgments, audit logs, user accounts — resides on European infrastructure. No customer data is transferred outside the EU for processing or storage.
Encryption & file access
All data is encrypted with AES-256 at rest and protected with TLS 1.2+ in transit. Documents are stored in private Supabase storage buckets. Access is controlled through time-limited signed URLs — PDFs are never served directly or cached publicly.
Audit trail & immutability
Acknowledgment records, quiz attempts, and audit log entries are write-once. No edits, no deletions, no exceptions. Immutability is enforced at the database level with row-level security policies that prevent UPDATE and DELETE operations on these records. Every action is logged with who, what, when, and the originating IP address.
Document integrity
Every document version is hash-verified with SHA-256 at upload. The SHA-256 hash is stored alongside the document version record. Auditors can verify at any time that the document a person acknowledged is the same document that was originally uploaded — byte for byte.
Electronic signatures & Part 11
Re-authenticated, HMAC-bound electronic signatures designed to support 21 CFR Part 11 requirements. Available on Team and Growth plans.
Each signature captures the signer's intent (meaning of the signature), requires password re-authentication at signing time, and is cryptographically bound to the specific record using HMAC. The full signature manifestation — including signer name, date, time, and meaning — is displayed on certificates and exports.
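The document-hash check and the HMAC binding described above can be illustrated together. This is an added example, not ApprovaDoc's implementation: the record field names, the JSON canonicalization, the key, and the sample data are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real service keeps its key in a server-side secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

def document_hash(pdf_bytes: bytes) -> str:
    """SHA-256 over the exact uploaded bytes, hex-encoded."""
    return hashlib.sha256(pdf_bytes).hexdigest()

def canonical(record: dict) -> bytes:
    """Deterministic encoding: the same fields always produce the same MAC input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_record(record: dict, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 tag covering every field of the signature manifestation."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_evidence(pdf_bytes: bytes, record: dict, tag: str,
                    key: bytes = SIGNING_KEY) -> list:
    """Return a list of integrity failures; an empty list means the evidence is consistent."""
    problems = []
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(sign_record(record, key), tag):
        problems.append("signature tag does not match record fields")
    if not hmac.compare_digest(document_hash(pdf_bytes), record["document_sha256"]):
        problems.append("document bytes differ from the acknowledged version")
    return problems

# Constructed sample data (hypothetical document and signer).
PDF_V3 = b"%PDF-1.7 constructed sample: SOP-014 rev 3"
RECORD = {
    "signer": "Jane Example",
    "meaning": "I have read and understood this procedure",
    "signed_at": "2025-01-15T09:30:00Z",
    "document_sha256": document_hash(PDF_V3),
}
TAG = sign_record(RECORD)

if __name__ == "__main__":
    print(verify_evidence(PDF_V3, RECORD, TAG))                        # consistent evidence
    print(verify_evidence(PDF_V3, {**RECORD, "meaning": "x"}, TAG))    # edited meaning
    print(verify_evidence(PDF_V3 + b" ", RECORD, TAG))                 # altered document
```

Because the document hash is one of the MAC'd fields, swapping in a different document version or editing the signer, time, or meaning after the fact is detectable by anyone holding the key.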
Validation responsibilities
ApprovaDoc is not a formally validated system. If your regulatory framework requires computer system validation (CSV), you are responsible for performing your own validation activities.
ApprovaDoc provides design characteristics that support your validation activities: immutable records, cryptographic document hashing, complete audit trails, access controls, and electronic signatures. These features support data integrity but do not by themselves constitute a validated system.
This is not legal or regulatory advice. You are responsible for your broader quality management obligations.
Sample audit outputs
Download sample exports to see the exact format and content of ApprovaDoc's training evidence outputs before you sign up.
Infrastructure & sub-processors
ApprovaDoc uses a minimal set of third-party services. No customer content is shared with or processed by services beyond what is strictly necessary for the described purpose.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS Frankfurt) |
| Vercel | Application hosting, edge functions | EU (Frankfurt edge region) |
| Resend | Transactional email delivery | US (email processing) |
| Lemon Squeezy | Payment processing (merchant of record) | US (no card data stored by ApprovaDoc) |
Ready to evaluate ApprovaDoc?
Start a free 14-day trial with full features. No credit card required.