Trust, Security & Validation

How ApprovaDoc handles your data, protects audit trail integrity, and supports regulatory requirements. This page is designed to help cautious QA, RA, and Ops buyers evaluate whether ApprovaDoc is trustworthy enough to trial.

What ApprovaDoc is

A focused SaaS tool for document review and approval, training evidence, and periodic review. It handles the SOP lifecycle stages small teams need: upload documents, route through review and approval, assign training by revision, collect revision-specific SOP acknowledgments, verify comprehension, and export evidence for auditors.

Built for small medical device and SaMD teams (5–75 people) that need documented training records without full eQMS overhead. See how it supports ISO 13485 document control requirements and 21 CFR Part 11 read-and-understand training workflows.

What ApprovaDoc is not

ApprovaDoc is not a full eQMS, medical device, SaMD, or clinical tool.
Not a full document management system with in-app authoring, templates, or change request workflows. Does not cover CAPA, complaints, supplier management, or risk management.
Not a validated system out of the box. Customer validation responsibilities apply.

Hosting & data residency

Hosted on Supabase (AWS Frankfurt, EU). AES-256 encryption at rest, TLS 1.2+ in transit. All customer data — documents, acknowledgments, audit logs, user accounts — resides on European infrastructure. No customer data is transferred outside the EU for processing or storage.

Encryption & file access

All data is encrypted with AES-256 at rest and protected with TLS 1.2+ in transit. Documents are stored in private Supabase storage buckets. Access is controlled through time-limited signed URLs — PDFs are never served directly or cached publicly.

Audit trail & immutability

Acknowledgment records, review decisions, quiz attempts, and audit log entries are write-once. No edits, no deletions, no exceptions. These records are enforced at the database level with row-level security policies that prevent UPDATE and DELETE operations. Every action is logged with who, what, when, and the originating IP address.

Document integrity

Every document version is hash-verified with SHA-256 at upload. The SHA-256 hash is stored alongside the document version record. Auditors can verify at any time that the document a person acknowledged is the same document that was originally uploaded — byte for byte.

Electronic signatures & Part 11

Re-authenticated, HMAC-bound electronic signatures designed to support 21 CFR Part 11 requirements. Available on Team and Growth plans.Each signature captures the signer's intent (meaning of the signature), requires password re-authentication at signing time, and is cryptographically bound to the specific record using HMAC. The full signature manifestation — including signer name, date, time, and meaning — is displayed on certificates and exports.

Review & approval workflow integrity

Review decisions and approval e-signatures are immutable — once submitted, they cannot be overwritten or deleted. Threaded review comments are write-once. Sequential approval phases are enforced at the database level, and every status transition is recorded in the audit trail with actor, timestamp, and metadata.

Validation responsibilities

ApprovaDoc is not a formally validated system. If your regulatory framework requires computer system validation (CSV), you are responsible for performing your own validation activities.

ApprovaDoc provides design characteristics that support your validation activities: immutable records, cryptographic document hashing, complete audit trails, access controls, and electronic signatures. These features support data integrity but do not by themselves constitute a validated system.

This is not legal or regulatory advice. You are responsible for your broader quality management obligations.

Sample audit outputs

Download sample exports to see the exact format and content of ApprovaDoc's training evidence outputs before you sign up.

Acknowledgment certificate (PDF)Acknowledgment report (PDF)Compliance matrix (PDF)Acknowledgments export (CSV)Compliance matrix export (CSV)

Infrastructure & sub-processors

ApprovaDoc uses a minimal set of third-party services. No customer content is shared with or processed by services beyond what is strictly necessary for the described purpose.

Service	Purpose	Location
Supabase	Database, authentication, file storage	EU (AWS Frankfurt)
Vercel	Application hosting, edge functions	EU (Frankfurt edge region)
Resend	Transactional email delivery	US (email processing)
Lemon Squeezy	Payment processing (merchant of record)	US (no card data stored by ApprovaDoc)

Legal documents:Terms of Service Privacy Policy Refund Policy

Common questions

Trust & security — common questions

Is ApprovaDoc a validated system?

ApprovaDoc is not a formally validated system. If your regulatory framework requires computer system validation (CSV), you are responsible for performing your own validation activities. ApprovaDoc provides design characteristics that support validation — immutable records, SHA-256 document hashing, complete audit trails, and electronic signatures — but formal validation activities remain your responsibility.

Where is my data stored?

All data is stored on Supabase infrastructure hosted on AWS in Frankfurt, Germany (EU). Documents are stored in private buckets with time-limited signed URLs. No data is stored outside the EU.

Can ApprovaDoc staff access my documents?

No. ApprovaDoc staff do not access, view, or analyze your documents, training records, or acknowledgments. Your data is yours. It is never sold, rented, shared with third parties, or used to train AI or machine learning models.

What happens to my data if I cancel?

After cancellation, your account enters read-only mode. You have 90 days to export all your data in audit-ready formats (CSV, PDF). Immutable records (acknowledgments, quiz attempts, audit logs) are retained during this period to maintain audit trail integrity.

Does ApprovaDoc use cookies or tracking?

Only essential cookies for authentication and session management. No advertising cookies, no third-party tracking pixels, no analytics cookies beyond basic Vercel web analytics.

What is your uptime commitment?

ApprovaDoc is hosted on Supabase (AWS Frankfurt) and Vercel (Frankfurt edge). Both providers offer high availability. The service is provided as-is without a formal SLA, but we prioritize reliability and will communicate any planned maintenance in advance.

ISO 13485 Training Records

Manage training records for ISO 13485 compliance without a full eQMS.

Medical Device SOP Training

SOP training software built for medtech startups and ISO 13485 manufacturers.

ApprovaDoc vs Full eQMS

When you need document control and training evidence but not a full quality management system.

SOP Review & Approval Software

Route SOPs through configurable review and approval workflows with e-signatures and audit trails.