21 CFR Part 11 compliant for sites, sponsors, and CROs. Traceable, access-controlled AI that enables GCP-aligned work where trials run.
Full compliance with FDA 21 CFR Part 11 requirements for electronic records and electronic signatures. Audit trails, access controls, and system validation documentation are available for customer review.
For SOC 2 Type II, HIPAA, and GxP/GCP documentation, we are able to share relevant architecture and security materials upon request as we work toward formal certifications.
Request documentation →

Under GCP, sites must ensure trial data and records are attributable and traceable, systems are fit for purpose, and monitoring and inspections can reconstruct what happened. Generic AI tools often break those requirements. Rightview exists so sites can adopt AI without giving up compliance: controlled access, time-stamped immutable audit trails, no model training on customer data, and ZDR with AI infrastructure providers—plus validation documentation you can fold into your IQ/OQ/PQ and quality agreements.
GCP compliance is owned by the investigator and institution; Rightview is not “GCP certified.” We provide the system properties and evidence package that enable your site to use AI in a GCP-compliant way within your protocols and SOPs.
Discuss site rollout & documentation →

Customer queries, results, and usage data are never used to train any AI model, whether Rightview's or a third party's. Your data is yours.
All third-party AI providers used by Rightview operate under zero data retention (ZDR) agreements. Unlike default OpenAI or Anthropic API terms, prompts and completions are not stored or used for training.
Granular permissions at the user, team, and data-type level. Principle of least privilege enforced. Access is logged and auditable per 21 CFR Part 11 requirements.
Every data access, query, and system action is time-stamped and logged in a tamper-evident record, creating the complete audit trail required under 21 CFR Part 11.
Deployed on enterprise-grade cloud infrastructure with physically secured data centers, network-level isolation, and no public-facing database endpoints. All internal traffic runs over private networks with distributed redundancy across availability zones.
Automated daily backups with point-in-time recovery. Backups are encrypted, stored in a separate region, and tested for recoverability on a defined schedule.
24/7 security monitoring with automated alerting. Documented incident response procedures with defined notification timelines aligned to regulatory expectations.
Strict logical separation at the database and application layer. No shared data structures between customer accounts. Tenant boundaries enforced at every query.
ICH E6 requires reliable trial data, clear accountability, and investigator oversight—including for computerized systems. Rightview gives sites attributable actions, least-privilege access, and audit-ready logs so AI use can stay within a GCP-compliant quality system.
We're happy to share validation documentation, architecture overviews, and security materials with qualified customers.
Contact our Security Team