CONTINUUM

Compliance Posture

Honest accounting of regulatory + security posture — what's in place today, what's required for production

DEMO ENVIRONMENT POSTURE
This is a demo environment showing Continuum's architectural compliance posture. Real production deployment requires GxP validation (IQ/OQ/PQ), SOC 2 audit, BAA for HIPAA, signed DPA for GDPR. Architecture supports all of these — implementation is the gating step.
21 CFR Part 11
Overall status: Architecture compliant
Electronic records and signatures.
- Immutable timestamps on every state change: In place
- Audit trail with actor (human + agent): In place
- E-signature meaning + name + date capture: Designed, ready for activation
- Tamper-evident audit log: In place
- System validation (IQ/OQ/PQ): Required for production deployment

ICH E6(R3) / RBQM
Overall status: Native
Good Clinical Practice — Risk-Based Quality Management.
- Risk identification (32 alert definitions across 10 categories): Live
- KRIs computed continuously: Live
- QTLs with study-level configuration: Live
- Risk control with tiered escalation: Live
- Risk communication via persona-scoped routing: Live
- Risk reporting via audit + dashboards: Live

HIPAA / PHI
Overall status: No PHI in demo
Health Insurance Portability and Accountability Act.
- No real PHI in demo data (all patient identifiers synthetic): In place
- De-identification pipeline: Designed for production
- Business Associate Agreement (BAA): Required for production
- PHI encryption at rest + in transit: In place (Postgres TLS, MinIO encryption)
- Access controls with audit log: In place

GDPR
Overall status: Architecture supports
EU General Data Protection Regulation.
- Right to erasure at the entity level: Supported via Postgres cascade delete
- EU data residency (separate tenant deployment): Supported via the multi-tenant primitive
- Lawful basis for processing (documented per study): Required per study setup
- Data Processing Agreement (DPA): Required for production

GxP (GCP/GLP/GMP)
Overall status: Demo environment
Good Clinical/Laboratory/Manufacturing Practice.
- GxP-validated environment: Required for production
- IQ/OQ/PQ documentation package: Planned for GA
- Change control with risk assessment: In place via audit log
- Periodic review of agent outputs: Designed

SOC 2 Type II
Overall status: Target for GA
Security, Availability, Processing Integrity, Confidentiality, Privacy.
- Access controls: In place (Auth.js + persona scoping)
- Change management: In place (git + audit log)
- Monitoring + logging: In place (PM2 + structured logs)
- Encryption at rest + in transit: In place
- Annual SOC 2 audit: Required for GA
Every agent decision + every user action is logged immutably — inspector-replayable