Trust center

Built for regulated workflows.

Tawqee is operated as a 21 CFR Part 11–capable platform for life sciences, clinical research, and biotech. Below is the evidence package a regulated customer’s vendor-review team will request.

21 CFR Part 11 controls

Every requirement of 21 CFR Part 11 maps to a specific control in Tawqee. The full mapping is available in our compliance brief.

§11.10(a)

Validation

Documented IQ/OQ/PQ package; customers re-execute PQ in their environment, results recorded in ValidationLog.

Implemented

§11.10(e)

Audit trail

Computer-generated, time-stamped, hash-chained AuditEvent rows. Append-only at the DB role level.

Implemented

§11.10(i)

Training

TrainingRecord per user. Untrained users cannot be assigned to Part 11 envelopes.

Implemented

§11.50

Signature manifestation

Printed name + UTC date/time + meaning rendered next to every signature in the signed PDF.

Implemented

§11.70

Record linking

PAdES-LTA + RFC 3161 TSA timestamps + organization-key signing of the chain head.

Implemented

§11.200(a)(1)

Two-component signing

Email + password (Argon2id). First signature in a session re-prompts for password.

Implemented

§11.300(b)

Password rotation

Configurable rotation period (default 90 days). Email-bound IDs are immutable.

Implemented

§11.300(d)

Unauthorized-use detection

Rate limit + account lockout + admin alert on suspicious patterns.

Implemented

Documents

All artifacts an FDA-regulated customer needs for vendor qualification.

21 CFR Part 11 compliance mapping

Full requirement-to-control map · 12 pages

Validation Plan (IQ/OQ/PQ)

GAMP 5 aligned · 47 test scripts

§11.100(c) FDA certification letter template

For your signing officer to send to FDA

Quality Agreement template

MSA addendum for life-sciences customers

Audit-log integrity brief

Hash-chain verification + sample script

SOC 2 Type II report

Available under NDA upon request

Customer commitments

We do not modify, delete, or train AI models on Customer Content without explicit consent.
Audit trails for Part 11 records survive even if the customer’s subscription ends; full export available for 90 days post-termination.
Source code held in third-party escrow (Iron Mountain) for Enterprise customers.
Major changes require change-impact assessments published 30 days before release.
Annual penetration tests by an independent firm; summary available under NDA.
All staff with production access undergo annual Part 11 awareness training.

Need to validate Tawqee for your environment?

We provide the complete IQ/OQ/PQ package, sign a Quality Agreement, and host a kickoff with our Solutions Engineer at no cost. Most customers complete validation in 2–3 weeks.