Case study · Compliance & regulated industry

GIMS Compliance Relay

A tamper-proof audit trail for environments that answer to regulators. It records who touched what and when, signs it cryptographically, and exports evidence anyone can verify offline, built against 21 CFR Part 11.

Active pharma pilot · 21 CFR Part 11 · HMAC-sealed exports
01

The problem

In regulated industries (pharma, healthcare, anything the FDA watches), you don't just have to do the work correctly. You have to prove it: who performed each action, when, and that the record hasn't been altered since. That's the heart of 21 CFR Part 11, the rule governing electronic records and signatures.

Done manually, this is slow, error-prone, and fragile. A trail nobody can trust is worthless. The record has to be immutable by construction and verifiable by an auditor who wasn't there and doesn't trust your database.

02

What I built

The Compliance Relay sits alongside the work and captures it automatically. A file watcher records operations under an authenticated operator identity and writes them to an append-only, cryptographically verifiable trail. When it's time to hand evidence to an auditor, a sealed export binds the selected records to a chain-of-custody report with an HMAC signature, verifiable offline, without access to the live system.

03

How it works

  • Immutable audit trail — every capture, signature, access, export, and system change is logged append-only with cryptographic verification.
  • File watcher — automatically captures file operations under the acting operator's identity, so the trail writes itself.
  • Sealed export — binds a set of records to a chain-of-custody report via HMAC, so tampering after the fact is detectable offline.
  • Electronic signatures — password re-authentication per signing event, meeting 21 CFR Part 11 §11.200.
  • Authorization layer — only authorized reviewers can view or export the trail.
  • Multi-format export — CSV and JSON, watermarked in demonstration mode.
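
As an added illustration of the append-only trail and sealed export described above (not code from the Compliance Relay itself), the sketch below assumes a SHA-256 hash chain for the trail and HMAC-SHA256 over canonical JSON for the seal. All field names, the key and the sample records are constructed; because HMAC is symmetric, the offline verifier here holds the same key as the exporter.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed "prev" value for the first entry

def _canon(obj):
    # Canonical JSON so exporter and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canon(body)).hexdigest()

def append(trail, operator, action, target, ts):
    """Append-only write: each entry commits to the hash of the previous one."""
    entry = {"seq": len(trail), "ts": ts, "operator": operator,
             "action": action, "target": target,
             "prev": trail[-1]["hash"] if trail else GENESIS}
    entry["hash"] = _entry_hash(entry)
    trail.append(entry)
    return entry

def seal_export(records, key):
    """Bind a contiguous run of records to a custody report with HMAC-SHA256."""
    report = {"count": len(records), "records": records}
    tag = hmac.new(key, _canon(report), hashlib.sha256).hexdigest()
    return {"report": report, "hmac": tag}

def verify_export(export, key):
    """Offline check. The seal catches edits made after export;
    the hash chain catches edits made to the trail before it was sealed."""
    report = export["report"]
    expected = hmac.new(key, _canon(report), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, export.get("hmac", "")):
        return False, "seal mismatch"
    records = report["records"]
    for i, rec in enumerate(records):
        if rec["hash"] != _entry_hash(rec):
            return False, f"record {rec['seq']} altered"
        if i and rec["prev"] != records[i - 1]["hash"]:
            return False, f"chain broken before record {rec['seq']}"
    return True, "ok"

# Constructed sample data, not output from the real product.
KEY = b"constructed-demo-key-not-for-production"
TRAIL = []
append(TRAIL, "operator-a", "capture", "batch-record.pdf", "2024-01-01T09:00:00Z")
append(TRAIL, "operator-a", "sign", "batch-record.pdf", "2024-01-01T09:05:00Z")
append(TRAIL, "reviewer-b", "export", "batch-record.pdf", "2024-01-01T10:00:00Z")
EXPORT = seal_export(TRAIL, KEY)
```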

04

Try it

The live demo walks through capture, signing, and a sealed export end to end.

05

Status & traction

The Relay is in an active pilot with a pharma company, with a paid engagement close to signed. It's built to a real regulatory standard rather than a generic "audit log": the compliance detail is the product. Honest status: deployed, in a live sales conversation, and being pushed toward a first production deployment.

It's the compliance organ of the broader GIMS system.