Trust & compliance
Built to be audited.
Public sources in, cited and tamper-evident verdicts out. Here's exactly how we handle your data, our compliance posture, and the proof behind it.
Part 11 hash-chained audit trail on every run.
Compliance posture
Honest about status
What is implemented today, what is a stated design posture, and what is still in progress. We never imply a certification is complete.
21 CFR Part 11
Implemented: Tamper-evident, hash-chained audit trail on every run.
Every feasibility run writes an append-only, hash-chained audit record (electronic records & signatures). Each entry references the cryptographic hash of the prior entry, so any retroactive edit breaks the chain and is detectable. Citations, inputs, scorer versions, and outputs are all captured in the chain.
How the audit chain works →
HIPAA
Posture: No PHI required — engine runs on public data and de-identified protocol inputs.
The feasibility engine is designed to operate on public data sources and protocol-level (non-patient) inputs, so Protected Health Information is not required to produce a verdict. Where customers choose to transmit regulated data, transport is encrypted (TLS) and storage is encrypted at rest (AES-256). This is a stated posture, not a third-party HIPAA attestation.
GDPR
Posture: Data-minimisation by design; EU data-handling alignment.
We follow data-minimisation principles: only the protocol inputs needed to run scorers are processed, and outputs cite public sources. Data-subject and processing terms are addressed contractually. This reflects our design posture and DPA commitments, not a supervisory-authority certification.
SOC 2 Type II
In progress: Audit underway — report not yet issued.
We are actively pursuing a SOC 2 Type II examination. Controls are being implemented and evidenced; the independent report has not yet been issued. We will publish the report status here when available. We do not claim SOC 2 compliance today.
Data handling
Your protocol stays yours
Three commitments that govern how your inputs are processed.
We never train on your data
Protocols you submit are not used to train or fine-tune any model.
Self-hosted LLM fleet
Extraction runs on our own Qwen models inside our tenant; your protocol is never sent to a third-party model provider.
Per-tenant isolation
Your runs, citations, and audit chain are isolated to your tenant.
Provenance & audit
Every number is a citation. Every verdict is hash-chained.
Each feasibility verdict cites the public source behind every figure, then is hashed into a 21 CFR Part 11 tamper-evident chain you can export and replay. Any retroactive edit breaks the chain and is detectable.
ENDO-2b · Endometriosis Phase 2b
Feasibility verdict · every number cited
Every verdict is hashed into a Part-11 tamper-evident chain you can export and replay.
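The chaining property described under 21 CFR Part 11 and Provenance & audit above, as an added illustration that is not this product's code or export format. SHA-256, the canonical-JSON encoding, the field names, the all-zero genesis value and the sample records are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first entry

def entry_hash(prev_hash, payload):
    # Canonical JSON (sorted keys, fixed separators) so a record always hashes the same way.
    body = json.dumps({"prev_hash": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(body).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "payload": payload, "hash": entry_hash(prev, payload)})
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Replay the chain; return (ok, index of first failing entry or None)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(e["prev_hash"], e["payload"]):
            return False, i
        prev = e["hash"]
    # Links alone cannot reveal a dropped tail or a full rewrite; compare with a separately held head.
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def build_sample_chain():
    # Constructed records carrying the kinds of fields the page says are captured.
    chain = []
    for payload in [
        {"inputs": "protocol-A", "scorer_version": "1.0", "citations": ["source-1"], "output": "verdict-A"},
        {"inputs": "protocol-B", "scorer_version": "1.0", "citations": ["source-2"], "output": "verdict-B"},
        {"inputs": "protocol-C", "scorer_version": "1.1", "citations": ["source-3"], "output": "verdict-C"},
    ]:
        head = append(chain, payload)
    return chain, head
```

When replaying an exported chain, compare its final hash against a head value stored outside the system that wrote the log, since internally consistent links do not rule out truncation.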
Data sources
Powered by public data
Every cited number traces back to one of these public, stewarded sources — no proprietary black boxes.
Sources
Built on public data sources
Public, re-verifiable sources — click any number to check it yourself. Your protocol is never used to train a model.