Trust built from primitives, not bolt-ons.
Consent records, append-only audit, versioned scientific rules, and scoped access are part of the data model. That is the foundation diligence actually rests on.
The principle
Compliance follows from how the platform is built.
When audit, consent, versioning, and access control are primitives rather than features, the controls that standards ask for are already where they need to be, and so is the evidence.
Security highlights
What's in the architecture.
Append-only audit
Audit events are append-only, with no updates or deletes, capturing actor, organization context, and reason for sensitive operations.
Scoped access
Organization-scoped access with a permission service enforced in application logic; cross-tenant access fails closed.
Consent gating
Secondary uses such as discovery, analytics, and sharing require active per-purpose consent and fail closed when it is absent.
Verifiable report snapshots
Released reports are immutable content-hash snapshots that can be independently verified as authentic and unaltered.
Versioned scientific rules
Interpretation rule sets and reference panels are versioned and promoted through review, so released facts are reproducible.
Encryption in transit & at rest
TLS protects data in transit; the production datastore, object storage, and backups are encrypted at rest.
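The three data-model properties listed above (append-only audit events that carry actor, organization context and reason; organization-scoped permission checks that fail closed across tenants; content-hash snapshots of released reports) can be shown in a few dozen lines. The following is an added, constructed illustration and is not AnimalTrace's code; the class names, the `report.release` action string and the sample report fields are assumptions made for the example.

```python
"""Constructed example: append-only audit, org-scoped permission checks that fail
closed, and content-hash report snapshots. Not AnimalTrace's own code."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


class AuditLog:
    """Append-only event store: the class deliberately has no update or delete method."""

    def __init__(self) -> None:
        self._events: List[dict] = []

    def append(self, actor: str, org_id: str, action: str, subject: str, reason: str) -> int:
        # Every sensitive operation records who acted, in which organization, and why.
        event = {
            "seq": len(self._events),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "org_id": org_id,
            "action": action,
            "subject": subject,
            "reason": reason,
        }
        self._events.append(event)
        return event["seq"]

    def events(self) -> Tuple[dict, ...]:
        # Hand out copies so callers cannot mutate history through the returned objects.
        return tuple(dict(e) for e in self._events)


class PermissionService:
    """Grants are keyed by (actor, organization); cross-tenant requests never reach the table."""

    def __init__(self, grants: Dict[Tuple[str, str], Set[str]]) -> None:
        self._grants = grants

    def allows(self, actor: str, actor_org: str, resource_org: str, action: str) -> bool:
        if actor_org != resource_org:
            return False  # fail closed: a grant in org A says nothing about org B
        return action in self._grants.get((actor, actor_org), set())


def canonical_bytes(report: dict) -> bytes:
    # Sorted keys and fixed separators make the digest independent of dict ordering.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_snapshot(report: dict) -> dict:
    content = canonical_bytes(report)
    return {"content": content, "sha256": hashlib.sha256(content).hexdigest()}


def verify_snapshot(snapshot: dict) -> bool:
    # Recompute the digest from the stored bytes; any alteration changes it.
    return hashlib.sha256(snapshot["content"]).hexdigest() == snapshot["sha256"]


class ReportService:
    def __init__(self, audit: AuditLog, perms: PermissionService) -> None:
        self.audit = audit
        self.perms = perms
        self.released: Dict[str, dict] = {}

    def release(self, actor: str, actor_org: str, report: dict, reason: str) -> dict:
        report_id = report["report_id"]
        if not self.perms.allows(actor, actor_org, report["org_id"], "report.release"):
            # Denials are audited too, so a refused cross-tenant attempt leaves a trace.
            self.audit.append(actor, actor_org, "report.release.denied", report_id, reason)
            raise PermissionError(f"{actor}@{actor_org} may not release {report_id}")
        snapshot = make_snapshot(report)
        self.released[report_id] = snapshot
        self.audit.append(actor, actor_org, "report.release", report_id, reason)
        return snapshot


def demo() -> dict:
    """Constructed scenario: one in-org release, one cross-tenant attempt, one tamper check."""
    audit = AuditLog()
    perms = PermissionService({("alice", "org-a"): {"report.release"}})
    svc = ReportService(audit, perms)
    report = {"report_id": "rpt-1", "org_id": "org-a", "animal": "ear-tag-0042",
              "rule_set": "interp-v3", "result": "negative"}
    snap = svc.release("alice", "org-a", report, reason="panel review complete")
    try:  # same actor, but the report belongs to another organization
        svc.release("alice", "org-a", dict(report, org_id="org-b", report_id="rpt-2"),
                    reason="misdirected request")
        cross_tenant_denied = False
    except PermissionError:
        cross_tenant_denied = True
    tampered = dict(snap, content=snap["content"].replace(b"negative", b"positive"))
    return {
        "snapshot_ok": verify_snapshot(snap),
        "tampered_ok": verify_snapshot(tampered),
        "cross_tenant_denied": cross_tenant_denied,
        "audit_actions": [e["action"] for e in audit.events()],
    }
```

The point to notice is where the guarantees live: the audit class simply has no mutation path, the permission check compares organizations before it consults any grant, and a snapshot verifies from its own bytes without consulting the service that produced it.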
We describe our security posture as it is. Most controls above are present in the implementation today; a few land as the production environment hardens. During an evaluation we'll walk you through exactly where each one stands.
Standards posture
Architected toward the standards that matter.
We design toward recognized frameworks and don't claim certifications we haven't earned. Certification follows operation and the evidence that comes with it.
ISO/IEC 17025-supporting
Method versioning, chain of custody, explicit release control, and audit traceability support a lab's own accreditation, which the lab earns.
Toward ISO 27001 / SOC 2
Access control, change management, cryptography, and audit accountability are designed in; full operationalization (auth, observability, backups) is in progress.
GDPR / CCPA-aware
Per-purpose consent, data-subject request workflows, and erasure reconciled against an immutable audit trail are part of the model, not a banner.
Consent & data rights
Consent is a record, withdrawal is honored.
Consent is per purpose, versioned, and revocable. Withdrawing it stops future use without rewriting the history the audit trail must keep.
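As an added, constructed illustration of consent as a record rather than a flag (not AnimalTrace's code), the ledger below stores one record per grant or withdrawal, keyed by subject and purpose, and decides from the latest record only. A withdrawal is a new record, so the earlier grant stays in the history; a missing record fails closed; and, as an assumption made for the example, a grant given under an older consent-policy version is treated as not active for the current one. Subject and purpose names are sample values.

```python
"""Constructed example: per-purpose, versioned, revocable consent kept as an
append-only ledger. Not AnimalTrace's own code."""
from datetime import datetime, timezone
from typing import List, Optional, Tuple


class ConsentRequired(Exception):
    """Raised when a secondary use is attempted without active consent."""


class ConsentLedger:
    """Every grant or withdrawal is appended; the most recent record for (subject, purpose) decides."""

    def __init__(self) -> None:
        self._records: List[dict] = []

    def _append(self, subject: str, purpose: str, granted: bool,
                policy_version: str, reason: str) -> dict:
        rec = {
            "seq": len(self._records),
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": subject,
            "purpose": purpose,
            "granted": granted,
            "policy_version": policy_version,
            "reason": reason,
        }
        self._records.append(rec)
        return dict(rec)

    def grant(self, subject: str, purpose: str, policy_version: str,
              reason: str = "subject opted in") -> dict:
        return self._append(subject, purpose, True, policy_version, reason)

    def withdraw(self, subject: str, purpose: str, reason: str = "subject opted out") -> dict:
        # Withdrawal appends a revocation; the earlier grant is never edited or removed.
        latest = self.latest(subject, purpose)
        version = latest["policy_version"] if latest else "none"
        return self._append(subject, purpose, False, version, reason)

    def latest(self, subject: str, purpose: str) -> Optional[dict]:
        for rec in reversed(self._records):
            if rec["subject"] == subject and rec["purpose"] == purpose:
                return dict(rec)
        return None

    def history(self, subject: str, purpose: str) -> Tuple[dict, ...]:
        return tuple(dict(r) for r in self._records
                     if r["subject"] == subject and r["purpose"] == purpose)

    def is_active(self, subject: str, purpose: str, current_policy_version: str) -> bool:
        # Fail closed: no record, a revoked record, or a grant under a superseded
        # policy version (an assumption of this example) all evaluate to False.
        latest = self.latest(subject, purpose)
        return bool(latest) and latest["granted"] \
            and latest["policy_version"] == current_policy_version


def run_secondary_use(ledger: ConsentLedger, subject: str, purpose: str,
                      current_policy_version: str) -> str:
    """Gate a secondary use (discovery, analytics, sharing) on active consent."""
    if not ledger.is_active(subject, purpose, current_policy_version):
        raise ConsentRequired(f"no active '{purpose}' consent for {subject}")
    return f"{purpose} performed for {subject}"


def demo() -> dict:
    """Constructed scenario: grant, use, withdraw, and confirm the history survives."""
    ledger = ConsentLedger()
    owner = "owner-17"
    ledger.grant(owner, "analytics", "consent-v2")
    before = ledger.is_active(owner, "analytics", "consent-v2")
    never_granted = ledger.is_active(owner, "discovery", "consent-v2")
    ledger.withdraw(owner, "analytics", reason="owner request via portal")
    after = ledger.is_active(owner, "analytics", "consent-v2")
    try:
        run_secondary_use(ledger, owner, "analytics", "consent-v2")
        blocked = False
    except ConsentRequired:
        blocked = True
    return {
        "analytics_before": before,
        "discovery_never_granted": never_granted,
        "analytics_after_withdrawal": after,
        "use_blocked_after_withdrawal": blocked,
        "history_grants": [r["granted"] for r in ledger.history(owner, "analytics")],
    }
```

Because the decision is always computed from the latest record, honoring a withdrawal never requires touching the grant that preceded it, which is exactly what an append-only audit trail needs.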
Download the readiness one-pager
Our compliance readiness and remediation posture, written for diligence, including what is done and what is in progress.
Compliance readiness (PDF)
Audit trail
Every change has a name, a time, and a reason.
The audit trail is append-only. Records are never updated or deleted, so the history of an animal, a result, or a release is a permanent, defensible record rather than a best guess.
Answers the hard question
When a result is challenged, show exactly which source, which rule version, and which reviewer produced it. No archaeology.
Captures the why
Sensitive operations record the actor, the organization context, and the reason, not just that something changed.
Built in, not bolted on
Audit isn't a logging add-on. It's a platform primitive every workflow writes to by design.
Diligence-grade answers, straight.
If you're evaluating AnimalTrace and need to go deeper on security or compliance, get in touch and we'll walk you through the full posture.