Data integrity (ALCOA+)

This page maps the Better Comply controls to ALCOA+, the data-integrity framework auditors use when they assess whether an electronic record can be trusted.

Who this is for

Quality and compliance owners and auditors. It assumes you have read the four pillars on the compliance overview.

What ALCOA+ is

ALCOA+ is a set of expectations for trustworthy records: each record must be Attributable, Legible, Contemporaneous, Original, and Accurate, plus the "+" attributes complete, consistent, enduring, and available. Regulators in pharma and medical device apply it directly. The table below maps each principle to the Better Comply mechanism that supports it.

The mapping

Attributable - who did it

Every regulated action records the acting user and is written to the audit trail by a single server-side function. Roles live in a separate table from profiles, are never trusted from the client, and are enforced by Row Level Security.

Attributable even without an email

Shop-floor workers who have no corporate email still get a real authenticated principal. They are created with a non-deliverable internal address that is never displayed, and their durable attributable key is their employee number. Every action they take resolves to that identity, so there are no anonymous sessions and auth.uid() always resolves. See the users and access area for how emailless accounts are created.

Legible - readable and understandable

Records are stored as structured data, not free-form blobs, and surfaced through the audit log and evidence views. Certificates are generated server-side. The signature manifestation text is human-readable and records the meaning of the signature in plain language.

Contemporaneous - recorded at the time

The timestamp on an audit entry and on a signature is server-generated at the moment of the action, not supplied by the client. A signature and its audit entry are written atomically by the same server function, so the record and its trail share the same instant.

Original - the first capture, preserved

Once a completion record references a training version, that version is frozen by a database trigger and cannot be edited or deleted. Approval signatures and acknowledgements are append-only. The original is preserved as the original; you cannot overwrite it. See Evidence and immutability.

Accurate - correct and free of unauthorised change

The audit trail is fail-loud: a compliance-critical action that cannot be audited is aborted, so the record and its trail never disagree. A correction never overwrites the original; it appends a new entry that references it. Segregation of duties means a single person cannot both produce and bless a record. The signed IP is captured server-side, so it cannot be falsified by the client.
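The freeze trigger from the Original section and the fail-loud, append-only trail described above can be exercised together. This is an added example, not Better Comply's own code: it uses SQLite from Python as a stand-in for the product's database, and every table, column, trigger and action name in it is hypothetical.

```python
import sqlite3

# Constructed schema: every table, column, trigger and action name is hypothetical.
SCHEMA = """
CREATE TABLE training_version (id INTEGER PRIMARY KEY, body TEXT NOT NULL);
CREATE TABLE completion (id INTEGER PRIMARY KEY, employee_no TEXT NOT NULL,
  version_id INTEGER NOT NULL REFERENCES training_version(id));
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, actor TEXT NOT NULL,
  action TEXT NOT NULL CHECK (action IN ('completion.recorded', 'completion.corrected')),
  corrects INTEGER REFERENCES audit_log(id),      -- a correction points at the original
  at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP);    -- database clock, never the client's
-- Original: a version referenced by a completion can no longer be edited or deleted.
CREATE TRIGGER version_frozen_u BEFORE UPDATE ON training_version
  WHEN EXISTS (SELECT 1 FROM completion WHERE version_id = OLD.id)
  BEGIN SELECT RAISE(ABORT, 'version is frozen'); END;
CREATE TRIGGER version_frozen_d BEFORE DELETE ON training_version
  WHEN EXISTS (SELECT 1 FROM completion WHERE version_id = OLD.id)
  BEGIN SELECT RAISE(ABORT, 'version is frozen'); END;
-- Append-only: audit rows accept INSERT only.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
  BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def record_completion(db, actor, version_id, action="completion.recorded"):
    """Write the record and its audit row in one transaction; abort both if either fails."""
    db.execute("BEGIN IMMEDIATE")
    try:
        cur = db.execute("INSERT INTO completion (employee_no, version_id) VALUES (?, ?)",
                         (actor, version_id))
        db.execute("INSERT INTO audit_log (actor, action) VALUES (?, ?)", (actor, action))
        db.execute("COMMIT")
        return cur.lastrowid
    except sqlite3.Error:
        db.execute("ROLLBACK")  # fail loud: no record persists without its audit entry
        raise

def refused(db, sql, params=()):
    """Return the database's refusal message, or None if the statement was accepted."""
    try:
        db.execute(sql, params)
        return None
    except sqlite3.DatabaseError as exc:
        return str(exc)
```

An audit write that fails (here, an action outside the fixed set) rolls back the completion row with it, and a correction is a new `audit_log` row whose `corrects` column points at the original.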

The "+" attributes

| Attribute | How Better Comply supports it |
| --- | --- |
| Complete | Fail-loud auditing means a regulated change cannot persist without its audit entry, so the trail has no silent gaps. |
| Consistent | One server function writes all audit rows; one lifecycle governs documents; one governs training versions. The action taxonomy is a fixed set. |
| Enduring | Records are retained, not deleted. Retirement (obsolete, superseded) replaces destructive deletion for regulated rows. |
| Available | Admins can read the audit log, evidence, certificates, approvals, and acknowledgements and export them for an inspection. See Exporting evidence. |

Retention is a documented commitment

Retention windows for regulated entities (on the order of seven years for evidence, audit logs, and approved versions) are recorded as policy. Automatic purge at end-of-retention is a planned operational job, not yet an enforced deletion. Treat the retention windows as a commitment you implement in your own operations until that job is in place.

What to tell an auditor

  • Attributable: every action carries the acting identity, including emailless workers.
  • Contemporaneous: timestamps and IPs are server-generated, not client-supplied.
  • Original and accurate: evidenced records are frozen, corrections append, and the audit trail is fail-loud.