Compliance is in the code, not the SOP binder.
GMP Native is a system-architecture claim. The compliance posture is encoded as code paths and CI gates. A non-compliant action is rejected at the route layer, blocked by the service layer, or detected by a continuously running automated gate. Every regulated action that does succeed leaves an immutable, signed, attributable trail.
These are not features you configure. They are constraints encoded in the data layer, the service layer, and the CI pipeline. Regulatory citations appear inline with each claim.
There is no delete route in the codebase for any regulated table. Every production run, lot, batch record, CAPA, and OOS record has voided as its terminal state.
A CI gate parses the codebase AST on every commit and fails the build if anyone tries to add a delete route. The enforcement is continuous. It cannot drift between checks.
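One way such a gate can be written, as an added example that is not BatchBuddy's own code. It assumes Flask/FastAPI-style route decorators; the sample source and every name in it are constructed.

```python
import ast

# Constructed sample source. The decorator style and all names are
# assumptions for illustration, not taken from the product.
SAMPLE = '''
@bp.route("/lots/<int:lot_id>/void", methods=["POST"])
def void_lot(lot_id): ...

@bp.route("/lots/<int:lot_id>", methods=["GET", "delete"])
def lot_detail(lot_id): ...

@router.delete("/capa/{capa_id}")
async def remove_capa(capa_id): ...
'''

def _is_delete_decorator(dec):
    """True if a decorator call registers a handler for HTTP DELETE."""
    if not isinstance(dec, ast.Call) or not isinstance(dec.func, ast.Attribute):
        return False
    if dec.func.attr == "delete":            # @router.delete("/x")
        return True
    if dec.func.attr != "route":
        return False
    for kw in dec.keywords:                  # @bp.route(..., methods=[...])
        if kw.arg != "methods":
            continue
        if not isinstance(kw.value, (ast.List, ast.Tuple, ast.Set)):
            return True                      # built dynamically: fail closed
        for elt in kw.value.elts:
            if not isinstance(elt, ast.Constant) or not isinstance(elt.value, str):
                return True                  # non-literal method: fail closed
            if elt.value.upper() == "DELETE":
                return True
    return False

def find_delete_routes(source, filename="<memory>"):
    """Return (filename, line, function) for every DELETE handler found."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if any(_is_delete_decorator(d) for d in node.decorator_list):
                hits.append((filename, node.lineno, node.name))
    return sorted(hits)

if __name__ == "__main__":
    # A CI job would exit non-zero whenever this list is non-empty.
    print(find_delete_routes(SAMPLE))
```

Routes registered without decorators (for example through a registration call) need their own check; this sketch covers the decorator forms only.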
§11.10(c) — protection of records to enable accurate and ready retrieval
Each signature stores a cryptographic hash over the signer, the action, the target record, the timestamp, and a frozen JSON snapshot of the row at signing time.
The signature survives account deactivation and is verified independently of the user record. Tampering with any field in the signed snapshot breaks verification.
§11.50 — signature manifestations
§11.70 — linking signatures to records
When a batch starts, the system writes a frozen JSONB snapshot of the formulation as it existed at that moment. All execution reads from the snapshot, not the live formulation.
R&D can update master records mid-shift without disturbing in-flight batches. The batch record always reflects what was actually used, not what the formula says today.
§11.10(b) — ability to generate accurate and complete copies of records
Role enforcement is at the decorator layer in code, not in a permissions spreadsheet. Only QA roles can move a CAPA to verified, closed, or effectiveness-confirmed.
A production manager cannot close their own corrective action. The restriction is a Python decorator. It cannot be overridden from the UI or through a request parameter.
§11.10(d) — limiting access to authorised individuals
Ambiguous regulated operations abort with an error rather than picking a default. An empty COA upload returns 400 and leaves the lot in pending_qa. A QuickBooks webhook with a malformed signature returns 401. No silent fallbacks, no guessed state.
This design principle is what sits behind the question every experienced FDA inspector asks on day one of a facility review:
§11.10(a) — validation to ensure accuracy and ability to discern invalid records
21 CFR Part 111 §111.68 — laboratory controls; documented review of results
"Show me how this was prevented, not how it was discouraged."
The question every experienced FDA inspector asks on day one. Fail-closed architecture is the only honest answer.
Cross-tenant data boundaries are enforced at the query layer, not the UI permission layer. A misconfigured screen cannot leak one client's batch records to another because the data is filtered before it leaves the database.
Owner-scoping is enforced on every regulated query. Removing the filter is not a UI decision. It requires a service-layer change.
§11.10(d) — limiting system access to authorised individuals only
21 CFR Part 111 §111.14(b) — physical plant requirements; access controls
The gates span record integrity, role enforcement, webhook security, upload validation, audit chain continuity, and marketing-claim consistency. 11 gates in total, each running on every commit.
Each gate produces an HMAC-signed verdict. The audit-readiness state cannot quietly degrade between checks. One gate worth naming: the marketing-claim manifest gate scans this codebase's own marketing copy on every commit and fails the build if a claimed feature is not yet built. Every claim on this page has passed that gate.
§11.10(a) — validation of systems to ensure consistent intended performance
§11.10(e) — use of secure, computer-generated, time-stamped audit trails
A production run cannot advance from planned to in_progress without a completed, signed LineClearanceRecord with all_checks_passed=True.
Enforced at the service layer. No route, UI manipulation, or background task can bypass it. The transaction rolls back on failure.
21 CFR Part 111 §111.127 — what must you do before you begin manufacturing?
A finished goods lot shows zero units available for shipment until a second, distinct reviewer signs off. This is enforced at the database schema level via a CHECK constraint. Even a direct database query for available stock returns 0 without the second signature.
The release property is enforced at the data model level. It requires the reviewer to be a provably different user than the attester. This constraint lives in the schema, not in application logic that can be routed around.
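How a schema can express the two-person release rule described above, as an added example rather than the product's actual schema. Table and column names are hypothetical, and SQLite stands in for the production database so the block runs offline.

```python
import sqlite3

# Hypothetical schema and names; SQLite stands in for the production
# database so the example runs offline.
SCHEMA = """
CREATE TABLE finished_lot (
    lot_no          TEXT PRIMARY KEY,
    units_produced  INTEGER NOT NULL,
    units_available INTEGER NOT NULL DEFAULT 0,
    attested_by     TEXT,
    reviewed_by     TEXT,
    -- A reviewer needs a prior attester and must be a different user.
    CHECK (reviewed_by IS NULL
           OR (attested_by IS NOT NULL AND reviewed_by <> attested_by)),
    -- Stock is shippable only once the second signature exists.
    CHECK (units_available = 0
           OR (reviewed_by IS NOT NULL AND units_available <= units_produced))
);
"""
RELEASE = ("UPDATE finished_lot SET reviewed_by = ?, "
           "units_available = units_produced WHERE lot_no = ?")
FORCE = "UPDATE finished_lot SET units_available = units_produced WHERE lot_no = ?"

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO finished_lot (lot_no, units_produced, attested_by)"
               " VALUES ('LOT-001', 500, 'alice')")
    db.commit()  # so a later rollback cannot undo the seed row
    return db

def attempt(db, sql, params):
    """Run one statement; return False if a CHECK constraint rejected it."""
    try:
        with db:  # commit on success, roll back on error
            db.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def available(db, lot_no):
    sql = "SELECT units_available FROM finished_lot WHERE lot_no = ?"
    return db.execute(sql, (lot_no,)).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    print(attempt(db, FORCE, ("LOT-001",)), available(db, "LOT-001"))
    print(attempt(db, RELEASE, ("alice", "LOT-001")), available(db, "LOT-001"))
    print(attempt(db, RELEASE, ("bob", "LOT-001")), available(db, "LOT-001"))
```

Both the direct stock update and the self-review are rejected by the database itself, so the result is the same whether the statement comes from the application or from a SQL console.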
§11.10(d) — dual controls
21 CFR Part 111 §111.123 — batch production records
GMP Native means records, electronic signatures, batch execution, and process gates are enforced at the data layer. It does not mean the software replaces physical-plant GMP requirements: equipment qualification, environmental monitoring, facility maintenance, and calibration schedules remain the manufacturer's responsibility. BatchBuddy enforces what software can enforce. The rest is yours to operate.
GMP Native is a different answer to the same regulatory question, depending on the role you play in the facility.
The system tells you what's required before you can move forward. You don't need to memorise the SOP. The next step won't open until the current one is complete and signed. The path through the batch record is the SOP.
Controls are structural, not procedural. The audit trail is cryptographically chained. Every regulated action requires re-authentication with a logged meaning-of-signature (§11.200). An auditor can verify the chain independently of the system.
Your manufacturing records are defensible by design. Eleven automated compliance gates run continuously. One of them scans your own marketing copy to confirm no unbuilt feature is being advertised. The evidence is already generated before the auditor arrives.
Is GMP Native the same as being GMP certified?
No. Certified means an auditor has reviewed your processes and attested to them. GMP Native means the processes are enforced by the system itself. Certification becomes easier because the evidence is already continuously generated and cryptographically signed.
Does Batch Buddy replace my QMS?
It is your QMS. CAPA, OOS investigations, deviation tracking, training records, and electronic batch records are built-in workflows with enforced state machines, not integrations you configure separately.
Is the audit trail tamper-proof?
The audit trail is detection-based: every record is SHA-256 chained to its predecessor. Any unauthorised change (deletion, modification, reordering) breaks the chain and is cryptographically detectable on verification. This is the 21 CFR Part 11 §11.10(c) standard for electronic records. The system detects tampering; it does not prevent a database administrator from attempting it.
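A sketch of how a chain like this is verified, as an added example rather than BatchBuddy's code; the field names, genesis value and canonical-JSON encoding are assumptions. It also shows that truncating the tail, or rewriting and rehashing an unkeyed chain, is only detectable against a head hash kept outside the database.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry

def _digest(prev_hash, seq, payload):
    # Canonical JSON so the same payload always hashes identically.
    body = json.dumps({"prev": prev_hash, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev, "payload": payload,
                  "hash": _digest(prev, seq, payload)})

def verify(chain, expected_head=None):
    """Return None if intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return i  # deleted, inserted or reordered entry
        if entry["hash"] != _digest(entry["prev"], entry["seq"], entry["payload"]):
            return i  # payload or linkage modified
        prev = entry["hash"]
    # A truncated or fully rehashed chain is internally consistent; only a
    # head hash stored outside the database exposes it.
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None

def sample_chain():
    """Constructed audit entries, not real records."""
    chain = []
    append(chain, {"action": "sign", "record": "BR-1", "user": "qa1"})
    append(chain, {"action": "void", "record": "LOT-7", "user": "qa2"})
    append(chain, {"action": "close", "record": "CAPA-3", "user": "qa1"})
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    print(verify(chain, expected_head=chain[-1]["hash"]))
```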
Which industries does GMP Native apply to?
The deepest enforcement is in dietary supplement manufacturing (21 CFR Part 111). Food manufacturers benefit from FSMA traceability and preventive controls. Cosmetics manufacturers get MoCRA-aligned workflows. See the industry pages for detail on each.
What actually happens if someone tries to skip a required step?
Depends on the step. Line clearance and two-person QC release are hard stops: the service layer blocks the action and rolls back the transaction. There is no application path around them. The audit trail is detection-based: any external alteration is exposed on chain verification, and every failed re-authentication attempt is itself logged in a separate micro-transaction.
The architecture claims on this page are verified against the live codebase. The following pages show you the evidence.