Nessa Documentation
Enterprise pharmaceutical data integrity for FDA-regulated environments
Nessa by Clinivion is an enterprise-grade pharmaceutical data integrity engine built for FDA-regulated R&D environments. It provides cryptographic verification, immutable audit trails, AI-powered risk assessment, and comprehensive compliance monitoring, all in one platform designed from the ground up for GxP compliance.
Why Nessa?
- Cryptographic Data Integrity — Every data entry is protected by ED25519 digital signatures and Merkle tree proofs, providing mathematical proof of data authenticity
- AI Risk Prediction — Machine learning models (k-means anomaly detection, logistic regression) continuously score data quality risk in real time
- FDA-Ready Audit Package — Generate a comprehensive 25-page PDF audit report at any time, covering all 21 CFR Part 11 requirements
- ALCOA+ Compliance Scoring — Automated scoring across all nine ALCOA+ principles with actionable recommendations
- Certificate Transparency — Borrowed from Google's PKI model, our CT log provides an append-only tamper-evident record of all operations
- Real-Time IoT Monitoring — Ingest and validate sensor data (temperature, humidity, particle counts) with cryptographic integrity
Compliance Standards
FDA 21 CFR Part 11
Electronic records and signatures, complete audit trails, access controls
EMA ALCOA+
Attributable, Legible, Contemporaneous, Original, Accurate + Complete, Consistent, Enduring, Available
GAMP 5
Risk-based validation approach with immutable audit trail and full traceability
ISO 27001
Role-based access control with five defined roles, encryption at rest and in transit
GDPR
Consent management supporting six legal bases, PII/PHI redaction, data classification
HIPAA
Access controls, integrity verification via Certificate Transparency logs
Getting Started
Login
Navigate to the application login page. Nessa supports credential-based authentication as well as SSO via Auth0, Azure AD, and Google.
Default Credentials
| Role | Email | Password | Access Level |
|---|---|---|---|
| Admin | admin@pharma.local | Admin123! | Full system access |
| Scientist | scientist@pharma.local | Science123! | Data entry, reports, signatures |
| Auditor | auditor@pharma.local | Audit123! | Read-only audit and compliance |
These defaults exist only for the first login; rotate all three before the system holds regulated data.
First-Time Setup Checklist
- Log in with administrator credentials
- Review the QA Dashboard for current compliance status
- Configure user accounts and assign roles
- Set up validation rules for your data types
- Configure IoT sensor thresholds (if applicable)
- Run the Live Demo to see the full platform in action
- Generate a test FDA audit report
QA Dashboard
The QA Command Center provides a real-time overview of your organization's compliance posture. It aggregates metrics from all subsystems into a single view optimized for quality assurance managers.
Key Metrics
- FDA Readiness Score — Percentage of 21 CFR Part 11 requirements met, weighted by criticality
- ALCOA+ Compliance — Aggregate score across all nine data integrity principles
- Cryptographic Verification — Percentage of data entries with valid ED25519 signatures and Merkle proofs
- Real-time Validation — Current pass rate of automated validation rules
AI Risk Prediction
Nessa uses machine learning models trained on pharmaceutical data patterns to predict compliance risks before they become findings. The risk engine combines k-means clustering for anomaly detection with logistic regression for risk classification, scoring each data entry on a 0-100 scale.
- 0-30: Low Risk — Data meets all quality standards
- 31-70: Medium Risk — Potential issues detected, review recommended
- 71-100: High Risk — Immediate attention required
Data Management
Nessa provides a complete data lifecycle management system, from submission through verification to archival. Every operation is cryptographically signed and logged to the immutable audit trail.
Submit Data
Create new data entries with full traceability. Each submission captures the operator identity, timestamp (NTP-verified), study ID, CAPA reference, and data classification level. Upon submission, the entry receives an ED25519 digital signature and is appended to the Merkle tree.
Data Explorer
Browse, search, and filter all data entries in the system. The explorer provides full-text search, column filtering, and sorting. Each entry displays its verification status, signature validity, and risk score.
Import Data
Bulk import data from CSV or JSON files. The importer validates each record against configured validation rules before committing. Failed records are reported with specific error details. Successful imports receive batch signatures.
Audit Trail
Every action in Nessa is recorded in an immutable, cryptographically verified audit log. The audit trail cannot be modified, deleted, or tampered with — any attempt to alter records is immediately detectable through hash chain verification.
How It Works
- Hash Chain — Each audit entry includes the SHA-256 hash of the previous entry, forming an unbreakable chain
- Merkle Tree — Entries are organized into a Merkle tree, enabling efficient proof of inclusion for any record
- NTP Timestamps — All timestamps are verified against NTP servers to prevent clock manipulation
- Non-Repudiation — Each action is tied to an authenticated user identity with ED25519 signatures
Logged Actions
The following operations are automatically captured in the audit trail:
- User authentication (login, logout, failed attempts)
- Data creation, modification, and deletion
- Digital signature operations
- Compliance report generation
- Configuration changes
- Role and permission modifications
- IoT sensor data ingestion
- Validation rule changes
ALCOA+ Compliance
ALCOA+ is the gold standard framework for pharmaceutical data integrity, originally defined by the FDA and expanded by the WHO. Nessa continuously scores your data against all nine principles and provides actionable recommendations for improvement.
The Nine Principles
Attributable
Who performed the action and when
Legible
Data is readable and permanently recorded
Contemporaneous
Recorded at the time of activity
Original
First-capture or true copy
Accurate
No errors or unauthorized edits
Complete
All data including retests and repeats
Consistent
Chronologically ordered, date/time stamped
Enduring
Recorded on permanent media
Available
Accessible for review throughout retention
Scoring Methodology
Each ALCOA+ principle is scored from 0 to 100 based on automated checks. Nessa evaluates your data entries, audit trail completeness, signature coverage, and system configuration to compute each score. Scores below 80 trigger recommendations; scores below 60 generate alerts.
FDA Reports
Generate comprehensive FDA audit packages on demand. The report covers all 21 CFR Part 11 requirements and provides documented evidence of compliance across electronic records, electronic signatures, and audit trail integrity.
Report Sections
- Executive Summary — Overall compliance status and key metrics
- System Description — Architecture, security controls, and validation approach
- Electronic Records (11.10) — Controls for closed systems, record integrity, and retention
- Electronic Signatures (11.50-11.200) — Signature manifestations, uniqueness, and non-repudiation
- Audit Trail Analysis — Hash chain verification, Merkle proof validation, completeness check
- ALCOA+ Compliance Matrix — Detailed scoring across all nine principles
- Risk Assessment — AI-generated risk scores and trend analysis
- Appendices — Technical specifications, cryptographic details, and methodology
Generating a Report
- Navigate to Reports in the sidebar
- Click Preview to review the report in-browser
- Click Download PDF to generate the full 25-page audit package
Sample report: Download Sample FDA Audit Report (PDF)
Electronic Signatures
Nessa implements electronic signatures in full compliance with 21 CFR Part 11, Sections 11.50 through 11.200. Every signature uses ED25519 elliptic-curve cryptography, providing mathematical proof of signer identity and document integrity.
Signature Workflow
- User re-authenticates with their credentials (two-factor verification)
- The system generates an ED25519 signature over the data hash
- The signature, public key, timestamp, and meaning are recorded
- The signed record is appended to the Merkle tree and CT log
- An audit trail entry captures the complete operation
Compliance Guarantees
- Non-repudiation — Signatures are cryptographically bound to the signer's unique key pair
- Integrity — Any modification to signed data invalidates the signature
- Meaning — Each signature includes its intent (approval, review, authoring)
- Timestamp — NTP-verified timestamps prevent backdating
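The workflow and guarantees above, shown as an added example in Go rather than code from Nessa itself: the signature covers the SHA-256 of the record together with the meaning and timestamp, so changing the data, relabelling an approval as a review, or moving the date all invalidate it. Go's standard `crypto/ed25519` stands in for the ring crate mentioned later on this page; the record layout, the `nessa-esig-v1` message framing and the sample data are assumptions of this example, and the timestamp is simply the caller's clock rather than an NTP-verified one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignatureRecord holds what the workflow says gets recorded: signature, public key,
// timestamp and meaning. The layout is constructed for this example, not Nessa's schema.
type SignatureRecord struct {
	DataHash  string // hex SHA-256 of the signed record content
	Meaning   string // "approval", "review" or "authoring"
	Timestamp string // RFC 3339 UTC; in production this would come from an NTP-verified clock
	PublicKey []byte
	Signature []byte
}

// signedMessage is the exact byte string the signature covers. Binding meaning and
// timestamp into it (not only the data hash) is what prevents a signature being reused
// with a different intent or date.
func signedMessage(dataHash, meaning, timestamp string) []byte {
	return []byte("nessa-esig-v1\n" + dataHash + "\n" + meaning + "\n" + timestamp)
}

func hashData(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// signRecord produces the record for one electronic signature over data.
func signRecord(priv ed25519.PrivateKey, data []byte, meaning string, at time.Time) SignatureRecord {
	rec := SignatureRecord{
		DataHash:  hashData(data),
		Meaning:   meaning,
		Timestamp: at.UTC().Format(time.RFC3339),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
	rec.Signature = ed25519.Sign(priv, signedMessage(rec.DataHash, rec.Meaning, rec.Timestamp))
	return rec
}

// verifyRecord checks that data is byte-for-byte what was signed and that the stored
// meaning and timestamp are the ones the signer committed to.
func verifyRecord(rec SignatureRecord, data []byte) bool {
	if len(rec.PublicKey) != ed25519.PublicKeySize || hashData(data) != rec.DataHash {
		return false
	}
	msg := signedMessage(rec.DataHash, rec.Meaning, rec.Timestamp)
	return ed25519.Verify(ed25519.PublicKey(rec.PublicKey), msg, rec.Signature)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in Nessa this would be the data entry being signed.
	record := []byte(`{"study_id":"STUDY-001","sample_id":"S-001","parameter_name":"Assay","value_numeric":99.2}`)
	rec := signRecord(priv, record, "approval", time.Now())
	fmt.Println("valid:", verifyRecord(rec, record))

	// Integrity: any change to the signed data invalidates the signature.
	edited := []byte(`{"study_id":"STUDY-001","sample_id":"S-001","parameter_name":"Assay","value_numeric":99.9}`)
	fmt.Println("edited data valid:", verifyRecord(rec, edited))

	// Meaning: downgrading an approval to a review also fails.
	rec.Meaning = "review"
	fmt.Println("meaning changed valid:", verifyRecord(rec, record))
}
```

The verifier needs only the record and the public key, so an auditor can re-check every stored signature without access to any private key material.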
IoT Sensor Monitoring
Monitor laboratory and cleanroom environmental conditions in real time. Nessa ingests sensor data via secure API endpoints and applies the same cryptographic integrity guarantees as all other data in the system.
Supported Sensor Types
| Sensor Type | Unit | Typical Range | Alert Threshold |
|---|---|---|---|
| Temperature | °C | 15-25 | > 25 or < 15 |
| Humidity | % RH | 30-60 | > 65 or < 25 |
| Particle Count | particles/m³ | 0-3,520 | > 3,520 (ISO 7) |
| Pressure Differential | Pa | 10-15 | < 10 |
Data Integrity for Sensors
Every sensor reading is timestamped with NTP verification, signed, and appended to the audit trail. Out-of-specification readings automatically trigger OOS events and notifications to quality managers.
Certificate Transparency Log
Inspired by Google's Certificate Transparency framework for PKI security, Nessa implements an append-only, cryptographically verifiable log of all data operations. This provides an independent, tamper-evident record that can be audited by third parties.
How CT Logs Work
- Append-Only — Entries can only be added, never modified or deleted
- Merkle Tree — All entries are organized in a Merkle hash tree, enabling efficient proofs
- Inclusion Proofs — Anyone can verify that a specific entry exists in the log without downloading the entire log
- Consistency Proofs — Verify that the log has only grown (no entries removed or changed) between two points in time
Tamper Detection
If any historical entry in the CT log is modified, the Merkle root hash changes, so every inclusion and consistency proof issued against the earlier root stops verifying. Producing an altered log with the same root would require a SHA-256 collision, which makes undetected tampering computationally infeasible; detection does rely on verifiers or third-party auditors retaining previously published root hashes to compare against.
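The inclusion proof mechanism described above, as an added example in Go (not Nessa's implementation): it builds the tree the way RFC 6962 specifies for Certificate Transparency (leaf and node hashes domain-separated with a 0x00/0x01 prefix, unbalanced split at the largest power of two) and verifies a leaf against the published root using only the leaf, its index, the tree size and the sibling hashes. The log entries are constructed strings; consistency proofs between two tree sizes are not shown here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// leafHash and nodeHash use the RFC 6962 prefixes (0x00 leaf, 0x01 interior node)
// so a leaf value can never be mistaken for an interior node or vice versa.
func leafHash(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(data)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// splitPoint returns the largest power of two strictly less than n (n >= 2).
func splitPoint(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// merkleRoot is MTH(D[n]) from RFC 6962: recurse on the two halves split at splitPoint.
func merkleRoot(leaves [][]byte) []byte {
	switch len(leaves) {
	case 0:
		return sha256.New().Sum(nil) // hash of the empty string
	case 1:
		return leafHash(leaves[0])
	}
	k := splitPoint(len(leaves))
	return nodeHash(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}

// inclusionProof is PATH(m, D[n]): the sibling hashes from leaf m up to the root.
func inclusionProof(leaves [][]byte, m int) [][]byte {
	n := len(leaves)
	if n <= 1 {
		return nil
	}
	k := splitPoint(n)
	if m < k {
		return append(inclusionProof(leaves[:k], m), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], m-k), merkleRoot(leaves[:k]))
}

// verifyInclusion re-derives the root from one leaf and its proof (the RFC 9162
// verification procedure). The verifier never needs the rest of the log.
func verifyInclusion(data []byte, index, size int, proof [][]byte, root []byte) bool {
	if index >= size {
		return false
	}
	fn, sn := index, size-1
	r := leafHash(data)
	for _, p := range proof {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 {
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// sampleLog returns constructed demo entries standing in for serialized log records.
func sampleLog() [][]byte {
	var leaves [][]byte
	for i := 1; i <= 5; i++ {
		leaves = append(leaves, []byte(fmt.Sprintf("entry-%d:assay=99.%d", i, i)))
	}
	return leaves
}

func main() {
	entries := sampleLog()
	root := merkleRoot(entries)
	proof := inclusionProof(entries, 3)
	fmt.Println("root:", hex.EncodeToString(root))
	fmt.Println("entry 3 included:", verifyInclusion(entries[3], 3, len(entries), proof, root))

	// Rewriting one historical entry changes the root, so proofs issued earlier no longer verify.
	entries[1] = []byte("entry-2:assay=99.9")
	fmt.Println("after tamper:", verifyInclusion(entries[3], 3, len(entries), proof, merkleRoot(entries)))
}
```

A proof is only as trustworthy as the root it is checked against, which is why an auditor should fetch the root through an independent channel (or keep earlier roots) rather than accept one supplied alongside the proof.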
User Management
Nessa implements role-based access control (RBAC) with five predefined roles aligned to pharmaceutical organizational structures. User management is restricted to administrators.
Role Permissions
| Role | Data Entry | View Data | Sign | Reports | Manage Users | System Config |
|---|---|---|---|---|---|---|
| Admin | Yes | Yes | Yes | Yes | Yes | Yes |
| QA Manager | Yes | Yes | Yes | Yes | No | No |
| QA User | Yes | Yes | Yes | No | No | No |
| Auditor | No | Yes | No | Yes | No | No |
| Viewer | No | Yes | No | No | No | No |
Live Demo
The interactive demo simulates a full pharmaceutical data workflow, generating realistic data entries from multiple sources (LIMS, EDC, IoT sensors) and demonstrating compliance monitoring, cryptographic verification, and risk scoring in real time.
Running the Demo
- Navigate to Demo in the sidebar
- Click Start Simulation to begin
- Watch as data entries are generated, validated, signed, and logged
- Observe real-time compliance scores updating as data flows through the system
Integration Sources Simulated
- LIMS — Laboratory Information Management System data (analytical results, sample tracking)
- EDC — Electronic Data Capture (clinical trial data entry)
- IoT — Environmental sensor readings (temperature, humidity, particles)
Auditor View
The Auditor View provides a read-only interface for compliance auditors to retrieve and inspect the immutable audit ledger. Enter a study ID to retrieve all associated audit events, verify hash chain integrity, and export evidence packages.
Scientist Workstation
The Scientist Workstation provides a streamlined interface for researchers to submit data entries and apply electronic signatures. Data entries are automatically validated, signed with ED25519 keys, and appended to the Merkle tree.
Validation Rules
Configure automated validation rules that are applied to every data entry in real time. Rules define acceptable ranges, required fields, and custom logic for specific data types. Failed validations trigger OOS events and quality notifications.
Out-of-Specification Events
When data entries fail validation rules, OOS events are automatically generated and tracked. Quality managers can review, investigate, and acknowledge each event. All OOS actions are recorded in the immutable audit trail.
Lab Results & OOS Detection
Nessa replaces untyped data blobs with structured lab result entry, capturing every field needed for regulatory traceability. Each result is hash-chained per study using SHA-256, and the system automatically checks results against specification limits to detect out-of-specification conditions.
Structured Result Fields
| Field | Type | Description |
|---|---|---|
| study_id | String | Study identifier for grouping results |
| batch_number | String | Manufacturing or analytical batch |
| sample_id | String | Unique sample identifier |
| parameter_name | String | Analytical parameter being measured |
| value_numeric | Float | Numeric result value |
| value_text | String | Text result (for non-numeric parameters) |
| unit_of_measure | String | Unit of measurement (from reference data) |
| instrument_id | UUID | Equipment used for measurement |
| method_reference | String | Analytical method reference |
| observation_time | Timestamp | Mandatory — ALCOA Contemporaneous requirement |
Hash Chain Integrity
Results are SHA-256 hash-chained per study on the server side. No client pre-computation is needed — the backend automatically computes and links each result's hash to its predecessor, forming a tamper-evident chain for every study.
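The per-study hash chain described here (and the audit-trail hash chain in the "How It Works" section earlier) as an added example in Go; this is illustrative code, not Nessa's backend. Each stored result carries the hash of its predecessor and its own hash over `prev || JSON(result)`, the server computes both on append, and verification walks the chain and reports the first entry that no longer matches. The result struct uses the field names from the table above; the all-zero genesis hash, the JSON canonicalisation and the sample submissions are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// LabResult carries the subset of the structured result fields used here.
// The values below are constructed demo data, not output of any Nessa deployment.
type LabResult struct {
	StudyID         string  `json:"study_id"`
	SampleID        string  `json:"sample_id"`
	ParameterName   string  `json:"parameter_name"`
	ValueNumeric    float64 `json:"value_numeric"`
	UnitOfMeasure   string  `json:"unit_of_measure"`
	ObservationTime string  `json:"observation_time"`
}

// ChainedResult is a stored result plus the two hashes that link it into its study's chain.
type ChainedResult struct {
	Result   LabResult
	PrevHash string // hex SHA-256 of the predecessor; genesisHash for a study's first result
	Hash     string // hex SHA-256 over PrevHash || canonical JSON of Result
}

// genesisHash anchors the first link of every study chain (an assumption of this example).
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// chainHash computes SHA-256(prev || json(result)). Struct field order fixes the JSON
// field order, which is what makes the encoding canonical for this example.
func chainHash(prev string, r LabResult) string {
	body, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot fail for a struct of plain strings and floats
	}
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// appendResult does the server-side work the text describes: look up the study's
// current head, compute the new hash and append. The client never supplies a hash.
func appendResult(chains map[string][]ChainedResult, r LabResult) ChainedResult {
	prev := genesisHash
	if c := chains[r.StudyID]; len(c) > 0 {
		prev = c[len(c)-1].Hash
	}
	cr := ChainedResult{Result: r, PrevHash: prev, Hash: chainHash(prev, r)}
	chains[r.StudyID] = append(chains[r.StudyID], cr)
	return cr
}

// verifyChain recomputes every link. It returns (true, -1) for an intact chain, or
// (false, i) where i is the first entry whose stored hash or predecessor pointer no
// longer matches: an edited value, a removed entry or a re-ordered entry all land here.
func verifyChain(chain []ChainedResult) (bool, int) {
	prev := genesisHash
	for i, cr := range chain {
		if cr.PrevHash != prev || chainHash(prev, cr.Result) != cr.Hash {
			return false, i
		}
		prev = cr.Hash
	}
	return true, -1
}

// sampleResults returns constructed demo submissions for two studies, in arrival order.
func sampleResults() []LabResult {
	return []LabResult{
		{StudyID: "STUDY-001", SampleID: "S-001", ParameterName: "Assay", ValueNumeric: 99.2, UnitOfMeasure: "%", ObservationTime: "2026-01-10T09:00:00Z"},
		{StudyID: "STUDY-001", SampleID: "S-002", ParameterName: "Assay", ValueNumeric: 98.7, UnitOfMeasure: "%", ObservationTime: "2026-01-10T09:15:00Z"},
		{StudyID: "STUDY-002", SampleID: "S-010", ParameterName: "pH", ValueNumeric: 6.9, UnitOfMeasure: "pH", ObservationTime: "2026-01-10T09:20:00Z"},
		{StudyID: "STUDY-001", SampleID: "S-003", ParameterName: "Assay", ValueNumeric: 101.3, UnitOfMeasure: "%", ObservationTime: "2026-01-10T09:30:00Z"},
	}
}

func main() {
	chains := map[string][]ChainedResult{}
	for _, r := range sampleResults() {
		appendResult(chains, r)
	}
	ok, _ := verifyChain(chains["STUDY-001"])
	fmt.Println("STUDY-001 intact:", ok)

	// A direct database edit that "corrects" a stored value without going through the
	// application leaves the hash untouched, so verification pinpoints the entry.
	chains["STUDY-001"][1].Result.ValueNumeric = 99.9
	ok, idx := verifyChain(chains["STUDY-001"])
	fmt.Println("after edit intact:", ok, "first bad entry:", idx)
}
```

A chain like this detects edits, deletions and reordering after the fact; it does not by itself prove when an entry was written, which is why the page pairs it with NTP timestamps and signatures.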
Automatic OOS Detection
When a result is submitted, the system checks the value against specification limits defined for that parameter and study. If the result falls outside the acceptable range, an OOS investigation is automatically opened with all relevant context pre-populated.
API Endpoint
POST /api/v1/results
Result Specifications
Define acceptance criteria for each analytical parameter on a per-study basis. Specifications drive automatic OOS detection and are the foundation for data quality assessment in regulated environments.
Specification Fields
| Field | Type | Description |
|---|---|---|
| spec_min | Float | Minimum acceptable value |
| spec_max | Float | Maximum acceptable value |
| spec_target | Float | Target (nominal) value |
| unit | String | Unit of measurement |
| is_critical | Boolean | Critical parameters auto-require electronic signature |
Specification Hierarchy
- Study-specific specs override product-level defaults when defined
- Critical parameters (is_critical: true) automatically require an electronic signature before the result is accepted
- Specifications are versioned — changes are tracked in the audit trail
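The specification hierarchy and the automatic OOS check from the previous section, as one added example in Go; this is illustrative code, not Nessa's implementation. It resolves the study-specific spec over the product default, treats spec_min and spec_max as inclusive limits, refuses to compare a result whose unit differs from the spec's, flags a critical parameter submitted without a signature, and reports when an investigation should be opened. The product field, the status names and the sample specs are assumptions of the example.

```go
package main

import "fmt"

// Specification mirrors the specification fields above. An empty StudyID marks a
// product-level default; a non-empty one marks a study-specific override.
// The Product field and all sample values are constructed for this example.
type Specification struct {
	StudyID    string
	Product    string
	Parameter  string
	SpecMin    float64
	SpecMax    float64
	SpecTarget float64
	Unit       string
	IsCritical bool
}

// Result is the subset of a submitted lab result needed for the check.
type Result struct {
	StudyID   string
	Product   string
	Parameter string
	Value     float64
	Unit      string
	Signed    bool // an electronic signature accompanied the submission
}

// Outcome is what the check reports back to the caller.
type Outcome struct {
	Status    string  // in_spec, oos_low, oos_high, no_spec or unit_mismatch
	Deviation float64 // distance outside the violated limit (0 when in spec)
	NeedsESig bool    // critical parameter submitted without a signature
	OpenOOS   bool    // an OOS investigation should be opened
}

// resolveSpec applies the hierarchy: a spec for this study wins; otherwise the
// product-level default (StudyID == "") applies; otherwise there is no spec at all.
func resolveSpec(specs []Specification, r Result) (Specification, bool) {
	var fallback Specification
	found := false
	for _, s := range specs {
		if s.Product != r.Product || s.Parameter != r.Parameter {
			continue
		}
		if s.StudyID == r.StudyID {
			return s, true
		}
		if s.StudyID == "" {
			fallback, found = s, true
		}
	}
	return fallback, found
}

// checkResult compares one result against its resolved spec. Limits are inclusive,
// so a value exactly on spec_min or spec_max is in specification.
func checkResult(specs []Specification, r Result) Outcome {
	spec, ok := resolveSpec(specs, r)
	if !ok {
		return Outcome{Status: "no_spec"}
	}
	if spec.Unit != r.Unit {
		// 99.2 % against a mg/mL limit is meaningless; refuse rather than silently compare.
		return Outcome{Status: "unit_mismatch"}
	}
	out := Outcome{Status: "in_spec", NeedsESig: spec.IsCritical && !r.Signed}
	switch {
	case r.Value < spec.SpecMin:
		out.Status, out.Deviation, out.OpenOOS = "oos_low", spec.SpecMin-r.Value, true
	case r.Value > spec.SpecMax:
		out.Status, out.Deviation, out.OpenOOS = "oos_high", r.Value-spec.SpecMax, true
	}
	return out
}

// sampleSpecs is constructed: a product default for Assay, a tighter study override,
// and a non-critical pH default.
func sampleSpecs() []Specification {
	return []Specification{
		{Product: "P-100", Parameter: "Assay", SpecMin: 95.0, SpecMax: 105.0, SpecTarget: 100.0, Unit: "%", IsCritical: true},
		{StudyID: "STUDY-001", Product: "P-100", Parameter: "Assay", SpecMin: 98.0, SpecMax: 102.0, SpecTarget: 100.0, Unit: "%", IsCritical: true},
		{Product: "P-100", Parameter: "pH", SpecMin: 6.5, SpecMax: 7.5, SpecTarget: 7.0, Unit: "pH"},
	}
}

func main() {
	specs := sampleSpecs()
	for _, r := range []Result{
		{StudyID: "STUDY-001", Product: "P-100", Parameter: "Assay", Value: 97.0, Unit: "%", Signed: true}, // oos_low under the override
		{StudyID: "STUDY-002", Product: "P-100", Parameter: "Assay", Value: 97.0, Unit: "%", Signed: true}, // in_spec under the default
		{StudyID: "STUDY-001", Product: "P-100", Parameter: "Assay", Value: 102.0, Unit: "%"},              // on the limit, but unsigned
		{StudyID: "STUDY-001", Product: "P-100", Parameter: "pH", Value: 6.9, Unit: "mg"},                  // wrong unit
	} {
		fmt.Printf("%s %s %.1f %s -> %+v\n", r.StudyID, r.Parameter, r.Value, r.Unit, checkResult(specs, r))
	}
}
```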
API Endpoint
POST /api/v1/results/specifications
OOS Investigations
When a lab result violates specification limits, Nessa automatically creates an OOS investigation following the FDA OOS Guidance (2006) two-phase workflow. Investigations are tracked end-to-end with full audit trail coverage.
Two-Phase Workflow
- Phase 1 (Lab Investigation) — Initial laboratory assessment: check calculations, verify instrument performance, inspect sample preparation. Determines if the OOS result is attributable to a laboratory error.
- Phase 2 (Full Investigation) — Extended investigation involving manufacturing review, additional testing, and root cause analysis. Triggered when Phase 1 does not identify a clear laboratory cause.
Root Cause Categories
Laboratory Error
Sample preparation, dilution, or technique issue
Calculation Error
Formula, transcription, or rounding mistake
Instrument Failure
Equipment malfunction or calibration drift
Genuine OOS
True out-of-specification material condition
Undetermined
Root cause could not be conclusively identified
Investigation Numbering
Each investigation receives an auto-generated number in the format OOS-YYYY-NNN (e.g., OOS-2026-001), ensuring unique, chronological tracking across the organization.
API Endpoint
GET /api/v1/results/oos
Equipment Qualification
Manage the full IQ/OQ/PQ lifecycle for laboratory and manufacturing equipment per FDA 21 CFR 211.63 and 211.68. Track qualification status, calibration schedules, and preventive maintenance with full audit trail coverage.
Qualification Lifecycle
Each piece of equipment progresses through a defined qualification workflow:
Unqualified
Equipment registered, qualification not started
IQ Complete
Installation Qualification verified
OQ Complete
Operational Qualification verified
PQ Complete
Performance Qualification verified
Fully Qualified
All qualification stages passed
Calibration Management
- As-Found / As-Left Results — Record instrument readings before and after calibration adjustments
- Next-Due Dates — Automatic tracking of calibration due dates with overdue alerts
- Calibration Dashboard — Overview of all calibrations with status indicators for overdue, due soon, and current
Preventive Maintenance
Schedule maintenance activities and assess their impact on equipment qualification status. Maintenance events that affect qualification trigger re-qualification workflows automatically.
API Endpoints
GET /api/v1/equipment
POST /api/v1/equipment
GET /api/v1/equipment/{id}/qualifications
POST /api/v1/equipment/{id}/qualifications
GET /api/v1/equipment/{id}/calibrations
POST /api/v1/equipment/{id}/calibrations
Data Governance (FDA 2018 Guidance)
Define and enforce data integrity policies aligned with FDA's 2018 Data Integrity and Compliance guidance. Assign data owners, set retention requirements, and conduct periodic governance reviews across all data domains.
Core Capabilities
- Policy Management — Define data integrity policies for data ownership, retention, access control, backup, and archival
- Data Owners — Assign responsible owners per data domain (lab_results, audit_trails, equipment, training, etc.)
- Governance Reviews — Schedule and conduct periodic reviews to assess policy adherence
Dashboard
The governance dashboard provides a real-time view of policy status, data owner coverage across all domains, and overdue review alerts. Gaps in owner assignment or expired policies are highlighted for immediate action.
API Endpoints
GET /api/v1/governance/policies
POST /api/v1/governance/policies
GET /api/v1/governance/owners
POST /api/v1/governance/owners
GET /api/v1/governance/reviews
POST /api/v1/governance/reviews
Audit Trail Review (FDA 2018 Guidance)
Nessa provides automated anomaly detection across audit logs, implementing the FDA's 2018 guidance requirement for periodic, risk-based audit trail review. The system detects suspicious patterns and supports a QA sign-off workflow for reviewed periods.
Anomaly Detection
The automated review engine scans audit logs for the following anomalies:
- Backdating — Entries with timestamps earlier than their creation order suggests
- Time Gaps — Unexplained gaps in audit trail continuity
- Excessive Modifications — Unusual frequency of edits to a single record
- Unauthorized Access — Access attempts outside normal role permissions
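The four anomaly classes listed above, run over a handful of constructed audit entries in Go; this is an added example of the detection logic, not Nessa's review engine. Entries are processed in server-assigned creation order, so a timestamp earlier than its predecessor's is backdating, a silence longer than the configured maximum is a time gap, more than the allowed number of modifications to one record is excessive, and an action the actor's role does not permit is unauthorized access. The audit entry layout, the thresholds and the mapping of the Role Permissions table's "Data Entry" column onto create/modify/delete are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEntry is a constructed audit-trail record. Seq is the server's append order;
// At is the timestamp stored with the entry.
type AuditEntry struct {
	Seq      int
	At       time.Time
	User     string
	Role     string
	Action   string // login, logout, create, modify, delete, sign
	RecordID string
}

// Finding is one anomaly the review flags, tied to the entry where it was detected.
type Finding struct {
	Kind   string // backdating, time_gap, excessive_modifications, unauthorized_access
	Seq    int
	Detail string
}

// rolePermissions is derived from the Role Permissions table: "Data Entry" is read as
// create/modify/delete and "Sign" as sign (an assumption). Roles missing from the map
// have no permissions, so an unknown role is flagged rather than silently allowed.
var rolePermissions = map[string]map[string]bool{
	"Admin":      {"create": true, "modify": true, "delete": true, "sign": true},
	"QA Manager": {"create": true, "modify": true, "delete": true, "sign": true},
	"QA User":    {"create": true, "modify": true, "delete": true, "sign": true},
	"Auditor":    {},
	"Viewer":     {},
}

// ReviewConfig holds the two thresholds the review period is judged against.
type ReviewConfig struct {
	MaxGap   time.Duration // silence longer than this is a time gap
	MaxEdits int           // more modifications of one record than this is excessive
}

// reviewAuditTrail scans the entries in creation order and returns every finding.
func reviewAuditTrail(entries []AuditEntry, cfg ReviewConfig) []Finding {
	sorted := append([]AuditEntry(nil), entries...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Seq < sorted[j].Seq })
	var findings []Finding
	edits := map[string]int{}
	for i, e := range sorted {
		if i > 0 {
			prev := sorted[i-1]
			if e.At.Before(prev.At) {
				findings = append(findings, Finding{Kind: "backdating", Seq: e.Seq,
					Detail: fmt.Sprintf("stamped %s, earlier than seq %d at %s", e.At.Format(time.RFC3339), prev.Seq, prev.At.Format(time.RFC3339))})
			} else if gap := e.At.Sub(prev.At); gap > cfg.MaxGap {
				findings = append(findings, Finding{Kind: "time_gap", Seq: e.Seq,
					Detail: fmt.Sprintf("%s of silence since seq %d", gap, prev.Seq)})
			}
		}
		if e.Action == "modify" {
			edits[e.RecordID]++
			if edits[e.RecordID] == cfg.MaxEdits+1 { // report once per record
				findings = append(findings, Finding{Kind: "excessive_modifications", Seq: e.Seq,
					Detail: fmt.Sprintf("record %s modified more than %d times", e.RecordID, cfg.MaxEdits)})
			}
		}
		if e.Action != "login" && e.Action != "logout" && !rolePermissions[e.Role][e.Action] {
			findings = append(findings, Finding{Kind: "unauthorized_access", Seq: e.Seq,
				Detail: fmt.Sprintf("%s (%s) attempted %s on %s", e.User, e.Role, e.Action, e.RecordID)})
		}
	}
	return findings
}

// countByKind summarises findings for a QA sign-off view.
func countByKind(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Kind]++
	}
	return counts
}

// sampleAuditLog is constructed demo data, deliberately out of order to show that the
// review sorts by creation sequence rather than by stored timestamp.
func sampleAuditLog() []AuditEntry {
	base := time.Date(2026, 1, 10, 9, 0, 0, 0, time.UTC)
	return []AuditEntry{
		{Seq: 5, At: base.Add(-1 * time.Hour), User: "bob", Role: "QA Manager", Action: "sign", RecordID: "R-1"},
		{Seq: 1, At: base, User: "alice", Role: "QA User", Action: "create", RecordID: "R-1"},
		{Seq: 3, At: base.Add(10 * time.Minute), User: "alice", Role: "QA User", Action: "modify", RecordID: "R-1"},
		{Seq: 2, At: base.Add(5 * time.Minute), User: "alice", Role: "QA User", Action: "modify", RecordID: "R-1"},
		{Seq: 4, At: base.Add(15 * time.Minute), User: "alice", Role: "QA User", Action: "modify", RecordID: "R-1"},
		{Seq: 6, At: base.Add(26 * time.Hour), User: "carol", Role: "Viewer", Action: "create", RecordID: "R-2"},
		{Seq: 7, At: base.Add(26*time.Hour + time.Minute), User: "dave", Role: "Auditor", Action: "login"},
	}
}

func main() {
	findings := reviewAuditTrail(sampleAuditLog(), ReviewConfig{MaxGap: 24 * time.Hour, MaxEdits: 2})
	for _, f := range findings {
		fmt.Printf("seq %d %-24s %s\n", f.Seq, f.Kind, f.Detail)
	}
	fmt.Println("summary:", countByKind(findings))
}
```

Thresholds such as MaxGap and MaxEdits belong in the reviewed period's configuration and should themselves be audit-trailed, otherwise loosening them becomes a way to make findings disappear.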
QA Sign-Off Workflow
Quality assurance reviewers can sign off on reviewed time periods, creating a documented record that the audit trail has been examined and any anomalies have been investigated. Reviews can be scheduled periodically by data domain.
API Endpoints
GET /api/v1/audit-reviews
POST /api/v1/audit-reviews
Data Lifecycle Management (FDA 2018 + WHO 2021)
Manage the complete data lifecycle from creation through destruction, aligned with both the FDA 2018 Data Integrity guidance and WHO 2021 Technical Report Series No. 1033. Each stage transition is gated by electronic signatures and recorded in the audit trail.
Six-Stage Lifecycle
1. Creation
Initial data capture and recording
2. Review
Data review and verification
3. Approval
Formal approval with e-signature
4. Active Use
Data in operational use
5. Archive
Retained per retention policy
6. Destruction
Controlled, documented disposal
Retention Management
- Configurable Retention Periods — Default 7 years for lab results, customizable per data type and regulatory requirement
- Signature-Gated Transitions — Stage transitions require electronic signatures with documented justification
- Expiry Tracking — Automated reports for records approaching or past their retention expiry date
API Endpoints
GET /api/v1/lifecycle
POST /api/v1/lifecycle
DI Risk Assessment (FDA 2018 Guidance)
Conduct data integrity-specific risk assessments using industry-standard methodologies. The risk module implements a 5×5 matrix (likelihood × impact) and supports FMEA, hazard analysis, and gap analysis approaches.
Risk Matrix (5×5)
| Score Range | Risk Level | Action Required |
|---|---|---|
| 1 – 4 | Low | Monitor during routine reviews |
| 5 – 9 | Medium | Mitigation plan within 30 days |
| 10 – 16 | High | Immediate mitigation required |
| 17 – 25 | Critical | Stop activity, escalate to management |
Assessment Methodologies
- FMEA — Failure Mode and Effects Analysis for systematic risk identification
- Hazard Analysis — Identify data integrity hazards and evaluate controls
- Gap Analysis — Compare current state against regulatory expectations
Mitigation Tracking
Each identified risk can have mitigation actions assigned with an owner and due date. The system tracks completion status and sends overdue notifications to responsible parties.
API Endpoints
GET /api/v1/di-risk
POST /api/v1/di-risk
Reference Data (Lookup Tables)
Standardized dropdown values for regulated fields, preventing free-text typos and ensuring data consistency across the organization. Eight pre-seeded reference lists ship with every Nessa deployment, and custom lists can be added per tenant.
Pre-Seeded Lists
Units of Measure
mg, mL, %, pH, CFU/mL, etc.
Test Methods
HPLC, GC, Karl Fischer, USP, etc.
Analytical Parameters
Assay, Purity, Moisture, pH, etc.
Equipment Types
HPLC System, Balance, pH Meter, etc.
Deviation Categories
Late entry, Correction, Format violation
Root Cause Methods
5-Why, Fishbone, FMEA, Fault Tree
Risk Levels
Low, Medium, High, Critical
Document Types
SOP, WI, Form, Policy, Spec
Search & Custom Lists
All reference data is searchable via a unified endpoint. Custom lists can be created per tenant to support site-specific or product-specific terminology.
GET /api/v1/reference-data/search?q=mg
API Endpoints
GET /api/v1/reference-data
POST /api/v1/reference-data
Deviations
Track data integrity deviations with a structured workflow that captures the type, severity, and scientific justification for each event. All deviations flow through an approval process and are linked to the audit trail.
Deviation Types
- Late Entry — Data recorded after the observation time
- Correction — Amendment to a previously recorded value
- Deletion Request — Request to remove erroneous data (requires approval)
- Format Violation — Data not recorded in the prescribed format
Approval Workflow
Each deviation requires a scientific justification from the originator and approval from a quality reviewer. The system enforces separation of duties — the person who created the deviation cannot approve it.
API Endpoints
GET /api/v1/deviations
POST /api/v1/deviations
CAPA Management
Corrective and Preventive Actions (CAPA) are linked to deviations, complaints, and audit findings. The CAPA module supports structured root cause analysis and tracks effectiveness verification to closure.
Root Cause Analysis Methods
5-Why Analysis
Iterative questioning to identify root cause
Fishbone Diagram
Ishikawa cause-and-effect analysis
FMEA
Failure Mode and Effects Analysis
Fault Tree
Top-down deductive failure analysis
CAPA Lifecycle
- Initiation — Link to source (deviation, complaint, audit finding) with initial assessment
- Root Cause Analysis — Structured investigation using selected methodology
- Action Plan — Define corrective and preventive actions with owners and due dates
- Implementation — Track action completion and collect evidence
- Effectiveness Verification — Verify that actions resolved the root cause and prevented recurrence
API Endpoints
GET /api/v1/capa
POST /api/v1/capa
Complaints
Register, investigate, and resolve complaints with auto-numbered tracking. Each complaint can be linked to CAPA records for corrective actions and flagged for regulatory reporting when required.
Complaint Workflow
- Registration — Auto-numbered ID in format CMP-YYYY-NNN (e.g., CMP-2026-015)
- Severity Classification — Categorize by impact level to drive investigation priority
- Investigation — Document findings with structured fields and evidence attachments
- Regulatory Reporting — Flag complaints that require notification to regulatory authorities
- CAPA Linkage — Create or link existing CAPA records for corrective and preventive actions
API Endpoints
GET /api/v1/complaints
POST /api/v1/complaints
Document Control
Manage SOPs, Work Instructions, Forms, Policies, and Specifications with full version control and a review/approval workflow. Original documents are always preserved — superseded versions remain accessible for audit purposes.
Document Types
SOP
Standard Operating Procedures
Work Instruction
Step-by-step task guidance
Form
Data collection templates
Policy
Organizational policies
Specification
Product and method specifications
Version Control
Documents follow a superseded_by pattern: when a new version is created, the original is preserved and linked to its successor. This maintains a complete version history for regulatory inspection.
Review & Approval Workflow
- Draft — Document in preparation
- Under Review — Submitted for review by designated reviewers
- Approved — Approved for use, effective date recorded
- Retired — No longer in active use, retained per retention policy
Training Linkage
Documents can be linked to training programs, ensuring that personnel are trained on the latest approved version before performing regulated activities.
API Endpoints
GET /api/v1/documents
POST /api/v1/documents
Training Management
Track GxP training programs with enrollment, completion, assessment scoring, and competency verification. The training module supports a role-SOP matrix to ensure every person is trained on the procedures relevant to their responsibilities.
Core Capabilities
- Training Programs — Define programs with curriculum, duration, and assessment criteria
- Enrollment & Completion — Track who is enrolled, in progress, and completed
- Assessment Scoring — Record assessment scores and competency results (pass/fail with minimum threshold)
- Certificate Generation — Auto-generate training certificates upon successful completion
Role-SOP Matrix
| Status | Meaning |
|---|---|
| Required | Full training and assessment required before performing the activity |
| Awareness | Read and acknowledge understanding |
| Not Applicable | SOP not relevant to this role |
API Endpoints
GET /api/v1/training
POST /api/v1/training
PKI Certificate Management
Register and manage X.509 certificates for cryptographic signature verification. The PKI module supports RSA, ECDSA, and Ed25519 algorithms via the ring crate, with full lifecycle tracking from issuance through revocation.
Certificate Registration
- X.509 Certificate Import — Register certificates with automatic SHA-256 fingerprint computation
- Subject & Issuer Parsing — Extract and store certificate metadata for searchability
- Validity Tracking — Monitor not-before and not-after dates with expiry alerts
Signature Verification
Verify cryptographic signatures against registered certificates. Supported algorithms:
RSA
RSA PKCS#1 v1.5 and PSS signatures
ECDSA
Elliptic Curve Digital Signature Algorithm
Ed25519
Edwards-curve Digital Signature Algorithm
Certificate Lifecycle
- Active — Certificate is valid and available for signature verification
- Expired — Certificate has passed its not-after date
- Revoked — Certificate has been explicitly revoked
Signature Audit Log
Every signature verification links the certificate used to the record being verified, creating a complete chain of evidence for regulatory inspection.
API Endpoints
GET /api/v1/pki
POST /api/v1/pki
API Reference
Nessa exposes a RESTful API for programmatic access. All endpoints require JWT authentication unless otherwise noted.
Base URL
https://app.clinivion.com/api/v1/
Authentication
Include a JWT Bearer token in the Authorization header for all requests:
Authorization: Bearer <your-jwt-token>
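An added example of calling the API with the bearer token described above, written in Go against the documented base URL and the POST /api/v1/results endpoint from the Lab Results section; it is illustrative client code, not a Clinivion SDK. It builds the request with the Authorization header and a JSON body using the field names from the Structured Result Fields table (the JSON property names are an assumption), refuses to send without a token or without the mandatory observation_time, and treats a 401 separately from other rejections so the caller knows to refresh via POST /auth/refresh and retry. The NESSA_JWT environment variable is hypothetical; without it the program only prints a dry-run dump of the request.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httputil"
	"os"
	"strings"
)

// baseURL is the documented base; all endpoint paths are relative to it.
const baseURL = "https://app.clinivion.com/api/v1/"

// LabResult follows the Structured Result Fields table; the JSON names are an assumption.
type LabResult struct {
	StudyID         string  `json:"study_id"`
	BatchNumber     string  `json:"batch_number"`
	SampleID        string  `json:"sample_id"`
	ParameterName   string  `json:"parameter_name"`
	ValueNumeric    float64 `json:"value_numeric"`
	UnitOfMeasure   string  `json:"unit_of_measure"`
	MethodReference string  `json:"method_reference"`
	ObservationTime string  `json:"observation_time"` // mandatory per the table
}

// newResultRequest builds POST {base}/results with the bearer token and a JSON body.
// It refuses an empty token up front rather than letting the server answer 401.
func newResultRequest(base, token string, r LabResult) (*http.Request, error) {
	if strings.TrimSpace(token) == "" {
		return nil, fmt.Errorf("no JWT supplied")
	}
	if r.ObservationTime == "" {
		return nil, fmt.Errorf("observation_time is mandatory")
	}
	body, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, strings.TrimSuffix(base, "/")+"/results", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// submitResult sends the request and separates the two outcomes a caller handles
// differently: a rejected token (refresh via POST /auth/refresh, then retry) versus
// any other non-2xx status, which is a real rejection of the submitted result.
func submitResult(client *http.Client, base, token string, r LabResult) (int, error) {
	req, err := newResultRequest(base, token, r)
	if err != nil {
		return 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusUnauthorized:
		return resp.StatusCode, fmt.Errorf("token rejected; refresh it via POST /auth/refresh and retry")
	case resp.StatusCode < 200 || resp.StatusCode > 299:
		return resp.StatusCode, fmt.Errorf("result rejected with HTTP %d", resp.StatusCode)
	}
	return resp.StatusCode, nil
}

// sampleResult is constructed demo data.
func sampleResult() LabResult {
	return LabResult{StudyID: "STUDY-001", BatchNumber: "B-2026-01", SampleID: "S-001", ParameterName: "Assay",
		ValueNumeric: 99.2, UnitOfMeasure: "%", MethodReference: "HPLC-001", ObservationTime: "2026-01-10T09:00:00Z"}
}

func main() {
	// NESSA_JWT is a hypothetical variable for this example; never embed a token in source.
	// With no token set, only a dry-run dump of the outgoing request is printed.
	token := os.Getenv("NESSA_JWT")
	dryRun := token == ""
	if dryRun {
		token = "<your-jwt-token>"
	}
	req, err := newResultRequest(baseURL, token, sampleResult())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	dump, _ := httputil.DumpRequestOut(req, true)
	fmt.Println(string(dump))
	if !dryRun {
		status, err := submitResult(http.DefaultClient, baseURL, token, sampleResult())
		fmt.Println("status:", status, "err:", err)
	}
}
```

Keep the token out of logs and request dumps in real deployments: the dry-run dump above prints the Authorization header, which is acceptable only with the placeholder value.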
Endpoints (80+ endpoints across 17 categories)
All paths are relative to /api/v1/.
Authentication — 3 endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /auth/login | Authenticate user |
| POST | /auth/refresh | Refresh JWT token |
| POST | /auth/logout | Logout / invalidate token |
Users — 3 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /users | List all users |
| GET | /users/{id}/entries | Get user's data entries |
| POST | /admin/provision | Provision new tenant/user |
Data Management — 5 endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /data | Submit new data entry |
| GET | /data/{id} | Get data entry by ID |
| PUT | /data/{id} | Update data entry |
| GET | /data/entries | List data entries (paginated) |
| GET | /data/entries/export | Export data entries |
Audit Trail — 5 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /audit-trail | Paginated audit trail |
| GET | /audit/logs | Audit logs |
| GET | /audit/{study_id} | Audit for specific study |
| GET | /auditor/logs | Auditor-specific logs |
| POST | /auditor/generate_report | Generate audit report |
Compliance & ALCOA+ — 5 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /compliance/dashboard | Compliance dashboard metrics |
| GET | /compliance/alcoa | ALCOA+ compliance status |
| GET | /compliance/study/{study_id} | Study compliance |
| GET | /compliance/entry/{entry_id}/risk | Entry risk assessment |
| GET | /compliance/timeline | Compliance timeline |
Dashboard & Analytics — 4 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /dashboard/compliance/{tenant_id} | Tenant compliance |
| GET | /dashboard/compliance/{tenant_id}/trends | Compliance trends |
| GET | /dashboard/system/health | System health |
| GET | /dashboard/audit/{tenant_id}/metrics | Audit metrics |
Digital Signatures & PKI — 4 endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /sign | Sign a data entry |
| GET | /signatures/pending | Pending signatures |
| POST | /pki/enroll | Enroll public key |
| POST | /pki/challenge | PKI challenge |
Merkle Tree & Cryptographic Verification — 6 endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /merkle | Create Merkle entry |
| GET | /merkle/root/{tenant_id} | Get Merkle root |
| GET | /merkle/stats/{tenant_id} | Merkle tree statistics |
| GET | /merkle/proof | Get Merkle proof |
| POST | /merkle/verify | Verify Merkle proof |
| POST | /merkle/leaf | Add leaf node |
Risk Scoring & ML — 6 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /risk-scoring/entry/{entry_id}/ml | ML risk prediction |
| GET | /risk-scoring/study/{study_id} | Study risk scores |
| GET | /risk-scoring/study/{study_id}/history | Risk score history |
| GET | /risk-scoring/tenant/{tenant_id}/overview | Tenant risk overview |
| GET | /risk-scoring/tenant/{tenant_id}/vsr | Validation Status Report |
| POST | /risk-scoring/train | Train ML model |
Validation — 8 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /validation | Validation status |
| GET | /validation/rules | List validation rules |
| POST | /validation/rules | Create validation rule |
| PUT | /validation/rules/{rule_id} | Update rule |
| GET | /validation/results/{entry_id} | Validation results |
| GET | /validation/oos | Out-of-specification events |
| POST | /validation/oos/{result_id}/acknowledge | Acknowledge OOS |
| GET | /validation/summary | Validation summary |
Exports & Reports — 6 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /exports/audit-trail/{tenant_id}/csv | Export audit trail CSV |
| GET | /exports/compliance-report/{tenant_id}/pdf | Compliance report PDF |
| GET | /exports/data-entries/{tenant_id}/csv | Export data entries CSV |
| GET | /exports/fda-audit-package/{tenant_id}/preview | FDA audit preview |
| GET | /exports/fda-audit-package/{tenant_id}/pdf | FDA audit package PDF (25 pages) |
| POST | /reports/generate | Generate custom report |
Change Control — 6 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /change-control/requests | List change requests |
| POST | /change-control/requests | Create change request |
| GET | /change-control/requests/{id} | Get change request |
| POST | /change-control/requests/{id}/approve | Approve change |
| POST | /change-control/requests/{id}/reject | Reject change |
| GET | /change-control/tenant/{tenant_id}/requests | Tenant changes |
GDPR & Data Privacy — 6 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /gdpr | GDPR compliance status |
| POST | /gdpr/dsr | Create Data Subject Request |
| GET | /gdpr/dsr/{id} | Get DSR details |
| POST | /gdpr/dsr/{id}/erase | Execute erasure |
| POST | /gdpr/dsr/{id}/export | Export subject data |
| GET | /gdpr/dsr/overdue | Overdue DSRs |
Consent Management — 8 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /consent | List consents |
| POST | /consent | Record consent |
| GET | /consent/{id} | Get consent details |
| PUT | /consent/{id} | Update consent |
| GET | /consent/summary | Consent summary |
| GET | /consent/user/{user_id} | User consents |
| GET | /consent/purpose | Consent purposes |
| GET | /consent/purposes | All purposes |
Incident Management — 8 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /incidents | List incidents |
| POST | /incidents | Create incident |
| GET | /incidents/{id} | Get incident details |
| PUT | /incidents/{id} | Update incident |
| POST | /incidents/{id}/assess | Risk assessment |
| POST | /incidents/{id}/notify | Send notifications |
| GET | /incidents/dashboard | Incident dashboard |
| GET | /incidents/notifications/overdue | Overdue notifications |
Integrations — 3 endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /integrations/medidata/webhook | Medidata webhook |
| POST | /integrations/labvantage/webhook | LabVantage webhook |
| GET | /integrations/{integration_name}/status | Integration status |
Data Import — 3 endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /imports/upload | Upload data file |
| POST | /imports/execute/{import_id} | Execute import |
| GET | /imports/history | Import history |
System — 2 endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Health check |
| GET | /records | Records overview |
Example Requests
POST /auth/login
Authenticate and receive a JWT token. The credentials shown are the demo defaults from the Getting Started section; use your own account and rotate the defaults before the system holds real data. The token prefix eyJhbGciOiJIUzI1NiIs decodes to a header beginning {"alg":"HS256", so clients should treat the token as an opaque bearer credential rather than attempt to verify it locally, and must re-authenticate once expires_at (24 hours after issue) has passed.
Request:
```bash
curl -X POST https://app.clinivion.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@pharma.local",
    "password": "Admin123!"
  }'
```
Response:
```json
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "admin@pharma.local",
    "role": "Admin",
    "name": "System Administrator"
  },
  "expires_at": "2026-03-18T19:00:00Z"
}
```
GET /compliance/dashboard
Retrieve current compliance metrics.
Request:
```bash
curl -X GET https://app.clinivion.com/api/v1/compliance/dashboard \
  -H "Authorization: Bearer <token>"
```
Response:
```json
{
  "fda_readiness": 94.5,
  "alcoa_score": 91.2,
  "crypto_verification": 100.0,
  "validation_pass_rate": 97.8,
  "total_entries": 1247,
  "signed_entries": 1247,
  "risk_distribution": {
    "low": 1089,
    "medium": 134,
    "high": 24
  }
}
```
GET /data/entries
List data entries with pagination and filtering.
Request:
```bash
curl -X GET "https://app.clinivion.com/api/v1/data/entries?page=1&limit=20&study_id=STUDY-001" \
  -H "Authorization: Bearer <token>"
```
Response:
```json
{
  "data": [
    {
      "id": "entry-uuid",
      "study_id": "STUDY-001",
      "value": "98.7",
      "unit": "mg/mL",
      "created_by": "scientist@pharma.local",
      "created_at": "2026-03-17T14:30:00Z",
      "signature_valid": true,
      "risk_score": 12,
      "merkle_proof": "verified"
    }
  ],
  "total": 456,
  "page": 1,
  "per_page": 20
}
```
POST /data
Submit a new data entry.
Request:
```bash
curl -X POST https://app.clinivion.com/api/v1/data \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "study_id": "STUDY-001",
    "parameter": "API Purity",
    "value": "99.2",
    "unit": "%",
    "classification": "critical",
    "capa_reference": "CAPA-2026-042"
  }'
```
Response:
```json
{
  "id": "new-entry-uuid",
  "signature": "base64-ed25519-signature",
  "merkle_root": "sha256-hash",
  "audit_log_id": "audit-uuid",
  "created_at": "2026-03-17T14:35:00Z"
}
```
GET /exports/fda-audit-package/{tenant_id}/pdf
Download the complete FDA audit package as a PDF.
Request:
```bash
curl --fail -X GET https://app.clinivion.com/api/v1/exports/fda-audit-package/default/pdf \
  -H "Authorization: Bearer <token>" \
  -o fda-audit-report.pdf
```
Response:
Returns a PDF file (application/pdf) containing the complete 25-page FDA audit package. The --fail flag makes curl exit non-zero on an HTTP error instead of writing the body to the output file; without it an expired token produces a 401 JSON body saved as fda-audit-report.pdf.
Architecture
Nessa is built on a modern, security-first architecture designed for pharmaceutical compliance. The system uses a Rust backend for performance and memory safety, with a Next.js frontend for responsive user experience.
System Overview
Security Layers
| Layer | Technology | Purpose |
|---|---|---|
| Transport | TLS 1.3 | Encryption in transit |
| Authentication | JWT bearer token (24h expiry) | Identity verification on every API request |
| Password | bcrypt (cost 12) | Password hashing |
| Field Encryption | AES-256-GCM | Sensitive fields encrypted at rest |
| Digital Signatures | Ed25519 | Data authenticity and non-repudiation |
| Integrity | Merkle trees | Efficient proof of data inclusion |
| Transparency | CT logs | Append-only, tamper-evident record of operations |
| Key Management | AWS KMS | Hardware-backed key storage |
| Rate Limiting | Custom Tower middleware | 2 requests/second sustained, bursts of up to 50 |
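The rate-limit row describes a token bucket: a client can spend up to 50 requests at once and is then refilled at 2 per second. The block below is an added Go example that models those two numbers with an injectable clock, so the behaviour can be checked without waiting; it is not Nessa's Tower middleware, and keying the buckets per client (IP, API key or user id) is an assumption of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Token-bucket model of the limit in the Security Layers table. Illustrative,
// not Nessa's middleware; per-client keying is an assumption.
type tokenBucket struct {
	capacity float64   // burst size
	rate     float64   // refill in tokens per second
	tokens   float64   // current balance
	last     time.Time // last refill time
}

// limiter keeps one bucket per client key (an IP, API key or user id).
type limiter struct {
	rate, capacity float64
	now            func() time.Time // injectable clock
	buckets        map[string]*tokenBucket
}

func newLimiter(rate, capacity float64, now func() time.Time) *limiter {
	return &limiter{rate: rate, capacity: capacity, now: now, buckets: map[string]*tokenBucket{}}
}

// Allow refills the client's bucket for the time elapsed since its last use and
// spends one token if one is available. A false return maps to HTTP 429.
func (l *limiter) Allow(client string) bool {
	t := l.now()
	b, ok := l.buckets[client]
	if !ok {
		b = &tokenBucket{capacity: l.capacity, rate: l.rate, tokens: l.capacity, last: t}
		l.buckets[client] = b
	}
	b.tokens += t.Sub(b.last).Seconds() * b.rate
	if b.tokens > b.capacity {
		b.tokens = b.capacity // idle time never accumulates more than one burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// countAllowed fires n back-to-back requests for client and counts the admitted ones.
func countAllowed(l *limiter, client string, n int) int {
	allowed := 0
	for i := 0; i < n; i++ {
		if l.Allow(client) {
			allowed++
		}
	}
	return allowed
}

func main() {
	clock := time.Unix(0, 0)
	l := newLimiter(2, 50, func() time.Time { return clock })
	fmt.Println("instant burst of 60:", countAllowed(l, "10.0.0.1", 60)) // 50
	clock = clock.Add(5 * time.Second)
	fmt.Println("after 5 s, 60 more:", countAllowed(l, "10.0.0.1", 60)) // 10
	clock = clock.Add(time.Hour)
	fmt.Println("after an hour:", countAllowed(l, "10.0.0.1", 60)) // 50
	fmt.Println("a different client:", countAllowed(l, "10.0.0.2", 60)) // 50
}
```

The cap on idle refill is the detail that matters operationally: a client that stayed quiet for an hour still gets only one burst of 50, not 7,200 queued requests, which is what "50-burst" protects against.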
Deployment
- Backend — AWS ECS Fargate (auto-scaling, multi-AZ)
- Frontend — Vercel (edge network, automatic SSL)
- Database — PostgreSQL 16 with PgBouncer connection pooling
- Cache — Redis 7 for session and query caching
- CI/CD — GitHub Actions with 9-stage pipeline (lint, security, test, build, integration, publish, deploy staging, validate, deploy production)
Quick Links
- Live Application: app.clinivion.com
- Product Demo: interactive walkthrough
- Sales Brochure: product overview PDF
- Sample FDA Report: 25-page audit package
- Landing Page: nessa.clinivion.com
Nessa by Clinivion — Enterprise Pharmaceutical Data Integrity Engine
FDA 21 CFR Part 11 • ALCOA+ • GAMP 5 • ISO 27001 • GDPR • HIPAA