
Audit & Compliance

The Patholytix platform is used in GLP and GCP-regulated environments. This guide describes what is logged for integration API calls and the relevant regulatory context.

What is logged per API call

Every authenticated API call produces a synchronous audit log entry containing:

Field            Description
timestamp        UTC timestamp of the request
clientId         The OAuth2 client identifier from the JWT sub claim
organisationId   The organisation the client is bound to
method           HTTP method (GET, POST, PUT, DELETE)
path             The request path
statusCode       The HTTP response status code
operationId      The API operation identifier (e.g. createStudy)
resourceId       The ID of the resource affected (where applicable)

Audit log entries are written synchronously — the API response is not returned until the audit entry is committed. This ensures no authenticated write operation can occur without a corresponding audit record.

GLP / GCP context

Good Laboratory Practice (GLP) and Good Clinical Practice (GCP) require that systems used in regulated studies maintain a complete, tamper-evident audit trail of all data-affecting operations.

For integration clients:

  • Every POST, PUT, and DELETE operation is auditable to the clientId that performed it
  • Read operations (GET) are logged but distinguished from write operations
  • Audit records cannot be deleted or modified via the API
  • Audit log retention is governed by Deciphex's data retention policy — contact your account representative for details
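As an added example (not platform code), the Python script below consumes audit entries carrying the field set described in this guide, separates read operations from write operations, groups writes by the clientId that performed them, and flags any write that cannot be attributed to a client and organisation. The JSON-lines layout and the sample records are constructed assumptions; the guide does not define an export format.

```python
"""Reviewing audit log entries with the fields listed in this guide.

Added example, not platform code. The JSON-lines layout and the sample records
are constructed; the guide does not define an export format.
"""
import json
from collections import defaultdict

WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample: one entry per line. The DELETE with an empty clientId is a
# deliberately malformed record so the attribution check below has something to flag.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2024-03-01T09:00:00Z", "clientId": "client-prod-lims", "organisationId": "org-42", "method": "POST", "path": "/studies", "statusCode": 201, "operationId": "createStudy", "resourceId": "study-1001"}
{"timestamp": "2024-03-01T09:00:05Z", "clientId": "client-prod-lims", "organisationId": "org-42", "method": "GET", "path": "/studies/study-1001", "statusCode": 200, "operationId": "getStudy", "resourceId": "study-1001"}
{"timestamp": "2024-03-01T09:01:00Z", "clientId": "client-dev-lims", "organisationId": "org-42", "method": "PUT", "path": "/studies/study-1001", "statusCode": 200, "operationId": "updateStudy", "resourceId": "study-1001"}
{"timestamp": "2024-03-01T09:02:00Z", "clientId": "", "organisationId": "org-42", "method": "DELETE", "path": "/studies/study-1001", "statusCode": 204, "operationId": "deleteStudy", "resourceId": "study-1001"}
{"timestamp": "2024-03-01T09:03:00Z", "clientId": "client-prod-lims", "organisationId": "org-42", "method": "POST", "path": "/studies", "statusCode": 400, "operationId": "createStudy", "resourceId": null}
"""


def parse_audit_entries(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            entries.append(json.loads(line))
    return entries


def is_write(entry):
    """POST, PUT and DELETE are the data-affecting operations a GLP/GCP review cares about."""
    return entry["method"].upper() in WRITE_METHODS


def split_reads_writes(entries):
    """Return (reads, writes): reads are logged too but reviewed separately."""
    reads = [e for e in entries if not is_write(e)]
    writes = [e for e in entries if is_write(e)]
    return reads, writes


def writes_by_client(entries):
    """Group write operations by clientId, i.e. who changed what and when."""
    grouped = defaultdict(list)
    for e in entries:
        if is_write(e):
            grouped[e["clientId"]].append((e["timestamp"], e["operationId"], e["resourceId"]))
    return dict(grouped)


def find_unattributable_writes(entries):
    """Writes lacking a clientId or organisationId; these break the audit chain
    and should be raised with the platform owner rather than silently skipped."""
    return [e for e in entries
            if is_write(e) and not (e.get("clientId") and e.get("organisationId"))]


def summarise(text):
    """One-shot review: counts plus the list of unattributable writes."""
    entries = parse_audit_entries(text)
    reads, writes = split_reads_writes(entries)
    return {
        "total": len(entries),
        "reads": len(reads),
        "writes": len(writes),
        "writes_by_client": {cid: len(ops) for cid, ops in writes_by_client(entries).items()},
        "unattributable": [e["operationId"] for e in find_unattributable_writes(entries)],
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_AUDIT_LOG), indent=2))
```

Note that failed writes (the 400 response above) are still counted as writes: the audit entry records the attempt and its statusCode, and a reviewer generally wants to see rejected attempts as well as successful changes.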

What to include in your integration design

If you are building an integration for use in a GLP or GCP study:

  1. Use separate client credentials per environment — use distinct client_id / client_secret pairs for dev, QA, and production. This ensures audit records can be unambiguously attributed to the correct environment.

  2. Do not share credentials — each system or integration pipeline that writes to the API should have its own client credentials.

  3. Log the token acquisition timestamp — if your integration needs to reconstruct an audit trail on your side, record when tokens were acquired and when API calls were made.

  4. Treat client secrets as regulated system credentials — rotate secrets according to your organisation's credential management policy. Contact Deciphex support to rotate a secret.
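The following Python module is an added example, not Deciphex or platform code, showing how an integration can implement steps 1 to 3 above on its own side: credentials are selected per environment from separate variables, start-up is refused when two environments share a client_id, and every token acquisition and API call is recorded with a UTC timestamp without ever writing the secret or the bearer token itself. The PATHOLYTIX_<ENV>_CLIENT_ID / _CLIENT_SECRET variable names, the /studies path, the client ids and the fake token and transport callables are assumptions for illustration; step 4 (rotation) is a process handled with Deciphex support and is not coded here.

```python
"""Client-side audit trail for a regulated integration.

Added example, not platform code. Variable names, paths, client ids and the
fake token/transport callables are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

ENVIRONMENTS = ("dev", "qa", "prod")


def _var(environment, suffix):
    return f"PATHOLYTIX_{environment.upper()}_{suffix}"


def load_credentials(environment, env_vars):
    """Return the client_id/client_secret pair for one environment from a
    mapping such as os.environ (step 1: one distinct pair per environment)."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}")
    try:
        return {"client_id": env_vars[_var(environment, "CLIENT_ID")],
                "client_secret": env_vars[_var(environment, "CLIENT_SECRET")]}
    except KeyError as exc:
        raise RuntimeError(f"missing credential variable {exc.args[0]}") from None


def find_shared_credentials(env_vars):
    """Environments that reuse another environment's client_id (step 2).
    Reuse makes audit records impossible to attribute to one environment."""
    first_seen, shared = {}, set()
    for environment in ENVIRONMENTS:
        client_id = env_vars.get(_var(environment, "CLIENT_ID"))
        if client_id is None:
            continue
        if client_id in first_seen:
            shared.update({first_seen[client_id], environment})
        first_seen.setdefault(client_id, environment)
    return sorted(shared)


def token_fingerprint(access_token):
    """Short hash used to correlate calls with the token that made them,
    so the trail never contains the bearer token itself."""
    return hashlib.sha256(access_token.encode()).hexdigest()[:16]


class ClientAuditTrail:
    """Append-only record of token acquisitions and API calls (step 3)."""
    def __init__(self, environment, client_id, clock=None):
        self.environment, self.client_id = environment, client_id
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat(timespec="seconds"))
        self.records = []

    def _append(self, event, **fields):
        self.records.append({"event": event, "timestamp": self._clock(),
                             "environment": self.environment,
                             "clientId": self.client_id, **fields})

    def record_token_acquired(self, access_token, expires_in):
        self._append("token_acquired", tokenFingerprint=token_fingerprint(access_token),
                     expiresIn=expires_in)

    def record_api_call(self, access_token, method, path, status_code,
                        operation_id, resource_id=None):
        self._append("api_call", tokenFingerprint=token_fingerprint(access_token),
                     method=method, path=path, statusCode=status_code,
                     operationId=operation_id, resourceId=resource_id)

    def to_jsonl(self):
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def call_with_audit(trail, access_token, send, method, path, operation_id, resource_id=None):
    """Send one request via `send(method, path, token) -> status code` (a thin
    wrapper over your HTTP client) and record it before returning the status."""
    status = send(method, path, access_token)
    trail.record_api_call(access_token, method, path, status, operation_id, resource_id)
    return status


def run_demo():
    """Offline walk-through with constructed credentials and fake endpoints."""
    fake_env = {
        "PATHOLYTIX_DEV_CLIENT_ID": "client-dev-lims",
        "PATHOLYTIX_DEV_CLIENT_SECRET": "dev-secret-placeholder",
        "PATHOLYTIX_PROD_CLIENT_ID": "client-prod-lims",
        "PATHOLYTIX_PROD_CLIENT_SECRET": "prod-secret-placeholder",
    }
    if find_shared_credentials(fake_env):
        raise RuntimeError("environments share a client_id; refusing to start")
    creds = load_credentials("prod", fake_env)
    trail = ClientAuditTrail("prod", creds["client_id"])
    # Stand-in for the OAuth2 client-credentials grant: a real integration
    # exchanges client_id/client_secret at the token endpoint for a JWT.
    access_token = "constructed.jwt.token"
    trail.record_token_acquired(access_token, expires_in=3600)

    def fake_send(method, path, token):  # stand-in transport, no network
        return 201 if method == "POST" else 200

    call_with_audit(trail, access_token, fake_send, "POST", "/studies", "createStudy", "study-1001")
    call_with_audit(trail, access_token, fake_send, "GET", "/studies/study-1001", "getStudy", "study-1001")
    return trail
```

Running `print(run_demo().to_jsonl())` prints one JSON record per event. Because the client-side records carry the same clientId, method, path, operationId and resourceId names as the platform's audit entries, they can be joined against an export of those entries when an audit trail has to be reconstructed, and the token fingerprint ties each call to the acquisition that preceded it.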

Regulatory status

Note: HIPAA applicability and SaMD (Software as a Medical Device) classification are under legal review and are not yet confirmed. This guide will be updated when the review is complete.