Compliance Reports (HIPAA / ISO / GMP / 21 CFR Part 11)

Auditor-ready PDFs + tamper-evident audit chain โ€” for regulated industries

5 min read

Compliance Reports is an Enterprise feature that converts your day-to-day FreeMaint data into auditor-ready evidence packs. Five PDF reports, a tamper-evident audit chain on every change, and a daily auto-verification cron come standard. Available from /reports/compliance to anyone with the 'compliance:read' permission on an Enterprise tenant.

The five PDF reports

  • Maintenance Compliance โ€” on-time vs late PM completion + signature status (default 90 days, filter by 'signed only')
  • Equipment History โ€” full lifecycle PDF for one asset: work orders, meter readings, audit trail (default 365 days)
  • Calibration / Meter History โ€” reading log + edit/void audit trail for one meter, including soft-deleted records (FEED-24 audit obligation)
  • Audit Trail โ€” filtered audit-log export with chain hash per row (capped at 5000 rows; refine filters to narrow)
  • User & Permission Snapshot โ€” point-in-time stored artifact of every user + role + permission, immutable after generation

Audit chain (21 CFR Part 11 ยง11.10(e))

Every audit log entry is linked to the previous one via a SHA-256 hash chain. Tampering with any row breaks the chain at the FIRST modified row's successor โ€” detectable via the 'Verify chain now' button on /reports/compliance/audit-chain, the CLI script verify-audit-chain.js, or the daily 02:00 UTC cron (with Sentry alert on divergence). The latest chain anchor hash is printed in the header of every generated PDF as a visible tamper-evidence marker for auditors.

Inspection e-signatures (21 CFR Part 11 ยง11.200)

Completing a Sprint 3A inspection on Enterprise requires a second authentication component: the user re-enters their password to mint a 5-minute signing token, then draws their signature on a canvas pad. The signature is stored as an immutable PNG with IP, user-agent, role, optional witness and a server timestamp โ€” and is embedded in the inspection PDF on every re-download. Existing WorkOrder / Lockout / HSE signature flows (Business tier) are unchanged.

User & Permission Snapshots

Snapshots are point-in-time, immutable. Once generated, the cached PDF bytes are stored on the row โ€” auditors can re-download the exact PDF they reviewed months ago even after users have been added, removed, or had their roles changed.

Permissions

  • compliance:read โ€” list and download all reports, view chain status, list/download artifacts. Seeded for ADMIN by default. MANAGER seeded for new tenants; existing tenants may need to grant it manually (existing MANAGER roles are not auto-updated to preserve tenant customizations).
  • compliance:export โ€” generate the Audit Trail PDF and User Permission Snapshot artifact. Seeded for ADMIN only.

Tip

The chain anchor appears in the header of every generated PDF. If you're preparing for a regulator visit, generate a User & Permission Snapshot right before the audit โ€” the cached PDF is your immutable evidence of who-had-access-on-day-X.

Was this page helpful?