Compliance Reports (HIPAA / ISO / GMP / 21 CFR Part 11)
Auditor-ready PDFs + tamper-evident audit chain โ for regulated industries
Compliance Reports is an Enterprise feature that converts your day-to-day FreeMaint data into auditor-ready evidence packs. Five PDF reports, a tamper-evident audit chain on every change, and a daily auto-verification cron come standard. Available from /reports/compliance to anyone with the 'compliance:read' permission on an Enterprise tenant.
The five PDF reports
- Maintenance Compliance โ on-time vs late PM completion + signature status (default 90 days, filter by 'signed only')
- Equipment History โ full lifecycle PDF for one asset: work orders, meter readings, audit trail (default 365 days)
- Calibration / Meter History โ reading log + edit/void audit trail for one meter, including soft-deleted records (FEED-24 audit obligation)
- Audit Trail โ filtered audit-log export with chain hash per row (capped at 5000 rows; refine filters to narrow)
- User & Permission Snapshot โ point-in-time stored artifact of every user + role + permission, immutable after generation
Audit chain (21 CFR Part 11 ยง11.10(e))
Every audit log entry is linked to the previous one via a SHA-256 hash chain. Tampering with any row breaks the chain at the FIRST modified row's successor โ detectable via the 'Verify chain now' button on /reports/compliance/audit-chain, the CLI script verify-audit-chain.js, or the daily 02:00 UTC cron (with Sentry alert on divergence). The latest chain anchor hash is printed in the header of every generated PDF as a visible tamper-evidence marker for auditors.
Inspection e-signatures (21 CFR Part 11 ยง11.200)
Completing a Sprint 3A inspection on Enterprise requires a second authentication component: the user re-enters their password to mint a 5-minute signing token, then draws their signature on a canvas pad. The signature is stored as an immutable PNG with IP, user-agent, role, optional witness and a server timestamp โ and is embedded in the inspection PDF on every re-download. Existing WorkOrder / Lockout / HSE signature flows (Business tier) are unchanged.
User & Permission Snapshots
Snapshots are point-in-time, immutable. Once generated, the cached PDF bytes are stored on the row โ auditors can re-download the exact PDF they reviewed months ago even after users have been added, removed, or had their roles changed.
Permissions
- compliance:read โ list and download all reports, view chain status, list/download artifacts. Seeded for ADMIN by default. MANAGER seeded for new tenants; existing tenants may need to grant it manually (existing MANAGER roles are not auto-updated to preserve tenant customizations).
- compliance:export โ generate the Audit Trail PDF and User Permission Snapshot artifact. Seeded for ADMIN only.
Tip
Related articles
Was this page helpful?