Compliance

Everything compliance — on one page, and one record.

Frameworks, regulatory reports, 21 CFR Part 11 e-signatures, the audit trail, and the trust controls behind them — all bound to the evidence already in your ForgeSOP workspace, so the coverage matrix stays live instead of becoming a quarterly re-mapping project.

Eight seeded frameworks · the right form for the right jurisdiction · a chain your auditor can re-derive

Frameworks

The framework library.

Eight regulatory frameworks, seeded and ready to bind per workspace. Turn on the ones you're held to; ignore the rest.

ISO 45001

Occupational health & safety management systems

The international standard for OH&S management systems — hazard identification, worker participation, and incident management.

Binds to: Incidents, hazard reports, JSAs, permits-to-work, safety SOPs, and the CAPAs they spawn.

ISO 9001

Quality management systems

The quality management standard — documented information, nonconformity, and corrective action (clauses 7.5, 9.2, 10.2).

Binds to: SOPs and versions, deviations, CAPAs, internal audits, and inspection findings.

ISO 14001

Environmental management systems

The environmental management standard — aspects, impacts, and environmental nonconformity.

Binds to: Environmental incidents, spill/release records, and environmental CAPAs.

ISO 27001

Information security management systems

The information-security management standard — Annex A controls, access management, and incident response.

Binds to: Security and IT incidents, access reviews, and security SOPs.

ISO 22000

Food safety management systems

The food-safety management standard — HACCP, prerequisite programs, and control of nonconforming product.

Binds to: HACCP plans, deviations, CAPAs, and inspections.

OSHA 29 CFR 1904

Injury & illness recordkeeping

The US recordkeeping rule governing which work-related injuries and illnesses must be logged and reported.

Binds to: Injury and illness incidents, recordability and case classification.

RIDDOR 2013

UK reporting of injuries, diseases & dangerous occurrences

The UK regulation requiring certain workplace injuries, occupational diseases, and dangerous occurrences to be reported to the HSE.

Binds to: Reportable injuries and dangerous occurrences, with time-zone-aware deadlines.

GDPR

EU General Data Protection Regulation

The EU data-protection regulation, including the Article 33 obligation to notify a personal-data breach within 72 hours.

Binds to: Security incidents involving personal data and their containment actions.

Regulatory reports

The Regulatory Report Engine.

One incident becomes the right form for the right jurisdiction — generated from the record, never re-keyed.

OSHA 300

Log of Work-Related Injuries and Illnesses

The running log of every recordable work-related injury and illness for an establishment in a calendar year.

United States · OSHA 29 CFR 1904

OSHA 300A

Summary of Work-Related Injuries and Illnesses

The annual summary posted Feb 1–Apr 30, totaling the cases on the 300 log with hours-worked context.

United States · OSHA 29 CFR 1904

OSHA 301

Injury and Illness Incident Report

The detailed individual incident report that accompanies each entry on the 300 log.

United States · OSHA 29 CFR 1904

RIDDOR F2508

Report of an Injury or Dangerous Occurrence

The UK form for reporting specified injuries, over-7-day incapacitation, and dangerous occurrences to the HSE.

United Kingdom · HSE RIDDOR 2013

ISO 45001 IR

Incident Report

The structured OH&S incident report used for internal management-system records and audits.

ISO 45001 (OH&S)

ISO 9001 NCR

Nonconformity Report

The nonconformity report documenting a quality deviation and the corrective action taken (clause 10.2).

ISO 9001 (Quality)

ISO 14001 NCR

Environmental Nonconformity Report

The environmental nonconformity report covering an aspect/impact deviation and its corrective action.

ISO 14001 (Environmental)

GDPR Art. 33

Personal Data Breach Notification

The notification to a supervisory authority of a personal-data breach, due within 72 hours of awareness.

EU · GDPR Article 33 (5 supervisory-authority variants)

E-signatures · 21 CFR Part 11 shape

Re-authentication, content binding, separation of duties.

Three properties make an e-signature usable as evidence under 21 CFR Part 11 and EU Annex 11. ForgeSOP enforces all three.

Re-authentication

Signing requires a fresh credential check. You cannot sign with a session token someone else opened.

Content binding

The signature record includes a SHA-256 of the exact bytes signed. Substitute the content and the signature stops verifying.

Separation of duties

Default policy: the assessor cannot approve their own work. Configurable per workspace and per role.

Every signature carries a typed meaning, so the audit trail records not just that someone signed, but what the signature asserts:

SOP_PUBLISHED · CAPA_CLOSED · INSPECTION_RUN · RISK_ASSESSMENT · REPORT_FILED · INCIDENT_CLOSED

Standards shape: 21 CFR Part 11, EU GMP Annex 11, ISO 13485 §4.1.6. We say “Part 11-shaped” deliberately — we mirror the regulation’s evidence and signature requirements in the data model; formal compliance is a customer-side validation activity, not a claim the software makes on its own.

The moat

A hash-chained, byte-exact audit trail your auditor can verify themselves.

Every state change is written to an append-only ledger as canonical JSON. Each entry records:

  1. Actor: user_id and a re-authentication assertion
  2. Action: a typed enum, e.g. SOP_PUBLISHED
  3. Subject: the row affected, with a content hash of the bytes
  4. Timestamp: UTC, monotonic
  5. Previous-event hash: the chain link

Tamper with one row and every subsequent hash breaks. Every export PDF embeds the chain head and a verifier description, so your auditor re-derives the chain on their own machine — they aren’t asked to trust our word.

event:        SOP_PUBLISHED
actor:        u_8f2a (re-auth: TOTP at 14:02:11Z)
subject:      sop_p201_calibration v3
content_hash: sha256:3c6a…b91f
prev_hash:    sha256:a08e…472d
chain_head:   sha256:7d11…0c4b
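As an added illustration (not ForgeSOP's code; the field names, the genesis sentinel and the sample events are assumptions), here is a minimal ledger in the shape described above: canonical JSON entries, a content hash of the subject bytes, a prev_hash link, and a verifier that re-derives the whole chain and reports the first entry that no longer checks out.

```python
import hashlib
import json
from typing import Optional

# Constructed sentinel for the first entry's prev_hash (assumed, not ForgeSOP's value).
GENESIS = "sha256:" + "0" * 64

def canonical(obj) -> bytes:
    # Canonical JSON: sorted keys, no whitespace, ASCII only, so the same
    # logical entry always serialises to the same bytes and the same hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def sha256_tag(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def append_event(ledger, actor, reauth, action, subject, content: bytes, ts) -> str:
    """Append one entry; return the new chain head (the hash of that entry)."""
    prev_hash = ledger[-1]["entry_hash"] if ledger else GENESIS
    entry = {
        "actor": {"user_id": actor, "reauth": reauth},      # who, plus the re-auth assertion
        "action": action,                                    # typed enum, e.g. SOP_PUBLISHED
        "subject": {"row": subject, "content_hash": sha256_tag(content)},
        "timestamp": ts,                                     # UTC, expected to be monotonic
        "prev_hash": prev_hash,                              # the chain link
    }
    entry["entry_hash"] = sha256_tag(canonical(entry))      # covers every field above
    ledger.append(entry)
    return entry["entry_hash"]

def verify_chain(ledger) -> Optional[int]:
    """Re-derive every hash; return the index of the first broken entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or sha256_tag(canonical(body)) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None

def demo():
    """Three constructed events, then an after-the-fact edit to the middle row; returns (head, broken_index)."""
    ledger = []
    append_event(ledger, "u_8f2a", "TOTP", "SOP_PUBLISHED", "sop_calibration v3", b"SOP v3 bytes", "2024-05-01T14:02:11Z")
    append_event(ledger, "u_11c0", "TOTP", "INSPECTION_RUN", "insp_0042", b"inspection bytes", "2024-05-02T09:15:00Z")
    head = append_event(ledger, "u_8f2a", "TOTP", "CAPA_CLOSED", "capa_0007", b"capa closure bytes", "2024-05-03T16:40:00Z")
    ledger[1]["subject"]["row"] = "insp_0099"   # tamper with one row in place
    return head, verify_chain(ledger)
```

demo() returns the chain head together with index 1, the edited row; re-hashing that row after editing it would only move the break to the next entry's prev_hash, which is why an auditor holding the exported chain head can re-derive the whole ledger independently.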

Trust & Security

The controls behind every record.

Access, tenancy, snapshot integrity, and authentication were primary design constraints — not add-ons.

RBAC v2 & capability grants

Nine roles, scoped to specific sites and time-boxed so contractor access auto-lapses — with per-user capability overrides, all recorded on the audit trail.

Tenancy isolation

Every multi-tenant row carries a workspace_id, and row-level security is enforced at the database — not in app code — so a forgotten WHERE clause cannot leak across tenants.

Snapshot integrity

The methodology or template in force is frozen onto a record when it is approved or run, so re-banding a matrix tomorrow never silently re-rates yesterday’s decisions.

SSO & MFA

SAML/OIDC single sign-on and enforced multi-factor authentication, with re-authentication required at the moment of signing.

FAQ

Frequently asked

Yes. The Regulatory Report Engine generates the OSHA 300 log, the 300A annual summary, and the 301 incident report directly from your injury and illness incident records. Recordability, restricted- and transfer-day counts, and case classification are computed by the engine rather than hand-typed, and the 300A annual posting rolls up from the 300 log in one click.

ForgeSOP generates the RIDDOR F2508 — the UK HSE report for specified injuries, over-7-day incapacitation, occupational diseases, and dangerous occurrences. It is generated from the same incident record as the OSHA forms, with time-zone-aware reporting deadlines, so multi-jurisdiction operators never re-key the same event.

When a security incident is flagged as involving personal data, ForgeSOP starts a 72-hour regulatory clock and offers the GDPR Article 33 personal-data-breach notification in five supervisory-authority variants. The notification is pre-filled from the incident's scope-of-data and containment-action fields, and filing it mints a REPORT_FILED e-signature with the regulator's confirmation reference recorded on the audit trail.

Each framework in the library maps its clauses to the ForgeSOP record types that satisfy them — SOPs, audits, CAPAs, incidents, training, and more. As you create those records they link to the clauses they support, so the coverage matrix updates itself. There is no separate mapping document to maintain, and an auditor can trace any clause to the live evidence behind it.

ForgeSOP provides 21 CFR Part 11-shaped e-signatures — re-authenticated, content-bound, with enforced separation of duties and a hash-chained audit trail that mirrors Part 11's evidence and signature requirements. Whether a deployment is "Part 11 compliant" depends on your validated processes and controls as well as the software, not the software alone.

Forge better processes

One platform. Always audit-ready.

Bring SOPs, checklists, audits, incidents, and CAPAs into one connected system for safer, clearer, and more consistent operations.

No credit card required · Built for teams that run on process