Our position
Compliance is architectural,
not contractual.
Every vendor in regulated software makes the same promise: we are compliant. It arrives as a data processing agreement, a certification logo, a page of attestations. Those are contracts, and contracts are promises about behaviour. In regulated logistics, a promise is not the same as a property.
A data processing agreement says your data will be handled a certain way. An architecture decides whether it can be handled any other way. A certification says a control existed on the day of the audit. An append-only table enforced at the database layer says the control exists on every day, for everyone, including the administrator.
We built PharmaLogiks on a simple position: the compliance that matters is the compliance you cannot switch off. It is in the architecture, not the contract. Four principles follow.
Sovereign by architecture
The product is single-tenant and deploys into your own infrastructure. Not private cloud, not a dedicated instance of a shared platform: your Kubernetes, your storage, your network policy, and if you need it, no connection to the outside world at all.
Data residency is not a setting we honour; it is wherever your cluster runs. There is no control plane we operate that your compliance depends on. Sovereignty is a fact of the deployment, not a clause.
One record
A regulated shipment is one thing, so it should be one record. Compliance approval, denied-party screening, cold-chain telemetry, custody handovers, electronic signatures and the generated documents all attach to the same shipment, behind the same audit trail.
The alternative, a screening tool, a monitoring portal, a courier tracker and a spreadsheet, does not fail because any one of them is bad. It fails at the seams, where the audit pack has to be reassembled by hand and the gaps hide. One record removes the seams.
Part 11 throughout
Electronic signatures are not a feature bolted onto approval. Every workflow action, submit, approve, reject, ship, deliver, carries a two-component signature whose hash binds it to the exact record state at signing.
Audit, custody and signature tables reject changes at the database layer, so the trail is immutable even with direct database access. Part 11 is not a module you turn on; it runs through every action the system takes.
AI on-box
The automation that makes the system fast, risk scoring, customs enrichment, breach prediction, runs on a local model inside your cluster, with zero data egress by default. Intelligence does not require sending regulated data to a third party.
The AI is on your box, under your control, or it is off. There is no third option where your shipment data trains a vendor's model.
Contracts have their place. But when the question is whether a regulated record can be altered, whether your data leaves your network, or whether a signature means what it says, the answer should be in the architecture, where it cannot be renegotiated. That is the product. That is the position.
See it live in 25 minutes.
Eight guided flows: compliance review, DPS screening, Part 11 e-signature, custody chain, breach prediction, GDPR erasure and the validation report. Then a 90-day pilot on your own programme, fully creditable.
