LabValence Platform Sign in Book a demo
LabValence Platform & Security

Secure, auditable, and yours to control.

The foundation every module runs on — fine-grained roles, fail-closed access control, a tamper-evident hash-chained audit trail, encryption at rest, multi-branch isolation, a client portal and public report verification — engineered to ISO/IEC 17025, 21 CFR Part 11, and toward ISO 27001 & SOC.

The security spine.

Four controls behind every screen.

Every module reads the same permission matrix, writes to the same audit trail and honours the same branch boundaries — so security is one system, not scattered settings.

app.labvalence.com/settings/roles
Roles & permissions
Custom role · Senior Analyst · fail-closed by default
ModuleViewEditApprove
SamplesYesYes
ResultsYesYes
ReportsYes
Invoices
app.labvalence.com/audit
Audit trail
Append-only · SHA-256 hash-chained · SIEM export
11:42:07   a.balushi signed report LV-24814 · 10.4.2.19
11:39:55   r.said updated result As 0.061 → 0.059 · 10.4.2.31
11:31:20   m.khan verified LV-24814 / pH · 10.4.2.18
11:02:44   system sealed hash block #48213 · chain intact
app.labvalence.com/settings/branches
Branches & portal
Data scoped per branch · co-branded documents
Branch scope
Muscat — isolated · numbering MCT-####
Sohar — isolated · numbering SHR-####
All branches — admin only, every switch audited
verify.labvalence.com/LV-24814
Public verification & intake
No login · scan the report QR code
LV-24814 / A
Valid — issued 22 Jun 2026 · Global Labs Oman
Tamper-evident · SHA-256 hash chain intact
e-Portal intake validated before it enters the lab
Fail-closed by default Role re-read every request One audit trail, end to end
Access & identity.

You decide who can do what — the server enforces it.

Roles, permissions and identity checks that are read fresh on every request and can never be talked around from the browser.

Built-in & custom roles

Start from sensible role presets or build your own, with a fine-grained view / create / edit / delete / approve permission per module.

Fail-closed central authorization

One authorization layer guards every endpoint. The role is re-read from the database on each request — never trusted from the token — and access defaults to denied.

Optional two-factor & step-up

Each user can turn on TOTP two-factor with one-time recovery codes, and sensitive actions can demand a fresh step-up re-authentication.

Four-eyes & separation of duties

Segregation of duties is enforced server-side — the person who enters a result, raises a payment or requests an approval can never sign it off alone.

Audit, integrity & data protection.

Every change, recorded and provable.

The record that accreditation and audit depend on — written on every action, protected at rest, and recoverable when it matters.

Hash-chained audit trail

An append-only, tamper-evident log of actor, IP and before / after values on every write — exportable to your SIEM and independently verifiable link by link.

Encryption at rest

Secrets, credentials and personal data are encrypted at rest, with transport secured in transit — so a stolen disk or backup file is worthless on its own.

Encrypted backups & DR

Encrypted nightly backups with a tested restore path and a documented disaster-recovery runbook — so recovery is rehearsed, not hoped for.

Soft-delete & purge preview

Deletions go to a restoration window first, with a purge preview before anything is removed for good — and finance and audit records are protected from purge.

app.labvalence.com/audit/verify
Integrity status
Independent tamper check · SIEM export ready
This branch · last 30 days
Hash chain intact — 48,213 records, 0 breaks
Encryption at rest · secrets & PII (AES-256)
Last encrypted backup verified · 03:00 · restore tested
Reach & experience.

Secure on the inside, welcoming on the outside.

The same controls that lock the platform down also let you open the right doors — to branches, to clients, and to the public verifying a report.

Multi-branch & co-branding

Data is isolated per branch with its own document numbering, and each client's display name and logo can co-brand the documents they receive.

Client portal & e-portal intake

Invite external customers to a restricted portal that shows only their own reports, quotations and payments — and let them submit samples through an e-portal that is validated before it enters the lab.

Verification, dashboards & exports

Public report QR / CoA verification without login, plus role-based dashboards and permission-gated one-click Excel exports for the numbers you are allowed to see.

ValenceAI, support & entitlements

An in-app assistant that answers from product docs only — never customer or sample data — fail-closed to staff and rate-limited; built-in support tickets; and entitlements that switch whole modules on or off per deployment.

portal.labvalence.com/muscat-steel
Client portal — Muscat Steel
External view · own data only
DocumentTypeStatus
LV-24814ReportIssued
QT-1180QuotationSent
INV-0642InvoiceDue
Trust, by the numbers.

Security you can hand to an auditor.

100%

Of writes captured in an append-only, tamper-evident audit trail.

0

Endpoints trusted by default — access is fail-closed and re-checked every request.

1

Unbroken hash chain over every audit record — break a link and verification fails.

256-bit

AES encryption at rest for secrets and PII, with TLS in transit.

Figures describe how the platform's controls are designed to behave; exact coverage and settings depend on your configuration, plan and deployment.

Compliant by design.

Controls an assessor can attest to.

Standards the platform is built to Independently attestable — certification in progress where noted
ISO/IEC 17025:2017Testing & calibration competence
21 CFR Part 11Electronic signatures on reports
ISO/IEC 27001:2022Certification in progress
SOC 1 & SOC 2Certification in progress
Hash-chained auditActor · IP · before/after
Encryption at restSecrets & PII protected
Deployment.

Run it where your data needs to live.

Deploy your way

Cloud, private-cloud, on-premise and fully air-gapped deployment options exist — so the platform can sit inside your own network or offline entirely.

Multi-tenant is a planned phase

Each deployment runs a single lab today. Shared multi-tenant hosting is on the roadmap — it is not switched on by default, so your data stays your own.

Government-integration-ready

Hooks for Oman government services — ITA PKI, eOman SSO, ePayment and OeGAF — are built in and ready to activate on a government tender. They are not live in a standard deployment.

Deployment models, the multi-tenant phase and government integrations are described as designed or planned; availability depends on your contract, environment and, for government services, an activated tender.

Questions.

Platform & security, answered.

How is access controlled?+

Through fine-grained roles — built-in or custom — with a view / create / edit / delete / approve permission per module. One central authorization layer guards every endpoint and is fail-closed: the user's role is re-read from the database on each request, never trusted from the token, and anything not explicitly allowed is denied.

Is the audit trail tamper-proof?+

The audit trail is append-only and SHA-256 hash-chained — each record is linked to the one before it, so altering or removing an entry breaks the chain and shows up on verification. Records capture the actor, IP and before / after values, and the whole trail can be exported to your SIEM.

Can we run air-gapped or on-prem?+

Yes. The platform supports cloud, private-cloud, on-premise and fully air-gapped deployments, so it can run inside your own network — or with no external connectivity at all — while keeping the same access, audit and encryption controls.

Do you support SSO?+

External single sign-on — SAML / OIDC / LDAP — is on the Enterprise roadmap and not available yet. Today, two-factor is covered by per-user TOTP with one-time recovery codes and step-up re-authentication for sensitive actions.

Where it fits.

Security on every plan, scaling up with you.

The security foundations are included on every plan; multi-site and enterprise controls scale up with Professional and Enterprise.

Every planFine-grained roles, fail-closed access, TOTP two-factor, encryption at rest and the hash-chained audit trail.— included from Essentials up
ProfessionalMulti-branch data isolation and the external client portal.— from $65 / user / mo · most popular
EnterpriseSSO / SAML & SCIM provisioning (on the roadmap), air-gapped / on-premise deployment and the SOC 1/2 & ISO 27001 evidence package.— custom pricing

SSO / SAML & SCIM are on the Enterprise roadmap and not available yet; air-gapped deployment is an Enterprise capability; TOTP two-factor is available on every plan today.

Security you can hand to an auditor.

See the controls on your own data.

Book a 30-minute demo and we'll walk the roles, the audit trail, branch isolation and report verification — end to end, on a real workflow.