Foundational System Component · Copyright 2026
The central piece of Medical Device Content Generation — where every artifact lives, every change is recorded, every approval is captured, and every billable event has a timestamped chain of custody behind it.
Regulated medical-device work has lived for too long on shared drives, version-suffixed filenames, and email threads. The artifacts that matter — Design Inputs, Risk Files, Verification Protocols, 510(k) sections, customer-approved drawings — get drafted, redlined, sent for review, and re-saved as “_v2_FINAL_FINAL.docx” with no defensible record of who approved what, when, or against which version. When a regulator or a customer asks the simple question “show me the chain of custody on this artifact,” the answer is a forensic exercise rather than a query.
The Document Vault is the answer. Every artifact produced in Med Journey AI — AI-drafted or manually authored — lands in the Vault as an immutable, versioned, audit-logged snapshot. The Vault is not a folder. It is the substrate beneath every generated artifact, every customer approval, and every billable event.
AI-drafted content without provenance is a guess. The Vault is what turns it into a defensible artifact — versioned, audited, signed.
Version management
Every save creates a new immutable snapshot. The previous version is not overwritten and not deleted — it sits permanently in the version chain, tagged with its predecessor and the change reason supplied at save-time. The Vault enforces 21 CFR §820.40’s requirement that obsolete documents remain available for review — superseded versions never disappear.
01
Immutable snapshots
Each Save creates a new row. The bytes of the prior version are preserved forever; nothing is mutated in place. Reproducible from any point in history.
02
Linked version chain
Every snapshot carries a stable lineage key. The Vault reconstructs the full chain newest-first across every save, every reviewer response, and every state transition.
03
Pinned canonical versions
Mark a snapshot as the canonical version for a given submission package, customer review cycle, or design freeze. The pin is the source of truth; downstream cards reference it explicitly.
04
Change-reason capture
Every save prompts for a brief change reason. The reason becomes part of the permanent record — the audit explanation auditors and reviewers actually want.
Audit trail
The Vault records every action ever taken against any document. Creation, edit, save-to-Vault, send-for-review, customer response, state transition, supersession, soft-delete — each is captured with actor, timestamp, IP, and metadata payload. The audit trail is queryable by document, by version chain, by actor, by time window, or by action type. There is no “mostly logged” tier; if it happened to a Vault document, it’s in the audit.
The audit trail is the 21 CFR Part 11 e-records substrate. The Vault produces signed, attributed, time-stamped, immutable records of every action — the regulatory requirement, not the marketing claim. When the question is “who approved this, and when, and against what version,” the answer is one query, not a forensic exercise across email threads.
Multi-reviewer approval workflows
Any Vault document can be sent for customer approval. The send-for-review flow accepts one reviewer or up to twenty in a single batch; each receives their own magic-link token in their email. The reviewer opens the link, sees a read-only snapshot of the document at the moment of send (not the latest live edits), and responds with approval, changes-requested, or rejection — with optional comments.
The aggregate state machine resolves the document’s status automatically as responses arrive: one rejection from any reviewer resolves the document to rejected; any reviewer requesting changes resolves it to changes_requested; the document only resolves to approved once every reviewer has explicitly approved. This is the right safety posture for regulated artifacts — one veto is enough.
Foundational System Component · Copyright 2026
Customer approval — the billable event
Most CMO ↔ customer relationships have a quiet ambiguity baked into their Statement of Work: when does a deliverable become billable? At draft? At first send? At the customer’s informal “looks good” on a Zoom call? At a signed PDF returned by email weeks later? Every CMO has lost margin to a customer claiming the SOW deliverable was never finalized; every customer has paid for work they later contested.
The Vault makes the billable event unambiguous. When a Statement of Work ties a deliverable’s billable trigger to customer approval, the Vault’s approval timestamp is the trigger. The customer’s magic-link response, the IP address it came from, the version of the document they approved, and the comment they attached — all permanently recorded, immune to dispute.
How it works in practice
The SOW references the Vault. Rather than “deliverable X is billable upon customer acceptance,” the SOW says “deliverable X is billable when the Med Journey AI Document Vault registers approval_state = approved for document <doc_key>.” The trigger is mechanical, the audit is automatic.
The aggregate state machine resolves automatically. Multi-reviewer workflows don’t require a project manager chasing approvers. The Vault waits for every reviewer’s response and resolves the document the moment the last one lands.
Disputes become queryable. A customer who later contests an approval can be answered in seconds: here is the version they approved, the timestamp, the IP, the comment they attached. The audit trail does not forget.
Additional capabilities
05
Semantic search
Voyage-3 embeddings (1024-dimensional vectors) on every Vault document, auto-indexed on save. Find the right requirement, test report, or risk control by what you mean — not by filename. No manual tagging.
06
Document state machine
Pending → Saved → Sent → Approved (or Rejected / Changes-Requested). Every transition logs to the audit trail. State is the single source of truth for downstream Submission Readiness scoring.
07
Per-app data isolation
Five-tier multi-tenancy via RLS: tenants never see each other’s Vaults. AI never reads cross-app data. Customer A’s artifacts cannot be searched, embedded, or referenced from Customer B’s workspace.
08
AI-grounded drafting
Every AI affordance reads from the Vault. Drafts cite their upstream sources by document key + version. Outputs are reproducible — given the same input version chain, the prompt context is deterministic.
09
Customer-review magic links
Reviewers don’t need a Med Journey AI account. They click an email link, see a read-only snapshot, and respond. Token TTL configurable (default 30 days). Expired tokens auto-resolve to Expired in the aggregate.
10
Cross-version diff (roadmap)
Side-by-side or unified diff between any two versions of the same document, with redline output. Useful for design-history audit reviews and for showing customers exactly what changed since their last approval.
The Vault as commercialization substrate
A medical-device program produces hundreds to thousands of artifacts — Design Inputs, Risk Files, Verification Protocols, Validation Reports, Process Flows, dFMEAs, Batch Records, Manufacturing RFQs, 510(k) sections, Clinical Evaluation Reports, Post-Market Surveillance reports. The submission package itself is just the surface; underneath sits the full design history file (DHF) that an FDA reviewer, an EU Notified Body auditor, or a customer’s quality team can demand at any time.
Without a Vault, that demand is a fire drill. With the Vault, it’s a query. Every artifact has a version chain. Every version has an audit trail. Every approval has a timestamped signature with the reviewer’s response payload attached. The Vault is the difference between content that lives in scattered files and content that arrives with its own evidence — version chain, audit trail, approval signatures — rendered on demand.
That same substrate is what makes Med Journey AI’s AI affordances trustworthy. The model is not freelancing — it is reading from the Vault, citing its sources by document key + version, and producing output that traces back to the upstream artifacts the user has actually approved. The Vault is what keeps the platform’s output carefully and diligently crafted, not speculative.
Standards the Vault produces records that satisfy: 21 CFR Part 11 (electronic records & signatures), 21 CFR §820.40 (document controls), 21 CFR §820.30 (design controls), 21 CFR §820.180 (records retention), ISO 13485 §4.2 (documentation requirements), ISO 13485 §7.3.10 (design and development files), MDR 2017/745 Annex II / III (Technical File). The Vault produces records that satisfy the strictest of these out of the box; downstream readers (FDA reviewer, Notified Body auditor, customer quality lead) consume the same audit trail.
Next step
Start a 14-day trial at app.bollong.ai/upgrade. Walk through the seeded MNCMO demo set — ten enriched programs with full Vault history, multi-reviewer approval workflows, and audit-trail drill-down. See the Vault in operation against the artifacts you actually produce, not against a hypothetical demo.
About the Document Vault. The Document Vault is a tier-1 capability across the Bollong.AI ecosystem. The shared
@brentbollong-ui/doc-vault library provides the state machine, versioning, audit, approval, and embedding primitives; per-app isolation keeps tenants’ data separate. The Vault first shipped in Med Journey AI; the same primitives ship with Entrepreneur’s Journey and every future Bollong.AI workspace.
