Documents

Document downloads

Every external-document view, download, print preview, or AI-agent access — recorded with the actor, the document, the context, and the SHA256 of the bytes delivered, so you can answer "who pulled SOP-007 last quarter?" from data, not memory.

For
Org admins
Find it at
Admin → Documents → Document Downloads
Reading time
4 min

In one sentence

The Document Downloads page is the record of who has been pulling external documents out of QFormance — every view, download, print preview, and AI-agent access of a controlled file, with the SHA256 the user actually received so you can prove the bytes delivered matched the approved version.

Three things to remember
  • Every access is logged. Opening the detail page, downloading the file, generating a print preview, or letting Ask the Library reference the file all write a row here.
  • The file hash travels with each access. SHA256 of the bytes delivered is captured at access time, so an inspector can correlate the served copy to the hash recorded on the approved version of the document.
  • Admin-only. Reading the page is gated on the Access audit admin permission.

What gets recorded

Every external-document access writes a row, tagged with one of four contexts:

ContextWhat triggers it
Page viewSomeone opened the document detail page in the dashboard
DownloadSomeone clicked Download, or a signed URL was minted for the file
Print previewSomeone opened the print-friendly view (typically before saving as PDF)
AI agent accessAsk the Library, the document agent, or another AI feature referenced the file's content while answering a user prompt

The four contexts carry colored badges in the table so an admin scanning the page can distinguish reading from exfiltrating at a glance.

What each column means

The viewer shows the most recent 200 access events, newest-first.

ColumnWhat it carries
WhenDate and time of the access
WhoActor's name and role at the time. Snapshotted at write so deleting the user later doesn't erase the trail.
DocumentDocument number and title, linking to the live document. (deleted) if the document has been removed since.
ContextOne of the four context badges above
File hashFirst 12 characters of the SHA256 of the served bytes (full hash is in the database)

File hash and content integrity

QFormance computes a SHA256 of every external document's bytes at the moment of approval, storing it alongside the document and the matching version snapshot. Every download / print / view re-captures the hash of what was actually served and records it on this page.

The pair of hashes lets an inspector answer the highest-stakes audit-trail question: "is the copy this person pulled the same one that was approved?" If the served hash matches the approved-version hash, the answer is yes. If they don't match, the served copy is different from the version of record — which shouldn't happen, because the external-document file store refuses overwrites and deletes (controlled-record immutability is enforced at the storage layer, not just the application).

This is part of the §11.10(e) controlled-record access trail. Inspectors looking for "prove to me that what was downloaded was the approved version" get the answer from the File hash column on this page paired with the version snapshot on the document.

Why this matters — 21 CFR §11 framing

Part 11 §11.10(e) requires a secure, computer-generated audit trail of operations on regulated electronic records. For controlled documents — SOPs, customer specs, regulatory standards — the "operation" inspectors care about most after creation and approval is who accessed it, when, and with what content integrity. This page is the answer.

The trail covers external documents specifically. Internal (HTML-content) documents render their content live from the database without minting a separate file, so the question "who pulled SOP-007's PDF?" is answered by "nobody — they read it in the app", with the page-view captured on the underlying documents row history.

Who can read this page

Gated on the Access audit admin permission. The default Admin role has it; Standard User does not. If you've built a custom role for regulatory review, grant Access audit admin on that role so the reviewer can open this page without admin role on everything else.

Was this helpful?
Suggest an edit →