21 CFR Part 11 EU & US hosting

The fastest path to a compliant medical device.

Threeqa is a QMS and ALM platform built for medical device teams. Designed around IEC 62304, ISO 14971 and ISO 13485 workflows, so your engineers stay on the device.

Book a 30-min demo
Up and running in minutes Your data, your export (no lock-in) QMS without the overhead
Threeqa operational dashboard
Platform

Everything a regulated medical device team needs, in one place.

Replace scattered spreadsheets, doc trees, and side-of-desk Confluence pages with a purpose-built platform that ensures traceability and compliance with the regulations and standards that apply to your device.

Traceability graph

A real traceability graph, not a copy-pasted matrix.

Threeqa is built on a graph-on-relational model: every requirement, hazard, design output, test case and risk control is a typed object, and every link between them is a typed, attributed, audited edge. Change one node and downstream impacts are surfaced before you merge.

  • Bidirectional links across user needs, requirements, design, V&V, and risk
  • Impact analysis on every change. Surface affected items in a click
  • Suspect-link and stale-artifact indicators surface broken trace as soon as it appears
ItemUNREQDESVERVALRSK
UN-001
UN-002
UN-003
UN-004
UN-005
UN-006
UN-007
Risk management

ISO 14971 risk register that reflects real risks, kept live.

A risk-based approach grounded in hazard identification, severity × probability matrices, and residual-risk evaluation tied to verification evidence. Not a 200-row spreadsheet.

  • Pre/post mitigation comparison views
  • FMEA, fault-tree and hazard analysis templates
Severity →
Probability →
Negligible · Minor · Serious · Critical · Catastrophic
Document control

Structured eDocs on a hash-chained audit trail.

Documents are assembled from structured data, not copy-pasted into Word. Every approval, redline and superseded version is recorded as an immutable, hash-chained audit event, attributed to a typed actor (user, system, integration or AI). No role, including admin, can edit a signature or delete an audit event.

SDD-002 · Architecture
v3.1 · APPROVED2026-04-12
RMF-014 · Risk file
v2.7 · APPROVED2026-04-09
VVP-008 · V&V plan
v1.4 · APPROVED2026-04-02
21 CFR Part 11

e-Signatures with full chain of custody.

Re-authenticated signing bound to the exact revision, with a signature meaning the regulator can read. Approval authority is separated from edit authority by design; signatures, once placed, are immutable.

RM
Rachel Mendez
QA Director · Author
Signed
AS
Amir Soltani
Reg. Affairs · Reviewer
Signed
DL
Dr. Diana Lee
VP Quality · Approver
Required
Standards-aligned

Mapped to the regulations and standards that apply.

Artifacts are linked, by your team, to the clauses of IEC 62304, ISO 14971, ISO 13485 and MDR they answer to. Regulatory bodies and notified bodies get a coherent story; your team gets a checklist.

62304 14971 13485 MDR QMSR Part 11 Threeqa
AI

AI in regulated workflows, not against them.

Threeqa treats AI as a controlled assistant, never an authority. Every AI suggestion is itself a governed artifact: auditable, attributable, and gated behind a human approval. AI can draft, link and triage, but it can't sign, approve or transition a workflow on its own.

  • AI is a typed actor in the audit trail, alongside users, systems and integrations
  • AI outputs require explicit human promotion before they enter your trace
  • Provider, model and policy are governed by your organization, not by Threeqa
AI suggests
DRAFT · LINK · CLASSIFY
Required human review
AI_PROMOTE PERMISSION
Promoted to your trace
AUDITED · ATTRIBUTED · SIGNED
How it works

Live in days, not the next budget cycle.

A guided onboarding moves you from spreadsheets to a working setup quickly, with our team alongside you the whole way.

Bring your existing artifacts

Bring your DHF exports, requirement spreadsheets, and risk files. Threeqa imports them in place, no schema cleanup required.

Wire up your trace

Link requirements, design, V&V, risk and documents to the clauses of IEC 62304, ISO 14971, ISO 13485 and MDR they answer to. Your team curates; Threeqa keeps every link typed, attributed and audited.

Close gaps with confidence

Every missing artifact, broken trace, and unsigned deliverable is surfaced in a prioritized work-down list.

Walk into your conformity assessment

Export a content-hashed evidence bundle for your Medical Device File. DHF in the US, Technical File in the EU. Every export carries per-artifact provenance and a manifest hash your notified body or FDA reviewer can verify, or invite them in directly with read-only access.

By the numbers

Built by people with deep experience in complex medical device programs.

3
Workflows designed for the standards medical device teams face: IEC 62304, ISO 14971, ISO 13485, alongside MDR and FDA QMSR.
100%
Bidirectional traceability across user needs, requirements, design, V&V and risk. Every link, both directions, by construction.
−63%
Target reduction in time to assemble your design history records (DHF under FDA QMSR, Technical Documentation under MDR), modeled against typical Class IIb programs running on spreadsheets and shared drives.
Standards coverage

Aligned to the regulations and standards behind your conformity assessment.

Threeqa's workflows are designed around the regulations medical device companies actually face. Your team curates the clause-level mapping that fits your device. Not a generic "compliance" wrapper.

IEC 62304:2006/AMD1:2015
Medical device software lifecycle
Class A/B/C software safety classification, planning, requirements, architecture, unit and integration verification, problem resolution.
Class A/B/CSOUP & legacy code
ISO 14971:2019
Risk management for medical devices
Hazard identification, risk evaluation, risk control measures, residual-risk acceptability, post-market risk monitoring.
FMEA & fault-treePost-market surveillance
ISO 13485:2016
Quality management system
Document & record control, design controls, CAPA, supplier management, internal audit, management review.
Design controlsCAPA & audit
EU 2017/745 MDR · 21 CFR Part 820
EU MDR & FDA QMSR (2026)
Annex II technical documentation, GSPR mapping, FDA QMSR alignment with ISO 13485:2016 (in force since February 2026), 510(k) and PMA support.
Annex II / GSPR510(k) & PMA
FAQ

Questions teams ask before switching.

Don't see what you're looking for? We're happy to talk through specifics, including a clause-level review of your existing setup.

Talk to a regulatory engineer Skip sales. Email hello@threeqa.com and you'll hear back from a regulatory engineer, not a sales rep.
Is Threeqa a replacement for a notified body or auditor?
No, and we'll never claim to be. Threeqa is the platform your team uses to prepare for notified body audits, FDA inspections and internal reviews. Your notified body and FDA relationships stay exactly where they are; we just make sure the artifacts you hand them are complete and traceable.
How do we migrate from our existing tools?
As long as your existing tool can produce a structured export (CSV/XLSX, XML, JSON, or a documented API), we can take it from there. That covers the common sources we see (Greenlight Guru, Polarion, Confluence, Jira, SharePoint, Word/Excel).
Where is our data hosted, and is it encrypted?
Production data is hosted in your choice of an EU-based or US-based region. All data is encrypted at rest and in transit.
What happens to our data if we stop using Threeqa?
It comes with you. Records, traces, signed artifacts and the full audit trail can be exported in structured formats your next system can read. We treat data portability as a baseline expectation for a QMS - your audits depend on records that span years, so they shouldn't be hostage to a vendor relationship.
Will Threeqa work for SaMD that isn't a physical device?
Yes. In fact, that's where Threeqa started. SaMD-specific workflows cover IEC 62304 software safety classes and IEC 82304-1 health software.
Can we run multiple legal entities or subsidiaries on Threeqa?
Yes. Threeqa is multi-tenant by design, with strict isolation between organizations. Each legal entity has its own governed artifacts, signatures, baselines and audit trail. Cross-organization links exist but require an explicit permission, a documented reason and an audit event. Never silent cross-org access.
Get started

Stop re-assembling your Medical Device File the week before your conformity assessment.

Book a 30-minute walkthrough with our team. We'll review where you stand, show Threeqa against your real artifacts, and give you a frank read on what it would take to be certification-ready and get your device cleared for market.

Book a demo
What you'll get on the call
A real demo, not a slideshowWalked through using your standards & device class.
First read on alignmentAn initial look at where you stand against IEC 62304, ISO 14971 and ISO 13485.
Migration sketchA rough sense of how your existing setup would land in Threeqa.
Your records stay yoursWe'll show how export works on day one, so the audit trail isn't hostage to a vendor relationship.