Regulatory action items — open TBDs
| Document metadata | |
| --- | --- |
| Generated | 2026-05-22 (L21 follow-up) |
| Scope | All remaining TBD / [TODO] / [REGULATORY] / XXX placeholders in site-docs/compliance/*.md after L21 mechanical fill |
| Status | Action items pending external decision / sign-off |
| Owners | Regulatory consultant, Legal counsel, Clinical lead, IT-Security lead |
This file lists every placeholder that cannot be derived from repository
state. Each requires a human decision, an external lookup, or a signature.
The L21 follow-up automatically filled all "mechanically derivable" items
(SOUP versions, the LABIS UCA security@ / privacy@ mailbox, security.txt
expiry, etc.). What remains below is the genuine regulatory backlog.
1. Pending items — by file
30-gdpr-dpia.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 1 | 30-gdpr-dpia.md:31 | Joint / sub-processors: TBD per deployment (Cloudflare R2, hosting provider, SMTP relay) | Identify the specific sub-processors that will be contracted for the first production deployment (hosting, R2, SMTP); record vendor names and DPA reference. | Regulatory consultant + IT-Sec |
| 2 | 30-gdpr-dpia.md:65 | The hosting provider acting as a processor under an Art. 28 DPA (TBD). | Sign Art. 28 DPA with the chosen hosting vendor and cite the executed DPA reference here. | Legal counsel |
| 3 | 30-gdpr-dpia.md:74 | Cloudflare Workers / R2 transfer row, "Status: TBD" | Confirm Cloudflare SCCs + DPA are in place for the EU clinic deployment and flip status to OK (with execution date). | Legal counsel |
| 4 | 30-gdpr-dpia.md:248 | Controller address: TBD | Provide the legal address of LABIS UCA / UCA registered office for the ROPA. | Legal counsel |
| 5 | 30-gdpr-dpia.md:249 | Controller contact: TBD (privacy@… email pending) | Confirm whether privacy@labis-uca.com.ar is provisioned and routed; otherwise designate the correct controller contact. | IT-Sec |
| 6 | 30-gdpr-dpia.md:250 | DPO contact: TBD | Appoint a DPO (or formally document that none is required under Art. 37) and record contact details. | Legal counsel |
| 7 | 30-gdpr-dpia.md:252 | Processors (Art. 28): TBD per deployment | Same as item 1 — name each Art. 28 processor per deployment. | Legal counsel |
| 8 | 30-gdpr-dpia.md:282 | Sign-off row "Controller (LABIS UCA) — TBD, TBD, TBD" | Name, decision, date for the controller-level sign-off. | LABIS UCA leadership |
| 9 | 30-gdpr-dpia.md:283 | Sign-off row "DPO — TBD, TBD, TBD" | DPO sign-off (after item 6 is resolved). | DPO |
| 10 | 30-gdpr-dpia.md:284 | Sign-off row "Head of Clinical — TBD, TBD, TBD" | Identify Head of Clinical and obtain sign-off. | Clinical lead |
| 11 | 30-gdpr-dpia.md:285 | Sign-off row "Head of Quality — TBD, TBD, TBD" | Identify Head of Quality and obtain sign-off. | Quality lead |
34-de-gdpr-bdsg.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 12 | 34-de-gdpr-bdsg.md:273 | with the protocol [TBD reference]. | Provide the formal reference (ID and URL) of the German clinical research protocol approved by the local Ethik-Kommission. | Clinical lead |
| 13 | 34-de-gdpr-bdsg.md:299 | The essence of this agreement is published at [URL TBD] | Draft and publish the Art. 26(2) GDPR joint-controller "essence" page; provide the canonical URL. | Legal counsel |
32-ar-lopdp.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 14 | 32-ar-lopdp.md:225 | LABIS UCA … con domicilio en [TBD] | Legal domicile of LABIS UCA / UCA for the Aviso de Privacidad. | Legal counsel |
| 15 | 32-ar-lopdp.md:226 | CUIT [TBD] | UCA CUIT number (Argentine tax ID) to print in the Aviso de Privacidad. | Legal counsel |
| 16 | 32-ar-lopdp.md:297 | Multa: ARS [TBD — Disp. AAIP 71/2010 amended several times for inflation] | Look up the current ARS fine schedule under the latest AAIP resolution updating Disp. 71/2010 for inflation. | Regulatory consultant |
33-br-lgpd.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 17 | 33-br-lgpd.md:42 | on data subject rights handling [TBD verify]. | Verify the cited LGPD / ANPD guidance reference for data-subject rights handling. | Regulatory consultant |
| 18 | 33-br-lgpd.md:137 | Argentina-EU-Brazil adequacy chain TBD; ANPD has not published an adequacy decision list… | Re-check ANPD publications for any adequacy decision list (recurring task). | Regulatory consultant |
| 19 | 33-br-lgpd.md:138 | Resolução CD/ANPD 19/2024 [TBD verify number] | Verify resolution number and publication date for the ANPD standard contractual clauses. | Regulatory consultant |
| 20 | 33-br-lgpd.md:189 | Resolução CD/ANPD 15/2024 [TBD verify… | Same verification task for Resolução CD/ANPD 15/2024. | Regulatory consultant |
| 21 | 33-br-lgpd.md:231 | "Reasonable time" — ANPD guidance ≈ 2 business days [TBD] | Confirm the current ANPD guidance on the incident-notification reasonable-time benchmark. | Regulatory consultant |
20-fda-samd-path.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 22 | 20-fda-samd-path.md:173 | Formetric / DIERS Formetric 4D … TBD | Look up the specific 510(k) K-number(s) for any US-cleared variant of the DIERS Formetric 4D family. | Regulatory consultant |
| 23 | 20-fda-samd-path.md:174 | Spinal Mouse … TBD | Confirm whether Idiag Spinal Mouse is FDA-listed and provide K-number or registration number. | Regulatory consultant |
| 24 | 20-fda-samd-path.md:175 | Surface Topography systems … TBD | Identify representative US-cleared surface-topography systems (K-numbers). | Regulatory consultant |
| 25 | 20-fda-samd-path.md:176 | GAITRite … TBD | Confirm GAITRite (CIR Systems) FDA listing and provide K-number. | Regulatory consultant |
91-non-device-disclaimer.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 26 | 91-non-device-disclaimer.md:186 | **TBD** — FDA Warning Letter to a vendor of mobile-camera-based diagnostic… | Source the specific FDA Warning Letter from the public FDA Warning Letter database and replace TBD with the case identifier. | Regulatory consultant |
| 27 | 91-non-device-disclaimer.md:190 | *URL: TBD — regulatory team to source from | Provide the FDA database URL for the Warning Letter in item 26. | Regulatory consultant |
| 28 | 91-non-device-disclaimer.md:192 | **TBD** — FDA Warning Letter to a developer of image-analysis software… | Same as item 26 for the second cited Warning Letter. | Regulatory consultant |
| 29 | 91-non-device-disclaimer.md:194 | *URL: TBD — same… | Provide the FDA database URL for the Warning Letter in item 28. | Regulatory consultant |
50-secdev-checklist.md
| # | File:line | Current placeholder | Decision needed | Owner |
| --- | --- | --- | --- | --- |
| 30 | 50-secdev-checklist.md:91 | Pydantic models in FastAPI; comprehensive coverage TBD | Engineering decision (not a regulatory one strictly): confirm input-validation coverage status — leave the partial-implementation marker until ASVS V5.1.x is fully covered. | IT-Sec / engineering |
2. Summary
- Total open items: 30 (L21 started with 42; 12 were mechanically filled, plus 1 listed here for completeness because it reflects an ongoing engineering decision rather than a fillable value).
- By owner:
  - Legal counsel: 8 items
  - Regulatory consultant: 13 items
  - Clinical lead: 2 items
  - DPO / Quality / Controller sign-off: 4 items
  - IT-Security / engineering: 3 items
- Suggested next step: schedule a regulatory review meeting to assign owners and target dates per row above.