Skip to content
Daviah IO
Daviah IO
PlatformsPricingDesign PartnersKnowledge BaseBlogAbout
Daviah IO
Daviah IO

  • Platforms
  • Pricing
  • Design Partners
  • Knowledge Base
  • Blog
  • About
All posts
data quality
compliance data
normalization
regulatory intelligence
eudr
uflpa
csddd
lksg
flr

Data Quality as Infrastructure

Daviah
July 1, 2026
Data Quality as Infrastructure — Daviah IO
Daviah. Field Notes
Vol. 01 · No. 14
Perspective

Data Quality as Infrastructure

The record that looks complete cannot answer for itself. Four pillars of what compliance data has to be — clean at the source, normalized on the way in, tamper-evident in the record, and current against the world — before the record it assembles into is worth signing.

Almost every compliance record in a supply chain is built from the same underlying reality: data assembled by analysts across spreadsheets, SharePoint folders, and supplier email threads, translated between formats by hand, and filed as done. The record looks orderly. The data underneath it is a stack of quiet assumptions — that the supplier's spelling was consistent, that the certificate is still valid, that nobody pasted a phone number into the wrong column, that the regulation hasn't been amended since the file was last opened.

Good data looks different. It arrives from the source with its origin attached. It normalizes into one shape without losing what it started as. It carries a mark that shows whether it has moved. It knows how old it is, and whether the world it describes has moved on since. Good data doesn't ask the person reading it to remember any of that on its behalf.

Data quality in supply-chain compliance has to be treated as infrastructure — built into the way information enters, moves, and ages through the system, not applied as a cleanup pass at the end. That's the argument this piece makes, in four pillars, each one a specific way the data either holds or doesn't.

— The Thesis

The four pillars aren't a feature list. They're what has to be true about the data itself before the record on top of it means anything:

Data that is clean at the source. Data that arrives in one shape. Data that cannot move without leaving a mark. Data that ages honestly.

Miss any one of the four, and the record on top is a story the data can't back up.

The Contrast, at a Glance
Four Pillars, Two Realities
The Data Property
Data as Infrastructure · Daviah
Data as Byproduct · Manual
Cleanliness at the Source
A server-side gate runs ~48 rules across five frameworks and refuses to accept a record the data cannot support (HTTP 409).
A file marked "complete" that nobody stress-tested. The green cell is a story about the record, not the data.
Normalization on Arrival
AI maps every supplier's messy columns into one canonical schema; deterministic validators enforce it; PII is redacted, encrypted, and lawful-basis-gated.
"United Kingdom" vs "GB," "Med" vs "medium," a personal phone in a shared column, days lost to reformatting.
Integrity in the Record
Hash-chained audit log, immutable in the database; 261 permissions / 30 roles; every access justified and logged for 7 years.
Certificates in email threads; "who saw the UBO data?" answered from memory.
Freshness Against the World
The system watches the regulations and the clock — detects amended law and decayed evidence, and turns both back into blockers.
The biggest lie in a spreadsheet is that it's current. You find out at customs.
Pillar 01 · Cleanliness at the Source

The gate that says "no"

Data that either supports the record on top of it, or doesn't
Manual upkeep

An analyst ticks a box that says the supplier dossier is done. No one re-checked whether the data behind it — the certificate scope, the plot geolocation, the ownership graph — actually says what the dossier is claiming. The certificate might cover the parent org but not the facility that produced the goods; the plot might have no coordinates at all; the whole file might be procedurally complete and evidentially hollow. The record and the data have quietly parted ways, and only enforcement will reveal it.

The software contrast

Daviah runs a server-side gate — roughly 48 rules spanning five regulatory frameworks (EUDR, UFLPA, CSDDD, LkSG, FLR) plus cross-cutting evidence hygiene, each carrying a paragraph-level statutory citation (EUDR Art. 9(1)(d), UFLPA §3(b), CSDDD Arts. 11–12, LkSG §10, FLR Art. 17(2)). It doesn't ask "is the box ticked?" It asks "does the data actually say what the record claims?"

Missing plot geolocation, an expired certificate, evidence that covers the parent but not the producing facility (the "audit-shopping" pattern), a plot flagged high-risk by third-party satellite screening with no accepted false-positive override — each fires as a blocker while you build, and the dossier export is refused until it clears. Every verdict — even a blocked one — is written to an immutable snapshot with a SHA-256 content hash and a pinned RULESET_VERSION, so a later reader can prove the same engine would still reach the same conclusion.

What this gets you
The gate turns a soft assumption — "the data behind this record is fine" — into a hard, cited answer. When the record is accepted, it's accepted because the data underneath survived examination against the specific rule and the specific paragraph of the specific regulation. That is what "clean" is supposed to mean.
Pillar 02 · Normalization on Arrival

One blueprint vs. reformatting hell

Data cleaned by a system that carries its provenance
Manual upkeep

Every supplier, cooperative, and certifier sends data in a different shape. Analysts spend days translating "United Kingdom" into "GB," "Med" into "medium," aligning regional naming, and retyping figures into a master sheet — silently introducing the exact errors they're paid to prevent. Worse, someone pastes a farmer's personal phone number into a shared column and it lives there forever.

The software contrast

AI-assisted ingestion (Claude Haiku 4.5, temperature 0.1 for near-determinism) proposes a mapping from messy source columns into a fixed 14-entity canonical schema, with a confidence score and written reasoning on every suggestion — and a human approves each one (the uploader can't approve their own mappings; SOX separation of duties).

Then deterministic validators enforce VAT / DUNS / LEI / EORI regexes and ISO-2 / enum membership; "United Kingdom" → GB and "Med" → medium auto-normalize with a reviewable flag; placeholders like "N/A," "TBD," "asdf" are flagged, never trusted; detected personal data is redacted from the AI's view, encrypted (AES-256-GCM), routed to governed contact fields, and blocked entirely unless a GDPR lawful basis is recorded.

Nothing is silently dropped — the original value is always preserved with its provenance. And it ingests other systems' exports (Fairtrade Plot Insights, Sourcemap): bring your data, Daviah makes it defensible and portable.

What this gets you
Buyers stop playing formatting referee — but the real win isn't saved hours. It's that the normalized record carries its flags and its origin trail, so you know precisely what was cleaned, why, and by whom. Clean data you can't account for is just a tidier lie.
Pillar 03 · Integrity in the Record

The immutable ledger vs. security by trust

Data that can prove it hasn't moved
Manual upkeep

Supplier certificates and beneficial-ownership data move through email chains, thumb drives, and loosely managed Drive folders. There's no record of who viewed the sensitive file, and the "audit trail" is whatever someone remembers. Security is a hope.

The software contrast

Every mutation is written to a hash-chained audit log — each record's SHA-256 chained to the one before it — protected by a database-level trigger that raises an error on any UPDATE or DELETE (SOX/SOC2 CC7.2). The ledger is immutable in the database, not merely in the application. At export, the chain is re-verified; if it's been tampered with, the dossier is refused (HTTP 409), not flagged with a soft warning.

Access is governed by 261 permissions across 30 roles, scope-enforced (own / business-unit / global), and every grant or revoke requires a written justification and lands in a separate 7-year immutable permission log. Tenants are isolated by URL-derived subdomain and region, with Postgres row-level security on 33 tables and per-region database, storage, and secrets; PII is AES-256-GCM encrypted at rest with key rotation.

And a dossier requires two-person signoff — if the underlying data changes between the first signer and the cosigner, the signoff goes stale and export is blocked, so no one can rubber-stamp a snapshot that already moved.

What this gets you
Manual upkeep relies on trusting that nobody mishandled a sensitive file. Here the data itself carries the proof — tamper-evident — so you can show not just what the record says, but that the data behind it hasn't been altered since it was signed, and exactly who was cleared to touch it.
Pillar 04 · Freshness Against the World

Data that stays current vs. the freshest-looking lie

The system watches the law and the clock so the data doesn't quietly age past it
Manual upkeep

The biggest lie in a spreadsheet is that it's current. Regulations get amended, certificates expire, and evidence quietly ages past the point where it would still hold up — but the cell still shows green. Your data ages faster than you can update it, and the moment you discover the gap is the moment customs asks about it.

The software contrast

Daviah watches the regulations for you. The regulatory-intelligence service fetches official sources (EUR-Lex, OECD, US govinfo, Germany's BAFA) on a weekly cadence, fingerprints each with SHA-256, and detects amendments — including EUR-Lex consolidated-version tracking that catches a regulation being quietly superseded — then AI-compares your framework configuration against the current law and surfaces gaps, with deadlines, for a human to review.

It also watches the clock on your own evidence: certificates carry hard expiry dates and operator-set re-verification cadences, so when a piece of evidence decays, the record it supported is flagged as exactly that — a claim resting on data that has aged past it — and the gate turns it back into a blocker.

(When you do need to find something, one indexed search spans cases, evidence, observations, grievances, entities, and actions in a single round-trip — retrieval in service of defensibility, not a stopwatch.)

What this gets you
Data that stays honest about its own age. When a certificate has expired or a regulation has moved, the record stops pretending otherwise — before customs, or a customer's audit, notices first.
— The close

A compliance record can be complete, tidy, and current-looking — and none of those three things is the same as data that will hold under examination.

That's the whole distinction. Data quality treated as a cleanup pass produces the appearance of order. Data quality treated as infrastructure produces something else: information that carries its own proof, from the source, through every hand it passes through, all the way to the record on top.

The line worth ending on isn't about the record. It's about what the data can do when someone asks it a question:

— The Payoff
The data can answer for itself.
· · ·
Daviah IO

Daviah

Regulator-ready due diligence for companies whose supply chains carry regulatory exposure.

admin@daviah.io

Platform

ProductPricingDesign PartnersKnowledge BaseBlogAboutSecurityContact
Admin

© 2026 Daviah IO. All rights reserved.

Enterprise SaaS. Purpose-built.

Data resident in your elected region (US / EU) · SOX-grade audit logs · Per-tenant isolation · 30-day post-termination export window · Privacy policy · DPA