Quilt Web Catalog · For regulated life sciences
Audit trails and provenance for Amazon S3
A versioned, inspectable layer on top of your S3 buckets. Every dataset cryptographically addressed, every change attributed, every package reviewable in a browser without moving data out of your AWS account.
S3 records, ready for inspection
Records in S3 are easy to store and difficult to defend. CloudTrail confirms that an object was written. It does not confirm that revision 3 of a regulated dataset has remained unchanged since it was signed last April. The Quilt Web Catalog provides that confirmation in a form an auditor can read, on data that has not left your AWS account.
Immutable, hashed packages
Every dataset is a versioned bundle of files, metadata, and documentation, addressed by a single top-level cryptographic hash. The hash is the address you cite in submissions, papers, and validation documents.
Tamper-evident audit trail
CloudTrail records object operations. The Quilt Web Catalog records package-level events with attribution, schema validation, and workflow context. Exportable to PDF, CSV, or JSON for any inspection scope.
Lineage and provenance
Every package shows its upstream sources, the pipeline (and version) that produced it, and every downstream package that depends on it. No SQL, no engineering ticket. Open the package in a browser.
Runs in your AWS account
Quilt deploys into your VPC, under your IAM, with your KMS keys. Data stays in your S3 buckets. Object Lock, retention, and access policies stay under your control.
Day-one use
What scientists, engineers, and auditors do on top of the catalog.
Scientists
Search across millions of objects by assay, project, tissue, or instrument. Preview NGS, imaging, and tabular data in the browser. Cite an exact dataset revision in a notebook by hash.
Bioinformatics
Publish pipeline outputs as atomic packages with parameters and version metadata included. Reuse upstream packages by hash so re-runs are deterministic. Trigger automation on every new revision.
QA and compliance
Open any package, review who created which revision and when, view the README and metadata, export the full audit trail to PDF, and verify tamper-evidence with hashes plus S3 Object Lock.
Security and IT
Enforce VPC, IAM, KMS, and Object Lock posture from existing AWS controls. Audit Quilt itself via CloudTrail. Roll out across teams with SSO and SCIM.
How it works
Packages, not files
A regulated record is rarely a single file. It is a sample manifest, a QC report, the FASTQs, a pipeline parameters JSON, and a README, and the integrity claim only makes sense when they travel together. Quilt Packages bind them into one cryptographically addressed unit, so a signature covers all of it and references travel as a whole.
Workflows that refuse non-compliant records
Configurable workflows live in your Quilt deployment as code. An NGS package can be required to include a sample manifest and a QC report. A submission package can be required to declare a study ID. A signed record can be required to include signer identity, timestamp, and meaning of signature. Packages that do not satisfy the contract are not registered. Compliance posture stops depending on people remembering to do the right thing.
One source of truth for humans and machines
Auditors use the same Quilt Web Catalog UI that scientists use. Downstream pipelines and AI agents read the same packages via the quilt3 Python client and the Quilt MCP server. The system that's auditable is the system that gets used.
In production
"Quilt strikes a great balance of being easy to use yet adaptable to many needs around storage and sharing of data and analysis that works at Inari from the server all the way to the field. Its flexibility means we use Quilt in several different ways and continue to find new use cases as we grow."
Matt Eckerle
Enterprise Data Manager, Inari
How it fits into your AWS stack
Amazon S3
Data stays in your buckets, in standard formats. Quilt adds the catalog, not a parallel storage tier.
S3 Object Lock and KMS
Quilt registers packages into Object-Locked, KMS-encrypted buckets. Tamper-evidence is enforced at the storage layer.
CloudTrail and AWS Config
Quilt complements CloudTrail with package-level audit events. Existing monitoring keeps working.
HealthOmics, Batch, Bedrock
Pipelines publish outputs as Quilt packages. AI agents consume packages via the Quilt MCP server.
See the Quilt Web Catalog on your data
Bring three regulated datasets to a working session. In about forty-five minutes we'll show you what they look like as packages, what the audit trail looks like, and what's blocking inspection readiness today.