Tier B · can be used in your compliance program

FDA 21 CFR Part 11 controls for electronic records and e-signatures

Audit trails, controlled approval, and PAdES e-signature for pharma and medical-device documentation.

The product provides document-governance capabilities — unique user authentication, access control, complete audit trail, versioning, and PAdES e-signature via DocuSign — that pharma and medical-device customers can use in their 21 CFR Part 11 compliance program. The product itself is not positioned as a 21 CFR Part 11 validated solution; validation and regulatory responsibility remain with the customer.



What 21 CFR Part 11 asks for — in plain language

21 CFR Part 11 is the FDA's regulation on electronic records and electronic signatures. For pharma, biotech, and medical-device organizations subject to FDA oversight, Part 11 establishes the criteria under which electronic records (in lieu of paper) and electronic signatures (in lieu of handwritten) are considered trustworthy and reliable.

The regulation has two main parts:

Subpart B — Electronic Records. Systems handling electronic records must include:

  • Access controls — limit system access to authorized individuals (§11.10(d)).
  • Audit trails — secure, computer-generated, time-stamped records of operator entries and actions that create, modify, or delete records (§11.10(e)). Audit trail information must be retained for at least as long as the underlying record.
  • Record integrity — procedures and controls to ensure the records' authenticity, integrity, and confidentiality (§11.10(c)).
  • Record retrieval — records must be ready and accurate for review (§11.10(a), (b)).
  • System validation — the system must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records (§11.10(a)).

Subpart C — Electronic Signatures. Electronic signatures must:

  • Be unique to one individual (§11.100, §11.200).
  • Contain the printed name of the signer, date/time, and meaning of the signature (§11.50).
  • Be linked to their respective electronic records (§11.70) so they can't be transferred or copied.
  • Use at least two distinct identification components (e.g., user ID + password) (§11.200).

docs365.ai provides capabilities in each of these areas that pharma customers use as part of their Part 11 compliance program — with the explicit understanding that validation and the ongoing compliance posture remain the customer's responsibility.


Capability-to-control mapping

Access control (§11.10(d))

Capability: Unique user authentication via Microsoft Entra ID (Azure AD). Every action is tied to a named user. Per-document and per-library SharePoint permissions control who can create, read, edit, or approve. External users (contractors, consultants) can be granted narrow access without joining the organization's primary identity provider, if the customer's security model allows.

Audit trail (§11.10(e))

Capability: A complete, time-stamped audit log of every action on every document — creation, modification, approval, rejection, publication, archive. Tied to named user identities. Accessible per document from the document's context menu, not an administrative back-end. Retained alongside the document for the document's full lifecycle.

The audit log captures what was done (approval, edit, publication), who did it (named Entra user), when (timestamped to the second), against which version (the audit log is version-specific), and what role the actor held (approver, reviewer, editor, auditor, supervisor).

Record integrity (§11.10(c))

Capability: During an approval flow, the document is automatically checked out — it cannot be edited. An approval therefore applies to a specific, unambiguous version. After publication, the PDF in the public area cannot be modified. Version history preserves every prior state; prior versions are recoverable but are not the canonical "in effect" version.

Record retrieval (§11.10(a), (b))

Capability: Documents are searchable and filterable by protocol code, document type, status, publication date, and any custom metadata the customer configures. Historical versions are retrievable through the version history. Archived documents are retrievable through the archived-documents view.

Electronic signatures (Subpart C)

Capability: DocuSign integration for PAdES simple or PAdES advanced electronic signature. DocuSign's signature framework provides signer identity (via email or stricter verification options configured by the customer), timestamping, cryptographic binding of the signature to the document, and a separate signature certificate embedded in the signed PDF that records the signer's name, the date and time, and the signature's meaning.

The signed PDF returns to the library with the approval-and-signature history intact. The linkage between the document and the signature is preserved by PAdES' cryptographic binding — the signature cannot be transferred to another document.


The validation posture

21 CFR Part 11 §11.10(a) says the system must be validated. Validation is the customer's responsibility — it is an activity the customer's QA or Computer System Validation team performs to demonstrate, to the FDA or to internal assurance bodies, that the specific installation of the system performs reliably for the specific regulated use case.

intranet.ai does not provide pre-validated-for-Part-11 binaries, and we do not position the product as "validated" in the Part 11 sense. What we provide is:

  • A software product whose documented capabilities map to the specific Part 11 expectations above.
  • Implementation support during the initial configuration.
  • Software maintenance (bug fixes, security patches) under the annual subscription.
  • A stable change-management model (documented releases, new features every six months, communicated changelogs) that the customer's validation team can incorporate into their ongoing verification activities.

The customer's QA team performs validation — installation qualification, operational qualification, performance qualification — against their specific intended use of the product. Customers running processes under Part 11 do exactly this, successfully, with this product. See the Italfarmaco reference below.

What unique authentication looks like in practice

Because the product is Microsoft-365-native, unique user identification flows from Entra ID. Every action on every document is tied to the acting user's Entra identity. The identification token is not a user-generated password typed into a form — it's a cryptographically bound session backed by the tenant's identity provider, with whatever conditional-access policies the organization requires.

For organizations that require multi-factor authentication for 21 CFR Part 11 signature events, MFA is configured at the Entra level and applies uniformly. The e-signature step through DocuSign adds its own identity re-verification — DocuSign can be configured to re-authenticate the signer via email, SMS, knowledge-based authentication, or stronger ID-verification flows, depending on the customer's risk profile.


Italfarmaco

Customer story

"We centralized every active procedure across our departments into one governed repository with a structured approval flow — while our QA team owns the 21 CFR Part 11 validation posture."

— QA Operations — Italfarmaco

A customer who relies on this

Italfarmaco centralized all active procedures across their departments into a single governed repository with a structured approval flow. Their QA team owns the validation posture for 21 CFR Part 11 — including the Part 11 fit of this product as it operates in their specific environment. docs365.ai provides the unique authentication, audit trail, versioning, and PAdES e-signature capabilities they use.



What's explicitly out of scope

CAdES signatures. CAdES (.p7m envelope format, often used for signing non-PDF artifacts in some European contexts) is not supported by the DocuSign integration or by the product. Customers who require CAdES for specific documents maintain a parallel signature workflow for those documents.

Qualified electronic signatures (QES). Qualified e-signatures under eIDAS (the EU framework that includes SPID-identified tokens) are not supported. Customers who require QES for specific documents — typically a small subset of pharma documentation — use an alternative mechanism for those signatures.

Pre-validated installation. We don't ship a pre-validated-for-Part-11 installation. Validation is the customer's responsibility, conducted by the customer's QA or CSV team.

Turnkey QMS. The product is a document-management system, not a quality-management system in the full pharma sense. Broader QMS concerns (training-compliance management beyond document acknowledgment, deviations, CAPAs, supplier-quality management) are not in scope. For customers seeking a full validated QMS with turnkey Part 11 fit, MasterControl and similar vendors operate in that category. See the comparison page intranet.ai vs. MasterControl →.


FAQ

Is the product "validated" for 21 CFR Part 11?

We do not claim pre-validation. Validation is conducted by the customer's QA team for their specific installation and intended use. We provide capabilities that customers use; we support the customer's validation effort with documentation and stable releases.

Does the product handle Part 11 record retention?

The product preserves every version of every document through SharePoint's native versioning. Retention periods can be enforced at the tenant level through Microsoft Purview retention policies, and at the product level by archive-rather-than-delete discipline.

What about ICH-GCP, GMP, GLP documents?

The product's lifecycle applies to any controlled document that pharma or biotech organizations need to manage: SOPs, master batch records, laboratory notebooks (as documents, not as native lab systems), change-control documents, deviation records, protocol-specific work instructions. Fit with specific ICH and GxP expectations is verified by the customer's QA team.

Can I use this for regulatory submissions (eCTD)?

The product is not an eCTD submission tool. It manages the documents that go into submissions — the sponsor's internal SOPs, the protocol documents, the change-control records — with the audit and versioning discipline those documents need. The eCTD assembly and submission itself uses specialized tools.

