FAQ / Compliance

Are you 21 CFR Part 11 validated?

No — and intentionally so. Part 11 validation sits with the customer's QA team as part of their compliance program. We provide the capabilities Part 11 audits reference (audit log, signatures, access control); your QA team runs IQ/OQ/PQ on the deployed instance.

Why we don’t claim Part 11 validation

Vendors who claim “Part 11 validated product” are usually overstating what validation means. In GxP contexts, validation is an activity applied to a deployed computerized system, executed by the customer’s QA team, documented in their validation master plan, and maintained through their change-control procedures. The vendor’s role is supplying a product whose capabilities are appropriate for use in a Part 11 compliance program — not delivering “compliance” as a finished assertion.

What we actually provide

The capabilities Part 11 audits reference:

  • §11.10(e) — secure, computer-generated, time-stamped audit trail. Our audit log provides this.
  • §11.10(d) — limiting system access to authorized individuals. Microsoft Entra provides this; our layer inherits it.
  • §11.50 — signature manifestations including printed name, date, meaning of signature. Our DocuSign PAdES integration provides this.
  • §11.70 — signatures cannot be excised, copied, or transferred. PAdES cryptographic binding provides this.
  • §11.200(a) — two-factor authentication. Microsoft Entra MFA provides this; our layer inherits.
  • §11.100(a) — unique electronic signatures. Our named-Entra-identity attribution provides this.

What your QA team owns

  • IQ (Installation Qualification) of the deployed instance in your tenant.
  • OQ (Operational Qualification) documenting that the system functions as designed in your environment.
  • PQ (Performance Qualification) documenting that it operates correctly during actual use.
  • The validation master plan, change-control procedures, and periodic-review schedule.
  • Documented risk assessment appropriate to the GxP scope.

This separation matches how Part 11 validation actually works. Italfarmaco runs this model; the customer’s QA team owns the validated-system assertion for their deployment.

See FDA 21 CFR Part 11 compliance and the Italfarmaco case study for deeper context.

Related features

Audit log

Every action, every approval, every version — captured against a named user, accessible in 30 seconds.

DocuSign e-signature integration

PAdES signatures — simple and advanced — cryptographically bound to the approved PDF, inside the same approval flow.

Deeper context

Compliance · Tier B

FDA 21 CFR Part 11

More in Compliance

?

Does the audit log meet FDA 21 CFR Part 11 requirements?

The audit log provides the capabilities §11.10(e) explicitly requires: secure, computer-generated, time-stamped, append-only, named-user attributed, captures create/modify/delete events. Whether your program meets Part 11 depends on the validation work your QA team does around it.

?

Can we use this for GxP-regulated workflows?

Yes — customers use the capabilities in their Part 11 and GxP compliance programs. We're not positioned as a validated QMS platform (MasterControl and equivalents fill that slot). For SOPs and documented information in GxP scope where the customer's QA team runs validation, we fit well.

?

How does this fit with Microsoft Purview?

Two different layers that interoperate. Purview handles tenant-level records retention, legal hold, eDiscovery, and DLP. We handle active document governance on top — templates, approvals, review cadence, audit-log evidence. Customers run both together without conflict.

Question not on this list?

A 30-minute assessment is usually the fastest way to get a specific answer to a specific question about your organization's profile.

Book a free assessment or see all FAQs