FAQ / Compliance

Does the audit log meet FDA 21 CFR Part 11 requirements?

The audit log provides the capabilities §11.10(e) explicitly requires: secure, computer-generated, time-stamped, append-only, named-user attributed, captures create/modify/delete events. Whether your program meets Part 11 depends on the validation work your QA team does around it.

The audit log’s structural properties

§11.10(e) of FDA 21 CFR Part 11 specifies what an audit trail must do. Mapping against our audit log:

§11.10(e) requirement	How we satisfy it
Secure	Append-only by architecture, integrated with tenant access controls
Computer-generated	Events fire automatically on every lifecycle action; users can’t add or omit entries
Time-stamped	Timestamps from SharePoint platform, not user-submitted
Captures create/modify/delete	Every lifecycle event captured — creation, edit, approval, archive, reminder, signature
Does not obscure prior entries	Append-only means earlier entries remain visible regardless of later document changes

Additionally, every entry is attributed to a specific Microsoft Entra identity (not a group, not a shared account), which satisfies §11.10(g) identification requirements and §11.100(a) unique-signature expectations.

What the audit log doesn’t do alone

Part 11 §11.200(a) also requires two-factor authentication. Our audit log captures the authenticated session’s identity, but the two-factor requirement itself is met at the Microsoft Entra tenant level. Customers running Part 11 programs typically enforce MFA on their Entra tenant; every audit-log entry then comes from an MFA-authenticated session by inheritance.

Part 11 §11.50 requires signature manifestations (printed name, date, meaning) — this is handled by the PAdES signature in the DocuSign integration, with the signed PDF binding the manifestation cryptographically. The audit log records that the signing happened; the PDF carries the manifestation visibly.

The validation gap

The audit log meets the §11.10(e) capability requirements structurally. Whether your program passes a Part 11 inspection depends on additional factors that live with you: your validation posture (IQ/OQ/PQ of the deployed system), your SOPs for managing the Part 11 program, your periodic review and change-control practices, and your training documentation for workforce members operating in Part 11 scope.

Customers with mature Part 11 programs typically treat our audit log as a key compliance capability and run their validation scope around it. Customers newer to Part 11 should expect the validation work to be substantial — not because our product is difficult to validate, but because Part 11 validation is inherently substantial for any computerized system in GxP scope.

Related features

Audit log

Every action, every approval, every version — captured against a named user, accessible in 30 seconds.

Deeper context

Compliance · Tier B

FDA 21 CFR Part 11

Pillar guide

Audit trails for ISO 9001 and 21 CFR Part 11

Are you 21 CFR Part 11 validated?

No — and intentionally so. Part 11 validation sits with the customer's QA team as part of their compliance program. We provide the capabilities Part 11 audits reference (audit log, signatures, access control); your QA team runs IQ/OQ/PQ on the deployed instance.

Can we use this for GxP-regulated workflows?

Yes — customers use the capabilities in their Part 11 and GxP compliance programs. We're not positioned as a validated QMS platform (MasterControl and equivalents fill that slot). For SOPs and documented information in GxP scope where the customer's QA team runs validation, we fit well.

How does this fit with Microsoft Purview?

Two different layers that interoperate. Purview handles tenant-level records retention, legal hold, eDiscovery, and DLP. We handle active document governance on top — templates, approvals, review cadence, audit-log evidence. Customers run both together without conflict.

Question not on this list?

A 30-minute assessment is usually the fastest way to get a specific answer to a specific question about your organization's profile.

Book a free assessment or see all FAQs