FDA 21 CFR Part 11 compliance

[Korijn]

If this tool is compliant with FDA 21 CFR Part 11 it can be adopted in regulated environments. It's the reason my company is a docusign client.

Requirements can be found here: https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11

[AlexBTurchyn]

@Korijn Thanks for sharing - i'll examine this document. Also worth to mention that those are the regulations from FDA (USA) - other countries have their own digital signature regulations.

[MarleTangible]

Summary: Just asking users for their password or an approval code delivered to via email/phone can easily make DocuSeal compliant.

Edit: Please let us know if there is an existing procedure in DocuSeal, like e-signatures etc. that already asks for a password at the time of signing.

Although the regulation is from FDA and other countries have different regulations, the general concept of what is required is quite useful and can be used to cover various other regulations all at once. Most of the requirements are things that DocuSeal already meets, things like each user should use a dedicated username and password, etc. The regulation also contains guidance about how to manage the system, like creating policies that keeps individuals responsible for their electronic signatures.

The most tricky part of this compliance is the part below. Practically saying that if the user is signing a document, they should be asked to reauthenticate to ensure it is really them. It is just a precaution to prevent bad actors from using someone unlocked computer to sign documents. Our Quality Management System (QMS) UniPoint just asks the user for their password every time they are signing a form, training, or providing approval for a request. That's it.

11.200 (a)(1)(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.