Zoho Sign allows you to achieve the functionalities of a closed system by enabling all life science controls, which will be useful for FDA-regulated organizations to ensure the authenticity and integrity of records and signatures end-to-end.
21 CFR Part 11 Regulation for Zoho Sign
Subpart B - Electronic Records
11.10 Controls for closed systems
Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Subsection 11.10(a)
Zoho Sign validates the functionality of its features through testing and demonstration to ensure the system's ability to handle electronic records properly and accurately.
Learn more about Zoho's security policy here.
The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
Subsection 11.10(b)
- Zoho Sign provides the option to download the signed documents and export them with the certificate of completion.
- The audit trail for these documents can be viewed and also downloaded in CSV format.
Protection of records to enable their accurate and ready retrieval throughout the record retention period.
Subsection 11.10(c)
- All data is protected using AES-256 encryption while at rest and SSL encryption while in transit.
- These electronic records are stored in multiple databases, and a copy is available to the user at any time and can be accessed from Zoho Sign's interface.
Know more about data availability and retention in Zoho Sign here.
Limiting system access to authorized individuals.
Subsection 11.10(d)
- Admins are responsible for defining a procedure for changes to their system configuration and for authorized access to the Zoho Sign system.
- Zoho has implemented physical and logical security controls, limiting system access and documenting the access of authorized individuals.
- Data is secured by both platform functionality and custom configuration using access management.
Find more about physical security here, and network security here.
Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Subsection 11.10(e)
- Zoho Sign's activity report logs all actions (with both the date and time of the document action) at both the document level and the user level, and it cannot be disabled or modified.
- A certificate of completion is also provided, which captures the history of the document action.
- The certificate of completion will be exported as a PDF file and the activity report in CSV format.
Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
Subsection 11.10(f)
- Documents are sent in the signing order configured by the sender.
- The digitally-signed records cannot be modified in Zoho Sign once the signing request is completed.
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Subsection 11.10(g)
- Zoho Sign authorizes users with their account credentials, with multi-factor authentication as one of the login methods, before allowing them to access or modify records in their organization.
- Zoho Sign has two roles, Admins and Users, with different permissions.
- Zoho has the following password configuration policies, which the admin should follow while creating the password:
  - Minimum and maximum character length
  - Minimum numeric digits and special characters
  - Maximum password age
  - Refusal of already used passwords
Find more about Zoho's password policy here.
Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Subsection 11.10(h)
- Zoho Sign is capable of validating the device and the IP address of the network.
- Organizations can whitelist their IP addresses by configuring them in Zoho Directory.
- The sender has an option to restrict document signing via mobile browser.
Find more about configuring IP addresses in Zoho Directory here.
Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Subsection 11.10(i)
- It is the organization admin's responsibility to demonstrate electronic signature systems to their users, and to educate and train them to use these systems.
- Zoho has various knowledge-sharing courses to help the users who develop and maintain the electronic signature systems as per industry standards.
The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Subsection 11.10(j)
- It is the organization administrators' responsibility to create and enforce a policy that states the legal value of the electronically signed document and the signer's responsibility.
- If not, Zoho Sign's default legal disclosure will be sent to the signers.
- The signer must agree to this legal disclosure before starting the document action.
- The legal disclosure agreed to by the recipient will be part of the certificate of completion.
Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
Subsection 11.10(k)(1)
Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Subsection 11.10(k)(2)
- Zoho Sign has the necessary SOP (standard operating procedure) and relevant documents in place.
- Zoho Sign also periodically revisits the control procedure documentation to ensure the compliance standard set by the FDA regulations is being satisfied.
11.30 Controls for open systems
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
- Zoho Sign follows all the controls identified in subsection 11.10 and, for open systems, has taken the appropriate measures.
- All documents in Zoho Sign are encrypted with AES-256 at rest and SSL/TLS encryption while in transit.
- Zoho Sign follows Public Key Infrastructure (PKI) standards, and also offers trusted document timestamping, with which the authenticity, integrity, and confidentiality of the document are maintained.
- Zoho Sign asks users to log in to their account to access their documents. Additionally, users can also set multi-factor authentication as an additional layer of security.
- The signer must log in to their Zoho Sign account to access the document.
- The signer then needs to enter the access code received via email/SMS.
- All account-related actions will be captured in the activity report, which can be viewed in Zoho Sign as well as exported in CSV format.
- The signed document is certified with a digital certificate, which ensures the integrity of the document.
- The signed document becomes invalid if the contents or even the signature is modified.
Find more about multi-factor authentication here.
11.50 Signature manifestations
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
Zoho Sign collects all this information via visible signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
- All controls followed for electronic records also apply when adding a visible signature.
- The signature metadata will be present in the signed document, linked with the signed record, and in the certificate of completion.
- The signature metadata will be visible on the web version, the downloaded version, and the printed version of the signed record.
Find more about visible signatures here.
11.70 Signature/record linking
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
- After the signing process is completed, Zoho Sign restricts the addition of a new signature, the removal of an existing signature, and the copying and pasting of a signature from its original position.
- If the user tries to falsify, transfer, or copy the original document signature to any other electronic record, the copied signature will not be linked to the electronic record.
Subpart C - Electronic Signatures
11.100 General requirements
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
- Zoho Sign verifies users with their email address and password.
- Every user's electronic signature will be a unique combination of values as per PKI standards and cannot be reused or reassigned to anyone else.
- A unique system-generated user ID is mapped to the user and can be found in the visible signature.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
- When an admin adds a new user to their Zoho Sign organization, the user receives a confirmation mail to activate their account.
- It is the admin's responsibility to verify the user before adding them to the organization.
- It is the sender's responsibility to assign the document to the correct recipient.
- When signing a document sent from a 21 CFR Part 11 enabled account, the signer has to enter the access code received via SMS/email to access the document.
- While filling the first signature/initial field, the signer is prompted to re-authenticate themselves with their Zoho Sign credentials; once done, the signer can finish the document signing action.
- If the signing session is interrupted or refreshed, the signer has to enter the new access code that they receive and re-authenticate themselves to complete the signing action.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
- Documents signed with digital signatures are legally binding and hold the same value as a handwritten signature for most business agreements and transactions.
- Documents signed using Zoho Sign are legally compliant under the ESIGN Act in the United States.
You can refer to Zoho Sign's legality guide here.
11.200 Electronic signature components and controls
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
- While accessing the document, if the signer has already logged in to their Zoho Sign account, they can enter the access code to view the document.
- If the user hasn't logged in already, Zoho Sign will prompt the user to log in to their Zoho Sign account, then enter the access code to view the document.
- While filling the first signature/initial field, the signer is prompted to re-enter their Zoho Sign credentials along with multi-factor authentication (if enabled).
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
- Irrespective of the number of documents in a signing request or the number of signature/initial fields, Zoho Sign prompts the signer to re-authenticate themselves once per signing request.
- If there are continuous signing requests, the signer must enter the new access code that they receive via email/SMS and re-authenticate themselves every single time.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
- If the signer doesn't perform a continuous signing action or refreshes the signing window, the signer must re-enter the access code received via email/SMS and re-authenticate themselves while filling the first signature/initial field.
(2) Be used only by their genuine owners; and
- Every Zoho Sign user must authenticate themselves with their credentials and multi-factor authentication (if enabled), which must be kept confidential and belong to the user alone.
- It is the organization's responsibility to set up a password policy and a two-factor authentication policy for their organization.
- It is also the organization's responsibility to educate users to refrain from sharing their credentials with others.
Find more about the password policy here and about multi-factor authentication here.
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
- Only the assigned recipient can sign the document.
- If the signer is unavailable to sign the document, the sender/admin must recall and send again later, or change the recipient for the existing document.
- If the sender is unavailable, the admin can also change the ownership of the document.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Zoho Sign currently does not support biometric-based document signing.
11.300 Controls for identification codes/passwords
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
- The combination of email address, password, and user ID identifies the particular user. This combination is also used to authenticate the user while filling the first signature/initial field in the document.
- This combination of email address and password is unique to each user.
- Signers must log in to their Zoho Sign account using their email address and password and enter the access code received via email/SMS to access a document sent from a 21 CFR Part 11 enabled account.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
- Zoho provides a provision for the admin to set the appropriate password policy. It is the admin's responsibility to use those password settings.
Know more about the password policy here.
(c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
- It is the responsibility of the admin to educate the users about loss management and the steps to be taken by users in case their account is compromised.
- Users can change their password. Learn more
- Users can close their account. Learn more
- Users can manage their active sessions and other apps into which they have logged in with their Zoho account. Learn more
- Zoho Sign admins can revoke access of users, remove users from the organization, and change the ownership of the document/template. Learn more
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
- Users will be notified via email when a login is attempted from a different network. Learn more
- Users can restrict their account access to certain IP addresses. Learn more
- The account will be temporarily blocked in case of any threat to the user's network. Learn more
- It is also the user's responsibility to refrain from sharing their credentials.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
- Zoho Sign has no devices or tokens to generate or alter the account's information such as identification code or password information.