Available in Enterprise edition and will be enabled in your account on request

What is 21 CFR Part 11?

Closed System and Open System

1. Closed systems
   
2. Open systems
   

21 CFR Part 11 Regulation for Zoho Sign

Subpart B - Electronic Records

11.10 Controls for closed systems

1. Zoho Sign providers the option to download the signed documents and export them with the certificate of completion.
   
2. The audit trail for these documents can be viewed as well as be downloaded in a csv format.

1. All data is protected using AES-256 encryption while at rest and SSL encryption while in transit.
   
2. These electronic records are stored in multiple databases and a copy of the same will be available at anytime to the user, which can be accessed from Zoho Sign's interface.
   

1. Admins are responsible for defining a procedure for system changes for their system configuration and authorized access to the Zoho Sign system. 
   
2. Zoho has implemented physical and logical security controls, limiting system access and documenting the access of authorized individuals.
   
3. Data is secured by both the platform functionality and the custom configuration by utilizing the access management.
   

1. Zoho Sign's activity report will log all actions (both date and time of the document action) in both the document level and user level, which cannot be disabled or modified.
   
2. A certificate of completion is also provided, which captures the history of the document action.
   
3. The certificate of completion will be exported as PDF file and the activity report as CSV format.

1. Documents are sent in the signing order configured by the sender.
   
2. The digitally-signed records cannot be modified in Zoho Sign once the signing request is completed.

1. Zoho Sign authorizes the user using their account credentials and with multi-factor authentication as one of the login methods , before allowing them to access or modify their records in their organization.
   
2. Zoho Sign has two roles: Admins and Users with different permissions.
   
3. Zoho has the following password configuration policies, which should be followed by the admin while creating the password:
   
1. Choose the minimum and maximum character length
   
2. Minimum numeric digits and special characters
   
3. Maximum password age
   
4. Refusal of the already used passwords
   

1. Zoho Sign is capable of validating the device and the IP address of the network.
   
2. Organization can whitelist their IP addresses by configuring them in Zoho Directory.
   
3. The sender has an option to restrict document signing via mobile browser.
   

1. It is the organization admin's responsibility to demonstrate to, educate, and train their users to use electronic signature systems.
   
2. Zoho has various knowledge sharing courses to help the users who develop and maintain the electronic signature systems as per the industry standards.

1. It is the organization administrators' responsibility to create and enforce a policy that states the legal value of the electronically signed document and the signer's responsibility.
   
2. If not, Zoho Sign's default legal disclosure will be sent to the signers.
   
3. The signer must agree to this legal disclosure before starting the document action.
   
4. The legal disclosure agreed by the recipient will be part of the certificate of completion.
   

1. Zoho Sign has the necessary SOP (Standard operating procedure) and relevant documents in place.
   
2. Zoho Sign also periodically revisits the control procedure documentation ensure the compliance standard set by the FDA regulations is being satisfied. 
   
   

11.30 Controls for open systems

1. Zoho Sign follows all the controls identified in the subsection 11.10. For open systems, Zoho Sign follows and has taken the appropriate measures.
   
2. All documents in Zoho Sign are encrypted with AES-256 at rest and SSL/TLS encryption while in transit.
   
3. Zoho Sign follows Public Key Infrastructure (PKI) standards, and also offers trusted document timestamping , with which the authenticity, integrity, and confidentiality of the document is maintained.
   
4. Zoho Sign asks users to log in to their account to access their documents. Additionally, users can also set multi-factor authentication as an additional layer of security.
   
5. The signer must log in to their Zoho Sign account to access the document.
   
6. The signer then needs to enter the access code received via email/SMS.
   
7. All account related actions will be captured in the activity report, which can be viewed in Zoho Sign as well as exported in CSV format.
   
8. The signed document is certified with a digital certificate, which provides the integrity of the document.
   
9. The signed document becomes invalid if the contents or even the signature is modified.
   

11.50 Signature manifestations

1. All controls followed for electronic records will also be applicable while adding visible signature.
   
2. The signature metadata will be present in the signed document, which will be linked with the signed record and in the certificate of completion.
   The signature metadata will be visible on the web, downloaded version and the printed version of the signed record.

11.70 Signature/record linking

1. Zoho Sign restricts the addition of new signature, removal of the existing signature and copying and pasting the signature from its original position, after the signing process is completed.
   
2. If the user tries to falsify, transfer, or copy the original document signature to any other electronic record, the copied signature will not be linked to the electronic record.
   

Subpart C - Electronic Signatures

11.100 General requirements

1. Zoho Sign verifies users with their email address and passwords.
   
2. Every user's electronic signature will be a unique combination of values as per PKI standards and cannot be reused or reassigned to anyone else.
   
3. A unique system generated user ID is mapped to the user and can be found in the visible signature.
   

1. When an admin adds a new user to their Zoho Sign organization, the user receives a confirmation mail to activate their account.
   
2. It is the admin's responsibility to verify the user before adding them to the organization.
   
3. It is the sender's responsibility to assign the document to the correct recipient.
   
4. When signing a document sent from a 21 CFR Part 11 enabled account, the signer has to enter the access code received via SMS/email to access the document.
   
5. While filling the first signature/initial field, the signer would be prompted to re-authenticate themselves with their Zoho Sign credentials and once done, the signer can finish the document signing action.
   
6. If the signing session is interrupted, or refreshed, the signer has to enter the new access code that they would receive and re-authenticate themselves to complete the signing action. 
   

1. Documents signed with digital signatures are legally binding and hold the same value as a hand-written signature for most business agreements and transactions. 
   
2. Documents signed using Zoho Sign are legally compliant under the ESIGN Act in the United States .
   

11.200 Electronic signature components and controls

1. While accessing the document, if the signer has already logged in to their Zoho Sign account, they can enter the access code to view the document. 
   
2. If the user hasn't logged in already, Zoho Sign will prompt the user to log in to their Zoho Sign account, then enter the access code to view the document.
   
3. While filling the first signature/initial field, the signer is prompted to re-enter their Zoho Sign credentials along with multi factor authentication (if enabled).
   

1. Irrespective of the number of documents in a signing request or the number of signature/initial fields, Zoho Sign prompts the signer to re-authenticate themselves once per signing request.
   
2. If there are continuous signing requests, the signer must enter the new access code which they would receive via email/SMS and re-authenticate themselves every single time.
   

1. If the signer doesn't perform a continuous signing action or refreshes the signing window, the signer must re-enter the access code received via email/SMS and re-authenticate themself while filling the first signature/initial field.
   

1. Every Zoho Sign user must authenticate themselves with their credentials and multi-factor authentication (if enabled), which must be confidential and belongs to the user alone.
   
2. It is the organization's responsibility to set up password policy and two-factor authentication policy for their organization.
   
3. It is also the organization's responsibility to educate users from refraining to share their credentials with others.
   

1. Only the assigned recipient can sign the document. 
   
2. If the signer is unavailable to sign the document, the sender/admin must recall and send again later, or change the recipient for the existing document.
   
3. If the sender is unavailable, the admin can also change the ownership of the document.
   

11.300 Controls for identification codes/passwords

1. The combination of email address, password, and user ID identifies the particular user. This combination is also used to authenticate the user while filling the first signature/initial field in the document.
   
2. This combination of email address and password is unique to each user.
   
3. Signers must have logged into their Zoho Sign account using their email address and password and enter the access code received via email/SMS to access a document sent from a 21 CFR Part 11 enabled account.
   

1. Zoho provides the provision for the admin to set the appropriate password policy. It is the admin's responsibility to use those password settings.

1. It is the responsibility of the admin to educate the users about loss management and steps to be taken by users in case their account is compromised.
   
1. Users can change their password. Learn more
   
2. Users can close their account. Learn more
   
3. Users can manage their active sessions and other apps in which they logged with Zoho account. Learn more
   
4. Zoho Sign admins can revoke access of users, remove users from the organization, and change the ownership of the document/template. Learn more
   

1. Users will be notified via email when a login is attempted from a different network. Learn more
   
2. Users can restrict their account access to a certain IP addresses. Learn more
   
3. Account will be temporarily blocked in case of any threat to user's network. Learn more
   
4. It is also the user's responsibility to refrain from sharing their credentials.
   

1. Zoho Sign has no devices or tokens to generate or alter the account's information such as identification code or password information.