21 CFR Part 11 compliance with Zoho Sign | FDA

21 CFR Part 11 in Zoho Sign

Available in Enterprise edition and will be enabled in your account on request

What is 21 CFR Part 11?

The part 11 of Title 21 of the Code of Federal Regulations establishes the regulations on electronic records and electronic signatures.Records in electronic form that are created, maintained, retrieved, transferred, or submitted according to any records outlined by the FDA regulations are referred to as "Part 11". With a few specific exceptions, Part 11 applies to businesses in the pharmaceutical and medical device sectors, biotechnology, and other FDA-regulated sectors.

Closed System and Open System

The FDA has defined two types of systems for 21 CFR Part 11:
  1. Closed systems
  2. Open systems
  1. In a closed system , system access is controlled by people who are responsible for the content present in the electronic records. 21 CFR Part 11 requires close systems to have procedures and controls to protect the electronic records.
  2. In an open system , the system access is not controlled by people who are responsible for the content present in the electronic records. Since the access is not controlled by people, necessary security measures must be implemented to protect the records from being compromised by unauthorized users. 21 CFR Part 11 requires open systems to ensure all the electronic records are authentic and tamper-proof, and that confidentiality is maintained.
Zoho Sign allows you to achieve the functionalities of a closed system by enabling all life science controls, which will be useful for FDA-regulated organizations to ensure the authenticity and integrity of records and signatures end-to-end.

21 CFR Part 11 Regulation for Zoho Sign

Subpart B - Electronic Records

11.10 Controls for closed systems

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records . Subsection 11.10(a)

Zoho Sign validates the functionality of the features by testing and demonstrating to ensure the system's ability to handle the electronic records properly and accurately.  

Learn more about Zoho's security policy here .

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records . Subsection 11.10(b)  
  1. Zoho Sign providers the option to download the signed documents and export them with the certificate of completion.
  2. The audit trail for these documents can be viewed as well as be downloaded in a csv format.
Protection of records to enable their accurate and ready retrieval throughout the record retention period. Subsection 11.10(c)
  1. All data is protected using AES-256 encryption while at rest and SSL encryption while in transit.
  2. These electronic records are stored in multiple databases and a copy of the same will be available at anytime to the user, which can be accessed from Zoho Sign's interface.
Know more about data availability and retention in Zoho Sign here

Limiting system access to authorized individuals. Subsection 11.10(d)  
  1. Admins are responsible for defining a procedure for system changes for their system configuration and authorized access to the Zoho Sign system. 
  2. Zoho has implemented physical and logical security controls, limiting system access and documenting the access of authorized individuals.
  3. Data is secured by both the platform functionality and the custom configuration by utilizing the access management.
Find more about physical security here , and network security here .

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. Subsection 11.10(e)  
  1. Zoho Sign's activity report will log all actions (both date and time of the document action) in both the document level and user level, which cannot be disabled or modified.
  2. A certificate of completion is also provided, which captures the history of the document action.
  3. The certificate of completion will be exported as PDF file and the activity report as CSV format.
Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. Subsection 11.10(f)  
  1. Documents are sent in the signing order configured by the sender.
  2. The digitally-signed records cannot be modified in Zoho Sign once the signing request is completed.
Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. Subsection 11.10(g)  
  1. Zoho Sign authorizes the user using their account credentials and with multi-factor authentication as one of the login methods , before allowing them to access or modify their records in their organization.
  2. Zoho Sign has two roles: Admins and Users with different permissions.
  3. Zoho has the following password configuration policies, which should be followed by the admin while creating the password:
    1. Choose the minimum and maximum character length
    2. Minimum numeric digits and special characters
    3. Maximum password age
    4. Refusal of the already used passwords
Find more about Zoho's password policy here

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. Subsection 11.10(h)
  1. Zoho Sign is capable of validating the device and the IP address of the network.
  2. Organization can whitelist their IP addresses by configuring them in Zoho Directory.
  3. The sender has an option to restrict document signing via mobile browser.
Find more about configuring IP addresses in Zoho Directory here

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. Subsection 11.10(i)  
  1. It is the organization admin's responsibility to demonstrate to, educate, and train their users to use electronic signature systems.
  2. Zoho has various knowledge sharing courses to help the users who develop and maintain the electronic signature systems as per the industry standards.
The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Subsection 11.10(j)
  1. It is the organization administrators' responsibility to create and enforce a policy that states the legal value of the electronically signed document and the signer's responsibility.
  2. If not, Zoho Sign's default legal disclosure will be sent to the signers.
  3. The signer must agree to this legal disclosure before starting the document action.
  4. The legal disclosure agreed by the recipient will be part of the certificate of completion.
Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance . Subsection 11.10(k)(1)
Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation . Subsection 11.10(k)(2)
  1. Zoho Sign has the necessary SOP (Standard operating procedure) and relevant documents in place.
  2. Zoho Sign also periodically revisits the control procedure documentation ensure the compliance standard set by the FDA regulations is being satisfied. 

11.30 Controls for open systems

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.                  
  1. Zoho Sign follows all the controls identified in the subsection 11.10. For open systems, Zoho Sign follows and has taken the appropriate measures.
  2. All documents in Zoho Sign are encrypted with AES-256 at rest and SSL/TLS encryption while in transit.
  3. Zoho Sign follows Public Key Infrastructure (PKI) standards, and also offers trusted document timestamping , with which the authenticity, integrity, and confidentiality of the document is maintained.
  4. Zoho Sign asks users to log in to their account to access their documents. Additionally, users can also set multi-factor authentication as an additional layer of security.
  5. The signer must log in to their Zoho Sign account to access the document.
  6. The signer then needs to enter the access code received via email/SMS.
  7. All account related actions will be captured in the activity report, which can be viewed in Zoho Sign as well as exported in CSV format.
  8. The signed document is certified with a digital certificate, which provides the integrity of the document.
  9. The signed document becomes invalid if the contents or even the signature is modified.
Find more about multi-factor authentication here

11.50 Signature manifestations

( a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: 
(1) The printed name of the signer; 
(2) The date and time when the signature was executed; and 
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. 

Zoho Sign collects all this information via visible signature .

(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
  1. All controls followed for electronic records will also be applicable while adding visible signature.
  2. The signature metadata will be present in the signed document, which will be linked with the signed record and in the certificate of completion.
    The signature metadata will be visible on the web, downloaded version and the printed version of the signed record.
Find more about visible signatures here

11.70 Signature/record linking

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
  1. Zoho Sign restricts the addition of new signature, removal of the existing signature and copying and pasting the signature from its original position, after the signing process is completed.
  2. If the user tries to falsify, transfer, or copy the original document signature to any other electronic record, the copied signature will not be linked to the electronic record.

Subpart C - Electronic Signatures

11.100 General requirements

( a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
  1. Zoho Sign verifies users with their email address and passwords.
  2. Every user's electronic signature will be a unique combination of values as per PKI standards and cannot be reused or reassigned to anyone else.
  3. A unique system generated user ID is mapped to the user and can be found in the visible signature.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
  1. When an admin adds a new user to their Zoho Sign organization, the user receives a confirmation mail to activate their account.
  2. It is the admin's responsibility to verify the user before adding them to the organization.
  3. It is the sender's responsibility to assign the document to the correct recipient.
  4. When signing a document sent from a 21 CFR Part 11 enabled account, the signer has to enter the access code received via SMS/email to access the document.
  5. While filling the first signature/initial field, the signer would be prompted to re-authenticate themselves with their Zoho Sign credentials and once done, the signer can finish the document signing action.
  6. If the signing session is interrupted, or refreshed, the signer has to enter the new access code that they would receive and re-authenticate themselves to complete the signing action. 
( c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.  
  1. Documents signed with digital signatures are legally binding and hold the same value as a hand-written signature for most business agreements and transactions. 
  2. Documents signed using Zoho Sign are legally compliant under the ESIGN Act in the United States .
You can refer to Zoho Sign's legality guide here .

11.200 Electronic signature components and controls

(a) Electronic signatures that are not based upon biometrics shall: 
(1) Employ at least two distinct identification components such as an identification code and password.  
  1. While accessing the document, if the signer has already logged in to their Zoho Sign account, they can enter the access code to view the document. 
  2. If the user hasn't logged in already, Zoho Sign will prompt the user to log in to their Zoho Sign account, then enter the access code to view the document.
  3. While filling the first signature/initial field, the signer is prompted to re-enter their Zoho Sign credentials along with multi factor authentication (if enabled).
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.  
  1. Irrespective of the number of documents in a signing request or the number of signature/initial fields, Zoho Sign prompts the signer to re-authenticate themselves once per signing request.
  2. If there are continuous signing requests, the signer must enter the new access code which they would receive via email/SMS and re-authenticate themselves every single time.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.  
  1. If the signer doesn't perform a continuous signing action or refreshes the signing window, the signer must re-enter the access code received via email/SMS and re-authenticate themself while filling the first signature/initial field.
(2) Be used only by their genuine owners; and
  1. Every Zoho Sign user must authenticate themselves with their credentials and multi-factor authentication (if enabled), which must be confidential and belongs to the user alone.
  2. It is the organization's responsibility to set up password policy and two-factor authentication policy for their organization.
  3. It is also the organization's responsibility to educate users from refraining to share their credentials with others.
Find more about the password policy here and about multi-factor authentication here

(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.  
  1. Only the assigned recipient can sign the document. 
  2. If the signer is unavailable to sign the document, the sender/admin must recall and send again later, or change the recipient for the existing document.
  3. If the sender is unavailable, the admin can also change the ownership of the document.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners. 

Zoho Sign currently does not support biometric-based document signing.

11.300 Controls for identification codes/passwords

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
  1. The combination of email address, password, and user ID identifies the particular user. This combination is also used to authenticate the user while filling the first signature/initial field in the document.
  2. This combination of email address and password is unique to each user.
  3. Signers must have logged into their Zoho Sign account using their email address and password and enter the access code received via email/SMS to access a document sent from a 21 CFR Part 11 enabled account.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
  1. Zoho provides the provision for the admin to set the appropriate password policy. It is the admin's responsibility to use those password settings.
Know more about the password policy here

(c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
  1. It is the responsibility of the admin to educate the users about loss management and steps to be taken by users in case their account is compromised.
    1. Users can change their password. Learn more
    2. Users can close their account. Learn more
    3. Users can manage their active sessions and other apps in which they logged with Zoho account. Learn more
    4. Zoho Sign admins can revoke access of users, remove users from the organization, and change the ownership of the document/template. Learn more
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.  
  1. Users will be notified via email when a login is attempted from a different network. Learn more
  2. Users can restrict their account access to a certain IP addresses. Learn more
  3. Account will be temporarily blocked in case of any threat to user's network. Learn more
  4. It is also the user's responsibility to refrain from sharing their credentials.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
  1. Zoho Sign has no devices or tokens to generate or alter the account's information such as identification code or password information.

    Zoho CRM Training Programs

    Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.

    Zoho CRM Training
      Redefine the way you work
      with Zoho Workplace

        Zoho DataPrep Personalized Demo

        If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.

        Zoho CRM Training

          Create, share, and deliver

          beautiful slides from anywhere.

          Get Started Now

            Zoho Sign now offers specialized one-on-one training for both administrators and developers.

            BOOK A SESSION

                                    You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.

                                        Manage your brands on social media

                                          Zoho Desk Resources

                                          • Desk Community Learning Series

                                          • Digest

                                          • Functions

                                          • Meetups

                                          • Kbase

                                          • Resources

                                          • Glossary

                                          • Desk Marketplace

                                          • MVP Corner

                                          • Word of the Day

                                            Zoho Marketing Automation

                                              Zoho Sheet Resources


                                                  Zoho Forms Resources

                                                    Secure your business
                                                    communication with Zoho Mail

                                                    Mail on the move with
                                                    Zoho Mail mobile application

                                                      Stay on top of your schedule
                                                      at all times

                                                      Carry your calendar with you
                                                      Anytime, anywhere

                                                            Zoho Sign Resources

                                                              Sign, Paperless!

                                                              Sign and send business documents on the go!

                                                              Get Started Now

                                                                      Zoho TeamInbox Resources

                                                                              Zoho DataPrep Resources

                                                                                Zoho DataPrep Demo

                                                                                Get a personalized demo or POC

                                                                                REGISTER NOW

                                                                                  Design. Discuss. Deliver.

                                                                                  Create visually engaging stories with Zoho Show.

                                                                                  Get Started Now

                                                                                                      • Related Articles

                                                                                                      • 21 CFR Part 11- Overview

                                                                                                        Available in Enterprise edition and will be enabled in your account on request Zoho Sign now aids businesses and individuals operating in the Food and Drug Administration (FDA)-regulated industries, such as pharmaceutical, biotech, cosmetic, food and ...
                                                                                                      • Zoho Sign controls for life sciences

                                                                                                        Available in the Enterprise edition and enabled upon request Today, life sciences companies are facing many challenges, which include improving patient/employee experience, reducing costs, and increasing overall efficiency by automating workflows ...
                                                                                                      • Sending and signing documents from a life science controls enabled Zoho Sign account

                                                                                                        Available in Enterprise edition and will be enabled in your account on request Enabling Life Science controls in Zoho sign This action can only be performed by administrators. Follow the below steps to enable controls for Life Science in your Zoho ...
                                                                                                      • Qualified Electronic Signatures via itsme for EU

                                                                                                        Available only in Enterprise edition and in EU data center This integration allows document signing with Qualified Electronic Signature (QES) and meets the electronic signature specifications laid out by the eIDAS regulation (EU 910/2014). This ...
                                                                                                      • Qualified Electronic Signatures via InfoCert for EU

                                                                                                        Available only in Enterprise Edition InfoCert is a Qualified Trust Service Provider (QTSP), and is also one of the trusted identity verification services in the European Union. InfoCert allows signers to sign documents through Qualified Electronic ...
                                                                                                        Wherever you are is as good as
                                                                                                        your workplace



                                                                                                          Watch comprehensive videos on features and other important topics that will help you master Zoho CRM.


                                                                                                          Download free eBooks and access a range of topics to get deeper insight on successfully using Zoho CRM.


                                                                                                          Sign up for our webinars and learn the Zoho CRM basics, from customization to sales force automation and more.

                                                                                                          CRM Tips

                                                                                                          Make the most of Zoho CRM with these useful tips.

                                                                                                            Zoho Show Resources