Available in the Enterprise edition; it will be enabled in your account on request.
European Union (EU) Annex 11 is part of EudraLex Volume 4 (Good Manufacturing Practice) and establishes the criteria for life science industries operating in EU markets, such as pharmaceutical manufacturers, medical device producers, and producers/distributors of medicinal products for human and veterinary use. Over the years, these guidelines have been updated to accommodate technological advancements and shifts within the pharmaceutical sector.
The various sections of EU Annex 11 offer a systematic approach and precise instructions for the various phases of implementing and operating a computerized system. It highlights the importance of validating and qualifying the application of the system and its supporting IT infrastructure. To align with the basic EU GMP principles, EU Annex 11 states that when a computerized system replaces a manual operation, there should not be a:
- Decrease in product quality
- Reduced level of process control
- Lowered standard of quality assurance
- Increase in overall risk of the process
Zoho Sign is categorized as a computerized system, and the mapping below describes how it helps you comply with EU GMP Annex 11. EU GMP Annex 11 is divided into three parts:
- General
- Project Phase
- Operational Phase
General
1. Risk Management
Risk management should be applied throughout the lifecycle of the computerized system taking into account patient safety, data integrity, and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system.
- Zoho Sign has a well-defined validation strategy for evaluating the application whenever changes are made, ensuring that the system meets its intended purpose and performs as expected.
- Zoho Sign is ISO 9001 compliant and follows the risk management approach set out in Clauses 4 through 10 of that standard. It is also compliant with ISO/IEC 27001, whose Clause 6.1 covers actions to address risks and opportunities.
Organizations using Zoho Sign are responsible for educating their users, documenting their risk management, and carrying it out by:
- Assessing the risks to patient safety, data integrity, and product quality that arise from using Zoho Sign, and implementing strategies to address the risks the organization has defined should they occur.
- Documenting the identified risks as part of the risk assessment.
2. Personnel
There should be close cooperation between all relevant personnel, such as the process owner, system owner, qualified persons, and IT. All personnel should have appropriate qualifications, level of access, and defined responsibilities to carry out their assigned duties.
- All Zoho employees must undergo periodic training on the standards and certifications Zoho commits to for its customers, as well as on other areas such as data privacy, protection, and integrity. It is crucial for all employees to fulfill their designated roles and responsibilities.
Organizations using Zoho Sign are responsible for periodically re-evaluating Zoho Sign's compliance with accepted standards and for implementing a process:
- To train users in managing electronic records.
- To govern the use of Zoho Sign and ensure ample training is given to both senders and signers before they use the application.
- To provide adequate training to the administrators governing the system before they perform administrative actions in the system.
3. Suppliers and Service Providers
3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify, or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT departments should be considered analogous.
- Zoho Sign maintains formal contracts with third-party vendors that store or process Zoho Sign's data, and ensures that risk mitigation strategies are in place with them.
- Zoho Sign also evaluates its suppliers for compliance as per its defined supplier management process.
3.2 The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.
- Zoho Sign is certified as compliant with ISO 9001, whose Clause 8.4 covers the control of externally provided products and services.
- Zoho Sign periodically audits all its vendors.
- The organization using Zoho Sign should document and follow a vendor assessment procedure to qualify Zoho Sign as their digital signature solution provider.
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled.
Zoho Sign is not a commercial off-the-shelf solution.
3.4 Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.
- Zoho Sign is certified as compliant with several standards, regulations, and certifications such as GDPR, SOC 2 Type 2, and ISO 27001; the corresponding reports and certificates are available for users to download. These procedures are reviewed periodically to check for inconsistencies, and the findings are documented as per our vendor assessment policy.
The organization using Zoho Sign is responsible for:
- Documenting and following a vendor assessment procedure to qualify Zoho Sign as their digital signature solution. This assessment may consist of reviewing third-party reports and other required compliance certificates.
- Reviewing all documents provided by Zoho Sign to confirm that the system's activities fulfill the user's requirements.
Project Phase
4. Validation
4.1 The validation documentation and reports should cover the relevant steps of the lifecycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures, and records based on their risk assessment.
- Zoho Sign validates the system as per the applicable life science regulations by preparing the necessary validation reports.
- Zoho Sign is also compliant with industry standards including HIPAA, SOC 2 Type 2, ISO/IEC 27001, and ISO 9001.
4.2 Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.
- Zoho Sign has the necessary change management and impact assessment procedures as per ISO 9001.
- Zoho Sign has the necessary SDLC procedures to categorize, track, control, and monitor system changes.
- Organizations using Zoho Sign are responsible for following the necessary change management procedure.
4.3 An up-to-date listing of all relevant systems and their GMP functionality (inventory) should be available. For critical systems, an up-to-date system description detailing the physical and logical arrangements, data flows, and interfaces with other systems or processes, any hardware and software prerequisites, and security measures should be available.
- Zoho Sign has implemented necessary control measures to manage assets.
- Zoho Sign provides a system description as per the SOC 2 Type 2 standard, which includes the architecture design and process description.
4.4 User Requirements Specifications should describe the required functions of the computerized system and be based on documented risk assessment and GMP impact. User requirements should be traceable throughout the lifecycle.
- The User Requirements Specifications (URS) document outlines the specific needs, expectations, and requirements of a product from the perspective of the end-user, and will serve as a foundation for validation.
- URS also serves as a foundation for technical specifications outlining the system functionality, including the product's interfaces and the workflows.
- Change management procedures are in place, ensuring that changes to the system happen in a controlled manner and all the changes are tested and observations are documented.
- URS provides an initial framework for the design and development of the system, and with this design, specifications such as user interface design and backend flows are documented.
4.5 The regulated user should take all reasonable steps to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.
- Zoho Sign has implemented the necessary SDLC procedure to ensure secure software delivery and service.
Organizations using Zoho Sign are responsible for:
- Validating every step of the process as per their requirements.
- Designing and maintaining the necessary control procedures to verify the system's intended functionality.
4.6 For the validation of bespoke or customized computerized systems, there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the lifecycle stages of the system.
- Zoho Sign validates the system by preparing validation deliverables. Zoho Sign also provides the validation package to users to meet the intended requirement of the tool.
- Organizations can customize Zoho Sign, and they are responsible for managing the customizations' quality and performance.
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits, and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy.
- Zoho Sign maintains a validation package, which considers parameter limits, data limits, and error handling methods during validation.
- All test cases must be documented and available for use.
4.8 If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process.
- Zoho Sign follows industry best practices and is also certified compliant with ISO 9001.
- Necessary processes are well-defined, ensuring the product's functionalities are tested and the observations are documented.
- The User Requirements Specifications (URS) document, which outlines the specific needs, expectations, and requirements of a product from the perspective of the end-user, will serve as a foundation for validation.
- URS also serves as a foundation for technical specifications and outlines the system functionality, including the product's interfaces and the workflows.
- URS provides an initial framework for the design and development of the system, and with this design, specifications such as user interface design and backend flows are documented.
- Operational and performance qualification phases are carried out. In the operational qualification phase, test cases are executed to confirm that the system operates as expected; the performance qualification phase evaluates the application's ability to handle real-world data volumes, ensuring the responsiveness and stability of the system.
- Additionally, testing is carried out to satisfy the documented requirements.
- Results of these validations, along with any deviations, are captured as a comprehensive validation report.
- Post-validation, a robust change control process is followed to perform any modifications to the system.
- All these changes are captured as a release and are published via release notes.
Operational Phase
5. Data
Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.
- All electronic records in Zoho Sign are encrypted with AES-256 at rest and protected with SSL/TLS encryption in transit.
- Zoho Sign offers a Send in order option, with which the electronic document is sent to the signers sequentially.
- It is the organization's responsibility to maintain both data integrity and system security when handling sensitive electronic records (signed records and activity history) outside the application.
6. Accuracy Checks
For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a second operator or by validated electronic means. The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management.
- Zoho Sign treats all data entered into the system as important data and encrypts it in transit and at rest.
- Zoho Sign does not allow the contents of an electronic record to be altered once it is submitted (treating the electronic record as critical data). It performs a predefined set of validations that organizations can configure to meet their needs.
- Zoho Sign generates a record of the unalterable signature events, which are captured in both the activity report and the certificate of completion.
7. Data Storage
7.1 Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability, and accuracy. Access to data should be ensured throughout the retention period.
- All data is protected using AES-256 encryption at rest and SSL/TLS encryption in transit.
- Zoho Sign follows Public Key Infrastructure (PKI) standards and also offers trusted document timestamping, with which the authenticity, integrity, and confidentiality of the document are maintained.
- Zoho Sign's activity report logs all actions, with the date and time of each document action, at both the document level and the user level; this logging cannot be disabled or modified.
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.
- Electronic records are encrypted along with their data and stored in multiple databases.
- All the records will be retained as long as the Zoho Sign account is active, unless the user deletes them.
- Organizations using Zoho Sign are responsible for:
  - Ensuring the downloaded or printed records are maintained securely.
  - Having a backup of all the electronic records before deletion from the application.
8. Printouts
8.1 It should be possible to obtain clear printed copies of electronically stored data.
- Zoho Sign allows users to view or print the signed electronic record and its activity report. The downloaded documents can be viewed in a PDF viewer or printed on paper.
- With visible signatures, the signature metadata will be visible on the downloaded version and the printed version.
- The organization using Zoho Sign is responsible for ensuring the physical security of the printed records.
8.2 For records supporting batch release, it should be possible to generate printouts indicating if any of the data has been changed since the original entry.
This section is not applicable.
9. Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
- Zoho Sign's activity report logs all actions, at both the user level and the document level. Each entry records who performed the action, what action was performed, and the electronic record or setting on which it was performed.
- This audit trail cannot be modified or deleted, thus providing proof of integrity and preventing tampering.
- The activity report is enabled automatically and cannot be disabled by the user. It can be viewed online within Zoho Sign's UI or exported in CSV format.
- The activity report and the associated signed document can be downloaded along with the certificate of completion.
- The certificate of completion captures every signature event, including the signer's name, email address, and signing reason.
- The timestamp present in the activity report and certificate of completion follows the time zone set by the user in their Zoho accounts.
- The organization using Zoho Sign is responsible for regularly reviewing the activity history captured.
10. Change and Configuration Management
Any changes to a computerized system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
- Zoho Sign establishes a controlled process to make changes to the system, including impact assessment and change request documentation.
- Zoho Sign documents all changes related to system design and publishes all feature releases and enhancements via release notes.
11. Periodic evaluation
Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security, and validation status reports.
Zoho Sign is ISO 9001 compliant, which requires process control, documentation, and management of non-conformity. This covers deviations and incidents in alignment with GMP principles, and the system undergoes this evaluation once a year.
12. Security
12.1 Physical and/or logical controls should be in place to restrict access to computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas.
- Zoho has implemented physical and logical security controls, limiting system access and documenting the access of authorized individuals.
- Data is secured both by the platform's built-in functionality and by the organization's custom configuration of access management.
- Zoho Sign authenticates users with their account credentials and multi-factor authentication before allowing them to access or modify records in their organization.
- To log in to Zoho Sign, users must authenticate themselves by entering their credentials (email and password).
12.2 The extent of security controls depends on the criticality of the computerized system.
- Zoho provides the following password policy settings, which the admin should configure when defining the organization's password policy:
  - Choose the minimum and maximum character length.
  - Set the minimum number of numeric digits and special characters.
  - Decide the maximum password age.
  - Refuse the reuse of previous passwords.
- Depending on the criticality of the document, the sender can require signers to use one of the supported authentication methods offered by Zoho Sign:
  - Email/SMS OTP
  - Offline OTP
  - Recipient authentication via EU eID
  - Recipient authentication via knowledge-based authentication
12.3 Creation, change, and cancellation of access authorizations should be recorded.
- Zoho Sign's activity report will log all actions (both date and time of the document action) at both the document level and user level; this cannot be disabled or modified.
- Additionally, account activity of the user, including attempted logins and successful logins, can be monitored.
12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming, or deleting data including date and time.
- Zoho Sign uses a role-based model to control authorization and system access.
- Users with administrative privileges can add and assign users to the system.
- Only administrators will have access to certain functions in the system.
- Zoho Sign's activity report will log all actions (both date and time of the document action) at both the document level and user level; this cannot be disabled or modified.
- Organizations using Zoho Sign are responsible for:
  - Setting up a password policy and two-factor authentication policy for their organization.
  - Educating their users about refraining from sharing their credentials with others.
  - Defining a procedure for system configuration changes and authorized access to the Zoho Sign system.
13. Incident Management
All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions.
- Zoho has a dedicated incident management team with an established procedure for handling incidents, including recording, tracking, and closing the incidents with appropriate corrective actions.
- Zoho also has a breach notification process to inform affected parties of any breach through various media.
14. Electronic Signature
Electronic records may be signed electronically. Electronic signatures are expected to:
- have the same impact as hand-written signatures within the boundaries of the company,
- be permanently linked to their respective record,
- include the time and date that they were applied.
- Electronic records signed with digital signatures are legally binding and hold the same value as a hand-written signature for most business agreements and transactions.
- Documents signed using Zoho Sign are legally compliant under the eIDAS Regulation.
- However, organizations must discuss with their legal team regarding the legality of the signed document in their region.
- All electronic records will have a visible signature, which records the signer's name, date of signing, and reason for signing.
- The signature metadata is embedded in the signed record. If the record is tampered with, the signature will no longer be linked to the altered electronic record.
15. Business Continuity
For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested.
- Zoho's data centers are present in multiple geographical locations and are monitored 24/7.
- Processes are in place to ensure Zoho operates based on the business continuity and disaster recovery (BC/DR) plan in the event of a disaster.
- Every component within a data center is designed with redundancy in mind; the DR site maintains active replication from the main site and will be brought into action if the main site fails.
- At least once a year, the DR site is brought into action as part of the business continuity plan (BCP) compliance, and the testing is done ensuring system availability.
16. Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.
- The electronic records, along with their data, are encrypted and stored in multiple databases, and a copy of the same information is available to the user at any time through Zoho Sign's interface.
- All records are retained for as long as the Zoho Sign account is active, unless the user deletes them.