1. Decrease in product quality
2. Reduced level of process control
3. Lowered standard of quality assurance
4. Increase in overall risk of the process
   

1. General
2. Project Phase
3. Operational Phase

General 

1. Risk Management

1. Zoho Sign has well-defined validation strategy on evaluating the application while making any changes ensuring that the system meets its intended purpose and performs as expected. 
   
2. Zoho Sign is ISO 9001 compliant and follows the approaches that covers risk management as stated in various clauses from Clause 4 to Clause 10. It is also compliant with ISO/IEC 27001, where in clause 6.1 provides actions to address risk and opportunities.

1. Assessing the risks related to patient safety, data integrity, and product quality involved while using Zoho Sign and implementing strategies to eliminate the risks defined by the organization if they should occur.
2. Documenting the defined risks as part of risk assessment measure. 
   

2. Personnel

1. All Zoho employees must undergo periodic training with respect to the required standards and certifications as promised to the customer, and also cover other areas like data privacy, protection, and integrity. It is crucial for all employees to fulfill their designated roles and responsibilities. 

1. For users to train and manage electronic records.
2. To govern the use of Zoho Sign and ensure ample training is given to both senders and signers prior using the application.
3. To provide adequate training to administrators governing the system before performing administrative actions in the system.

3. Suppliers and Service Providers

1. Zoho Sign maintains formal contracts in place with third-party vendors that store or process Zoho Sign's data by ensuring risk mitigation strategies.
   
2. Zoho Sign also evaluates the suppliers for compliance as per the defined supplier management process. 

1. Zoho Sign is certified as compliant with ISO 9001, and clause 8.4 clearly states the external products and services the platform adheres to.
2. Zoho Sign periodically audits all its vendors.
3. The organization using Zoho Sign should document and follow a vendor assessment procedure to qualify Zoho Sign as their digital signature solution provider.

1. Zoho Sign is certified as compliant with several standards, regulations, and certifications such as GDPR, SOC 2 Type 2, ISO 27001, which users can download. The procedures are followed periodically to check for inconsistencies and the findings are documented as per our vendor assessment policy.

1. Documenting and following a vendor assessment procedure to qualify Zoho Sign as their digital signature solution. This assessment may consist of reviewing third-party reports and other required compliance certificates.
2. Reviewing all the documents provided by Zoho Sign to support the system activities that fulfill the user's requirement.

Project Phase

4. Validation

1. Zoho Sign validates the system as per the applicable life science regulations by preparing the necessary validation reports.
   
2. Zoho Sign is also compliant with industry standards including HIPAA, SOC 2 Type 2, ISO/IEC 27001, and ISO 9001.
   

1. Zoho Sign has necessary change management and impact assessment procedures as per ISO 9001. 
2. Zoho Sign has necessary SDLC procedure to categorize, track, control, and monitor the system changes.
3. Organizations using Zoho Sign are responsible for following the necessary change management procedure.
   

1. Zoho Sign has implemented necessary control measures to manage assets.
   
2. Zoho Sign providers system description as per the standards or SOC 2 Type 2, which includes architecture design and process description.
   

1. The User Requirements Specifications (URS) document outlines the specific needs, expectations, and requirements of a product from the perspective of the end-user, and will serve as a foundation for validation.
   
2. URS also serves as a foundation for technical specifications outlining the system functionality, including the product's interfaces and the workflows.
   
3. Change management procedures are in place, ensuring that changes to the system happen in a controlled manner and all the changes are tested and observations are documented.
   
4. URS provides an initial framework for the design and development of the system, and with this design, specifications such as user interface design and backend flows are documented.

1. Zoho Sign has implemented the necessary SDLC procedure to ensure secure software delivery and service.
   

1. Validating every step of the process as per their requirement.
   
2. Designing and maintaining the necessary control procedures to verify the system's intended functionality.

1. Zoho Sign validates the system by preparing validation deliverables. Zoho Sign also provides the validation package to users to meet the intended requirement of the tool.
2. Organizations can customize Zoho Sign, and they are responsible for managing the customizations' quality and performance.
   

1. Zoho Sign maintains a validation package, which will consider parameter limits, data limits, and error handling methods during validation.
2. All test cases must be documented and available for use.

1. Zoho Sign follows industry best practices and is also certified compliant with ISO 9001.
2. Necessary processes are well-defined, ensuring the product's functionalities are tested and the observations are documented.
3. The User Requirements Specifications (URS) document, which outlines the specific needs, expectations, and requirements of a product from the perspective of the end-user, will serve as a foundation for validation.
4. URS also serves as foundation for technical specifications and outlines the system functionality, including the products interfaces and the workflows. 
5. URS provides an initial framework for the design and development of the system, and with this design, specifications such as user interface design and backend flows are documented.
6. Operational and performance qualification phases are carried out. In the operational qualification phase, test cases are executed to confirm that the system operates as expected; the performance qualification phase evaluates the application's ability to handle real world data volumes, ensuring responsiveness and stability of the system.
7. Additionally, testing is carried out to satisfy the documented requirements.
8. Results of these validations, along with any deviations, are captured as a comprehensive validation report. 
9. Post-validation, a robust change control process is followed to perform any modifications to the system.
10. All these changes are captured as a release and are published via release notes.

Operational Phase

5. Data

1. All electronic records in Zoho Sign are encrypted with AES-256 at rest and SSL/TLS encryption while in transit.
2. Zoho Sign offers a Send in order option, with which the electronic document will be sent to the signers sequentially.
3. It is the organization's responsibility to follow both data integrity and system security while handling sensitive electronic records (signed record and activity history) outside the application.
   

6. Accuracy Checks

1. Zoho Sign treats all the data entered into the system as important data and encrypts it in motion and in rest.
2. Zoho Sign doesn't allow for the altering contents in the electronic record once submitted (treating electronic record as critical data). It performs a predefined set of validations that organizations can configure to meet their needs.
3. Zoho Sign generates a record of the unalterable signature events, which are captured in both the activity report and the certificate of completion.
   

7. Data Storage

1. All data is protected using AES-256 encryption while at rest and SSL encryption while in transit.
2. Zoho Sign follows Public Key Infrastructure (PKI) standards, and also offers trusted document timestamping, with which the authenticity, integrity, and confidentiality of the document is maintained.
3. Zoho Sign's activity report will log all actions (both date and time of the document action) at both the document level and user level; this cannot be disabled or modified.

1. Electronic records are encrypted along with their data and stored in multiple databases. 
2. All the records will be retained as long as the Zoho Sign account is active, unless the user deletes them.
3. Organizations using Zoho Sign are responsible for:
4. Ensuring the downloaded or printed records are maintained securely.
5. Having a backup of all the electronic records before deletion from the application.
   

8. Printouts

1. Zoho Sign allows users to view or print the signed electronic record and its activity report. The downloaded documents can be viewed on a PDF viewer or on any paper printout. 
2. With visible signatures, the signature metadata will be visible on the downloaded version and the printed version.
3. Organization using Zoho Sign is responsible for ensuring the physical security of the printed records.

9. Audit Trails

1. Zoho Sign's activity report logs all the actions, both at the user level and document level. This contains details on who performed the action, what action is performed, and on which electronic record or other settings it is performed. 
2. This audit trail cannot be modified or deleted, thus providing a proof of integrity and preventing tampering.
3. This activity report is auto-enabled and cannot be disabled by the user. This activity report can be viewed online within Zoho Sign's UI or exported in CSV format.
4. The activity report and the associated signed document can be downloaded along with the certificate of completion.
5. The certificate of completion captures every signature event, including the signer's name, email address, and signing reason.
6. The timestamp present in the activity report and certificate of completion follows the time zone set by the user in their Zoho accounts.
7. The organization using Zoho Sign is responsible for regularly reviewing the activity history captured.
   

10. Change and Configuration Management

1. Zoho Sign establishes a controlled process to make changes to the system, including impact assessment and change request documentation.
2. Zoho Sign documents all changes related to system design. Zoho Sign publishes all feature releases enhancements via release notes.

11. Periodic evaluation

12. Security

1. Zoho has implemented physical and logical security controls, limiting system access and documenting the access of authorized individuals.
2. Data is secured by both the platform functionality and the custom configuration by utilizing the access management.
3. Zoho Sign authorizes the user with their account credentials and with multi-factor authentication before allowing the user to access or modify their records in their organization.
4. To log in to Zoho Sign, users must authenticate themselves by entering their credentials (email and password).

1. Zoho has the following password configuration policies, which should be followed by the admin while creating the password:
1. Choose the minimum and maximum character length.
2. Set the minimum numeric digits and special characters.
3. Decide the maximum password age.
4. Refuse the reuse of previous passwords.
2. Depending on the criticality of the document, the sender can require signers to use one of the supported authentication methods offered by Zoho Sign: 
1. Email/SMS OTP
2. Offline OTP
3. Recipient authentication via EU eID
4. Recipient authentication via knowledge-based authentication

1. Zoho Sign's activity report will log all actions (both date and time of the document action) at both the document level and user level; this cannot be disabled or modified.
2. Additionally, account activity of the user, including attempted logins and successful logins, can be monitored.
   

1. Zoho Sign uses a role-based model to control authorization and system access.
2. Users with administrative privileges can add and assign users to the system.
3. Only administrators will have access to certain functions in the system.
4. Zoho Sign's activity report will log all actions (both date and time of the document action) at both the document level and user level; this cannot be disabled or modified.
5. Organizations using Zoho Sign are responsible for:
6. Setting up a password policy and two-factor authentication policy for their organization.
7. Educating their users about refraining from sharing their credentials with others.
8. Defining a procedure for system configuration changes and authorized access to the Zoho Sign system.
   

13. Incident Management

1. Zoho has a dedicated incident management team with an established procedure for handling incidents, including recording, tracking, and closing the incidents with appropriate corrective actions.
2. We also have a breach notification process to let involved parties become aware of any breaches through various medium.
   

14. Electronic Signature

1. have the same impact as hand-written signatures within the boundaries of the company,
   
2. be permanently linked to their respective record,
   
3. include the time and date that they were applied. 
   
4. Electronic records signed with digital signatures are legally binding and hold the same value as a hand-written signature for most business agreements and transactions. 
5. Documents signed using Zoho Sign are legally compliant under the eIDAS Regulation.
6. However, organizations must discuss with their legal team regarding the legality of the signed document in their region.
7. All electronic records will have a visible signature, which collects the signer's name, date of signing, and reason for execution. 
8. The signature metadata will be present in the signed record. In case of tampering, the altered signature will not be linked to the electronic record.
   

15. Business Continuity

1. Zoho's data centers are present in multiple geographical locations and are monitored 24/7.
2. Processes are in place to ensure Zoho operates based on the business continuity and disaster recovery (BC/DR) plan in the event of a disaster.
3. Every component within a data center is designed with redundancy in mind; the DR site provides active replication from the main site and will be brought to action in case of failure to the main site. 
4. At least once a year, the DR site is brought into action as part of the business continuity plan (BCP) compliance, and the testing is done ensuring system availability.
   

16. Archiving

1. The electronic records, along with their data, are encrypted and stored in multiple databases; and a copy of the same information will be available at any time to the user from Zoho Sign's interface.
2. Until users perform a delete operation, all the records are retained as long as the Zoho Sign account is active.