Part 11 and Annex 11 in the Cloud: The Practical Checklist

Assyro Team
5 min read

Shared responsibility does not mean shared accountability. Without a clear split between vendor duties and your own, Part 11 and Annex 11 controls fall through the cracks. Regulators still hold you responsible for validated use, data integrity, and patient safety—even if your SaaS provider handles infrastructure.

This checklist clarifies ownership. You will align on roles, tighten electronic signature controls, protect audit trails, and demand vendor evidence that matches your risk profile. The outcome is a repeatable playbook for qualifying and maintaining cloud systems without surprises during inspections.

Cloud compliance realities to embrace

  • FDA and EU inspectors expect the same rigor in the cloud as on-premises.
  • Vendor certifications (SOC 2, ISO 27001) support but do not replace your validation.
  • Configurations and integrations you control can introduce new risks that the vendor never tested.
  • Shared responsibility must be documented, approved, and reviewed regularly.

Step 1: Build a shared responsibility matrix

Document who manages each control area:

  • Validation planning, execution, and change management.
  • Access provisioning, deprovisioning, and periodic reviews.
  • Audit trail generation, review, and retention.
  • Backup, restore, and disaster recovery testing.
  • Incident response and breach notification protocols.
  • Data residency, retention, and archival.

List named contacts for your organization and the vendor, including escalation paths. Store the matrix in the validation package and update it whenever systems or organizations change.

Step 2: Classify system risk and intended use

Define how you use the system: GxP data capture, decision support, batch release, PV reporting, labeling, etc. Assign risk levels based on data criticality and impact on product quality. This classification guides how deep your testing and oversight must go. Low-risk systems might rely heavily on vendor evidence, while high-risk systems demand significant supplemental testing and procedural controls.

Step 3: Validate smartly in the cloud

  • Leverage vendor documentation (IQ/OQ, penetration tests) but confirm it covers your configuration.
  • Execute risk-based PQ testing focusing on your workflows, integrations, and custom configurations.
  • Document configuration settings (roles, e-signature rules, audit trail options). Treat configuration as part of the validated state.
  • Ensure traceability from requirements to test evidence to ongoing monitoring.

Step 4: Secure electronic signatures and identity proofing

  • Confirm the platform supports unique user IDs, password policies, and session controls aligned with Part 11.
  • Document the identity proofing process at onboarding; maintain records that tie individuals to credentials.
  • Test signature manifestation: printed name, timestamp, meaning of signature.
  • Review revocation procedures to ensure accounts are disabled immediately upon role change or termination.
  • For multi-factor authentication, confirm methods are compliant and auditable.

Step 5: Protect and review audit trails

  • Verify that audit trails capture who performed each action, what changed, and when. Ensure trails cannot be altered.
  • Establish review cadences based on risk (e.g., weekly for release systems, monthly for support apps).
  • Export sample audit trails and demonstrate you can interpret them quickly for inspectors.
  • Train reviewers on what to look for: unauthorized changes, failed logins, unusual sequences.
  • Ensure audit trail data retention meets regulatory expectations and matches your business continuity plan.
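Two of Step 5's requirements lend themselves to code: an audit trail that cannot be altered without detection, and a reviewer triage for unauthorized changes, failed logins, and unusual sequences. The Python script below is an added example written for this post; it is not code from Assyro or from any cloud platform. It hash-chains a constructed set of events, verifies the chain, and flags the three patterns reviewers are told to look for. The event schema, the AUTHORIZED_EDITORS role mapping, and the failed-login threshold are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample audit trail events (not from the article). Each event records
# who acted, what happened, on which record, and when, as Step 5 requires.
SAMPLE_EVENTS = [
    {"who": "qa.lead", "action": "record_modified", "record": "BATCH-1001", "when": "2024-03-01T08:00:00"},
    {"who": "qa.lead", "action": "record_signed", "record": "BATCH-1001", "when": "2024-03-01T08:05:00"},
    {"who": "contractor1", "action": "login_failed", "record": None, "when": "2024-03-01T08:10:00"},
    {"who": "contractor1", "action": "login_failed", "record": None, "when": "2024-03-01T08:11:00"},
    {"who": "contractor1", "action": "login_failed", "record": None, "when": "2024-03-01T08:12:00"},
    {"who": "contractor1", "action": "record_modified", "record": "BATCH-1001", "when": "2024-03-01T08:20:00"},
]

# Assumed role mapping: only these accounts may modify GxP records.
AUTHORIZED_EDITORS = {"qa.lead", "prod.supervisor"}

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(prev_hash, fields):
    """SHA-256 over the previous hash plus the canonical JSON of this entry's fields."""
    payload = json.dumps(fields, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_trail(events):
    """Chain each entry to its predecessor so that any later edit breaks the chain."""
    trail, prev = [], GENESIS
    for fields in events:
        rec = dict(fields)
        rec["prev_hash"] = prev
        prev = entry_hash(prev, fields)
        rec["hash"] = prev
        trail.append(rec)
    return trail


def verify_trail(trail):
    """Return -1 if the chain is intact, else the index of the first inconsistent entry."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        fields = {k: v for k, v in rec.items() if k not in ("hash", "prev_hash")}
        if rec["prev_hash"] != prev or entry_hash(prev, fields) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def review_trail(trail, failed_login_threshold=3, window=timedelta(minutes=10)):
    """Flag the patterns Step 5 tells reviewers to look for, in trail order."""
    findings = []
    failed_logins = {}  # user -> timestamps of recent failures
    signed_at = {}      # record -> time of its electronic signature
    for rec in trail:
        ts = datetime.fromisoformat(rec["when"])
        user, action, record = rec["who"], rec["action"], rec.get("record")
        if action == "login_failed":
            recent = [t for t in failed_logins.get(user, []) if ts - t <= window] + [ts]
            if len(recent) >= failed_login_threshold:
                findings.append(("repeated_failed_logins", user, rec["when"]))
                recent = []  # reset so one burst is reported once
            failed_logins[user] = recent
        elif action == "record_signed":
            signed_at[record] = ts
        elif action == "record_modified":
            if user not in AUTHORIZED_EDITORS:
                findings.append(("unauthorized_change", user, rec["when"]))
            # Unusual sequence: a record edited after it was already signed.
            if record in signed_at and ts > signed_at[record]:
                findings.append(("change_after_signature", user, rec["when"]))
    return findings


if __name__ == "__main__":
    trail = build_trail(SAMPLE_EVENTS)
    print("chain intact:", verify_trail(trail) == -1)
    for finding in review_trail(trail):
        print(finding)
```

The chain only makes tampering detectable; it does not prevent it. For the control to hold, the hashes (or the whole trail) must be stored where the users who generate the entries cannot write, which in a SaaS setting is a vendor responsibility to record in the shared responsibility matrix.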

Step 6: Vet vendor assurances thoroughly

Collect vendor materials and evaluate critically:

  • SOC/ISO reports, penetration tests, vulnerability assessments.
  • Change control and release notes, including notification timelines.
  • Disaster recovery and availability SLAs with proof of testing.
  • Data encryption standards at rest and in transit.

Map vendor controls to your requirements. Where gaps exist (e.g., vendor tests do not cover your custom integration), plan supplemental testing or procedural mitigations. Document your assessment and approvals.

Step 7: Integrate compliance into operations

  • Align IT, QA, and business owners on a unified change control workflow. Every system update should trigger impact assessment, regression testing, and user training.
  • Automate access reviews by integrating HR events with account provisioning.
  • Monitor integration points (APIs, data exports) to ensure downstream systems do not compromise data integrity.
  • Maintain configuration baselines; take screenshots or exports after major releases.

Metrics that prove control

  • Closure time for shared responsibility gaps identified during reviews.
  • Percentage of systems with current responsibility matrices and validation documentation.
  • Number of audit trail reviews performed versus scheduled.
  • E-signature account revocation timeliness after personnel changes.
  • Volume of deviations or incidents tied to cloud system usage.

Report these metrics to quality councils and IT governance forums. Visibility keeps everyone aligned on ownership.
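Step 4's revocation check, Step 7's "integrate HR events with account provisioning", and the revocation-timeliness metric above are one reconciliation exercise. The Python script below is an added example written for this post, not Assyro's code or any HR or identity product's API; it compares a constructed HR event feed with a constructed account export, reports accounts still active after termination, late revocations and role mismatches, and computes the percentage of terminations revoked within a target. The field names and the 4-hour target are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): an HR event feed and an account
# export from one cloud system. Field names are assumptions.
HR_EVENTS = [
    {"user": "j.doe", "event": "terminated", "effective": "2024-03-01T09:00:00"},
    {"user": "a.smith", "event": "role_change", "effective": "2024-03-02T10:00:00", "new_role": "viewer"},
    {"user": "k.lee", "event": "terminated", "effective": "2024-03-03T17:00:00"},
]
ACCOUNTS = [
    {"user": "j.doe", "status": "disabled", "disabled_at": "2024-03-01T11:30:00", "role": "signer"},
    {"user": "a.smith", "status": "active", "disabled_at": None, "role": "signer"},
    {"user": "k.lee", "status": "active", "disabled_at": None, "role": "signer"},
    {"user": "m.chen", "status": "active", "disabled_at": None, "role": "signer"},
]
REVOCATION_TARGET = timedelta(hours=4)  # assumed internal target for disabling accounts


def parse_ts(ts):
    """ISO-8601 string to datetime; None stays None (account never disabled)."""
    return datetime.fromisoformat(ts) if ts else None


def hours(delta):
    return round(delta.total_seconds() / 3600, 1)


def reconcile(hr_events, accounts, as_of, target=REVOCATION_TARGET):
    """Compare HR events with account state as of a point in time.

    Returns (findings, metric): findings is a list of (issue, user, detail) tuples in
    HR-event order; metric reports terminations and the share revoked within target.
    """
    now = parse_ts(as_of)
    by_user = {a["user"]: a for a in accounts}
    findings, terminations, within_target = [], 0, 0
    for ev in hr_events:
        acct = by_user.get(ev["user"])
        if acct is None:
            continue  # person has no account in this system
        effective = parse_ts(ev["effective"])
        if ev["event"] == "terminated":
            terminations += 1
            disabled_at = parse_ts(acct["disabled_at"])
            if acct["status"] != "disabled" or disabled_at is None:
                # Still active: report how many hours it has been open.
                findings.append(("active_after_termination", ev["user"], hours(now - effective)))
            elif disabled_at - effective <= target:
                within_target += 1
            else:
                findings.append(("late_revocation", ev["user"], hours(disabled_at - effective)))
        elif ev["event"] == "role_change" and acct["role"] != ev["new_role"]:
            # Role changed in HR but the application still grants the old role.
            findings.append(("role_mismatch", ev["user"], acct["role"]))
    pct = 100.0 * within_target / terminations if terminations else 100.0
    metric = {"terminations": terminations, "revoked_within_target": within_target, "timeliness_pct": pct}
    return findings, metric


if __name__ == "__main__":
    findings, metric = reconcile(HR_EVENTS, ACCOUNTS, as_of="2024-03-04T09:00:00")
    for f in findings:
        print(f)
    print(metric)
```

Run daily against each validated cloud system's account export, the findings list is the input to the revocation procedure and the metric is the "E-signature account revocation timeliness" figure for the dashboard. Accounts with no matching HR record (m.chen here) are not flagged by this check; a separate periodic review should confirm that every account maps to a current person.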

60-day action checklist

Weeks 1-2: Inventory all validated cloud systems, classify risk, and identify unclear responsibilities.

Weeks 3-4: Meet with vendors to confirm responsibilities, gather evidence, and document change notification pathways.

Weeks 5-6: Update validation packages with the shared responsibility matrix and execute supplemental testing where gaps exist.

Weeks 7-8: Pilot an audit trail review, test e-signature revocation, and launch a dashboard tracking compliance metrics.

Frequently asked questions

  • Do we validate SaaS? Yes. You validate intended use, configurations, and integrations. Vendors validate infrastructure—both are required.
  • How much vendor evidence is enough? Enough to satisfy your risk assessment. High-risk functions may require witnessing tests or requesting deeper documentation under NDA.
  • What about small vendors without certifications? Perform on-site or virtual assessments, review development practices, and decide if additional controls or alternative solutions are needed.
  • How often should we revisit responsibilities? At least annually, after major releases, and whenever ownership changes on either side.

Sustain the win

Review shared responsibility matrices at every vendor business review, refresh validation evidence annually, and rotate system owners through mock audits. Keep an open dialogue with IT security and QA so cloud changes never catch you by surprise. When responsibilities are clear and evidence is current, Part 11 and Annex 11 compliance in the cloud becomes business as usual.