Dropbox and FDA 21 CFR Part 11—an overview
What is 21 CFR Part 11?
Title 21 of the Code of Federal Regulations (CFR) governs food and drugs within the United States for the Food and Drug Administration (FDA), the Drug Enforcement Administration, and the Office of National Drug Control Policy. Part 11 of Title 21 sets forth the criteria under which FDA considers electronic records and signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
The Electronic Records section of Part 11 sets forth the requirements for the controls of closed and open electronic record-keeping systems, as well as requirements for establishing a link between signatures and electronic records.
For more information about this regulation, including the list of requisite procedures and controls, visit the Electronic Codes of Regulations page. The FDA also issued guidance for Part 11 in August 2003, which can be found here.
How does Dropbox aid in my compliance efforts under 21 CFR Part 11 for electronic records?
Dropbox uses independent third-party auditors to test our systems and controls against some of the most widely-accepted security standards and regulations in the world, such as SOC 1 and SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 27018. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their inspections.
While these audits don’t focus on 21 CFR Part 11, their purpose and objectives are similar to those of Part 11, and serve to help ensure security, confidentiality, integrity, availability, and privacy of your data. While ultimately it’s up to you to make sure that you’re complying with your regulatory obligations, you can use these reports to conduct your own risk analysis under 21 CFR Part 11.
See our Whitepaper for more information on how Dropbox can help aid in your compliance efforts with 21 CFR Part 11.
Which Dropbox audits, reports, and certificates can help in my compliance efforts?
Dropbox provides customers with several types of audit reports and certifications that attest to the effectiveness of the controls Dropbox has implemented. The list of these reports and certifications can be found here. Those most relevant to 21 CFR Part 11 are addressed in our SOC 3 report and ISO 27001 certification.
Further details regarding these controls can be found in our SOC 2 audit report, which is available upon request through our sales team or (for existing Dropbox Standard, Advanced, and Enterprise customers) support.
See our Whitepaper for more information on how Dropbox can help aid in your compliance efforts with 21 CFR Part 11.
What about Dropbox Sign and electronic signatures?
At this time, Dropbox and Dropbox Sign do not offer compliance support under 21 CFR Part 11 specific to electronic signatures.
