Dropbox and FDA 21 CFR Part 11: an overview

What is 21 CFR Part 11?

Title 21 of the Code of Federal Regulations (CFR) governs food and drugs within the United States for the Food and Drug Administration (FDA), the Drug Enforcement Administration, and the Office of National Drug Control Policy. Part 11 of Title 21 sets forth the criteria under which FDA considers electronic records and signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.  
 

The Electronic Records section of Part 11 sets forth the requirements for the controls of closed and open electronic record-keeping systems, as well as requirements for establishing a link between signatures and electronic records.
 

For more information about this regulation, including the list of requisite procedures and controls, visit the Electronic Codes of Regulations page. The FDA also issued guidance for Part 11 in August 2003.

How does Dropbox aid in my compliance efforts under 21 CFR Part 11 for electronic records?

Dropbox uses independent third-party auditors to test our systems and controls against some of the most widely-accepted security standards and regulations in the world, such as SOC 1 and SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 27018. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their inspections.
 

While these audits don’t focus on 21 CFR Part 11, their purpose and objectives are similar to those of Part 11, and serve to help ensure security, confidentiality, integrity, availability, and privacy of your data. While ultimately it’s up to you to make sure that you’re complying with your regulatory obligations, you can use these reports to conduct your own risk analysis under 21 CFR Part 11.

Which Dropbox audits, reports, and certificates can help in my compliance efforts?

Dropbox provides customers with several types of audit reports and certifications that attest to the effectiveness of the controls Dropbox has implemented. 
 

The list of these reports and certifications can be found on our Compliance page. Those most relevant to 21 CFR Part 11 are addressed in our SOC 3 report and ISO 27001 certification, which are made available on the Dropbox Trust Center. Further details regarding these controls can be found in our SOC 2 report, and our FDA 21 CFR Whitepaper, which are also available on the Dropbox Trust Center.

How to access the Dropbox Trust Center

You’ll need to log in to access all the reports and documentation. To request access:

1. Go to trust.dropbox.com.
2. Click Get Access in the top right.
3. Enter your work email, then click Continue.
4. Enter your details and click Submit Request.

Once registered, you can access private and public reports and documents.

What about Dropbox Sign and electronic signatures? 

At this time, Dropbox and Dropbox Sign do not offer compliance support under 21 CFR Part 11 specific to electronic signatures.