Product Guides are now only available at docs.box.com. Check out all the details on what's changed.

Box Status
Print

21 CFR Part 11 Compliance Support

Overview , Admin , Box Sign , Article , New , Product Utilization , P6

 

Title 21 Code of Federal Regulations Part 11 (“CFR Part 11”) establishes the United States Food and Drug Administration (the “FDA”) regulations on electronic records and electronic signatures. If enabled by your organization’s admin, you can use Box Sign Part 11 e-signatures (“Part 11 e-signatures”) with Box Sign requests for your regulated documents.

This document is for informational purposes only and should not be relied upon as legal advice. If you have any legal questions regarding 21 CFR Part 11 or your organization’s intended use of Part 11 e-signatures, you should consult legal counsel licensed in your jurisdiction(s) before making use of Part 11 e-signatures. For requirements and additional information, visit eCFR :: 21 CFR Part 11.

Important: Support for 21 CFR Part 11 compliance in Box Sign requires GxP Validation. For more information, visit GxP Validation, or contact your account manager.

Additionally, if you are a GxP customer using certain Single Sign-On (SSO) configurations for your Box environment, please ensure that you have configured your SSO controls to force authentication in order to create compliant 21 CFR Part 11 e-signatures.   

Note: Support for 21 CFR Part 11 e-signatures are not compliant with the following signing workflows and options:

  • Box Sign APIs
  • Ready-Sign Links
  • Sign Myself
  • Box Sign Salesforce integration signature requests 

 

Admin Enablement

As admin, you can configure 21 CFR Part 11 workflow settings for your organization by going to your Admin Console and then Enterprise Settings -> Box Sign.

In the Box Sign tab, select Edit Configuration under the first Sign enablement setting.

From here, you can select from four options for your users and groups:

  • Disable for all managed users
    • Users cannot send any signature requests
  • Enable for all managed users
    • Users can send both CFR Part 11 requests and standard signature requests
  • Enable for select users and groups
    • Select users and groups can send both CFR Part 11 requests and standard signature requests
  • Enable for everyone except select users and groups
    • Select specific users and groups cannot send any signature requests

Once you have configured your users and group preference, click Save.

As an Admin, you can restrict certain users and/or groups to only send 21 CFR Part 11 signature requests and help ensure compliance. To configure this setting, select Edit Configuration under Restrictions for 21 CFR Part 11 configuration within the Advanced CFR Part 11 Settings section. You can select from the following options for your users and groups:

  • Disable for all managed users
    • Users are not restricted to only sending CFR Part 11 requests and have the option of sending both standard and CFR Part 11 signature requests unless otherwise configured within reusable templates by the template creator
  • Enable for all managed users
    • All managed users are restricted to only sending CFR Part 11 requests
  • Enable for select users and groups
    • Select specific users and groups are restricted to only sending CFR Part 11 requests
  • Enable for everyone except select users and groups
    • Select specific users and groups are not restricted to only sending CFR Part 11 requests

 

Signing Reasons

Admins can customize signing reasons, but should ensure the customized reasons they include meet the 21 CFR Part 11 requirements. 

To Customize Reasons:

Within the Admin Console, select Enterprise Settings. In the Box Sign tab, within the CFR Part 11 settings, determine if you want signers to either:

  • Select from a list of default or pre-defined signing reasons; or
  • Select from a list of customized signing reasons as set out by the Admins

Additionally, Admins can determine whether they want to enable signers with the option of providing their own custom signing reason when adopting their signature or initials to a signature request. 

Admins can configure their own customized signing reasons for signers by selecting Customized Reasons and then clicking Add Reason.

Screenshot 2025-01-16 at 2.05.50 PM.png

The following restrictions apply when creating customized signing reasons:

  • Admins are required to add a minimum of 2 reasons
  • Admins can add up to 25 reasons
  • Each entry can only be 60 characters long
  • The default signing reasons cannot be changed

Sending Process

To begin the sending process:

  1. Select Request Signature or initiate a signature request via a reusable template
  2. In the recipient panel, under CFR Part 11 Settings, select CFR Part 11 Request or Standard Request. If the signature request was initiated using a template, these settings will not be available, as they are preset by the template creator at the time the template was created.
  3. Follow the sending process from Sending a document for signature to continue.

Within the document preparation experience, senders can verify that their signature request will follow the CFR Part 11 e-signature workflow by ensuring they have the CFR Part 11 Signature request icon next to their signature request file name. When a sender modifies a recipient’s role, they can review the 21 CFR Part 11 login requirements to notify their signers of the requirement in advance.

 CFR Part 11 Settings Request Type

When preparing a Part 11 e-signature request, you have two options:

  1. For a single signer or a recipient group that was assigned the "signer" role, senders can add a required signature field or an initials field or both. Stamps, and any other fields are not included in the Part 11 e-signature process.
  2. Senders can add no fields at all to a single signer or recipient group. In that case, those recipients will need to drag and drop the fields they need to complete and will then be required to add at least one signature field or one initials field before the signer can complete the signature request.

The sender should ensure that either a signature field or initials field is assigned to a signer and selected as a required field by the signer. If a sender tries to send a signature request marking a signature field or initials field as “not required”, an error banner will be displayed and the sender will not be able to proceed with sending the signature request.

Note: The option selected in the CFR Part 11 settings will be remembered for the user’s next signature request. For example, if the user selects “CFR Part 11 request” in the first request, the same option will be pre-selected by default in the second request to provide consistency and guidance.

 

Require Password (Optional)
The sender can choose if they want to add an additional password of their choice to the signature request by toggling Require Password.
 

Templates 

For templates, follow the process in Creating, using, and sharing templates under To create a template. Template creators can select between CFR Part 11 Request or Standard Request in the recipient panel during document preparation and lock the request type to ensure anyone who leverages the template must utilize the configured request type.

 

21 CFR Part 11 Signing Process

Once a recipient initiates a signature request, they will be required to log in to their Box account to authenticate their identity to continue with the CFR Part 11 e-signature request. If the signer does not have a Box account, Box will prompt the recipient to create a free account in order to authenticate to the Box service. After logging in, you follow the same process as in Signing a document, with two additional steps:

  • If the request includes a signature or initials field assigned to a recipient, that recipient must select the reason for applying their signature or initials to the request.
  • Once the signing reason has been applied to the signature or initials field(s), recipients must re-authenticate your log-in after each Part 11 e-signature

Note:

  • The 21 CFR Part 11 signing process only applies to the application of signature and initials fields. It does not apply to the application of stamps or any other fields.
  • The customer is responsible to ensure the identity of each recipient is verified to the organization’s satisfaction prior to providing such recipient with account login access credentials for Box. The customer must authenticate each user’s identity prior to sending a Part 11 e-signature request.

 

Reason for Signing

After the recipient selects their signature or initials, the recipient can select the following reasons in order to proceed:

  • Default signing reasons, which include:
    • I read and approve this document
    • I read and agree to this document
    • I read and authored this document
  • A custom signing reason configured by the Admin or Co-Admin
    • Important: this option is only available if the Admin or Co-Admin have enabled custom reasons for recipients

The recipient’s selection is recorded in their signature block or initials field within the signed document and in the signing log for reference.

Screenshot 2024-01-05 at 6.10.20 PM.png

Re-authenticating each Part 11 e-signature

Note: The Part 11 e-signature workflow will log you out of any open Box account browser-based sessions and reinitiate your account session by logging you back in at the time of signing. Be sure to save your existing work before initiating a Part 11 e-signature workflow.


After adopting your signature or initials or both, providing your reason for signing, and navigating to the next page, you will then be prompted to re-authenticate your session by logging in with your credentials. Re-authentication completes the signing process for that Part 11 e-signature.

Recipients can continue adding their signature or initials to other locations within the request by clicking the next signature or initials field, selecting their reason, and re-authenticating their session. This process is repeated until all required signature or initials or both fields in the CFR Part 11 e-signature request are completed.

Screenshot 2024-01-05 at 6.16.42 PM.png

The sender may choose not to assign any fields to a signer. In this case, the recipient may drag and drop fields when completing the CFR Part 11 e-signature request. The signer will need to add at least one signature or initials field to complete the process. When the recipient adds a field, they will be prompted to adopt a signature or initials, provide a signing reason, and re-authenticate themselves.

 

Automatic resizing of the CFR Part 11 e-signature and initials fields


Signature and initials fields within CFR Part 11 signature requests will have preconfigured sizing dimensions and may be automatically resized to ensure that the final CFR Part 11 signature and initials frame, including details within the frame, are legible.


These predefined dimensions do not apply to signature or initials fields included within batch send signature requests.

 

Note: For legibility purposes, Box Sign may automatically resize signature and initials fields within CFR Part 11 signature requests initiated from reusable templates, regardless of how the fields are configured within the template. We recommend reviewing the signature request in the document preparation process to confirm the field properties are properly sized and meet the sender’s requirements prior to sending the request.

 

Signing Log

Once the Part 11 e-signature request is complete, the Signing Log is available for review and reference. The signing log displays each Part 11 e-signature or initials or both, authentication details, and the signing reason as pictured below. You can learn how to access the Signing Log associated with your document here.

 

For additional information about how Box can support compliance with 21 CFR Part 11, contact your account manager or customer success manager. 

 

Related articles