Title 21 Code of Federal Regulations Part 11 (“CFR Part 11”) establishes the United States Food and Drug Administration (the “FDA”) regulations on electronic records and electronic signatures. If enabled by your organization’s admin, you can use Box Sign Part 11 e-signatures (“Part 11 e-signatures”) with Box Sign requests for your regulated documents.
This document is for informational purposes only and should not be relied upon as legal advice. If you have any legal questions regarding 21 CFR Part 11 or your organization’s intended use of Part 11 e-signatures, you should consult legal counsel licensed in your jurisdiction(s) before making use of Part 11 e-signatures. For requirements and additional information, visit eCFR :: 21 CFR Part 11.
Important: Support for 21 CFR Part 11 compliance in Box Sign requires GxP Validation. For more information, visit GxP Validation – Box Support, or contact your account manager.
Note: Support for 21 CFR Part 11 e-signatures are not compliant with the following signing workflows and options:
- Box Sign APIs
- Ready-Sign Links
- Sign Myself
- Box Sign Salesforce integration signature requests
Admin Enablement
As the admin, you can enable Part 11 e-signature requests for your organization by going to your Admin Console and then Enterprise Settings -> Box Sign.
In the Box Sign tab, select Edit Configuration under the “CFR Part 11 disabled for all managed users” option.
From here, you can select from four options for your users and groups:
- Disable for all managed users
- Enable for all managed users
- Enable for select users and groups
- Enable for everyone except select users and groups
Add the specific users and groups if you enable the setting for them. Once you have selected your option and users and groups, click Save.
Note: Once enabled for a user or group of users, all Part 11 e-signature requests sent by such user or group will use the 21 CFR Part 11 workflow until the user or group is disabled from Part 11 e-signatures. Requests sent before disablement still follow the Part 11 e-signatures workflow, so you will need to re-enable the user or group if they are to revise an outstanding Part 11 e-signature request.
Sending Process
As a sender, follow the process from Sending a document for signature. To verify if your signature request will utilize the Part 11 e-signature workflow, ensure you have the CFR Part 11 Request label next to your signature request file name. Additionally, when you modify a recipient’s role, you can review the 21 CFR Part 11 login requirements to notify your signers of the requirement in advance.
When preparing a Part 11 e-signature request, you have two options:
- For a single signer or a Recipient Group with the "Signer" role, add a required signature field. Initials, stamps, and any other fields are not included in the Part 11 e-signature process.
- Or, you can add no fields at all to a single signer or recipient group. In that case, those signers will need to drag and drop the fields they need and will then be required to add at least one signature field before the signer can complete the signature request.
If a sender assigns a signature field to a signer, the sender must make the signature a required field. If a sender tries to send a signature request with a signature that is not a required field, the sender will see an informative error banner explaining how to make it a required field before the sender can proceed.
21 CFR Part 11 Signing Process
As a signer, you will first need to login into your Box account or create an account to continue with the Part 11 e-signature request. If the signer does not have a Box account, Box will prompt the user to create a free account in order to authenticate to the Box service. After logging in, you follow the same process as in Signing a document, with two additional steps:
- Select your Reason for Signing
- Re-authenticate your log-in after each Part 11 e-signature
Note:
- The 21 CFR Part 11 signing process only applies to the application of signature fields. It does not apply to the application of initials, stamps, or any other fields.
- The customer is responsible to ensure the identity of each recipient is verified to the organization’s satisfaction prior to providing such recipient with account login access credentials for Box. The customer must authenticate each user’s identity prior to sending a Part 11 e-signature request.
Reason for Signing
After signing a document, you will need to select from the following reasons to proceed:
- I read and approve this document
- I read and agree to this document
- I read and authored this document
Your selection is recorded in the document on your signature block and in the Signing Log for reference.
Re-authenticating each Part 11 e-signature
Note: The Part 11 e-signature workflow will log you out of any open Box account browser-based sessions and reinitiate your account session by logging you back in at the time of signing. Be sure to save your existing work before initiating a Part 11 e-signature workflow.
After adopting your signature, providing your reason for signing, and navigating to the next page, you will then be prompted to re-authenticate your session by logging in with your credentials. Re-authentication completes the signing process for that Part 11 e-signature.
To add your signature to other locations, click the next signature field, select your reason, and re-authenticate your session. This process is repeated until all required signature fields in the Part 11 e-signature request are populated.
The sender may choose not to assign any fields to a signer. In this case, the signer may drag and drop fields when preparing the Part 11 e-signature request. The signer will need to add at least one signature field to complete the process. When the signer adds a field, the same flow of adopting a signature, then providing a signature reason and re-authenticating takes place.
Signing Log
Once the Part 11 e-signature request is complete, the Signing Log is available for review and reference. The Signing Log displays each Part 11 e-signature and authentication the signer completed, in addition to the reason for signing as pictured below. You can learn how to access the Signing Log associated with your document here.
For additional information about how Box can support compliance with 21 CFR Part 11, contact your account manager or customer success manager.