Title 21 Code of Federal Regulations Part 11 (“CFR Part 11”) establishes the United States Food and Drug Administration (the “FDA”) regulations on electronic records and electronic signatures. If enabled by your organization’s admin, you can use Box Sign Part 11 e-signatures (“Part 11 e-signatures”) with Box Sign requests for your regulated documents.
This document is for informational purposes only and should not be relied upon as legal advice. If you have any legal questions regarding 21 CFR Part 11 or your organization’s intended use of Part 11 e-signatures, you should consult legal counsel licensed in your jurisdiction(s) before making use of Part 11 e-signatures. For requirements and additional information, visit eCFR :: 21 CFR Part 11.
Important: Support for 21 CFR Part 11 compliance in Box Sign requires GxP Validation. For more information, visit GxP Validation – Box Support, or contact your account manager.
Note: 21 CFR Part 11 e-signatures are not supported with the following signing workflows and options:
- Box Sign APIs
- Ready-Sign Links
- Sign Myself
- Box Sign Salesforce integration signature requests
Admin Enablement
As the admin, you can enable Part 11 e-signature requests for your organization by going to your Admin Console and then Enterprise Settings -> Box Sign.
In the Box Sign tab, select Edit Configuration under the “CFR Part 11 disabled for all managed users” option.
From here, you can select from four options for your users and groups:
- Disable for all managed users
- Enable for all managed users
- Enable for select users and groups
- Enable for everyone except select users and groups
Add the specific users and groups if you enable the setting for them. Once you have selected your option and users and groups, click Save.
Note: Once enabled for a user or group of users, all Part 11 e-signature requests sent by such user or group will use the 21 CFR Part 11 workflow until the user or group is disabled from Part 11 e-signatures. Requests sent before disablement still follow the Part 11 e-signatures workflow, so you will need to re-enable the user or group if they are to revise an outstanding Part 11 e-signature request.
Sending Process
As a sender, follow the process from Sending a document for signature. To verify if your signature request will utilize the Part 11 e-signature workflow, ensure you have the CFR Part 11 Request label next to your signature request file name. Additionally, when you modify a recipient’s role, you can review the 21 CFR Part 11 login requirements to notify your signers of the requirement in advance.
When preparing a Part 11 e-signature request, you have two options:
- For a single signer or a recipient group that was assigned the "signer" role, senders can add a required signature field or an initials field or both. Stamps and any other fields are not included in the Part 11 e-signature process.
- Senders can add no fields at all to a single signer or recipient group. In that case, those recipients will need to drag and drop the fields they need to complete and will then be required to add at least one signature field or one initials field before the signer can complete the signature request.
The sender should ensure that either a signature field or initials field is assigned to a signer and selected as a required field by the signer. If a sender tries to send a signature request marking a signature field or initials field as “not required”, an error banner will be displayed and the sender will not be able to proceed with sending the signature request.
Require Password (Optional)
The sender can choose if they want to add an additional password of their choice to the signature request by toggling Require Password.
21 CFR Part 11 Signing Process
Once a recipient initiates a signature request, they will be required to log in to their Box account to authenticate their identity to continue with the CFR Part 11 e-signature request. If the signer does not have a Box account, Box will prompt the recipient to create a free account in order to authenticate to the Box service. After logging in, the recipient follows the same process as in Signing a document, with two additional steps:
- If the request includes a signature or initials field assigned to a recipient, that recipient must select the reason for applying their signature or initials to the request.
- Once the signing reason has been applied to the signature or initials field(s), recipients must re-authenticate their login after each Part 11 e-signature.
Note:
- The 21 CFR Part 11 signing process only applies to the application of signature and initials fields. It does not apply to the application of stamps or any other fields.
- The customer is responsible for ensuring the identity of each recipient is verified to the organization’s satisfaction prior to providing such recipient with account login access credentials for Box. The customer must authenticate each user’s identity prior to sending a Part 11 e-signature request.
Reason for Signing
After the recipient selects their signature, the recipient will need to select from the following reasons to proceed:
- I read and approve this document
- I read and agree to this document
- I read and authored this document
The recipient’s selection is recorded in their signature block or initials field within the signed document and in the signing log for reference.
Re-authenticating each Part 11 e-signature
Note: The Part 11 e-signature workflow will log you out of any open Box account browser-based sessions and reinitiate your account session by logging you back in at the time of signing. Be sure to save your existing work before initiating a Part 11 e-signature workflow.
After adopting your signature or initials or both, providing your reason for signing, and navigating to the next page, you will then be prompted to re-authenticate your session by logging in with your credentials. Re-authentication completes the signing process for that Part 11 e-signature.
Recipients can continue adding their signature or initials to other locations within the request by clicking the next signature or initials field, selecting their reason, and re-authenticating their session. This process is repeated until all required signature fields, initials fields, or both in the CFR Part 11 e-signature request are completed.
The sender may choose not to assign any fields to a signer. In this case, the recipient may drag and drop fields when completing the CFR Part 11 e-signature request. The signer will need to add at least one signature or initials field to complete the process. When the recipient adds a field, they will be prompted to adopt a signature or initials, provide a signing reason, and re-authenticate themselves.
Automatic resizing of the CFR Part 11 e-signature and initials fields
Signature and initials fields within CFR Part 11 signature requests will have preconfigured sizing dimensions and may be automatically resized to ensure that the final CFR Part 11 signature and initials frame, including details within the frame, are legible.
These predefined dimensions do not apply to signature or initials fields included within batch send signature requests.
Note: For legibility purposes, Box Sign may automatically resize signature and initials fields within CFR Part 11 signature requests initiated from reusable templates, regardless of how the fields are configured within the template. We recommend reviewing the signature request in the document preparation process to confirm the field properties are properly sized and meet the sender’s requirements prior to sending the request.
Signing Log
Once the Part 11 e-signature request is complete, the Signing Log is available for review and reference. The Signing Log displays each Part 11 e-signature or initials or both, authentication details, and the signing reason. You can learn how to access the Signing Log associated with your document here.
For additional information about how Box can support compliance with 21 CFR Part 11, contact your account manager or customer success manager.