GxP Compliance¶

Configure GxPSign for FDA 21 CFR Part 11 and other regulatory compliance.

Built to the stricter EU Annex 11 (2025 draft revision)

GxPSign adheres to the tightened e-signature requirements in the EU GMP Annex 11 draft revision, not just the legacy 2011 text:

Fresh re-authentication for every signature event — § 13.3 (the existing logged-in session is not accepted).
Passkey / biometric authentication — § 11.3, with the AAGUID, credential ID, and userVerified flag recorded per signature.
MFA on remote critical systems — § 11.6, satisfied intrinsically by WebAuthn (possession + inherence).
Smart card or PIN alone rejected — § 13.3.
Cloned-credential detection — strictly-monotonic sign-counter check on every assertion.
Signing-event audit trail — § 12.2, with the authenticator method, device model, and verification flags as queryable columns (not buried in JSON metadata).

See the Regulatory Mapping table below for the per-clause crosswalk against 21 CFR Part 11.

What is GxP?¶

GxP refers to "Good Practice" regulations in life sciences:

GMP - Good Manufacturing Practice
GLP - Good Laboratory Practice
GCP - Good Clinical Practice

GxPSign is designed to meet GAMP5 Category 4 requirements for computer systems used in regulated environments.

Enabling GxP Mode¶

GxP compliance features are available to all organizations — there is no plan upgrade required. Any organization can enable GxP mode and complete the formal qualification process.

Prerequisites¶

Before enabling GxP compliance:

Configure a signing certificate
Train users on compliance requirements
(Optional) Purchase SignatureManager seats for users who will create GxP-critical signature requests

Enable GxP Compliance¶

Go to Settings > Organization
Find GxP Settings
Check Enable GxP Compliance
Select your Qualification Status
Click Save

Screenshot Coming Soon

Screenshot of GxP settings will be added here.

GxP Features¶

When GxP mode is enabled, the following features activate:

Signature Meaning Required¶

Every signature must include a meaning:

Meaning	FDA Requirement
I have reviewed and approved	Approval signature
I attest to the accuracy	Data verification
I have performed the work	Work completion
I have witnessed the activity	Witnessing
I have verified the information	Verification
I authorize the release	Authorization

Enhanced Audit Trails¶

All actions are logged with:

User identity
Timestamp (server time)
IP address
User agent
Action description
Before/after values for changes

Re-Authentication¶

Configurable password re-entry for:

Multiple signatures in a session
Sensitive operations
Extended sessions

Document Integrity¶

SHA-256 hash calculated on upload
Hash verified before signing
Digital signatures with timestamps
Long-term validation (LTV) data

Qualification Status¶

Qualification Levels¶

Status	Description
Not Qualified	System not yet validated
IQ Completed	Installation Qualification done
OQ Completed	Operational Qualification done
PQ Completed	Performance Qualification done
Fully Qualified	All qualifications complete

Setting Qualification Status¶

Go to Settings > GxP Settings
Select the appropriate Qualification Status
Click Save

Documentation Required

Maintain qualification documentation separately. GxPSign tracks status but doesn't generate qualification documents.

Re-Authentication Settings¶

Purpose¶

Re-authentication ensures the person signing is who they claim to be, even in shared computer environments.

Configuration¶

Go to Settings > GxP Settings
Enable Re-authentication Required
Set Timeout Minutes (default: 15)
Click Save

How It Works¶

User signs their first document normally
Authentication is cached for the timeout period
For additional signatures within timeout: no re-auth needed
After timeout expires: password re-entry required

Recommended Settings¶

Environment	Timeout
Shared workstations	5-10 minutes
Personal computers	15-30 minutes
High-security	0 (always re-authenticate)

21 CFR Part 11 Compliance¶

Electronic Signatures¶

GxPSign provides:

Requirement	Implementation
Unique to one individual	Email-based identity
Not reused or reassigned	User accounts are unique
Contain identifying information	Signature includes name, date, meaning
Only used by genuine owner	Password-protected accounts

Electronic Records¶

GxPSign ensures:

Requirement	Implementation
Accurate and complete copies	PDF documents with all signatures
Protected throughout retention	Encryption at rest and in transit
Limited system access	Role-based access control
Audit trails	Comprehensive event logging
Sequence of entries	Immutable, timestamped records

Controls¶

Requirement	Implementation
Operational checks	Validation of signature authority
Authority checks	Role-based permissions
Device checks	Re-authentication requirements
Personnel qualifications	Training status tracking

Document Types¶

GxP Critical Documents¶

Documents that directly impact product quality or patient safety:

Batch records
Deviation reports
CAPA documents
Validation protocols
Release certificates

Settings:

Signature meaning required
Full audit trail
Re-authentication (if enabled)
Long-term archival

GxP Non-Critical Documents¶

Documents with less regulatory impact:

Meeting minutes
Training records
General procedures

Settings:

Signature meaning required
Audit trail maintained
Standard retention

Audit Trail¶

Accessing Audit Logs¶

Go to Settings > Audit Log
Filter by date, user, or action type
Export as needed

Logged Events¶

Event	Details Captured
Sign-in/Sign-out	User, time, IP, success/failure
Document upload	User, time, file hash, metadata
Document view	User, time, document ID
Signature applied	User, time, meaning, field ID
Request created	User, time, document, signers
Settings changed	User, time, old value, new value

Audit Log Protection¶

Logs are append-only (cannot be modified)
Logs are retained according to policy
Access to logs is controlled by role

Training Management¶

Training Status¶

Track user training status:

Go to Settings > Users
Click on a user
Update Training Status

Training Statuses¶

Status	Meaning	Action Needed
Pending	Not started	Schedule training
In Progress	Currently training	Monitor completion
Completed	Training verified	None
Expired	Renewal needed	Schedule refresher

Training and Signing¶

Best Practice

Consider preventing users with "Pending" or "Expired" training from signing GxP-critical documents.

Validation Support¶

System Validation¶

GxPSign provides supporting documentation for validation:

Functional specifications
User requirements
Test protocols
Traceability matrix

Contact support for validation packages.

Ongoing Validation¶

Maintain validation through:

Regular system reviews
Change control procedures
Periodic testing
User training updates

Best Practices¶

Enable early - Set up GxP mode before production use
Train users - Ensure all users understand compliance requirements
Document everything - Maintain qualification and validation records
Regular audits - Review audit logs periodically
Keep training current - Track and update training status
Test re-authentication - Verify timeout settings work as expected
Review access - Regularly audit user permissions

Signing Re-authentication Policy¶

GxPSign provides three re-authentication paths at signing time. Selection is automatic based on the user's enrolled credentials and your tenant policy.

Methods¶

Method	What the signer sees	Annex 11 alignment
WebAuthn (passkey)	One biometric tap on their device (Touch ID / Face ID / Windows Hello / Android / security key).	§ 11.3 (biometric), § 11.6 (intrinsic MFA via possession + inherence)
Local password	Re-enters their account password.	§ 11.3 (password)
SSO step-up	Popup re-runs OIDC sign-in with `prompt=login` against the IdP.	§ 11.3 (equivalent to login security), § 13.3

Smart card alone, PIN alone, and "rely on the existing session" are never accepted (§ 13.3).

Tenant Setting: `webauthn_required`¶

In your Organisation Settings → Security:

`webauthn_required`	Effect
`False` (default)	Signers may use passkey (preferred), password, or SSO step-up — whichever they have available.
`True`	Passkey is the only accepted method. Signers without an enrolled passkey are sent to set one up before they can sign. Password and SSO step-up fallbacks are disabled for your tenant.

The sending tenant's policy applies. If a signer from Org A signs a request created by Org B, Org B's webauthn_required setting governs the event — not Org A's.

Per-Signature Re-authentication¶

Effective for all GxP-enabled tenants: every signature event requires a fresh re-authentication. There is no time-window during which subsequent signatures skip the prompt. With WebAuthn, this is a sub-second biometric tap, so the operational cost is minimal while compliance with EU Annex 11 § 13.3 is unambiguous.

Audit Trail Fields¶

For every signing event, the following are recorded in SignatureAuditLog:

Field	What it captures
`authenticator_method`	`password`, `webauthn`, or `sso_step_up`
`webauthn_credential_id`	The exact passkey used (raw FIDO2 credential ID)
`webauthn_aaguid`	Authenticator model (e.g. Apple Touch ID, YubiKey 5) — answers "what device?"
`webauthn_user_verified`	The WebAuthn `userVerified` flag (always `true` under our policy — `userVerification=required`)
`webauthn_sign_count`	Authenticator-reported counter; verified strictly-monotonic to detect cloned credentials

These columns are queryable directly (not buried in JSON metadata), so inspectors can ask "show me all signatures applied with a non-platform authenticator last quarter" and the answer is one SQL query.

Cloned-credential Detection¶

WebAuthn authenticators advertise a sign counter that must increase on each use. GxPSign refuses any assertion whose counter does not strictly advance and emits a failed_reauth security audit event. This is the FIDO2-spec recommended clone-detection check.

Regulatory Mapping¶

Capability	EU Annex 11 (Draft)	21 CFR Part 11
Fresh per-signature re-auth	§ 13.3	§ 11.200(a)(1)
Biometric / passkey accepted	§ 11.3	§ 11.200(a)(2) (biometric exception)
MFA on remote critical systems	§ 11.6	—
Signing-event audit trail	§ 12.2	§ 11.10(e)
Smart-card / PIN alone insufficient	§ 13.3	—