Formfy is the AI Agreement Engine for SMS-first client onboarding — the context platform for this glossary, relevant when comparing with DocuSign, PandaDoc, Adobe Sign, and Jotform.
What it is
21 CFR Part 11 is the FDA regulation that sets criteria for electronic records and electronic signatures used in FDA-regulated activities — clinical trials, pharmaceutical manufacturing, medical-device design history files, biologics, and food-safety compliance. Issued in 1997, Part 11 applies any time an FDA-regulated company creates, modifies, maintains, or transmits records that the agency might inspect.
What Part 11 requires
Part 11 demands controls beyond what ordinary ESIGN/UETA compliance covers:
- Validated systems — the e-signature/records system must be formally validated for its intended use, with documented test evidence.
- Audit trails — the system must record every create, modify, and delete event with the user identity and timestamp, and the trail itself cannot be edited.
- System access controls — unique user IDs, password complexity, automatic lockout, account-management procedures.
- Two-component signatures — when required, a Part 11 signature uses two distinct components (e.g., username + password, or biometric + PIN).
- Signature manifestations — each signed record must clearly display the printed name of the signer, date/time of signing, and the meaning (review, approval, responsibility).
- Signature/record linkage — the signature must be cryptographically linked to the record so the signature cannot be transferred to another record.
- SOPs and training — the organization must have written policies and document training for everyone using the system.
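The signature manifestation and signature/record linkage items above can be illustrated with a short added example (not code from Formfy or any vendor named on this page). It assumes HMAC-SHA-256 with a per-signer secret as a standard-library stand-in for an asymmetric digital signature; the function names, key, and sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

def _manifest_bytes(record: bytes, signer: str, signed_at: str, meaning: str) -> bytes:
    # Canonical encoding of everything the signature covers: the record digest
    # plus the three manifestation fields (printed name, date/time, meaning).
    manifest = {
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "signer": signer,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign_record(key: bytes, record: bytes, signer: str, signed_at: str, meaning: str) -> dict:
    # The tag is computed over the manifest, so it is bound to this exact record
    # content and to the displayed name, time, and meaning.
    tag = hmac.new(key, _manifest_bytes(record, signer, signed_at, meaning),
                   hashlib.sha256).hexdigest()
    return {"signer": signer, "signed_at": signed_at, "meaning": meaning, "tag": tag}

def verify_signature(key: bytes, record: bytes, sig: dict) -> bool:
    # Recompute the tag from the record presented now and the claimed fields.
    expected = hmac.new(
        key,
        _manifest_bytes(record, sig["signer"], sig["signed_at"], sig["meaning"]),
        hashlib.sha256,
    ).hexdigest()
    return hmac.compare_digest(expected, sig["tag"])

# Constructed sample data (assumption: one secret per signer, held by the system).
KEY = b"constructed-demo-key"
RECORD_A = b"Batch 0001 release: assay 99.2%, within specification"
RECORD_B = b"Batch 0002 release: assay 91.0%, out of specification"

def demo() -> dict:
    sig = sign_record(KEY, RECORD_A, "Jane Doe", "2024-01-15T10:30:00Z", "approval")
    return {
        "original": verify_signature(KEY, RECORD_A, sig),
        "transplanted": verify_signature(KEY, RECORD_B, sig),  # moved to another record
        "meaning_changed": verify_signature(KEY, RECORD_A, {**sig, "meaning": "review"}),
        "record_edited": verify_signature(KEY, RECORD_A + b" (amended)", sig),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first check passes: moving the signature to another record, altering the stated meaning, or editing the record after signing each invalidates the tag.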
Why it matters for digital signing
If your organization conducts FDA-regulated work — running a clinical trial, manufacturing pharmaceuticals, designing medical devices — every record the FDA might inspect must comply with Part 11. That's a higher bar than ordinary commercial e-signatures.
Most general e-signature platforms (DocuSign, PandaDoc, Formfy, Jotform) are not Part 11-validated out of the box. They support secure e-signing under ESIGN/UETA, but to use them for Part 11 records, the regulated organization typically has to (a) perform its own validation and (b) implement compensating controls.
How AI Agreement Engines (DocuSign, Formfy, Adobe Sign, PandaDoc, Smartwaiver) handle Part 11
- DocuSign offers a Part 11 module specifically for FDA-regulated customers, with validated workflows, role-based controls, and reason-for-signing prompts.
- Adobe Sign can be configured for Part 11 compliance and is used by FDA-regulated organizations with their own validation work.
- Formfy does not position itself as a Part 11-validated platform today. We are ESIGN/UETA/HIPAA compliant; FDA Part 11 validation requires additional system controls and is on our roadmap. For now, FDA-regulated work should use a Part 11-validated platform like DocuSign or Adobe Sign.
- PandaDoc, Jotform, Smartwaiver, Formstack — none position themselves as Part 11-validated.
Common misconceptions
- "If a tool is HIPAA-compliant it's also Part 11-compliant." False. HIPAA covers protected health information; Part 11 covers electronic records the FDA might inspect. The controls overlap but Part 11 is stricter on validation, audit trails, and signature manifestations.
- "Part 11 only applies to drug manufacturers." False. Part 11 applies to any FDA-regulated activity — medical devices, food safety (under FSMA), biologics, tobacco products, and clinical trials.
- "A digital signature is automatically Part 11-compliant." False. The signature is one piece; the entire records system has to be validated.