21 CFR Part 11

Introduction

FDA 21 CFR Part 11 establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. When using Tallyfy, a cloud-based SaaS workflow automation platform, in a regulated environment, compliance with Part 11 is a shared responsibility between Tallyfy and the customer. Tallyfy provides the technical controls and features to support Part 11 requirements, and the customer configures and uses those features in accordance with their internal procedures. Regulated companies remain ultimately responsible for their own Part 11 obligations—there is no formal FDA "certification" for Part 11 compliance, and each organization must validate its systems for intended use and implement required procedural controls and documentation to ensure compliance.

Shared Responsibility Model Overview

Tallyfy, as the SaaS provider, delivers a platform with the technical capabilities necessary for Part 11 compliance: audit trails, access security, electronic signature support via SSO, data export, retention mechanisms, and more. The customer, as the regulated entity, must:

  • Validate Tallyfy for their specific workflows and intended use.
  • Configure and enforce procedural controls (SOPs, change control, training).
  • Manage user access, review audit trails, and retain/export records per regulatory requirements.

This partnership ensures that Tallyfy provides a Part 11–ready toolset, while customers maintain their quality systems around its use.

System Validation and Change Control

21 CFR 11.10(a) requires computerized systems to be validated for accuracy, reliability, and consistent performance. Tallyfy's development follows rigorous SDLC processes, internal QA testing, and independent SOC 2 Type II audits to demonstrate control effectiveness. We publish release notes and communicate any updates so customers can assess impacts. However, customers are responsible for:

  • Performing Computer System Validation (CSV) of Tallyfy for their specific use cases.
  • Reviewing Tallyfy updates under their change control procedures and re-validating as needed.
  • Maintaining validation documentation (requirements, test scripts, reports) to demonstrate fitness for intended use.

Tallyfy is SOC 2 Type II compliant, providing assurance over security, availability, and processing integrity controls.

Electronic Records Integrity, Sequencing, and Audit Trails

Part 11 requires secure, computer-generated, timestamped audit trails (11.10(e)) and enforcement of permitted sequencing of events (11.10(f)). Tallyfy provides:

  • Comprehensive audit trails that automatically log create/modify/delete actions, capturing timestamp, user ID, old and new values, and reason for change. Audit entries cannot be modified or deleted by end users, and logs are retained as long as the underlying process exists.
  • Enforced workflow sequencing via conditional "if-this-then-that" rules and required form fields, ensuring tasks cannot progress until predecessor steps and approvals are complete.
  • Reviewable audit data via built-in reports and API endpoints, enabling export or print of audit trail logs for inspection.
  • Retention of audit logs for at least one year or per customer retention policy; logs are never obscured or lost unless the source workflow is deleted.

Customers must:

  • Ensure all critical steps are performed in Tallyfy so that the audit trail fully captures regulated activities.
  • Periodically review audit logs per their SOPs, investigating any irregularities.
  • Export and retain audit data to satisfy inspections, and include audit trails in their compliance records.

Electronic Signatures

Under Part 11, electronic signatures must be unique to an individual, linked to records, include printed name, date/time, and meaning of signature (11.50, 11.70), and be executed under controlled access (11.100). Tallyfy supports this by:

  • Enforcing unique user accounts (no shared logins) and, if configured, requiring re-authentication at signature time.
  • Recording signature events—user identity, timestamp, and task meaning—directly on the record history and in exports.
  • Securely linking each signature to its record so it cannot be excised or reassigned.

Customers must:

  • Issue and manage user credentials so that each signer's account is unique and promptly disabled when no longer authorized.
  • Define signature meanings in formal procedures and require each user to consent that their e-signature is legally binding.
  • Submit required FDA certifications for electronic signature use, and retain signed agreements as part of their quality documentation.

Access Controls and Security

Part 11 mandates limiting system access to authorized individuals (11.10(d)) and protecting records (11.10(c)). Tallyfy provides:

  • Secure authentication (unique username/password or SSO) with configurable password policies and optional MFA.
  • Role-based permissions at the workflow level, enforcing least-privilege access.
  • Industry-standard cloud security, encryption in transit and at rest, and regular third-party audits.

Customers must:

  • Create accounts only for authorized personnel, assign appropriate roles, and deactivate accounts as needed.
  • Train users on credential security and prohibition of shared logins.
  • Conduct periodic access reviews and monitor for unusual login activity.

Record Export, Retention, and Retrieval

Part 11 requires the ability to produce accurate, complete copies of records in both human-readable and electronic form (11.10(b)), and protect records for the retention period (11.10(c)). Tallyfy enables:

  • Export to PDF of any process or blueprint in "read" mode, for physical or electronic distribution.
  • Export to CSV/JSON via API for vendor-agnostic data formats, supporting downstream archiving or integration.
  • Persistent data storage with regular backups; data remains intact and accessible unless the customer explicitly deletes it.
  • Time-synchronized timestamps (UTC) on all records and audit logs, with system clocks centrally managed.

Customers must:

  • Define retention periods per regulatory and business requirements and avoid premature deletion.
  • Export and archive records before contract termination or account closure.
  • Maintain access to archived data or an active Tallyfy account for the full retention period.

Procedural Controls and Training

Tallyfy supplies compliance-friendly features and documentation, but Part 11 compliance also requires procedural controls and personnel training. Tallyfy provides user manuals, help center articles, and support to configure workflows and security settings. Customers must:

  • Develop SOPs governing Tallyfy use in regulated processes, including deviation handling for system outages.
  • Train all users on both Tallyfy functionality and company-specific compliance procedures, with records of training completion.
  • Perform internal audits of Tallyfy use, verify adherence to SOPs, and manage corrective actions as needed.
  • Investigate and document any compliance incidents using Tallyfy's logs and report findings in their quality system.

Conclusion

Tallyfy provides the technical foundation for Part 11 compliance—secure infrastructure, audit trails, e-signatures, data export, and more—backed by SOC 2 Type II attestation. Customers retain ultimate responsibility for validating the platform for their intended use, configuring and using features correctly, implementing procedural controls, and maintaining comprehensive documentation and oversight. By fulfilling these shared responsibilities, Tallyfy and customers together achieve trustworthy, compliant electronic records and signatures.
