When outsourcing electronic services (e.g., data management services, cloud computing services), sponsors and other regulated entities are ultimately responsible for ensuring that all regulatory requirements are met. As such, sponsors and other regulated entities need to ensure:
the authenticity, reliability and security of any data used to support a marketing application for a medicinal product.
that regulated records and data are available to FDA during an investigation or an inspection.
that outsourced electronic services are validated when appropriate – documentation of SOPs and results for validation testing should be obtained from the outsourced electronic service vendor.
Sponsors and other regulated entities should form service agreements with any outsourced electronic service vendor, but before entering into such an agreement, the sponsor or other regulated entity should evaluate and select an electronic service vendor based on their ability to meet part 11 requirements and data security safeguards.
Sponsors and other regulated entities should be able to provide the following information to the FDA upon request at each of their regulated facilities that utilize outsourced electronic services:
Specified requirements of the outsourced electronic service
A service agreement defining what is expected from the electronic service vendor
Procedures for the electronic service vendor to notify the sponsor or other regulated entity of changes and incidents with the service.