Back to Blog

What every creative team should know about FDA 21 CFR Part 11 compliance

7 min read
Katie Oberthaler

A full 78% of creative teams must meet some type of compliance requirement in the production of creative and marketing content. Demonstrating control over the process of reviewing and approving creative content is just as important as ensuring the claims and information within that content are accurate.

One example is Title 21, Part 11 of the Food and Drug Administration’s Code of Federal Regulations (FDA 21 CFR Part 11). This regulation sets the ground rules for the technology systems that manage information produced and used by companies subject to the Food and Drug Administration's (FDA) oversight. 

Specifically, this regulation outlines the requirements that companies must follow to ensure their electronic records and signatures are trustworthy, reliable, and equivalent substitutes for paper records and handwritten signatures.

Taking a step back, this goes far beyond simply putting the stamp of approval on a document at the end of a review process. The FDA’s guidelines require an organization to unpack what it means to ensure that the signatures can be trusted and to show that they have underlying processes and records in place that can be audited later on if needed–including for creative content. 

What we'll cover

What is the FDA’s 21 CFR Part 11?

Title 211 of the Code of Federal Regulations establishes the United States Food and Drug Administration (FDA) requirements on electronic records and electronic signatures. 

FDA’s 21 CFR Part 11 requirement obligates companies to prove that their digital records  and electronic signatures are trustworthy, reliable, and equivalent to paper records.

This includes proving that your team can:

  • Generate accurate and complete copies of records in both human readable and electronic form.
  • Demonstrate that any electronic signatures match the security and integrity of physical signatures.
  • Validate that systems for electronic signatures are accurate, reliable, and consistent
  • Properly protect records for accuracy and ensure records are readily retrievable throughout the records retention period.
  • Prove the use of secure, computer-generated, time-stamped audit trails that record the date and time actions that create, modify, or delete electronic records. 
  • Demonstrate that only authorized individuals can use the record system, electronically sign a record and alter records.

This regulation applies to all industries regulated by the FDA, including: 

  • Healthcare and healthcare marketing
  • Medical devices manufacturers
  • Food and beverage
  • Pharmaceuticals
  • Dietary supplements 
  • Cosmetics

How does FDA 21 CFR Part II affect creative teams? 

If your business is subject to FDA oversight, creative assets can be considered records under these compliance requirements. As such, creative teams must demonstrate that appropriate protocols are used to create, share, modify, approve, and store creative assets. 

In short, creative teams must prove that the integrity of creative files created for product branding and marketing also adhere to the FDA’s digital record keeping requirements. 

Creative assets that are affected by this regulations include materials like:

  • Product descriptions
  • Marketing materials
  • Product labeling and packaging
  • Medical inserts
  • Booklets
  • Medical device designs
  • Website copy

For creative teams, this adds another layer of process and oversight onto the already complex creative workflow. It’s not enough to just ensure that information within these assets adheres to regulatory requirements–the methods and technologies by which your team (and those throughout your business) create, modify, and work with those creative assets are also subject to these regulations. 

How Ziflow helps creative teams comply with FDA 21 CFR Part 11 

When it comes to creative work that includes multiple versions and file formats, keeping track of records properly while also producing great creative can quickly become burdensome for marketing and design teams. 

Implementing a compliant recordkeeping process as part of your team’s creative workflow is a must-have to prove that due diligence was followed throughout content creation and management. 

Ziflow simplifies the process of compliance review and enforcing compliance standards within the creative process. Here’s how:

Apply and enforce electronic signatures on approval decisions for creative assets

We recently launched an electronic signatures capability within Ziflow, which enables creative teams to stipulate that review and approval decisions on assets must require an electronic signature. Electronic signatures form the cornerstone of compliance for industries regulated by FDA’s 21 CFR part 11 requirement.

Within Ziflow, electronic signatures are certified to be the same as handwritten signatures. Plus, electronic signatures in Ziflow cannot be transferred or copied between documents, ensuring the validity of approval signatures.

Use document controls and audit trails to monitors changes and discern invalid or altered records

The FDA also requires that companies have a defined process for retaining signed records, as well as documented (and auditable) access permissions for those records. 

Once approvals have been made on the creative asset with electronic signatures, the signed record and its audit trail can be retrieved in Ziflow by authorized users. 

These signed records can be retrieved for external retention. Proofs can be exported to PDF including a log of comments, when decisions on a proof were made, and verification that those decisions were e-signed. 

Even better, this audit trail is automatically logged, enforced and retrieved–no manual tracking required for busy creative teams to hunt down who changed and accessed content, and when.

Use document controls and audit trails to monitors changes and discern invalid or altered records

Limit access to electronic records to authorized individuals and ensure the integrity user credentials

The FDA also stipulates that companies must have a compliant process for user management, and in particular, can enforce rules around who may sign documents.

Ziflow maintains internal controls, user processing controls, and security controls to ensure that only authorized users with relevant permissions are able to inspect, review, and copy electronic records.

A core capability within Ziflow is rights and role management. Only authorized users can access and engage with creative assets within the system. Furthermore, Ziflow provides administrator controls over the account, registration authentication and permissions, allowing them to manage which downstream capabilities are allowed by team members. 

Lastly, Ziflow can be configured so all electronic signers need to provide valid credentials (email address and password) before accessing a document for signature. Creative teams can rest assured that there are no security cracks in the way creatives and reviewers collaborate on creative assets and their records.

A creative review system demonstrates accuracy, reliability, and consistency

Creative teams must also show validation of systems to ensure accuracy, reliability and consistency.

Ziflow offers SOC 2 certification by an accredited auditing organization. SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy. 

Ziflow is also hosted by Amazon Web Services. Amazon employs a robust physical security program with multiple certifications, including SOC 1 and 2. 

Enforce FDA compliance of your creative assets

Busy creative teams occupied with shipping large volumes of content pieces out the door don’t always have the time to pause and evaluate if their processes remain compliant or if their marketing tools meet the specifications.

Complying with FDA’s CFR Part 11 requires creative teams to implement and perform rigorous diligence over their records and technology systems. Ziflow meets these standards with built-in compliance controls for your creative content and creative processes.

Related posts

(function (c, p, d, u, id, i) { id = ''; // Optional Custom ID for user in your system u = '' + c + '.js?p=' + encodeURI(p) + '&e=' + id; i = document.createElement('script'); i.type = 'application/javascript'; i.defer = true; i.src = u; d.getElementsByTagName('head')[0].appendChild(i); }("4187", document.location.href, document));
setTimeout(function(){ window.intercomSettings = { api_base: "", app_id: "i94medbe" }; }, 10); setTimeout(function(){ // We pre-filled your app ID in the widget URL: '' (function(){var w=window;var ic=w.Intercom;if(typeof ic==="function"){ic('reattach_activator');ic('update',w.intercomSettings);}else{var d=document;var i=function(){i.c(arguments);};i.q=[];i.c=function(args){i.q.push(args);};w.Intercom=i;var l=function(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);};if(document.readyState==='complete'){l();}else if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}}})(); }, 10);