<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=489233&amp;fmt=gif">

Using SaaS solutions in GxP compliant industries


GxP-compliant Software as a Service (SaaS) term is becoming increasingly popular owing to its flexibility and ease of use. SaaS is a web-based service as it uses the internet to conveniently make software available for direct use to its clients. SaaS is also known by the name of “on-demand Software” as the clients can quickly register, and start using the software without going through lengthy installation processes. It provides many benefits to the biotech, healthcare, and pharmaceutical industries. Particularly, its ease and flexibility of use made SaaS a revolutionary method of delivering software to the end user.

To maximize the benefits of a SaaS platform and have a productive experience in a GxP-compliant environment, it is necessary to understand both its advantages and any challenges that could diminish its potential.  This article will help you to secure an optimal experience of SaaS by effectively managing the crucial aspects of GxP compliance as per 21 CFR Part 11, EU Annex 11, GDPR, PCI DSS, HIPAA, ISO, and other applicable regulations.


Infographic that shows the 9 ways a digital Quality Management System (QMS) can help you become GxP compliance | Scilife


Identifying the Right SaaS Provider for GxP Compliance

It is important to have a pre-decided metric to assess the SaaS provider’s suitability for GxP compliance. The careful evaluation process can minimize the post-implementation activities on your behalf. The important assessment metric should include:

GxP Compliant Cloud Infrastructure Support

Although there is no GxP guideline on the specifics of the cloud infrastructure, considering the nature of information being stored on the cloud, and your budget constraints, you can decide the key selection metric for the SaaS provider based on the cloud infrastructure they utilize. The metric can be defined in terms of your organization’s internal cloud policy.  For example, what type of cloud deployment option will be preferred in your organization? Whether it will be a private cloud deployment, public cloud deployment, hybrid deployment, or community deployment. It is always desirable to go with private cloud deployment to have the highest level of security control provided you have a supporting budget and in-house resources to manage the same.

GxP Compliant Software Development Lifecycle

The key metric should assess the SaaS provider's development process. The SaaS provider should adhere to good engineering practices, including a software development life cycle (SDLC) with appropriate controls for development and testing. Therefore, it may be worthwhile to know how the SaaS solution provider tackles the following aspects:

Physical and environmental security

Measures to safeguard the physical infrastructure and environment where the SaaS solution is hosted.

Logical security

Implementing safeguards and controls to protect the SaaS solution from unauthorized access and ensure data confidentiality.

System monitoring and maintenance

Regularly monitoring and maintaining the SaaS system to ensure optimal performance, identify potential issues, and apply necessary updates.

Data retention

Establishing policies and practices for the retention of data in compliance with regulatory requirements and business needs.

Data classification

Categorizing data based on its sensitivity and criticality to determine appropriate security measures and access controls.

Data access policy (ensuring data are not deleted or altered by the service provider without permission)

Implementing policies and controls to prevent unauthorized data deletion or alteration by the service provider.

Data protection and confidentiality

Implementing measures to protect the integrity and confidentiality of data stored and processed by the SaaS solution.

Software development

Adhering to proper software development practices, including coding standards, testing, and quality assurance, to ensure the reliability and security of the SaaS application.

Computer system validation

Conducting validation processes to ensure that the SaaS solution operates as intended and meets the required specifications.

Change management

Implementing processes and controls to manage changes to the SaaS solution, ensuring that modifications are properly evaluated, tested, and documented.

Incident management

Establishing procedures to promptly identify, report, and respond to security incidents or breaches that may occur in the SaaS environment.

Risk management

Assessing and mitigating risks associated with the SaaS solution, including identifying potential vulnerabilities and implementing controls to minimize threats.

Documentation management

Maintaining proper documentation of processes, procedures, and policies related to the SaaS solution to ensure clarity, consistency, and compliance.

Asset/inventory management

Keeping track of SaaS-related assets and inventory to ensure proper allocation, utilization, and control.

Training management

Providing training programs and resources to educate users and stakeholders on SaaS usage, security practices, and compliance requirements.

Data backup

Regularly backing up data stored in the SaaS solution to prevent data loss and facilitate recovery in case of emergencies or system failures.

Disaster recovery

Implementing strategies and plans to restore the SaaS solution and recover data in the event of a disaster or major disruption.

Business continuity

Developing and implementing measures to ensure uninterrupted SaaS services and minimal disruption to business operations in the face of adverse events.

Vendor management

Establishing processes and criteria to assess, select, and manage SaaS vendors, including monitoring their performance, compliance, and adherence to contractual obligations.


Infographic that shows the 6 phases of Software Development Life Cycle | Scilife


GxP Compliant Data Integrity and Record Management Support

For SaaS applications that handle GxP electronic records in accordance with 21 CFR Part 11 and EudraLex Volume 4 Chapter 4, the SaaS provider should be assessed for the necessary technical and procedural controls to ensure data integrity within the application. The SaaS provider should demonstrate how these control objectives are achieved through a combination of technical, procedural, and behavioral measures.

As data integrity responsibilities are shared between the SaaS provider and the regulated company, it is crucial to define the responsibilities of each party. These activities should be clearly specified in a roles and responsibilities table, covering all aspects of generating, processing, reviewing, reporting, archiving, and retrieving GxP data. This ensures data integrity is maintained at every step of the process.

The SaaS Provider should also be assessed for the required technical and procedural controls to uphold the data integrity requirements of the audit trail data. The primary purpose of an audit trail is to provide assurance regarding the integrity of electronic records. Therefore, an appropriately implemented audit trail should possess the following key characteristics:


The computer system generates audit trail entries when a user creates, modifies, or deletes an electronic record.


Audit trail data must be securely stored and not editable by users.


Each audit trail entry must have a timestamp based on a controlled clock that cannot be altered by users. The time should be based on either the central server time or local time, with clarity about the relevant time zone.


Record updates should not obscure previous values, and where regulations require, the reason for data changes and the person responsible for the change should be recorded.


The audit trail must be retained for the duration specified for storing the electronic record.


The audit trail must be accessible for review and copying purposes.


Access to Pre Production Environment for GxP Compliance

In cases where significant customer configuration of the SaaS application is required, the SaaS provider should grant users access to a pre-production environment for assessing changes, testing, and training. This allows them to assess the impact of upcoming changes, conduct regression testing, and provide training to users before these changes are implemented in the production environment. Key metrics and measures to consider include:

- Frequency of updates

- Time required to deploy updates

- Number of bugs discovered in new releases

- Duration of maintenance downtime


Service Level Agreements

In GxP-compliant industries, it is crucial to establish a Service Level Agreement (SLA) with your SaaS provider to guarantee the ongoing compliance, security, and protection of your system. The SLA functions as a legally binding document that enumerates the actions and commitments that the SaaS provider agrees to undertake in order to comply with the industry standards and quality requirements deemed important by the regulated company. The regulated company is responsible for verifying that the SaaS provider can meet the quality requirements, and both parties must reach a consensus on the responsibilities for fulfilling these requirements. To ensure optimal service quality, the SLA should address the following aspects to clarify the deliverables expected from the SaaS provider:

  • The SLA should provide details on whether the SaaS solution comes prevalidated from the vendor.

  • The SLA should provide details on environments, release processes, and metrics to ensure transparency and effective management of updates.

  • The SLA should specify the types of environments accessible to users and provide clear information about the release process including:

    • Agreed Upon release frequency.

    • Publication and extent of release notes.

    • Impact assessments that identify the key features/functions updated in the system.

    • Time allocated for the regulated company to evaluate, test, and train on upcoming features/functionality in a pre-production environment before releasing them to the production environment.
  • Prior notice of scheduled maintenance downtime should be provided by the SaaS provider.

  • The SaaS provider should give a notice of 45-60 days before a Major/Medium release in the Production environment, following the completion of validation in the validation environment. This allows regulated organizations to conduct testing and validation of the new version of the cloud solution before it is released to the "Production" environment.

  • Customer support should be available 24 hours a day, 7 days a week.

  • The supplier must ensure backup, restore, and disaster recovery mechanisms for data.

  • Data transfer and access should comply with GDPR and other relevant local regulatory requirements.

  • Data should be removed upon termination of the contract.

  • The supplier should adhere to confidentiality obligations, data protection measures, and subcontracting policies, and be open to audits.

If there are any shared dependencies, the SLA should explicitly specify the shared dependencies.


Validating Prevalidated SaaS Solutions

When utilizing validated Software as a Service (SaaS) solutions in the cloud, it is essential to adopt a risk-based approach. These solutions are commonly known as prevalidated SaaS. Organizations have the flexibility to implement a minimum validation approach for prevalidated SaaS based on their internal business processes and the regulatory requirements they must adhere to. The table below outlines the suggested validation steps that should be undertaken when utilizing prevalidated SaaS either in its original form (GAMP category 3) or with additional modifications to workflows and configurations (GAMP category 4).




Initiate change request for process transition from manual to SaaS with reason, impact, and risk assessment.

Applicable Applicable

Document and Perform:

  • Validation plan
  • Configuration specification
  • User Acceptance Test (UAT) plan
  • Create UAT scripts
  • Execute UAT scripts
  • Prepare UAT summary report
Not Applicable Applicable 

Create an approved version of Standard Operating Procedures, and Work Instructions as per your business process needs.

Applicable  Applicable 

User training

Applicable  Applicable 

Go live in a production environment

Applicable Applicable

Close Change Request

Applicable Applicable



By careful selection of SaaS solution providers, defining acceptable deliverables in service level agreements, and maintaining the system in a validated state with the help of GAMP guidelines, GxP industries can secure an optimal experience with the SaaS solutions. Collaboration with SaaS solution providers, defining performance metrics, and appropriate investment in the infrastructure are key to successfully using SaaS Solutions while maintaining compliance and data integrity. With the right approach and partnerships, GxP industries can embrace SaaS as a transformative tool that drives innovation and enhances their future success.


Overall, SaaS is very convenient and always promises cutting-edge technology. Understanding how best to use it is the most efficient way to optimize your experience.

Discover how Scilife's Smart QMS is offered effectively as a GxP Software Platform