HIPAA and CFR21 Part 11

How Pacta's Business tier covers the healthcare (HIPAA) and FDA-regulated (CFR21 Part 11) workflows — what's in the box, what's on you, and how to enable each.

Last updated May 12, 2026

If you operate in healthcare or work with FDA-regulated processes, your signing platform has to meet a specific bar. Pacta’s Business tier and above ship the flags + audit infrastructure to meet HIPAA and CFR21 Part 11 when configured correctly.

This article explains what each regulation requires, what Pacta does automatically, and what’s still your responsibility.

CFR21 Part 11 — FDA-regulated workflows

21 CFR Part 11 is the FDA’s electronic records / electronic signatures regulation. It applies to:

  • Pharmaceutical clinical trials
  • Medical device manufacturing
  • Drug safety reporting
  • Tobacco regulation submissions
  • Any electronic record submitted to the FDA in lieu of paper

The regulation has two big requirements:

1. Electronic Records (§ 11.10)

“Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record.”

What Pacta does:

  • Authenticity: every signature is bound to a verified email identity, the signer’s IP address and user agent, and a timestamp from an independent TSA (time-stamping authority)
  • Integrity: the CAdES envelope detects any post-signing modification of the document
  • Confidentiality: documents are stored encrypted at rest (AES-256), sent over TLS in transit, and access is restricted to authenticated org members
  • Non-repudiation: the signed PDF carries an immutable embedded audit certificate; a signer cannot claim “that wasn’t me” without refuting the IP/timestamp/email-chain evidence

What’s on you:

  • Document validation (§ 11.10(a)) — you validate that your contract content + workflow meets your SOP requirements
  • Limiting system access to authorized individuals — you control who has Pacta accounts in your org
  • Authority checks — you decide which roles can send/sign
  • Training (§ 11.10(i)) — your team must be trained on the SOPs

2. Electronic Signatures (§ 11.50, § 11.70, § 11.100, § 11.200)

“Electronic signatures shall employ at least two distinct identification components such as an identification code and password.”

What Pacta does on the Business tier with the CFR21 flag enabled:

  • Two-factor signing — signers must provide both their identity (login or signing link) AND a secondary factor (email-delivered code, optionally TOTP) before applying a signature
  • Signature manifestation (§ 11.50) — the printed/displayed PDF shows the signer’s full name, date+time of execution, and the meaning of the signature (e.g., “Approved by:”, “Reviewed by:”)
  • Signature linking (§ 11.70) — the signature is cryptographically bound to the document such that it cannot be transferred to another record. The CAdES envelope hash-binds the signature to the document bytes.
  • Audit log (§ 11.10(e)) — every action (view, field change, signature, recipient activity) is timestamped, attributed, immutable, and embedded in the final PDF

Enabling CFR21 on Pacta

  1. Be on the Business tier (or Enterprise)
  2. Settings → Compliance → toggle CFR21 Part 11
  3. Confirm 2FA is enabled for all signers in your org’s authentication policy
  4. Document your SOPs referencing Pacta’s behavior (template provided on request via hello@pacta.ink)

The FDA does not pre-certify e-signature platforms; Part 11 compliance is the responsibility of the regulated entity (you). Pacta provides the technical controls + audit trail; your QA team adopts them into your validated systems.

HIPAA — Healthcare workflows

HIPAA (Health Insurance Portability and Accountability Act) applies when Pacta is used to send documents containing Protected Health Information (PHI) — patient consents, treatment authorizations, business associate agreements, etc.

HIPAA requires:

  • A Business Associate Agreement (BAA) with any service provider handling PHI
  • Administrative, physical, and technical safeguards under the HIPAA Security Rule
  • Breach notification procedures
  • Minimum-necessary access controls

What Pacta does

With the HIPAA flag enabled on Business / Enterprise:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls — only org members with explicit document permissions can view; everything else is denied by default
  • Audit logs — full record of who viewed what, when, from where; exportable for breach investigations
  • Automated session timeouts for in-app users
  • Document retention controls — set per-document or per-template expiration; Pacta hard-deletes after the configured period
  • Encrypted backups with same controls as the primary store

What’s required from you

To use Pacta for PHI workflows, you need a signed Business Associate Agreement (BAA) from us. Request one via hello@pacta.ink — we have a standard BAA template that covers Pacta’s responsibilities under the HIPAA Security Rule. Sign it once; it covers all your PHI workflows.

You’re responsible for:

  • Not putting PHI in document titles (titles are not encrypted at the database level — only document content is encrypted; we recommend generic titles like “Patient consent — case 2026-XXX”)
  • Training your staff to recognize what constitutes PHI
  • Following the minimum-necessary principle (don’t send PHI to recipients who don’t need it)
  • Implementing the rest of your HIPAA program (Pacta covers our service; the broader program is yours)

Enabling HIPAA on Pacta

  1. Be on the Business tier (or Enterprise)
  2. Sign the BAA (we send it from hello@pacta.ink after request)
  3. Settings → Compliance → toggle HIPAA mode
  4. Confirm encryption + retention controls are configured to your workflow’s needs

The HIPAA flag enforces additional defaults: the option to extend session timeouts is disabled, audit log retention is increased to 6 years (the HIPAA-required minimum), and 2FA is required for all org admins.

GDPR

For completeness — Pacta is GDPR-aligned by default on every tier:

  • Lawful basis — we process data on the basis of legitimate interest (running the signing service) + contract (where the customer is in the EU)
  • Right to erasure — customers can delete their account and all associated documents at any time (subject to legal hold for signed contracts where the customer is a signatory)
  • Data minimization — we only collect signer email, signature, and audit metadata; no marketing trackers, no third-party analytics in the signing flow
  • Right to access — full export available from Settings → Data Export
  • Sub-processors — disclosed at pacta.ink/security
  • Data residency — EU customers can request EU-only storage (Enterprise) via hello@pacta.ink

SOC 2

SOC 2 Type II is in progress. Target completion Q4 2026. Until then, security customers can review:

If your procurement process requires SOC 2 today, contact us — we can sometimes accept compensating controls (vendor risk questionnaire + security review of the public codebase) while the formal audit is in progress.

Where to go next

Have a question this doc didn't answer? Email us and we'll fix it.