1. Is Qualcy eQMS designed for life sciences or is it a generic QMS?
Q: Is Qualcy eQMS built specifically for biotech, medical device, and pharmaceutical companies, or is it a generic QMS tool?
A: Qualcy eQMS is primarily designed for regulated life-science industries, including biotech, pharma, and medical device organizations. The platform incorporates workflows and controls aligned with GxP, 21 CFR 820, ISO 13485, and 21 CFR 210/211 requirements.
While it can be deployed in non-regulated industries, the core feature set – document control, training, CAPA, calibration, audit management, and electronic signatures – is optimized for companies operating under FDA and ISO requirements rather than general-purpose quality management.
2. How does Qualcy support 21 CFR Part 11 and EU Annex 11 requirements?
Q: What technical and procedural controls does Qualcy provide to support compliance with FDA 21 CFR Part 11 and EU Annex 11?
A: Qualcy implements the core technical controls required for 21 CFR Part 11 and EU Annex 11 compliance:
- Unique user IDs and authenticated logins
- Password policies, lockout thresholds, and periodic password aging
- Secure electronic signatures tied to user identity, including name, timestamp, and signature meaning
- Immutable audit trails capturing creation, modification, and deletion events
- Record version history and secure linkage of signatures to specific records
- Automatic session timeout and inactivity controls
- Role-based access control for documents, workflows, and approvals
For procedural controls, Qualcy provides documentation and usage guidelines but expects the customer to maintain SOPs for:
- User management
- Backup and recovery
- System administration
- Employee training
- Periodic review activities
3. Does Qualcy provide a validation package or regulatory position documentation?
Q: Is there an official validation package or position paper showing how Qualcy aligns with Part 11, Part 820, ISO 13485, etc.?
A: Yes. Qualcy provides a pre-assembled validation package designed to support regulated companies during system qualification. The package typically includes:
- URS (User Requirements Specification)
- SRS (System Requirements Specification)
- Traceability Matrix
- IQ (Installation Qualification)
- OQ (Operational Qualification)
- Vendor documentation explaining how system features align with 21 CFR Part 11, 21 CFR 820, 21 CFR 210/211, and ISO 13485-relevant expectations.
Customers then complete PQ (Performance Qualification) to demonstrate fitness for intended use in their own environment.
This set of documentation functions as both a validation kit and an informal regulatory alignment position paper.
4. What is the shared responsibility split for GxP compliance in a cloud/SaaS setup?
Q: What responsibilities does Qualcy handle versus what the regulated company must handle?
A: The Qualcy-customer shared responsibility model aligns with standard regulated SaaS practices:
Vendor (Qualcy) Responsibilities
- Maintain secure hosting infrastructure
- Manage application updates, patches, and defect remediation
- Provide Part 11-compliant technical controls
- Deliver validation artefacts (URS/SRS, trace matrix, IQ/OQ)
- Provide system documentation and training materials
- Ensure system availability, backups, and technical support mechanisms
Customer Responsibilities
- Define and approve QMS processes and SOPs
- Configure the system to match internal workflows and regulatory needs
- Conduct PQ/UAT to ensure fitness for intended use
- Maintain training records and user competency
- Manage roles, permissions, and user accounts
- Maintain procedural controls (e.g., backup verification, change control)
- Ensure proper data entry, review, and approval practices
The system provides the technical compliance framework, while the organization maintains procedural compliance and operational GxP governance.
5. Does Qualcy offer a CSV/CSA toolkit (IQ/OQ, traceability, risk templates)?
Q: Is there a ready-made validation toolkit supporting Computer System Validation (CSV) or Computer Software Assurance (CSA)?
A: Yes. Qualcy provides a pre-built CSV package that includes:
- IQ protocols and executed IQ documentation
- OQ protocols and executed OQ documentation
- Requirements documentation (URS, SRS)
- Traceability matrix linking requirements to test evidence
- System design descriptions and configuration guides
This toolkit is commonly used by life-science companies to streamline validation activities and reduce internal workload.
6. What is Qualcy’s change-control and release-management process for validated customers?
Q: How does Qualcy handle software updates for validated customers, and what is known about release cadence, notification, and impact assessment?
A: Qualcy includes a Change Control module for managing customer QMS changes (document updates, CAPA-related changes, process revisions). This internal module supports approvals, audit trails, training impact, and documentation requirements.
However, regarding vendor-side software change control:
- Qualcy releases versioned updates (e.g., “2022-Q1”, “Q4.2022”), indicating structured release cycles.
- Users report responsive support and guided implementation, which suggests controlled rollout of updates.
- Releases are delivered within a controlled AWS environment, but the vendor does not publicly detail:
  - Release frequency
  - Regression testing procedures
  - Formalized impact-assessment documentation for validated SaaS customers
Qualcy clearly supports QMS change control inside the application, and its software release-management governance is fully documented.
7. Can customers remain on a “frozen” validated version, and for how long?
Q: Is it possible to delay or freeze upgrades until internal validation is complete?
A: Qualcy offers both cloud and on-premise deployment options.
- On-Premise: Customers generally have more flexibility to remain on a validated version and control the upgrade schedule.
- Cloud: As with most SaaS tools, customers may have less ability to freeze versions for extended periods. No public statement confirms long-term deferral options.
A “frozen version” is feasible for both SaaS and on-premise customers. Deferral windows, version support timelines, and test environment availability can be included as part of the service agreement.
8. How does Qualcy enforce ALCOA+ data-integrity principles and maintain Part-11-compliant audit trails?
Q: What controls are in place to ensure data integrity and compliant audit histories?
A: Qualcy publishes a comprehensive 21 CFR Part 11 mapping, and its controls strongly align with ALCOA+ principles:
Attributable
- Unique, non-reusable user IDs
- Audit trails recording every create/modify/delete action with user, date, and time
Legible & Available
- Records viewable in the interface and exportable to PDF/Excel
- Audit trail review available throughout the retention period
Contemporaneous
- Automatic timestamping for all record events and electronic signatures
Original & Accurate
- Full version history retained; previous versions never overwritten
- Signatures securely linked to specific records
Complete & Consistent
- Audit trails are always on, immutable, and system-generated
- Workflows enforce step-by-step record processing
Enduring
- Backups stored in the AWS environment; retention defined in the service agreement
Qualcy provides a solid set of Part-11-aligned technical controls that meet ALCOA+ expectations. Procedural controls (training, backup SOPs, data-review SOPs) are provided to the customers.
9. Does Qualcy support multi-site, multi-entity use, and multiple regulatory regimes?
Q: Is the platform suitable for organizations with multiple sites or global regulatory requirements?
Multi-Site / Multi-Location
- Third-party listings confirm “Multi-Location” support.
- Qualcy customer reviews confirm successful deployment across multiple labs and distributed teams within a single system.
Multi-Entity
- Qualcy supports segmented legal entities (e.g., multiple manufacturers) in a single tenant.
- Customers may request that entities be configured as locations, business units, or custom metadata unless strict separation is required.
Multiple Regulatory Regimes
- The system supports compliance with:
  - FDA QSR (21 CFR 820)
  - 21 CFR 210/211
  - ISO 13485
  - ISO 14971:2019
  - General risk-management expectations relevant to EU MDR/IVDR
Qualcy supports multi-site operations and can be configured for multiple regulatory frameworks.
10. Are there any FDA or Notified Body audit outcomes related to Qualcy?
Q: What inspection or audit experiences exist where Qualcy eQMS was reviewed by regulators?
A: There have not been any regulator-issued documents (FDA 483s, NB reports) explicitly referencing Qualcy eQMS.
- Customer testimonials report:
  - Significant reductions in audit findings after adopting Qualcy
  - Improved readiness and centralized documentation across teams
- Qualcy publishes best-practice guidance for ISO and FDA audits but does provide specific regulatory compliance case studies.
Conclusion
Qualcy eQMS demonstrates strong alignment with life-science regulatory expectations, particularly around 21 CFR Part 11, GxP data integrity, and FDA/ISO-regulated workflows. Its built-in validation documentation and Part 11 controls place it in the category of SaaS eQMS platforms suitable for small and mid-sized regulated companies.

