Can SharePoint Online be Compliant?


SharePoint is an off-the-shelf configurable software solution that has been offered by Microsoft since 2001. It is popular in many industries (including Biotech, Pharmaceutical, and Medical Device) for document management, local Intranet, and many other applications. However, if SharePoint is being used for any GxP purpose, you better believe it is subject to 21CFR11 and/or Annex 11.

In 2012, Microsoft published its own whitepaper entitled “SharePoint Configuration Guidance for 21 CFR Part 11 Compliance,” available here. The whitepaper covers technical configuration details for “on-premise” SharePoint deployments and implies that with such configurations there is low risk of non-compliance.

But the world of software is moving to the cloud for ease of deployment and maintenance, lower cost, and increased redundancy and security, among other factors. Can SharePoint Online (in the cloud) be compliant with 21CFR11/Annex 11 as well?

I asked around and found that some people say cloud solutions absolutely cannot be compliant. I also found people that say cloud solutions can be compliant. The answer seems to correlate with what they’re selling. Of course, compliance is never binary, black or white, but shades of grey, levels of risk. In my opinion, the biggest compliance challenges for cloud solutions, including SharePoint Online, are:

  1. No Supplier Audit – Your QA department is not going to be able to go to Microsoft for a vendor audit.
  2. No Personalized SLA – Microsoft is not going to provide any personalized service or service-level agreement (SLA).
  3. No Hardware IQ – As is the nature of the cloud, you’re not going to know what specific hardware your application is running on.
  4. Changes Outside QA Control – Changes are going to be rolled out without warning, and certainly without any opportunity for prior QA review/approval.

To address these concerns:

  1. Microsoft undergoes independent third-party audits. Details here.
  2. Microsoft offers a standard SLA. The latest is here: OnlineSvcsConsolidatedSLA(WW)(English)(April2016)(cr).
  3. Microsoft has proposed a “qualify a platform once” approach, detailed here.
  4. Microsoft has its own internal change management system, as documented in their audit reports, but evaluation of changes will have to be performed retrospectively by the organization for impact to their specific needs, and mitigation plans will have to be in place to resolve any impact.

Cloud computing is still new, and that alone brings inherent risk. As with any validation/qualification effort, each case is unique, and compliance risks must be identified and mitigated on a case-by-case basis. I will note that, as of this writing, a search of the FDA Warning Letter database for the string “SharePoint” returned only one result. A medical device company was explicitly cited for not validating their SharePoint implementation used in a Quality System. The letter is viewable here. There are no warning letters that explicitly cite the use of a “non-validated” cloud environment. Yet?

Like this MWV (Mike Williamson Validation) blog post? Be sure to like, share, and subscribe!

9 thoughts on “Can SharePoint Online be Compliant?”

  1. Really enjoyed reading your thoughts on this. I have been trying to think through this a bit myself. I see a lot of knee jerk “SharePoint isn’t validated” comments thrown around, but mostly from people that seem not to understand what either of those terms really mean. Have you seen anything since this that would lead you to believe the compliance story around deploying solutions on cloud/SaaS platforms is improving?

  2. Thanks for the comment! I have not seen a GxP rollout of a cloud or SaaS solution yet, but I’m going to be pushing SharePoint Online in a GxP environment shortly, so stay tuned.

    1. Hi Mike, I’m about to roll out a GxP solution (clinical data) based on SharePoint Online. Any news following your above post?
      Anybody around had a client audit challenging the use of SP Online as a CFR Part 11 compliant solution?

  3. I’m on the same journey this year as you Mike; I’m pushing forward on leveraging SPO as a qualified system to exchange clinical data with our external parties.

    1. Hi KJohn, would it be possible to exchange a few thoughts offline? (See my answer, or rather question, to Mike’s post.)

  4. Hi Mike, what’s the latest with SharePoint compliance? I am a supporter of a 501(c)(3) non-profit research and educational organisation and I wonder if they are at risk? I would like to advise them on this as I am a great advocate for their work. Thank you.
