Understanding the Digital Signature Lawfulness for Life Sciences in Canada

How to eSign a document: digital signature lawfulness for Life Sciences in Canada

good morning or good afternoon ladies and gentlemen depending where you are joining us from and welcome to today's presentation my name is Zach Talis from The Business review and I will be your moderator for uh this presentation today it's my pleasure to have with us today ARX who will be discussing clearing the fog digital signatures in life sciences uh our guest speaker for today is rod schlurf rod is the FDA markets manager at ARX um I'd just like to remind uh the audience that you can submit questions using the questions tool at the top right hand corner of your screen and you can do this throughout the whole presentation as and when you think of any questions or if you have any thoughts that you would like to get across to rod and we'll allocate around 10 to 15 minutes to um address any questions or thoughts so um without further Ado um I would just like to hand over to uh Rod so Rod if you just like to click on your screen you should now have control okay thanks Zach and uh thanks to the attendees uh to today's webinar as Zach mentioned uh we're going to talk about digital signatures and some of the confusion and fud that's in the marketplace um over the next hour um little disclosure here um as Zach mentioned I do work for a digital signature vendor ARX however the intention is not to talk about my company's product instead I'm talking about the use of digital signatures um throughout the industry uh but first a little background on ARX and The credibility that we have to talk about digital signatures so we are the world's largest supplier of standard digital signatures and it will Define digital signatures and the standard shortly um in fact our market share is such that uh we have more organization using our cosign product than and all alternative Solutions combined um as an organization we focused on bringing solutions to both government as well as highly regulated uh security-minded Industries including Life Sciences which is the top Market that we serve um as you would guess as a leader in the marketplace uh we have a lot of very large pharmaceutical medical device clinical research organizations as well as Government entities including US Health and Human Services using our product in fact it's estimated that we have approximately 90% of all digital signature deployments in the Life Sciences industry okay enough about ARX what are we going to discuss today uh first we'll we'll talk a little bit about uh what a digital signature is and why it's important to this audience today and we'll talk about its relevance in certain applications within the life sciences industry the the heart of the discussion today however is talking about some of the components some of the attributes of a potential digital signature vendor and technology that you might be considering uh for your own operations um as Zach mentioned There's an opportunity for questions and answers and submit your questions on the on the questions tab on the right hand hand side well thanks and let's go ahead and get started so uh you know clearing the fog there is a lot of fog there is a lot of misunderstanding in the marketplace about what digital signatures are and uh where digital signatures are being used uh and the term digital signatures is very well defined but there's a lot of confusion um in people claiming things are digital signatures when really they're just electronic signatures and we'll talk about that today so before we get started I just want to kind of pull the audience to understand um current usage of uh signature technology perfect thank you very much for that Rod so yes uh ladies and gentlemen as Rod said we'd like to Kickstart things uh with a poll question so your screen should turn blue with the following question uh what signature tools are you currently using today in your business uh now there are five options there paper and Pen electronic signatures digital signatures uh you don't know or multiple Solutions so we'll give you around uh 45 seconds to cast your vote and in in the meantime time Rod um I'd just like to ask for a comment um as to why you ask this particular question well Zach one thing I'm trying to do is just Benchmark the audience and see their understanding and Technology usage today I'm also interested in as we do these webinars every six to 12 months to see the the changes in the percentages as people start using electronic and digital signatures more often excellent excellent thank you very much that so um I'm just going to go ahead and close the uh the the poll there and I'm going to go ahead and share those results so uh just over 80% of our audience today actually uh put a vote in and um again uh Rod are those um results um surprising or any different um from last time I I guess uh not too much there Zach it's not a surprise that uh an audience attending this webinar today wants to learn more about digital signatures likely because they're uh they're using them today or they're not sure if they're using them today um so this um this is actually good and we have a lot of informative information for the um the people just learning about digital signatures excellent excellent great so I'm just going to go ahead and hide the results from the audience and yourself and if You' just like to continue on um and um yeah okay terrific thanks so um first of all let's let's define digital signatures um a typical process of how digital signatures are applied and what this means what's the benefit of using digital signatures uh for those of the audience that are not aware a digital signature is a term that we use to describe a standard form of electronic signature um in the layman's terms we we call this a digital signature um these are well-defined standards they've been around for quite some time um in the US where I reside uh the National Institutes for standards and technology is the main standards bodies that publishes and maintains the digital signature standard but other countries other jurisdictions other industry bodies also adopt the same digital signature standard um we're not going to see a demo of a document being digitally signed today so I just kind of want to walk through a typical process of a document being signed and then what happens after it's signed so someone wants to sign a document it's an Office document it's a PDF it's an HTML form whatever it's available from their PC or maybe it's a document they have access to through a web browser um in the market that uh we compete in in the Life Sciences industry there's considerations about 21 CFR part 11 but also just industry best practices and this dictates that every time someone wants to sign a document they're forced to authenticate typically with a username and password as well as enter a reason code now once these two items are um entered with within a fraction of a second the document is signed and what that means is that the contents of that document are calculated as a mathematical equivalency we call that a document hash which is then sent to a secure signing environment typically a blackbox server available on the network and This Server contains a couple of critical items one is a unique digital signature key used to sign this document contents the second item is a digital certificate which is a digital identity card for the signer which is embedded with the signature in the document and then the signer is also given the option to include any graphical images such as a handwritten signature when they manifest their signature within that document so um these three items are embedded back into the document and the result is a uh digitally signed electronic record now one other comment here is that uh most digital signature Technologies today for Enterprise use by employees the technology is integrated with the user directory structure of that organization this is the network access controls that we all do when we log in the morning to our PC we're actually logging into to our Network through ldap or active directory and with this integration we're talking about uh medium or in most cases High Assurance digital identities because the user directory structure is tied back to the business processes you have and onboarding a new employee um and controlling them and network access throughout the organization as opposed to digital signature systems that don't have this integration we're talking about very low or no uh confidence in the digital identities um so we've just signed a document and and what does it look like when someone receives this signed document and wants to take a look at the information well for every signature that's embedded in any of these file formats there's Vis visible information this typically includes information like the name email address job title reason code it also includes the time date stamp when the signature was applied if this user's chosen to um display their graphical signature you'll also see their um their signature embedded and then the applications that are being signed that support digital signatures will tell you whether you should trust not trust or have questionable trust over any particular signature contained within that electronic record now digital signatures are Active Components embedded within these files so if I click on any one of the signatures I start to reveal additional metadata and this is the three eyes of digital signatures the first ey being more information about the identity of the signer in this case I've also included the email address the signer I can drill down and take a look at this digital certificate this ID card see who issued it why I'm trusting this identity how long the identity is valid for and other information again more information about the intent including the reason code and the time date stamp when the signature was applied and then the Integrity so information about any changes uh that might have taken place to the document after any particular signature was applied so as you can see we're not just replacing uh pen on paper we're actually adding additional security into any signature dependent business process um what this means is that anyone receiving the digitally signed electronic record can immediately Trust and verify the signatures contained within so it's not just the signer himself or any employee within the organization that the signer came from but any outside party that you're securely exchanging documentation with or doing electronic submissions to can immediately uh verify these signed documents and this is all done independent of the vendor or the technology used it's done independent of the signer and the signer's organization that created the signature so you're really creating sustainable electronic records that can be verified over time um how is this trust established um this is a core concept of digital signatures basically any party that's receiving digitally signed electronic records simply needs to do a one-time trust ceremony of the organization from which that signer came from and this is uh the best practice in the common practice there's a couple of different trust models being used in the industry by and large the largest trust model most common trust model is what's known as controlled trust and this is this one-time trust ceremony so if I expect to be uh a cro I expect to be receiving lots of signed documents from a sponsor I go ahead and download and distribute the public identity of that sponsor to all of my employees and then from that point forward any document I receive from that sponsor will be automatically trusted and verified there are other models um a few years ago people talked about web trust and uh these are are different trust models put forward largely by Microsoft and Adobe um they're less common they're not Universal the Microsoft trust model generally isn't supported by Adobe and vice versa um and they haven't uh taken off much either um another thing would be a membership based um trust Network um and this concept came up about a decade ago from a organization called safe biopharma where they put forward the concept that if you became a member of of their nonprofit organization then you could automatically trust and verify sign documents from any other member um this is very much a conceptual solution it's not widely used in fact the usage has been diminished over the past few years um it's also a common practice in some countries in Europe um to some degree Within government applications um before we talk about the uh the common components of digital signatures I want to talk about where digital signatures are being being used today in life science organizations um certainly within an Enterprise so for Enterprise use throughout an organization if you want a consisting signing environment within a group within a division Department business unit throughout an entire Enterprise um this is very much uh in The Sweet Spot of digital signatures on the other hand of the spectrum is cloud applications so these could be collaborative Cloud applications where individuals from multiple organizations all participate in a cloud application and need to sign documents and other people need to trust those sign documents so this could be a SAS vendor or this could be a private Cloud propped up by uh a life sciences company for their business partners to sign documents the third area that's important is to understand that the software vendors are aware and support digital signatures and vendors such as ARX we have a whole group dedicated to making sure the Microsoft adobe's oracles and others continue to provide proper support for digital signatures So within the Enterprise I talked about um digital signatures are being used extensively throughout these Enterprises both in regulated and non-regulated operations um and although the FDA does require the use of digital signatures and open systems many of these companies use digital signatures for closed system uh closed systems and for good reason and the applications that you might see digital signatures including things like the core quality management system within an Enterprise so signing of all the Sops work instructions training records any documents used to support an FDA audit uh up through mundane stuff like signing of HR forms Financial reports um and spreadsheets within the finance department um for SAS and Cloud applications this is a very growing area so many of the large SAS vendors as were as well as private Enterprises propping up a a cloud application use digital signatures today one of the more common applications is within e clinical portals so this could be a sponsor a cro or a SAS vendor propping up a web application with digital signatures embedded so that all the different investigators and coordinators irbs Etc anyone working on a study that needs to sign off on documents can sign within the cloud and then the software vendors specifically so many of these vendors today and a growing number every day support digital signatures so really any eforms vendor workflow vendor document management content management vendor today uh is aware of digital signatures and either already has support or is looking at supporting digital signatures so the eforms vendors the microsofts Adobes and others of the world currently support digital signatures custom web app so if you develop your own custom web app um there's apis and software development kits available for you to be able to easily integrate digital sign signatures um with your application uh workflow vendors and document management vendors um and uh this is a small list of vendors that currently have a standard connection to digital signature Technologies um for you to use uh now we're ready for our second question um and Zach excellent excellent yeah so uh ladies and gentlemen uh we are now heading into the second Poll for today's session so just like the first time your screen should now turn blue with the following question and answers do Microsoft and Adobe provide digital signatures yes no or you don't know so we will give you uh another like 45 seconds to cast your your vote and in the meantime uh Rod I'd just like to ask you a comment about as to why you asked this question sure so uh this is part of the fog and I could have added many other vendors um besides just Microsoft and Adobe uh but many people confuse um supporting digital signatures with providing digital signatures or using the term digital signature when they mean electronic signature and this is part of the confusion in the marketplace and I'm curious um how the audience is going to respond to this question excellent excellent thank you very much for that so uh yeah we'll give you guys another another a couple of seconds to cast your votes and I'd just like to remind the audience to uh to continue to submit questions and you can do this via the the questions to at the top right hand corner of your screen so uh I'm just going to go ahead and close the poll and like last time I will share those results for you so uh uh rod on your screen you should be able to see those results um are they surprising at all it is surprising uh and I think a lot of people probably answered yes um because they understand that Microsoft and Adobe and some of these other vendors do support digital signatures so they can easily connect the digital signature technology Andor there may be members of the audience who believe that uh adobe's acquisition of uh electronic signature vendor um Echo sign means that they provide digital signatures which they don't um and we'll talk about this a little further and we're talking about some of the considerations in selecting digital signature vendors perfect perfect thank you very much for that there Rod so I'm just going to go ahead and hide those results from you and uh yeah if you'd like to just continue on and um we we'll um speak soon okay so the heart of the discussion today is is common components and our perspective on uh what you should be thinking about when you select a proper digital signature solution for your operations and there's five main components that I'm going to talk about um I call them the five of proper digital signatures they deal with compliance and compliance issues which I think we all understand the next two choice and control uh from our perspective is you should have the freedom to choose complimentary Technologies and control the way you're using digital signatures not have the vendor dictate obviously cost is a consideration so there's an excellent Roi for digital signatures but you may be uh reducing that Roi if you're um you're embracing an expensive solution solution then finally centralized uh and this really goes back to digital signatures being used 10 years ago that were not centralized and dramatically impacted the cost of uh deployments so let's first start with compliance there's multiple areas here to make up compliance considerations uh the first is uh if you're looking for a digital signature you should make sure that that vendor is truly delivering a digital signature and adheres to the standards and it's very easy to to ask the vendor if they comply with the NIS digital signature standards uh as well as other bodies that that publish these these standards um and there's other independent standards bodies out there including ISO if you look at the iso uh 32,000 pdfa standard they include the digital signature standard as does Oasis and their uh web services definition for integrating Technologies with digital signatures so there's a wide variety of Standards bodies all the finding the same standard that you you should ask the vendor listen are you a digital signature vendor or are you electronic signature vendor the second one and probably most important to most compliance people in this audience is compliance with FDA standards um and we're not talking about part 11 as a whole we're going to drill down specifically and talk about uh paragraph 11.30 which is controls for open systems and in the language used by the FDA they talk about the uh uh use of appropriate digital signature standards for any open system so what's an open system um I would define an open system is any system where documents are being signed within one organization and those documents are then securely exchanged or submitted to some outside organization or any uh any system or documents are being signed um by outside parties and being brought back inside and need to be trust and verified so it's these these documents that flow Beyond any one organization okay people also talk about digital signatures when they talk about electronic submissions here in the US with the fda's electronic submissions Gateway in particular um and the FDA on their website even talks a little bit about digital signatures but from my perspective they're improperly using the term digital signatures and they should be using the term digital certificates being used for authentic ation so when the FDA talks about uh digital signatures submitting a document across the Gateway they're really talking about authenticating the submitter um that's submitting whatever across the Gateway um in fact they even suggest you can create your own unique identity give it to them and they'll go ahead and trust it so uh this is this is really not uh the proper use of digital signatures um with with digital signatures many people refer to them as the third wave of compliance with part 11 which I think is a is a good way to look at it and when you go back to the initial release of uh the guidance back in April of 97 is uh companies were just remediating existing computer systems with what they perceived to be the requirements of the FDA and around the same time documentum and open text with live link and other vendors eventually joining the market said no um here's a way to comply with part 11 by deploying this this quality management system this document management system with a huge repository of all your controled documents and will'll allow you to either scan the signed documents and put them in this repository or eventually some of those vendors also said hey we'll provide you with a proprietary electronic signature so you can sign documents inside of the repository um and then around year 2000 really J&J and fizer began advocating the use of digital signatures which means that you can sever any dependency on the repository in order to trust and verify signed documents and this gives organizations great flexibility and Agility so that if I use documentum for 10 years um and was using digital signatures and I want to migrate to SharePoint or whatever the new hot thing is tomorrow then I can easily migrate my controlled documents because the signatures are embedded in the documents and not part of the proprietary database of the system that I was previously using um for global companies we also need to consider uh local jurisdictions and Country specific requirements and in Europe the Europeans when they defined their directive on electronic signatures were very specific down to technology details unlike here in the US with e sign it's very subjective and very generalized well in Europe uh in government applications in particular um you have to use digital signatures as defined by both quality and uh qualified and advanced electronic signatures now it does not necessarily mean that pharmaceutical companies have to abide by these specific requirements is they're typically guidelines used for government to government applications or someone submitting documents directly to the government but still it's something to consider so any organization doing business in Europe needs to understand the importance of digital signatures in this Marketplace and then obviously you want to comply with what the software vendors support and the software vendors today they simply support this digital signature standard and they don't provide standard support for proprietary electronic uh signature Technologies so if a vendor is proprietary they're going to have their own unique plugin yet if they're leveraging digital signatures then the uh software applications will automatically be able to work with their Technologies so that's it for compliance uh the second category I want to talk about is choice so freedom to choose from our perspective a digital signature system should not be an eform solution a workflow solution or a document management or content management solution that does not mean that digital signatures should not be the signature engine embedded in this machine which includes other parts including forms and document management workflow Technologies but the core digital signature technology should be just that a machine that provid standard digital signatures um and this integrated machine doesn't have to be complex so it's not like you're buying an engine and then designing a car around it the machine can be extremely simple such as just just having digital signature technology and the desktop authoring tools Word Excel PDF InfoPath PowerPoint Etc this is a full machine this way many people are using digital signatures today um but uh many companies as they start to broaden use of digital signatures by their employees by their business partners start to integrate uh digital signatures into a a more complex or feature Rich uh machine which might include enterprise-wide applications like SharePoint workflow Technologies specific eforms Technologies and of course uh when you're talking about today's uh workers and working with business partners working with collaborators maybe in healthcare settings it's important to recognize that users aren't always sitting in front of a PC running a Microsoft OS people are using all kinds of different Computing Technologies today including Mac smartphones and tablets um so the uh the third area that I want to highlight is control and again philosophically at ARX we believe that organizations need to govern their business in the way they see fit and not have to change what they're doing just because some outside vendor doesn't support the way they run their business so again it's your choice you know how to govern your business business you know how you how you want to control your business Force the digital signature uh vendor and the vendor's technology to fit into way you want to do things so what does that mean um a good example would be the way you identity proof your own employees and your business partners you already have policies and procedures in place when a new employee comes on board they need to sign various forms some of these forms like here in the US the I9 form needs to be signed in a face-to-face encounter with someone of that organization and uh at the completion of this uh new higher on boarding process the person is placed within the user directory structure of that organization most commonly Microsoft active directory so the it security policies start to kick in and say uh fill out this form We'll add you to our Network directory structure and Define what business applications including digital signature services that you have rights to use and we also want you to use whatever technology we determine is appropriate for you to prove who you are anytime you want to access any of these applications including authenticating to digitally sign a document so again your own your own policies procedures complimentary Technologies working with the digital signature technology you bring in house now cost Effectiveness um the good news is is is that the price of digital signature uh Solutions has come down dramatically in the past decade and there's more vendors in the marketplace there's competition also helping to drive down these costs bad news is is that there's still a wide variance in the total cost of ownership so if you're not doing your homework um there's lots of hidden costs Beyond just buying a software license that you need to consider and I just bulleted out um um here a few of the um well before I get to that um I'm going to reference a uh an article and this is from about five or six years ago that um that analyzed three different approaches to digital signature uh Technologies and you'll see how widely the pricing varies so the first was information on uh server-based centralized digital signature Solutions which would include Technologies like we provide at ARX or cosign product um the second approach would be a third-party managed pki digital signature service to a cloud service and uh the third alternative was kind of build your own which was popular back about 10 to 15 years ago and the analysis pulling information from vendors uh service providers Microsoft veras sign and others is that the um the total cost of ownership uh from one solution to the next is that a managed thirdparty service could be as much as four or five times as expensive as these standard products and building your own could be as much as 20 times more expensive than some of these new products in the marketplace so again do your homework um and and price compare and uh Beyond just the life the license cost there's 10 other things I want to highlight for you to consider one is uh Beyond just the cost of the system and installation and setup what does it cost to validate the system what does it cost to qualify the vendor these are questions you need to ask what is the uh solution that the vendor offers to be compliant with part 11 for signing various file formats including Microsoft Office and if you're using older versions of Microsoft Office like Office 2003 and there still is people doing that how is that supporting digital signatures um if you're assigning PDFs and and you're using Adobe do all of your users have Adobe Acrobat which supports digital signatures or does the vender allow you to sign PDFs without having uh widespread use of adobe licenses um what's the cost to integrate with various other business systems being used throughout the interet Enterprise SharePoint or openex live link or Oracle systems or EMC documentum so what's the cost and effort to do this integration or are there there standard um off-the-shelf Integrations that you can leverage obviously reducing your validation cost as well um Can the technology be used to sign from any Computing platform not just PCS but also Macs and other mobile Computing devices are the licenses transferable um this is starting to change a little bit but geez as recently as three to five years ago some of these vendors would charge you uh for redundant licenses for for each of your signers or if a signer uh used their technology um for a few months then left the company could you reassign this license to another employee is there any restriction on the usage associated with these licenses so am I allowed to sign as much as I want or can I sign 10 times or a 100 times or 500 times and then I'm cut off I need to expand my license good question um how is how are the digital identities generated and how are they managed how do I remove someone's identity if they leave the company how do I refresh information about the user if if perhaps their email address changes or their maiden name changes um how are the users managed so am I Distributing out technology and software and user specific information out to the individual computers that people are signing from that sounds like a system administrative nightmare where is there the ability to do centralized system administration with some of the newer Technologies again is the system centralized or is it distributed and with the centralized solution or even with a distributed solution um how is this impacted as I grow the number of users from 25 to 50 to 500 to 5,000 and more then finally how long does it take for the system to be deployed and operational is it an hour or two do I need to have someone on site can it be done over the phone can it be self-installed are we talking about uh a long project that takes days weeks or even months to deploy okay um now in summary excuse me we have one more category to consider and that's the centralized architecture which I talked about before and this is just a common architectural drawing for digital signature Technologies today typically the the technology is delivered either in a server that's installed owned and operated by the end user organization or accessible in a shared cloud environment and on This Server there are the three main components for each user including their signature key their digital identity and the graphical signatures and then in order to use this technology is oftentimes there's a software agent locally on the different machines allowing them to interact with the server it's a very simple machine using the digital signature engine for Enterprise usage most of the proper digital signature Solutions today also integrate with a network uh directory structures like active directory or ldap um but these systems can be expanded greatly where users can maybe handle all their signing needs through a browser without any local software on the machines so again you want don't want to have to distribute software wear out to your PCS and Macs and other devices throughout your Enterprise um you should be able to use the technology through a VPN server so if you're using remote Services you should be able to easily allow anyone dialing in through this remote service to digitally sign uh documents throughout the Enterprise and then for any of these other applications throughout the Enterprise SharePoint other web applications Quality Management Systems you should be able to apply digital signatures from within these applications so now in summary before we start the Q&A um digital signatures are not simply replacing pen and paper um there's additional security added to digitally signed documents including identity uh certificates for each signer and the ability to prove that changes haven't taken place or if changes did take place to the document contents show what those changes are um it's very simple to establish a trust network with your business partners uh through these one-time trust ceremonies I talked about before this is a core technology and common practice for digital signature deployments um digital signatures are being used extensively throughout life science Enterprises and Cloud applications throughout both uh a back office uh GA type operations through the core uh research and development manufacturing clinical um and regulated operations of any life sciences organization um and again when considering uh and choosing a digital signature solution you consider the uh the five C's compliance issues not just FDA compliance but ensuring that the vendor provide standard digital signatures which are allowable not just in the US in Europe but other countries throughout the world Choice uh focusing on buying the best signature engine you can and making sure that this engine can easily connect to other eforms workflow Solutions and document Management Systems of you're choosing control uh not having to change the way you're running your business today or governing your operations and business processes uh but having the vendor technology uh easily plop in and and um support your policies and procedures again cost Effectiveness the cost of these Solutions varies greatly do your homework understand what the the uh the listed prices of software licenses and other components but also hidden costs that you may not have thought about before and then centralized um you know this this approach of uh Distributing out software and digital identities to individual users um is really a dead concept today uh the technology needs to be centralized um the presentation today is available and I'm also also available for specific questions if you'd like to ask me directly the easiest way to get in touch with me and my team is at FDA atx.com excellent thank you very much for that there Rod so yes ladies and gentlemen we are now moving into uh the the Q&A session so if you haven't already please submit your questions uh we have around uh 15 minutes to try and answer as many as possible if your question has not been answered um in the allocated time then please take note of the contact details on your screen and uh by all means I'm sure Rod will be uh happy to answer uh your thoughts so I'll just jump straight in there Rod um the F qu first question uh what is the typical effort involved in validating digital signature systems okay terrific good question in the subject we just talked about so it does vary Vendor by vendor um the the approach that I'm familiar with is actually the approach we use at ARX with our cosign product um today the ideal solution is is to have digital signatures delivered um through like a blackbox server or as we call it at ARX and Appliance it's a dedicated system that cannot be or tampered or have any any uh other software loaded on it and it operates as as any Appliance does like a computer or like a router and so with this approach uh validation is actually greatly uh reduced the effort um and really spending most of your time qualifying the vendor who designed manufactured and delivered this uh blackbox Appliance approach as opposed to interrogating the software loaded on the uh the appliance itself um as far as efforts are concerned um typically most of our clients do their own validation work we as a vendor do provide uh some complimentary uh documentation to support the the quality plan um and there's companies out there that have experience in validating both our coine product and other Technologies as well excellent thank you very much there uh someone has asked uh uh a question I believe they must have submitted it through uh during the presentation uh but they asked um uh will you talk about how uh the electronic signatures are stored right um again so we're talking about a sub category a subgroup of the total electronic signature Market which is digital signatures and uh in the in the old days going back you know not there's still people doing this today is digital signatures which include the signing key and the digital certificate the identity card I talked about before uh in the old days they were loaded onto smart cards or a secure hardware and then physically hand it over to to users to sign so when someone signed they actually swiped the smart card or or plugged in their their Hardware s to their machine um you can only imagine the complexity of of using this type of architecture uh on a wide scale and and really a lot of the uh early deployments using this the strategy failed or took a very long time to uh to be successfully deployed today all of the different keys and certificates all the stuff for someone to use is stored in this centralized server this blackbox Appliance and as long as you have access through the internet or through the network and communicate with the server um you can apply your your digital signature um without having it ever exposed locally on your machine perfect thank you very much for that um another question has has come in is um what is the primary difference between eature and digital signature in the IT world right so digital signature is a term we use for standard electronic signatures the standard is known as pki as I mentioned before the standard is published and maintained by uh by nist and other standards bodies outside the US um there's multiple vendors so any of these vendors aderes to these standards and the wonderful thing is that uh then any of these desktop authoring tools or Business Systems from Microsoft Adobe Oracle open text whoever um will plug and play with any of these vendors digital signature systems the outside of digital signatures the rest of the electronic signature World um is largely what's known as proprietary signature Solutions meaning a vendor came up with a scheme that they embed in their software allows you to sign documents typically as a detached element so you have a det you have have a database with a document and then some electronic signature information and as long as you can access that application and have a license and that system still around you can verify and and be part of 11 compliant what you don't have is the ability to just open up a document independent of that system that was used and perform the verification perfect thank you very much for that uh the next question is is a slightly um long one so I'll just jump straight in if a company already has pki certificates um Can FDA uh I believe this is an abbreviation and ectd submission documents be digitally uh and submitted uh be signed digitally sorry and submitted through Gateway without any issue or do we need to uh do anything extra to have a valid submission yeah so um and I brought this up before and I was talking about FDA compliance on the one slide is uh there's this is part of the fog the compliance and the FDA is guilty so are some other regulatory authorities by the way I'm familiar with the Italian regulatory authorities who have the same confusion out there um the FDA at the electronic submission Gateway is not talking about signatures on documents um when they talk about digital signatures they're talking about the the signing or authenticating of the actual submission across the Gateway um in fact they even say even if you have digitally signed or electronically signed or paper um supporting documents is part of the submission um best practice for them is to flatten them into a PDF file as an attachment to the submission so digital signatures through the Gateway is all about creating a digital identity for you to hand over to the FDA they put into a list of trusted identities and then when you do this submission um they they can verify that it's actually you doing the submission and not someone else that they haven't uh talked to before so uh you know ectd um all the supporting documents um can be digitally signed and and part of the submission but uh the language being used on the submission Gateway website um is not talking about the the signatures on the do doents brilliant thank you um i' just like to uh remind the audience uh to keep submitting your questions we do have around 10 minutes to try and answer as many questions or thoughts as possible um and I'll let be able to let you guys know after today's session um how you can access the materials used so uh another question uh for webbased medical information systems how easy would it be to integrate digital signatures uh for fulfillment also since the response might be to open public uh might be open public uh would uh the trusting be a problem okay let me just read this question again to make sure I'm understanding the question how was it be to integrate digital signatures for fulfillment um I I'm not 100% clear on the answer this might be one that the person asking the question I have to submit the bottom line is that uh when um when you're hosting a electronic signature including a digital signature service for individuals outside of your organization to sign documents one of the procedural things you need to determine up front is how are we verifying the identity of the signer before we allow them to sign for digital signature deployments within an Enterprise it's very easy to identify your own employees and to trust your own employees to give them credentials but if it's someone out there you're not meeting face Toof face they're an individual in cyberspace what's the process we need to go through to identify these individuals um today kind of The Benchmark is what are we doing in paper so if I need some outside party today to sign a document the typical process is send them an email with a PDF attachment um or maybe FedEx them a bunch of paper regardless the the document ends up in paper someone ink signs it and fedexes it back so the level of identity proof we went through was the ability to communicate with that individual through email or through a FedEx known address with a name on that that FedEx or or whatever the corer service is so we should do at least this if not more in the electronic world so I always remind our clients um if we're going to allow outside parties to sign let's do email verification that we can communicate with them let's have them enter some other information about themselves to establish their uniqueness um so that we have a a level of confidence that this is indeed the individ individual claiming that they are and then we can allow them to sign documents perfect perfect thank you very much um another question what is the relationship between ARX cosign and okay uh I I guess this came up because of uh uh the press release last week but yeah um so docy is the the world's largest supplier of electronic signatures um through a SAS model um and ducy is a fast growing company that that originally was serving the uh the consumer Marketplace in particular the real estate Marketplace um and they have a a cloud service that you can pay a fee and have people sign documents um as they are looking for new markets and growing their business they started to expand out into um Enterprises there are some life science companies that that sign contracts and agreements particularly when there's a counter signer outside of the your own organization that needs to sign an NDA or some other some other agreement um but again they're looking to grow Beyond this into uh other markets such as life sciences Market or into the European market and they they made a strategic decision and this was announced last week that they've actually replaced their entire electronic signature uh system technology embedded in their service with our co-sign product so the bottom line is docy sign now moving forward I believe sometime towards the end of the year will be offering digital signatures um with anyone assigned their documents so the relationship is uh ARX is a digital signature vendor um is a business partner that has our technology embedded in their cloud service great thank you very much for that uh and another question uh in the EU uh do digital certificates need to be obtained from government qualified certificate authorities uh yeah sure so the people that aren't familiar with the European requirements may be confused by this but uh um in some jurisdiction throughout Europe um particularly for government employees government applications um the legislation within those countries requires that that people need to go to some government blessed certificate Authority as they're called and obtain their digital identity for them to use um countries like Spain and Italy Germany Etc I would say are the more strict in this and uh and um in general this does not impact decisions in Private Industry so you know although anyone digitally signing documents in the Italian government goes through this approach Private Business typically does not um German very strict Marketplace in general even government employees really aren't using digital signatures today um Private Industry however there's lots of medical device companies biofarma companies based in Germany using digital signatures but they uh have all assumed that this uh these requirements don't apply to them and don't go through the government sponsored uh certificate authorities perfect thank you um this next question is uh quite a long one and it's it's got multiple questions in one so um in terms of 21 CF rp1 uh is the embedded information in the signature page or tab of the document considered sufficient for an audit trial on its own or is the uh other external information required and how does this information behave when the document is subjected to further processing for example as part of a compliance submission um is the Integrity broken in any way so there are multiple questions in one there sure so um the first thing I'll state is that there's no such thing as an FDA seal of part 11 compliance that you can stick on your product um there never will be uh compliance with with part 11 is about the technology uh technology usage but it's also about the policy procedure operation of of this technology so you wrap all those things together and you come up with a part 11 compliant solution the electronic and digital signature uh components of part 11 are just just that they they deal with uh part 11's electronic signature requirements to some degree they also deal with electronic record requirements as well so at the file level property where these digital signatures are embedded within the the electronic records there is uh in certain file formats in particular PDF the ability to have the audit Trail and revision history associated with that document an example would be uh the PDF file format um is set up such that every digital signature embedded inside of that file versions the document so if I have a form that needs five signatures and perhaps the fillable form that changes between signatures um if I receive that that single PDF file with all five signatures in it I have the ability to go back and interrogate what the contents look like when any one of those signatures was applied in fact I can compare uh changes in between versions so some of that revision history some of that audit Trail is is part of the file but uh you know the full check-in checkout full revision history associated with documents is typically a function of the document management system or content management system um whether it be a commercially available platform like SharePoint documentum or live link or it could be just a file share system with controls built in so that um you can't save a file with changes on top of another file excellent thank you very much for that so um we've got time for just one more question um how are clients reacting when the certificate is expired and appears as a not valid expression in Word documents okay so uh this sounds like a specific technology or a deployment issue which uh if the person wants to reach out to me and talk about it can um the uh uh the Way digital signatures are verified when you open up a file is it's not it doesn't care if the certificate embedded inside of that file has expired the only thing it cares about is that at the time the signature was applied that that identity that that digital certificate was valid so if I was issued a certificate uh uh yesterday I signed a document today and uh my certificate was set to EXP fire after two days so it's no longer valid tomorrow 50 years from now someone opens up that digitally assed document the document whether it be a word or Excel or PowerPoint or PDF all it's going to do is look to see hey when this document was signed today was that user's identity uh valid doesn't care what happened after the document was signed brilliant perfect well yeah and thank you very much for that there Rod unfortunately we have run out of time so um I'd just like to thank Rod uh for what was a great presentation and thank you to ARX for sponsoring uh today's session a special uh further Thanks goes out to Leah fisherman for her help today so uh the webinar resources will be made available at our website which is .bus review hyen webinars with an S at the end.com shortly uh you can also follow us on Twitter atbr webinars for daily updates and join our LinkedIn group Business Review webinars where we will uh also share the resources um across there if your questions were uh not answered in the time allocated or you would like to get into touch with Rod after today's session then please take note of the contact details on your screen currently and uh I'm sure Rod will be more than happy to answer any questions or thoughts that you may have so uh once again I'd just like to uh thank you rod for your presentation and um I hope you all have a lovely day