GxP Cloud Computing

Every cloud arrangement allocates responsibility for the technology stack between the cloud service provider (CSP) and the customer. The customer is always the regulated party — neither AWS nor Azure nor GCP nor any SaaS vendor is the holder of the GxP obligation — but the controls the customer can exercise depend on the service model.

The 2022 second edition of GAMP 5 brings the methodology forward to the cloud era. Major updates: explicit treatment of cloud and outsourced computerised systems (RDI Cloud appendix), refreshed risk-based categorisation (Categories 3-5 retained, with new emphasis on configurable SaaS), updated guidance on Agile and DevOps for GxP, more explicit data-integrity expectations across the lifecycle, and integration with ICH Q9(R1) for risk-based decisions.

Software categorisation in the cloud era: configurable SaaS (Cat 4) is the dominant pattern; bespoke / configured on-prem (Cat 5) is shrinking. The validation effort follows the category but with a strong overlay of supplier-assessment depth — Cat 4 SaaS where the supplier is mature requires far less from the customer than Cat 4 SaaS where the supplier is unproven.

When the technology stack is in someone else's hands, supplier assessment is the principal mechanism for demonstrating regulatory compliance. The customer must form a defensible view that the CSP operates the controls it claims to operate. Acceptable evidence is multi-layered:

• SOC 2 Type II reports — covers security, availability, processing integrity, confidentiality and privacy of the cloud platform.
• ISO/IEC 27001 certification — information security management system.
• ISO/IEC 27017, 27018 — cloud-specific and cloud-PII-specific controls.
• FedRAMP / HITRUST CSF / TISAX where applicable.
• CSP-specific GxP / 21 CFR Part 11 attestations and white papers.
• Right-to-audit clauses in the contract, with subcontracted-audit (industry shared-audit program) where direct audit is impractical.
• Service Level Agreements covering availability, RTO/RPO, data retention, exit transition.

Cloud GxP validation focuses on what is in the customer's control: configuration, customisation, integrations, user roles, data, business process. The infrastructure validation (platform IQ, OS qualification, virtualisation) is delegated to the CSP under the supplier-assessment evidence. Application validation (OQ/PQ-equivalent) sits with the customer and the SaaS vendor jointly, depending on the configuration depth.

Continuous-delivery validation — when the SaaS vendor pushes updates monthly or weekly — requires the customer to maintain a continuous-validation posture: change-impact assessment per release, regression testing on the configuration set, documented release notes review, and a defined re-validation trigger threshold.

Data-integrity expectations (ALCOA+: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available) apply regardless of hosting model. The cloud-specific challenges are: audit-trail integrity across distributed systems, time synchronisation across availability zones, record retention through CSP exit, and the legal validity of the electronic signature mechanism.

GxP regulators rarely impose hard data-residency requirements but neighbouring regimes do — GDPR for personal data, China PIPL, Russia data-localisation, sector-specific national laws. The cloud arrangement must let the customer demonstrate where regulated records live and where they are processed. Multi-region SaaS without per-tenant residency control creates compliance risk.

GxP records have statutory retention periods that long outlast typical SaaS contracts (10-30 years depending on the record class and jurisdiction). The cloud agreement must address exit: format and accessibility of exported data, audit-trail preservation through export, retention obligations on the vendor post-termination, and continuity of regulatory accessibility if the vendor fails commercially.

Cloud-based AI/ML services (managed inference, vector databases, LLM APIs) used in GxP workloads inherit the shared-responsibility framework but add model-governance considerations: model version control, training-data provenance, deterministic-output requirements, drift monitoring. FDA's PCCP framework, ICH Q14, ICH Q9(R1) and the EU AI Act all converge on the same expectation: the model and its lifecycle must be controlled to the same standard as any other GxP computerised system.

• Assuming SaaS vendor's '21 CFR Part 11 compliant' marketing claim substitutes for the customer's own validation.
• Supplier assessment based on a brochure rather than SOC 2 Type II report review.
• Continuous delivery without continuous-validation posture — releases pile up unevaluated.
• Audit-trail mechanism that permits admin deletion.
• Data residency assumed rather than configured.
• Exit clause missing or requiring data delivery in a proprietary format.
• AI/ML services used in GxP workflows without model-governance controls.