Before you start your Do-it-Yourself GxP or Validated Public Cloud Project, get prepared!

Note: the public cloud is just compute and storage, with a bunch of non-qualified tools and some GxP guidance. You need to be prepared to do all of the initial setup and ongoing maintenance work yourself, from a formal process, technical, security and compliance perspective.

  • Insurance – When using a public cloud, it is important to understand that the provider accepts essentially no liability for the data you host there. You will need to add 3rd-party cyber insurance coverage for the cloud to your existing cyber insurance policy to get some protection.

  • GxP Separation – Set up an entirely new account (tenant or subscription) for GxP operations to keep everything GxP separate from the corporate systems. The corporate network and the GxP network can be connected for network traffic, but if both are administered from the same dashboard, Quality change controls will encroach on corporate IT activities.

  • Quality Agreement – There has been an increasing number of FDA findings for the lack of a Quality Agreement with vendors. Since a public cloud vendor is technically a data processor, and its services fall into GAMP Categories 1, 4 and 5, a formal Quality Agreement is not a big ask of the provider.

  • Security – A number of exploits have impacted public clouds that let a virtual server on the same physical host read data belonging to another tenant's virtual machines and, in some cases, alter it. Make sure the physical host you run on is dedicated to your company (single-tenant placement). That does not protect against every exploit, but it removes the co-resident attacker and so reduces the risk. Ref. Azure, Intel (1), Intel (2) impacting all public clouds, and more to come…

  • Data Control – Public clouds are notorious for moving customer data around to suit their own needs. Make sure you get into an agreement under which your company controls the location of company data. Get a written contract and don't accept web-posted Terms & Conditions!

  • GxP Identity Management – Electronic identities used to interact with regulated systems need to be handled and managed. The source of those identities (the directory or identity provider) needs to be qualified, and changes to it need to be fully documented under change management.
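The Security and Data Control bullets above both come down to checks you can run against the provider's own inventory API. The script below is an added example, not code from the original page or from Validated Cloud. It assumes AWS EC2 as the public cloud (the page names Azure and Intel but no specific provider), the JSON shape returned by `aws ec2 describe-instances --output json`, a hypothetical tagging convention `Scope=GxP` to mark regulated instances, and a placeholder approved-region list. The sample inventory is constructed for the example. Instances on shared hosts (`Tenancy` of `default` rather than `dedicated` or `host`) and instances outside the approved regions are reported as findings.

```python
"""Audit EC2 placement for single-tenant hosts and approved regions.

Added example. Assumes the `aws ec2 describe-instances` JSON shape and a
hypothetical `Scope=GxP` tag; the approved-region list is a placeholder.
"""
import json
import re
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60001",
         "Placement": {"AvailabilityZone": "eu-west-1a", "Tenancy": "dedicated"},
         "Tags": [{"Key": "Scope", "Value": "GxP"}]},
        {"InstanceId": "i-0a1b2c3d4e5f60002",
         "Placement": {"AvailabilityZone": "eu-west-1b", "Tenancy": "default"},
         "Tags": [{"Key": "Scope", "Value": "GxP"}]},
        {"InstanceId": "i-0a1b2c3d4e5f60003",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "host"},
         "Tags": [{"Key": "Scope", "Value": "GxP"}]},
        {"InstanceId": "i-0a1b2c3d4e5f60004",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"},
         "Tags": [{"Key": "Scope", "Value": "corporate"}]},
    ]}]
})

# Placeholder: the regions your data-location agreement permits.
APPROVED_REGIONS = {"eu-west-1"}

# EC2 tenancy values that place the VM on hardware used only by your account.
SINGLE_TENANT = {"dedicated", "host"}


def region_of(availability_zone):
    """Strip the trailing zone letter: 'eu-west-1a' -> 'eu-west-1'."""
    return re.sub(r"[a-z]$", "", availability_zone)


def audit_placement(describe_json, allowed_regions, gxp_tag=("Scope", "GxP")):
    """Return findings as (instance_id, control, detail) for GxP-tagged instances.

    Instances without the GxP tag are out of scope and skipped, so corporate
    workloads on shared hosts do not appear as regulated findings.
    """
    findings = []
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(gxp_tag[0]) != gxp_tag[1]:
                continue
            iid = inst["InstanceId"]
            placement = inst.get("Placement", {})
            # Missing Tenancy is treated as shared, the conservative reading.
            tenancy = placement.get("Tenancy", "default")
            if tenancy not in SINGLE_TENANT:
                findings.append((iid, "tenancy", f"shared host (Tenancy={tenancy})"))
            region = region_of(placement.get("AvailabilityZone", ""))
            if region not in allowed_regions:
                findings.append((iid, "region", f"outside approved regions ({region})"))
    return findings


if __name__ == "__main__":
    # Pipe real output in: aws ec2 describe-instances --output json | python audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    for instance_id, control, detail in audit_placement(raw, APPROVED_REGIONS):
        print(f"{instance_id}\t{control}\t{detail}")
```

Against the constructed sample this flags the second instance for shared tenancy and the third for running outside eu-west-1; the first passes and the fourth is ignored as non-GxP. A dedicated host removes the co-resident attacker but not every host-side exploit, so this check is evidence for a risk assessment, not a substitute for one.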

Comparison                                                        | Validated Cloud                                                                                      | Public Cloud
------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------
Compute (servers, storage and network)                            | Yes                                                                                                  | Yes
Qualified and auditable infrastructure                            | Yes                                                                                                  | No
Control where data resides                                        | Yes                                                                                                  | Only with a special agreement
Managed and supported operating systems, database platforms and web services | Yes                                                                                       | No
Managed security                                                  | Yes (closed networks: everything; open systems: everything except the application)                   | Self-service tools are provided; customer is 100% responsible
Managed backups                                                   | Yes                                                                                                  | Non-qualified tools are provided
Life Science-experienced Quality oversight for operations and support | Yes, included with service                                                                       | No
Operational SOPs                                                  | Yes                                                                                                  | Customers need to develop, train on and follow their own SOPs
Disaster recovery                                                 | Optional service that is fully managed and documented                                                | Customers need to self-configure, test and document the implementation and processes
Audit and governmental regulatory defense on your behalf          | Yes                                                                                                  | No
Delivered qualification of customer systems, databases and network | Yes                                                                                                 | No
Anti-virus, monitoring and response                               | Yes                                                                                                  | Non-qualified tools are available; customers need to respond to alerts themselves
Who owns risk?                                                    | Sponsor is 100% accountable for all involved parties; Validated Cloud is responsible for its services | Customer is 100% responsible
Quality agreement as a supplier                                   | Yes                                                                                                  | No