Validation of Dropbox for File Sharing, Storage, and Retrieval


Involved In Discussions

I just started working for a "typical" start-up (low cost + high return) and the company is using Dropbox for file sharing, storage, and retrieval. However, according to ISO 13485:2016 clause 4.1.6, we're required to validate the system.

Does anyone have experience validating this software? Or, is the software too cumbersome to validate? Our main concern is validating updates and possibly not knowing when updates are pushed.

Any assistance will be most helpful.

Regards, Tonia

Statistical Steven

Staff member
Super Moderator

Sounds like Dropbox will store your QMS documents and procedures for retrieval. Not sure you can validate it. It was probably not developed for that purpose. There is no audit trail. Documents can be downloaded, edited and uploaded. You would need control systems to avoid this. If you can configure it this way, you can validate the control system. In general, does not sound like a good idea to use Dropbox for QMS documents.


Involved In Discussions
Re: Validation of Dropbox

Thanks, Steve.

However, Dropbox does include a version history for each document. This history includes a time stamp, date, and who viewed/edited the document.

I believe this would meet the audit trail requirement, correct?

Statistical Steven

Re: Validation of Dropbox

Because it's an outside system, how are usernames controlled? If I leave the company, can I still log in? How can you ensure that? It's about control. I am not familiar with Dropbox and its version control... but if it timestamps each version and keeps all of them sequentially you should be ok.

First of all it would be good to know what kind of documents you use Dropbox for.

QMS documents, as Statistical Steven supposes? Just some presentations you are working on?
Do you want to use Dropbox to store records that show evidence that you fulfil external requirements, i.e. ISO 13485:2016? Or just everything your start-up does?

Dropbox will be quite hard, probably impossible, to validate from my perspective. But everyone is free to prove me wrong ;).

As you pointed out Dropbox does not care about your risk when they perform changes to it. But based on ISO 13485:2016 4.1.6 and also 7.5.6 you are required to take actions based on the risk that a change can affect your system.
I don't know whether Dropbox provides a list of updates they apply, but even when they do it will be hard to judge them. And they probably apply them all the time.
Cloud systems aren't impossible to validate. You could use test automation (needs to be validated / verified as well) for that purpose.

I'm rather worried about possible missing requirements:

- Approval function. You are required to approve documents / records.

- What happens to the version control if you delete a document? Just looked into my Dropbox and it seems like it's gone forever.

- And as Steven pointed out people can just change controlled documents. There should be some sort of controlled environment / workflow for that.
If you use it for SOPs or records and everyone in your company can just come along and edit them it is not really controlled.

But still it all depends what you are using Dropbox for.


Involved In Discussions
It is possible to restrict permissions to view-only with the paid version of Dropbox, so you can mitigate the risk of someone changing or deleting a controlled document. There is also a mechanism to recover deleted files (requires you to be looking at the web version). However, it has no workflow capability of which I am aware, so the approvals process would have to be handled outside in some fashion.


Involved In Discussions
The company is using Dropbox for management of the QMS. For subscription payers, the company can control who has access to the documents/records, so if an individual leaves their access is removed.

The system does allow for read only assignments and does have the ability to prevent people from deleting a document/file, adding a new folder, etc. in controlled areas.

While the system does not include e-signature capabilities, my company is trying to get around that with electronic signatures in Adobe; however, we do recognize that those aren't 21 CFR 11 compliant.

Audit trails are another issue - the only trail is a time stamp and who edited the document/record. There's no trail of what information was changed, etc.

The company does have their own workflow in place for using Dropbox and they seem to like it. We're currently researching eQMS systems, but my VP of Software wanted to know the ease of validating Dropbox.


Starting to get Involved
My company is trying to use Adobe Acrobat Pro 2017 as their digital signature solution also. Do we know specifically which Part 11 requirements Acrobat does not meet, by any chance?

Ed Panek

VP QA RA Small Med Dev Company FDA and ISO13485:16
Online QMS systems are fairly new and Part 11 is adapting. Part of an online storage file system's business model would include the items Part 11 requires. It's just part of their business model. I used to work at the VA (US Government) and their storage was validated to high hell yet it was constantly compromised; meanwhile Gmail was less often hacked. Why? Google has a business interest in their server security.
Nowadays, even Microsoft OneDrive has version control, as does Google Drive. Cloud-based systems are more popular than ever; many eQMS platforms are built on cloud servers. If companies are willing to splurge on these fancy eQMS platforms which are also built on cloud, no reason why they cannot also use Dropbox or Google Drive to store documents. Just ensure access to these documents is controlled.
