Cloud in GxP

GxP Cloud Validation

You’ve moved, or you’re moving, GxP applications to the cloud. The question that decides every cloud validation is simple: who validates what? This is the model that answers it across IaaS, PaaS and SaaS, so you validate what you control and inherit what the provider proves.

Figure: Shared responsibility across IaaS, PaaS and SaaS. Seven stack layers down the side and three cloud service models across the top. The top three layers (intended use, access and configuration) stay your responsibility in every model; lower layers move to the provider as you go from IaaS to SaaS.

Layer | IaaS | PaaS | SaaS
Intended use & process (always yours) | You | You | You
Access & identity (always yours) | You | You | You
Configuration (always yours) | You | You | You
Application code | You | Shared | Provider
Runtime & OS | You | Provider | Provider
Virtualisation & network | Provider | Provider | Provider
Physical & hardware | Provider | Provider | Provider

Legend: You = you validate; Shared = shared; Provider = provider qualifies, you inherit the evidence.

The top three bands never transfer: intended use, access and configuration stay yours on IaaS, PaaS and SaaS alike. Lower in the stack the provider carries more as you move from IaaS to SaaS. The skill is drawing that line for each system and writing it down.

How it works

The cloud service model sets the line between what you validate and what you inherit. Qualify the provider once and reuse that evidence across applications, then concentrate your own testing where you genuinely own the risk: intended use, configuration, access and the integrity of your data. It is the same risk-based thinking as DRIVE, pointed at the cloud: scale testing to risk, leverage qualified evidence, and manage provider-driven change deliberately so a silent update is never your first surprise in an inspection.

Inherit or validate

Once you know where the line sits, write down each side of it. Qualify the provider once and inherit the layers it proves; spend your own testing on the layers that carry the product and patient risk.

You always validate | You inherit, after qualifying the provider
Intended use and process fit | Physical data centres and hardware
Configuration and access control | Virtualisation, compute and network
Data integrity, ALCOA+ across the record | Platform and base OS patching (PaaS, SaaS)
Provider oversight and change monitoring | Application code the vendor builds (SaaS)

What changes

On a comparable programme, more than 2,000 servers moved to a GxP-qualified cloud in six months, with provider qualification inherited across applications and Part 11 and Annex 11 controls held throughout. The speed came from not re-validating what the provider had already proven; the assurance came from writing down exactly where that line sat.
