Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Navigating FDA and ISO Compliance with Digital Signatures and Signing Intent

In FDA (U.S. Food and Drug Administration) and ISO 27002 compliant processes, digital signatures play a crucial role in ensuring the integrity, authenticity, and security of electronic records and signatures. The use of digital signatures is outlined in the FDA’s regulations, particularly in the context of electronic records and electronic signatures, as specified in Title 21 of the Code of Federal Regulations (CFR) Part 11 and ISO/IEC 27002:2013 respectively.


Digital signatures are not just for PDF documents though. Most FDA/ISO compliant processes require digital signature approvals for changes to software as well, also known as Pull Requests. Essentially files containing code are documents that need to undergo a strict review and approval process, just like any other controlled documents that are part of the change management.



Here are the key elements related to digital signatures, signing intent, and the role of the signee in an FDA/ISO compliant process:

  1. Digital Signatures:
    • Authentication: Digital signatures serve as a means of electronic authentication, confirming the identity of the person associated with the signature. Approving a pull request and signing the approval with a signature token ensures the approver uniquely identified.
    • Data Integrity: The unique approval signature in combination with the git commit hash of the pull request commit help ensure the integrity of the pull request approval as both signature and the commit hash cannot be changed or tampered with.
    • Non-repudiation: Digital signatures provide non-repudiation, meaning the signer cannot later deny their involvement in the signing process.
  1. Signing Intent:
    • Explicit Intent: The signing process should involve explicit intent from the individual to sign. This means the person signing understands and intends to authenticate the information. The pull request reviewer must pro-actively select a reason for the their signature approval.
  1. Role of the Signee:
    • Designated Roles: Compliance regulations emphasize the importance of defining and assigning specific roles to individuals involved in the electronic signature process. In Atlassian Bitbucket the pull request reviewers group membership(s) can serve as a role. When a reviewer signs a pull request can simply select the group they are signing for to assume their role.
    • Responsibilities: Each role or reviewer group should have defined responsibilities. Naturally Bitbucket comes with easy to use access controls ensuring that only authorized individuals can perform specific actions, including signing. Reviewers are only added to pull requests if they are a member of a nominated signature-reviewer group.

You are one step away from signed pull request approvals with Bitbucket (cloud) and Workzone

Workzone for Bitbucket allows to configure signature reviewer groups

When reviewers approve a pull request they are asked to sign their approval with a personal token and select a role/intent.

All signatures, git commit hash and role/intent are safely recorded in the pull request’s history.



Visit Workzone for Bitbucket today!

As always,

Happy coding.



1 comment


Log in or Sign up to comment
Matteo Gubellini _SoftComply_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 14, 2024


Good to see you can now apply e-signatures to pull requests.

So far our customers had to create an export of all of them at the end of the project and approve them in a separate document. The FDA was ok with it, but it was far from ideal and not fully compliant if you ask me.

Signatures should be concurrent to the approval action, not to mention what to do if someone approving a pull requests leaves the company before signing it (I've been there).

We will recommend this App if asked.


AUG Leaders

Atlassian Community Events