GxP Friendly Audit for Ledidi Trials: SaaS Platform for regulated Clinical Trials

As part of an independent GxP Friendly Audit, the SaaS platform Ledidi Trials was comprehensively evaluated by DHC. The objective was the structured, transparent, and risk-based assessment of its regulatory suitability for use in GxP-regulated clinical trials.

Thomas Pauly, Practice Manager, DHC GmbH

The article shows how audit results can be used as supplier evidence for risk-based supplier qualification, and that the audit does not replace internal validation (CSV/CSA), but typically significantly accelerates and streamlines it.

The regulatory assessment of SaaS platforms intended for use in GxP-relevant processes is of high importance. Cloud-based solutions in particular place the focus on topics such as data integrity, electronic signatures, IT security, and supplier qualification.

What is a GxP-Friendly Audit?

A GxP Friendly Audit is an independent, preparatory audit without a formal inspection function.

It serves to:

  • Assess the regulatory maturity of a system or SaaS provider
  • Identify possible compliance risks and, optionally, provide recommendations for action
  • Support risk-based supplier qualification
  • Prepare for customer audits or regulatory inspections

Unlike traditional supplier audits, the focus here is on the supportive, structured analysis of GxP readiness.

Especially for SaaS providers in regulated environments, a Friendly Audit is a strategic instrument for GxP compliance.

About Ledidi Trials

Ledidi is a technology company focused on digital solutions for data-driven clinical research. The goal is to enable sponsors, CROs, and study teams to plan, conduct, and evaluate studies more efficiently through modern software approaches.

With Ledidi Trials, the company offers a SaaS-based platform supporting clinical study processes. Key focus areas include:

  • Structured data processing
  • Collaborative work processes
  • Transparency between study participants
  • Digital support of regulatory requirements

The solution is designed for use in regulated clinical research environments and is continuously developed to meet current regulatory and industry requirements.

Audit Approach and Regulatory Framework

The audit was conducted as an independent, risk-based GxP Friendly Audit aligned with international regulatory requirements and guidelines, including:

  • FDA 21 CFR Part 11 (Electronic Records and Electronic Signatures)
  • ICH GCP E6(R3)
  • ISPE GAMP 5 (risk-based approach for computerized systems)

The focus was on a supplier-side assessment of:

  • Adequacy of the quality management system
  • Effectiveness of development and control mechanisms
  • Suitability of operational processes
  • Suitability for use in GxP-regulated clinical trials

Scope of the GxP Audit for the SaaS Platform

The audit covered the following central areas:

Quality Management System (QMS)

  • Structure and documentation
  • Roles and responsibility models
  • CAPA and change management

Software Development Lifecycle (SDLC)

  • Development processes
  • Agile methods and documentation
  • Traceability and accountability

Release and Change Management

  • Formalized release processes
  • Controlled version management
  • Impact and risk analyses

SaaS Operations and IT Security

  • Access controls
  • Role-based authorization
  • Electronic signatures
  • Data security measures

Data Integrity and Business Continuity

  • Backup strategies
  • Disaster recovery
  • Business continuity management
  • Audit trails
  • Ensuring ALCOA+ principles

Audit Results

The independent Friendly Audit confirmed that Ledidi Trials has implemented a comprehensive and structured quality system.

The final audit report contains no open deviations and confirms the platform’s fundamental readiness for use in GxP-regulated clinical trials.

“The Friendly Audit conducted by DHC and the resulting report provided us with inspection-ready evidence on electronic records and signatures, audit trails, and traceability, aligned with recognized regulatory expectations. This made sponsor discussions and vendor qualification reviews significantly easier and more efficient.”

Danckert Mellbye
Chief Operating Officer, Ledidi AS

Use of the Audit Results for Supplier Qualification

The audit results can be used by sponsors and CROs as part of risk-based supplier qualification according to ISPE GAMP 5.

Important:

The responsibility for system validation and intended use remains with the regulated organization at all times.

However, a GxP Friendly Audit significantly supports:

  • Reduction of qualification effort
  • Increased transparency for sponsors
  • Acceleration of contract and selection processes
  • Strengthening of the compliance position

Why are GxP-Friendly Audits strategically important for SaaS Providers?

Cloud and SaaS solutions in the life sciences environment are subject to specific regulatory requirements.

Challenges include:

  • Division of responsibilities between provider and regulated organization
  • Validation of cloud-based systems
  • Ensuring data integrity
  • Auditability of agile development processes
  • Regulatory expectations for electronic systems

An independent GxP audit provides:

  • Regulatory transparency
  • Customer trust
  • Structured compliance evidence
  • Competitive advantages in the regulated market

GxP-Friendly Audits for SaaS Providers in regulated Industries

Are you planning to deploy a SaaS solution in GxP-regulated processes? Or would you like to have your regulatory maturity structurally assessed as a software provider?

DHC Dr. Herterich & Consultants supports you with:

  • GxP Friendly Audits
  • Supplier qualification
  • CSV and CSA strategies
  • Regulatory assessments of cloud-based systems
  • Compliance optimization for digital platforms

Frequently asked Questions about GxP-Friendly Audits for SaaS Providers (FAQ)

A GxP Friendly Audit is a risk-based, SaaS-ready supplier/platform audit that specifically examines the controls critical for GxP compliance and auditability (e.g., data integrity, access controls, change/release, incident/DR). It takes into account the cloud reality (multi-tenant, standard product, frequent releases, limited individual audit access).

Differences from a traditional audit:

  • Shared Responsibility in focus: Clear delineation of what the SaaS provider is responsible for and what the customer must ensure organizationally/procedurally.
  • Pragmatic evidence: Uses realistic SaaS evidence (e.g., SOC/ISO, trust center artifacts) rather than expecting “on-prem” artifacts that SaaS often cannot provide.
  • GxP impact instead of full coverage: Preferably examines GxP-critical areas rather than “everything theoretically possible.”
  • Decision-oriented: Delivers a go/no-go-ready assessment including conditions and action plan.

A GxP Friendly Audit typically “maps” SaaS controls to the regulatory expectations around computerized systems and data integrity. Common references include:

  • EU GMP including Annex 11: Expectations regarding operations, security, data integrity, audit trails, supplier management, changes.
  • GAMP 5: Guideline for risk-based approach, supplier assessment, appropriate verification/validation.
  • FDA 21 CFR Part 11 (if applicable): Requirements for electronic records and electronic signatures.
  • Data Integrity (ALCOA+) as guiding principle: Traceability, completeness, immutability, availability.

Important for decision-makers:
Not every SaaS usage is automatically “Part 11-critical.” Relevance strongly depends on whether the platform creates/manages GxP records and whether electronic signatures are used.

The most important audit focus areas are the controls that directly affect data integrity, compliance traceability, and operational security:

Audit Trail & Data Integrity

  • Is the audit trail complete (who/what/when/why), activatable/configurable, protectable, and evaluable?
  • Can records/audit trails be exported and used long-term for audits?

Identity & Access Management (IAM)

  • Role/authorization concept (RBAC), least privilege, admin controls
  • MFA/SSO, user lifecycle (joiner/mover/leaver), recertifications

Change & Release Management (SaaS Updateability)

  • How are changes tested, approved, and communicated?
  • Are there impact assessments, release notes, possibly feature toggles/configurable functions?

Backup/Restore & Business Continuity / Disaster Recovery

  • Defined RPO/RTO, restore tests, evidence of DR exercises
  • Availability & recoverability of GxP-critical data

Incident, Problem & Vulnerability Management

  • Reporting processes, SLAs, RCA, CAPA mechanisms
  • Patch/vulnerability handling, security monitoring

Additionally often decisive: Data location/subprocessor transparency, logging/monitoring, interfaces & integrations, configuration control.

Accepted evidence typically includes standardized, audited proof and process artifacts that demonstrate the effectiveness of controls, e.g.:

  • SOC 2 Type II (including scope/period and tested controls)
  • ISO 27001 certification (plus relevant annexes/scope, possibly Statement of Applicability)
  • Trust Center / Compliance Portal (policies, process descriptions, control overviews)
  • SDLC/change process evidence (release notes, change workflows, test summaries)
  • BCP/DR evidence (DR test reports, results, improvement measures)
  • Incident/security evidence (process, ticket/RCA examples in anonymized form)
  • Subprocessor lists & Data Processing Agreements (DPA), data flow/architecture overviews

A GxP Friendly Audit typically does not fully replace an internal customer validation, but it can significantly streamline and accelerate it.

What the audit typically delivers:

  • Verifies the provider controls (e.g., security, ops, SDLC) as a reliable basis for supplier qualification
  • Provides input for CSA/CSV scope: What can be adopted as “supplier evidence,” and what must the customer test themselves?
  • Creates a shared responsibility matrix that derives clear customer actions (SOPs, role model, periodic review, configuration control)