AWS Security Blog

Introducing GxP Compliance on AWS

We’re happy to announce that customers now are enabled to bring the next generation of medical, health, and wellness solutions to their GxP systems by using AWS for their processing and storage needs. Compliance with healthcare and life sciences requirements is a key priority for us, and we are pleased to announce the availability of new compliance enablers for customers with GxP requirements.

The first key enabler is a first-of-its-kind GxP whitepaper, Considerations for Using AWS Products in GxP Systems, which details a comprehensive approach for using AWS in GxP systems. This whitepaper content has been developed in conjunction with AWS pharmaceutical and medical device customers, as well as software partners, who are currently using AWS products in their validated GxP systems. In order to ensure the suitability of the content, AWS took the additional step of engaging Lachman Consultant Services Inc. (Lachman Consultants) to review and contribute to the approach outlined in this whitepaper. Lachman Consultants is one of the most highly respected consulting firms on FDA and international regulatory compliance issues affecting the pharmaceutical and medical device industry today. Lachman Consultants has extensive experience working with companies, specifically on matters pertaining to the establishment and development of GxP systems, including GxP guidelines in support of maintaining regulated data in a cloud environment. For additional information about Lachman Consultants, go to

The whitepaper is organized into several sections outlining the most common GxP-related topics:

  • Quality Systems – Management responsibility, personnel, audits, purchasing, and recordkeeping.
  • System Development Life Cycle – Development, validation, and operations.
  • Regulatory Affairs – Regulatory submissions, health authority inspections, and personal data privacy controls for research participants.

When combined with the other security and quality certifications AWS has obtained (such as ISO 9001, ISO 27001, ISO 27017, ISO 27018, NIST 800-53 under FedRAMP), this whitepaper gives our customers a tested path to build and move GxP systems onto the AWS platform.

The second key enabler, the AWS Quality Manual, available upon request, is for AWS customers who have a Non-Disclosure Agreement and are in the process of performing a supplier assessment of AWS’s quality and security management controls. The AWS Quality Manual provides customers of AWS with insight into how AWS implements, operates, and monitors good commercial IT practices during the development and delivery of AWS products. As part of AWS’s quality and security management system, the controls outlined in the AWS Quality Manual are accredited by our third-parties auditors under our ISO 9001, 27001, 27017, 27018, and SOC certifications.

Our efforts in and our dedication to the GxP space will accelerate our customers’ ability to use AWS products to research, develop, and deliver the next generation of medical, health, and wellness solutions. Since we launched a HIPAA business associate program (BAA) in July 2013, our healthcare customers have been finding innovative ways to process, store, and transmit protected health information (PHI) using AWS products. In fact, healthcare regulators themselves are using AWS. For example, our FedRAMP compliance program has enabled healthcare regulators such as the FDA, Centers for Medicare and Medicaid Services (CMS), and the National Institutes for Health (NIH) to use AWS products for initiatives such as openFDA, the CMS Edge program, and controlled access datasets from the Database of Genotypes and Phenotypes (dbGaP).

We’ve also launched a GxP FAQ to help customers understand the path to running GxP workloads on AWS.

Please contact us with questions about using AWS products in GxP systems, or if you’d like to learn more about compliance in the cloud, please visit our AWS Cloud Compliance page.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.


Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.