--- title: Using Cloud-Based QMS Tools: Compliance Considerations Under MDR description: Cloud-based eQMS platforms are attractive for startups, but they bring specific MDR compliance considerations. Here is what to check before committing. authors: Tibor Zechmeister, Felix Lenhard category: Quality Management Under MDR primary_keyword: cloud QMS tools MDR compliance canonical_url: https://zechmeister-solutions.com/en/blog/cloud-based-qms-tools-mdr source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # Using Cloud-Based QMS Tools: Compliance Considerations Under MDR *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **Cloud-based eQMS platforms are legitimate tools for meeting MDR Article 10(9), and many small MedTech teams run compliant quality systems on them. But the cloud model shifts specific responsibilities onto the manufacturer that a paper-era QMS never faced. Under EN ISO 13485:2016+A11:2021 clause 4.1.6, any computer software used as part of the QMS must be validated for its intended use before initial use and after changes, and the manufacturer stays responsible for that validation regardless of where the server sits. Clause 4.2.4 document control, audit trails, data residency, vendor qualification, and a clean exit plan are the other considerations a founder has to check before signing the contract.** **By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.** --- ## TL;DR - Cloud-based eQMS tools can meet MDR Article 10(9) and EN ISO 13485:2016+A11:2021, but only if the manufacturer validates the tool, controls it, and keeps responsibility for the QMS regardless of vendor. - Clause 4.1.6 of EN ISO 13485:2016+A11:2021 requires documented validation of the application of computer software used in the QMS, before initial use and after changes, proportionate to the risk associated with its use. - Clause 4.2.4 requires document control outcomes (approval, versioning, availability at points of use, obsolescence) that the chosen tool must actually enforce, not just claim on a feature page. - Data residency and GDPR obligations are separate from MDR compliance but intersect with it, especially for audit trails containing personal data of staff and customers. - Vendor qualification under clause 7.4 and an exit plan that lets you walk away with your records are two checks most startups skip and later regret. --- ## Why cloud eQMS is the default question for early-stage MedTech Ten years ago, a startup building a medical device had to decide whether to run the QMS on paper or in a homegrown set of Word files on a shared drive. Today the question has shifted. The default starting point for most funded early-stage MedTech teams is: which cloud-based eQMS platform do we pick? There are more than a dozen serious vendors targeted at small MedTech. The marketing is slick. The sales cycles are short. The onboarding promises are aggressive. A founder who knows they need a QMS and does not yet know how a QMS works can have a cloud eQMS account provisioned within a week. That is both the opportunity and the trap. The opportunity is real: a good cloud eQMS can enforce versioning, signatures, audit trails, and training records in a way that a disciplined shared drive rarely sustains once the team grows past five people. The trap is that the purchase of the tool feels like the creation of the QMS, and it is not. The tool is a container. The QMS is the actual set of processes the company runs, described in the procedures that live inside the container. A cloud eQMS bought on Monday does not give you a QMS on Tuesday. It gives you a place where the QMS can live once you build it. This post is the list of things a founder has to check before signing the contract and again before the first Notified Body audit. Not a vendor comparison. Not a feature checklist. The MDR and EN ISO 13485:2016+A11:2021 obligations the cloud model specifically touches, and how to make sure the tool you pick actually helps you meet them. ## What cloud-based eQMS platforms actually offer The functional footprint of a modern cloud eQMS is relatively stable across vendors. Most platforms offer document control with electronic approval workflows, controlled document lists, automated versioning and obsolescence, training assignment and attestation, CAPA tracking, non-conformity tracking, change control, supplier management, audit management, management review support, and some form of risk management module. Some add technical documentation structuring aligned with MDR Annex II, design control modules aligned with EN ISO 13485 clause 7.3, and post-market surveillance tracking. The value of the tooling is that it enforces the mechanical parts of clause 4.2.4 and its neighbours by design — approval before issue, current revision identification, obsolete version prevention, availability at points of use. A disciplined shared drive can do these things. A cloud eQMS does them whether or not the team remembers to be disciplined, which is why it scales better. What these tools do not do: write your procedures for you in a way that matches reality, decide which clauses apply to your device, validate themselves, qualify the vendor on your behalf, or take responsibility for your QMS. All four of those remain your job. The rest of this post is about each one. ## Clause 4.1.6 — the validation requirement most founders miss This is the clause that quietly catches small teams off guard, and it is the single most important clause to understand before you pick a cloud eQMS. EN ISO 13485:2016+A11:2021 clause 4.1.6 requires the organisation to document procedures for the validation of the application of computer software used in the quality management system. The validation must happen before initial use and, as appropriate, after changes to the software or its application. The validation effort must be proportionate to the risk associated with the use of the software, including the effect on the ability of the product to conform to specifications. Records of the validation must be maintained. Read that carefully. The obligation is on the manufacturer, not on the vendor. The manufacturer must validate the application of the software for its intended use in their specific QMS. A vendor can provide validation documentation, a validation pack, or an "MDR-ready" badge on their website — none of that discharges your clause 4.1.6 obligation. What a good vendor provides is input to your validation. The validation itself is yours. What validation looks like in practice for a cloud eQMS: you write a short validation plan that defines the intended use of the tool in your QMS, the QMS processes that depend on it, the risks associated with its malfunction (data loss, wrong version in use, missed approval, missing audit trail), and the test cases that demonstrate the tool correctly supports each intended function. You execute the test cases, record the results, document any issues and their resolution, and sign off on the validation before the tool goes into productive use. After significant vendor updates — new major releases, migrated infrastructure, changed workflow engines — you re-validate the affected functions. The validation effort should be proportionate. For a Class I software device startup using a single eQMS to manage document control and training records, a focused validation covering the document lifecycle, the training assignment flow, the audit trail, and the user access controls is usually sufficient. For a Class IIb manufacturer using the eQMS across design controls, CAPA, PMS, and supplier management, the validation scope is wider and the test cases are more numerous. Proportionate is the same word from MDR Article 10(9) — it means match the effort to the risk. Two practical failure modes. First, the vendor says "we are validated" and the founder accepts that as the answer. That is not validation under clause 4.1.6. Second, the founder treats validation as a one-time pre-audit exercise and never revalidates after vendor updates. Modern SaaS vendors push updates constantly. The validation needs a mechanism to catch changes that materially affect QMS functions. ## Audit trail expectations Clause 4.2.4 does not use the phrase "audit trail," but the requirements it lists — approval before issue, change identification, current revision status, obsolete prevention — are impossible to meet in a cloud eQMS without a credible audit trail. An auditor will ask to see who created a document, who reviewed it, who approved it, when each event happened, and what changed between versions. The system has to answer every question with evidence. What to check before committing. The audit trail must capture user identity (not just "admin"), timestamp, action, and the object acted upon. It must be tamper-evident — meaning the audit trail itself cannot be edited by normal users, and ideally cannot be edited at all. It must be queryable for a specific document or a specific user over a specific time range. It must survive export — you need to be able to hand an auditor a report that proves the history of a document, and you need to be able to produce that report when the external auditor asks, not a week later after a support ticket to the vendor. The audit trail is also where the link between the tool and clause 4.1.6 validation shows up most visibly. Part of validating the eQMS for its intended use is testing that the audit trail actually records what it claims to record, that it cannot be bypassed, and that the export produces evidence that holds up under scrutiny. ## Data residency and GDPR Data residency is where MDR compliance and GDPR compliance intersect on a cloud eQMS, and where a surprising number of small teams trip. The MDR itself does not mandate where QMS data must be stored. Article 10(9) is silent on server location. But your QMS inevitably contains personal data — employee training records, author and approver names on documents, supplier contact information, possibly customer complaint details — and personal data is governed by the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). If your eQMS vendor stores data outside the EU or transfers data to non-EU infrastructure, you need a valid transfer mechanism, a data processing agreement, and a documented basis under GDPR. For an EU-based MedTech startup building devices for the EU market, the safest default is an eQMS vendor with EU data residency and a clear data processing agreement already in place. This is not a regulatory advantage under MDR — it does not make your QMS more compliant — but it removes a failure mode at the GDPR layer that can become a legal problem independent of your device certification. Secondary consideration: notified body access. During a Notified Body audit, the auditor will need to see records stored in the eQMS. If your eQMS is cloud-based, you need to be able to give the auditor live, read-only access to the relevant records during the audit without exposing data you should not expose. The access model of the tool matters. Check whether the tool supports auditor roles, time-boxed guest access, or export packages that can be handed to the auditor offline. ## Vendor qualification under clause 7.4 A cloud eQMS vendor is a supplier. Under EN ISO 13485:2016+A11:2021 clause 7.4, the organisation must evaluate and select suppliers on the basis of their ability to supply a product or service in accordance with requirements, establish criteria for selection, evaluation, and re-evaluation, and maintain records of the results. The clause applies to your eQMS vendor in the same way it applies to a contract manufacturer. Practical qualification for an eQMS vendor includes evidence of the vendor's own quality system (ISO 9001, ISO 13485, ISO 27001 for information security are common), evidence of infrastructure security and uptime commitments, evidence of change management on the vendor side so you know when updates will hit you, and evidence that the vendor can provide the validation inputs you need for clause 4.1.6. A thin questionnaire the vendor answers once and files somewhere is not qualification. A real evaluation, re-evaluated on a defined cadence, with results in your supplier records, is. You also need a written agreement with the vendor that covers at minimum: data ownership (you own your data, unambiguously), data access during and after the contract, the vendor's obligations on security incidents, the vendor's obligations on change notification, and the terms under which you can exit. Many startup-friendly eQMS vendors have standard agreements that cover most of this. Read the agreement before signing, not after the audit. ## Migration and exit considerations Every cloud eQMS relationship ends eventually. The vendor is acquired, the pricing changes, the feature direction drifts, the team outgrows the tool, or a new generation of tooling arrives. A QMS that cannot be migrated out of its current tool is a QMS that is locked in, and lock-in is a regulatory risk because it constrains your ability to change tools if the tool itself fails clause 4.1.6 validation after a bad update. Before committing, confirm three things. First, can you export every document, every record, every audit trail, and every training record in a format you can actually reuse somewhere else? "Export to PDF" is the minimum; structured export (XML, JSON, CSV with the full metadata) is the real answer. Second, does the export preserve the approval signatures, version history, and timestamps that make the records audit-defensible after export? Third, if the vendor disappears tomorrow, what is your continuity plan — do you have a recent export, stored somewhere you control, that you could use as the basis for a migration or a parallel manual QMS? The exit plan should be written down as part of the vendor qualification file. It does not need to be elaborate. One page that names the export mechanism, the frequency of backup exports you will perform, the storage location for those exports, and the migration path in case of vendor failure. This is also the kind of document an experienced auditor likes to see, because it shows the organisation is thinking about the tool as a supplier, not as a permanent fixture. ## Common mistakes - Treating the vendor's "MDR-ready" or "ISO 13485 validated" marketing as a substitute for your own clause 4.1.6 validation. The obligation is yours, not the vendor's. - Validating the tool once before the first audit and never revalidating after vendor updates that change how the QMS functions behave. - Granting broad admin access to multiple team members so that the audit trail cannot distinguish who actually performed an action. - Storing the only copy of the QMS data inside the vendor's cloud with no independent backup, so a billing dispute or a vendor incident can cut off access to the QMS mid-audit. - Buying the eQMS before the procedures exist and then treating the tool's default templates as the QMS. The Berlin template pattern from our document control post reappears here, just in a nicer interface. - Ignoring the GDPR layer until legal review raises it two weeks before launch. Data residency and transfer mechanisms need to be resolved at vendor selection. - Skipping the exit clause in the vendor agreement because the sales cycle is short and the founders want to move fast. ## The Subtract to Ship angle A cloud eQMS fits the [Subtract to Ship framework](/blog/subtract-to-ship-framework-mdr) when the tool enforces the mechanical parts of EN ISO 13485:2016+A11:2021 that a small team cannot reliably enforce through discipline alone, and when every module the team turns on is tied to a specific clause the company actually has to meet. It fails the framework when the tool adds modules, workflows, and layers the company does not need because the vendor's product roadmap is aimed at larger customers. The subtraction in cloud eQMS is module-level. Turn on document control (clause 4.2.4), training records, CAPA, and audit trail on day one — these are the mechanical wins that justify the monthly cost. Defer the modules that correspond to processes your company does not yet run. Every turned-on module is a module the team has to validate under clause 4.1.6, train on, and maintain. Modules you do not need are not free. Applied right, the cloud eQMS becomes the enforcer of the mechanical layer of the QMS and frees the team to put discipline where it matters most: writing procedures that describe real work, running the processes honestly, and producing records that reflect what actually happened. Applied wrong, the cloud eQMS becomes a second Berlin binder — prettier, searchable, and just as disconnected from the real company. ## Reality Check — Where do you stand? 1. Do you have a documented clause 4.1.6 validation of your cloud eQMS for its intended use in your specific QMS, signed off before the tool went into productive use? 2. When the vendor pushes a major update that changes how a QMS function behaves, do you have a process that catches it, assesses the impact, and triggers targeted revalidation? 3. Can you export the full audit trail for a specific document, with user identity and timestamps, and hand it to an auditor without a support ticket to the vendor? 4. Do you know exactly where your QMS data is stored, under which jurisdiction, and whether you have a valid data processing agreement with the vendor? 5. Is your eQMS vendor qualified as a supplier under clause 7.4, with a written evaluation and a scheduled re-evaluation, and the result stored in your supplier records? 6. If the vendor disappeared tomorrow, could you reconstruct the current state of your QMS from your own backups in a reasonable time frame? 7. Are the modules you have turned on all tied to specific clauses of EN ISO 13485:2016+A11:2021 or specific MDR obligations, or are some of them on because they were bundled in the plan? ## Frequently Asked Questions **Is a cloud-based eQMS compliant with MDR for a medical device startup?** It can be, if the manufacturer validates it under EN ISO 13485:2016+A11:2021 clause 4.1.6, qualifies the vendor under clause 7.4, and uses it to run a QMS that meets MDR Article 10(9). The tool itself does not make the QMS compliant. The manufacturer's processes, validation, and controls do. **Does clause 4.1.6 apply to a SaaS eQMS the vendor hosts for me?** Yes. Clause 4.1.6 applies to the application of computer software used in the QMS, regardless of where the software runs. A cloud-hosted SaaS eQMS is computer software used in your QMS, and your clause 4.1.6 obligation to validate its application for your intended use is identical to the obligation for on-premise software. **Can I rely on the vendor's "validated" or "MDR-ready" claim?** No. Vendor validation documents are useful inputs to your validation, but they are not a substitute. Your validation must cover the application of the tool in your specific QMS, with your processes, your configurations, and your intended use. The Notified Body audits you, not the vendor. **Does my QMS data need to be stored in the EU?** The MDR does not require EU data residency for QMS data. GDPR obligations may effectively require it, or require a valid transfer mechanism, because QMS data usually contains personal data of staff, suppliers, and sometimes customers. For an EU-based startup serving the EU market, an EU-resident eQMS is the simplest path. **How often do I need to revalidate the eQMS after updates?** Clause 4.1.6 requires revalidation as appropriate after changes, proportionate to risk. In practice, this means a documented process that assesses every vendor update for impact on validated functions and triggers targeted retests when the impact is material. Minor UI changes usually do not require full revalidation. Changes to workflow engines, audit trail behaviour, access control, or document lifecycle handling usually do. **What happens if the eQMS vendor is acquired or shuts down during my certification cycle?** This is the scenario your exit plan exists for. If you have recent independent exports of your QMS data and a written migration path, a vendor change is disruptive but survivable. If you do not, a vendor failure can block access to your records at exactly the moment an auditor asks for them. Treat vendor continuity as a risk your QMS must control, not as the vendor's problem. ## Related reading - [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) — the hub post for the QMS cluster and the clause-to-MDR-article orientation this post inherits. - [How to Build a Lean QMS for Your MedTech Startup](/blog/build-lean-qms-mdr-startup) — the seven-step reality-matched approach a cloud eQMS is supposed to support, not replace. - [The Minimum Viable QMS for Early-Stage MedTech](/blog/minimum-viable-qms) — the smallest legitimate QMS footprint and how tool choices interact with it. - [Document Control Under MDR: A Practical ISO 13485-Based System for Small Teams](/blog/document-control-startup) — the clause 4.2.4 requirements a cloud eQMS must actually enforce. - [Internal Audits Under MDR](/blog/internal-audits-mdr) — how internal audits test whether the eQMS is being used as validated, not as purchased. - [Training Records Under MDR](/blog/training-records-mdr) — the specific QMS records that are easiest to manage in a cloud eQMS and hardest in a shared drive. - [Selecting and Qualifying QMS Software Vendors](/blog/qms-software-vendor-selection) — the companion post on clause 7.4 vendor qualification for software suppliers. - [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the methodology behind the module-level subtraction described in this post. ## Sources 1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10, paragraph 9 (quality management system requirement, proportionate to risk class and type of device). Official Journal L 117, 5.5.2017. 2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 4.1.6 (validation of the application of computer software used in the quality management system), clause 4.2.4 (control of documents), clause 7.4 (purchasing). 3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal L 119, 4.5.2016. --- *This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. If you are choosing a cloud eQMS and want a second pair of eyes on the clause 4.1.6 validation and the vendor agreement before you commit, Zechmeister Strategic Solutions works with founders on exactly that kind of decision.* --- *This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*