GxP does not have the concept of BAAs or of contracts that allocate risk between parties. There is no concept of inheritance or of chaining liability down a vendor relationship.
The reason stems from a topic we discussed in our GxP primer: GxP isn’t a government regulation with a defined vocabulary or mandated procedures, like HIPAA or GDPR. Instead, GxP is an industry-accepted understanding of NIST standards adopted by the FDA in 21 CFR Part 11.
Nowhere are BAAs or other contracts outlined. There is no risk passed down via GxP.
Instead, when a cloud service provider, like Datica, claims GxP compliance, it is claiming that it has been audited against an interpretation of the FDA guidelines. Whatever relationships that business has with its own partners — like Datica with AWS or Microsoft Azure — are immaterial to that claim. For example, a customer of Datica is only concerned with whether Datica itself is GxP compliant; contrast this with HIPAA, where a customer of Datica is also concerned with what BAA inheritance Datica has with its partners.