G-7 is the Supplier Assurance Pack: the assembled, evidence-backed record that Verixa's critical third-party dependencies are identified, risk-classified, qualified, monitored, and controlled. It is not a single document — it is a bundle (inventory + risk assessments + evidence matrices + agreements + provider evidence + oversight records) maintained under VRX-SOP-701/702.
In the v3 plan it is a critical-path item: drafted from W1, populated continuously from W7, and closed during August (W10–W13) — "closure, not first authoring." It exists because of Verixa's operating model: "Verixa verifies under its SDLC; the customer validates intended use." The design partner leverages the G-7 pack as part of their own IQ/OQ/PQ — so a strong pack is both a compliance control and a commercial asset.
Under GxP you remain accountable for work you outsource. You cannot transfer that responsibility to a vendor. Qualification is how you discharge it. The expectations Verixa's suppliers map to:
| Driver | What it requires |
|---|---|
| EU GMP Annex 11 §3.1–3.2 | Formal assessment of suppliers/service providers; written agreements defining responsibilities; assessment based on risk. |
| GAMP 5 (2nd ed) | Risk-based supplier assessment; leverage supplier activities/evidence proportionate to risk and supplier capability. |
| ICH Q10 | Management of outsourced activities and purchased materials — define, agree, and monitor responsibilities. |
| 21 CFR Part 11 / Annex 11 | The hosting + AI providers touch regulated electronic records, audit trail, access — their controls feed your Part-11 posture. |
| FDA CSA (Sep 2025) | Risk-based, least-burdensome assurance — depth of supplier scrutiny scales with how the dependency affects intended use. |
| EU AI Act 2024/1689 + EU GMP Annex 22 (draft) | For the AI model provider: clarity on provider/deployer roles, GPAI obligations, data-use, change/deprecation — an AI provider is never an ordinary low-risk supplier when its output can reach a regulated workflow. |
Commercially: the customer's vendor-assurance / security review will ask for this; having G-7 ready shortens the pilot's legal/QA cycle and unblocks the signed quality agreement (G-8).
The v3 plan's O3 names the priority suppliers (Anthropic / Azure). Classify every dependency; Anthropic and Azure are Critical because they host production, process regulated data, and/or produce AI output that can reach a regulated workflow. The skill rule applies: unknown criticality cannot be treated as minor.
| Supplier | Service / dependency | Why it's in scope | Criticality |
|---|---|---|---|
| Anthropic (Claude) | AI model provider behind MIRA + AI-assisted workflows | AI output can influence regulated quality decisions; data-use, model-version & deprecation risk; EU AI Act / Annex 22 in scope | CRITICAL |
| Microsoft Azure | Cloud hosting / infrastructure (region, tenant isolation, backup/DR) | Hosts production + regulated records; availability, encryption, backup/restore, DR all depend on it | CRITICAL |
| Subprocessors (of the above) | Anything the providers themselves rely on that touches data | Third-party chain; cross-border transfer & data-category risk | assess each |
| Auth · email/notify · monitoring/logging · backup · support · dev/validation vendors | Operational SaaS dependencies | Classify by whether they touch GxP process, regulated records, security, availability, or customer commitments | Critical / Major / Minor |
Unknown — evidence required until collected and reviewed. This guide tells you how to get to a defensible position; it does not declare any vendor "compliant."

Run each critical supplier through the six stages. The depth is risk-based: a Critical supplier needs the full path (questionnaire + evidence review + security/privacy/AI review + agreement + Head-of-QA risk acceptance); a Minor supplier needs a basic record + owner justification.
Unknown — evidence required — never assumed. SOC 2 / ISO / pen-test adequacy is confirmed by the Security/Privacy owner, not here.

| Evidence | What it proves | Routes to |
|---|---|---|
| Completed supplier questionnaire | Baseline qualification evidence | Supplier Quality |
| SOC 2 Type II report | Operating effectiveness of controls over a period | Security / Privacy |
| ISO 27001 certificate (+ SoA) | Certified ISMS scope | Security / Privacy |
| Penetration-test summary · vuln management | Security testing posture | Security / Privacy |
| DPA + subprocessor list | Privacy basis + third-party chain + cross-border transfer | Legal / Privacy |
| Model / system card + AI data-use terms | Is customer data used for training? retention? region? deprecation? | AI Governance |
| SLA / availability commitment | Uptime + service levels | Release / QA |
| BCP/DR plan + backup/restore evidence | Resilience + data recoverability | BCP-DR / Data Integrity |
| Change & incident notification terms | Will they tell you, and how fast? | Supplier Quality / Release |
| Validation support package / release notes | Potential to reduce your own testing | CSV/CSA (owns the leverage decision) |
A Critical supplier passes only when the Qualification Gate clears: identity & service defined · owner assigned · criticality classified · GxP/data/AI impact assessed · security/privacy routed · required evidence reviewed · QAA assessed · incident & change notification assessed · subprocessor evidence assessed · validation leverage handed to CSV/CSA · findings/CAPA addressed · periodic review defined · no unsupported claim · Head-of-QA handoff prepared. G-7 is "closed" when this holds for every Critical supplier and there are no open critical findings without remediation or explicit Head-of-QA risk acceptance — targeted for W10–W13 (Aug), populated continuously from W7.
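The Qualification Gate and closure rule above, turned into a runnable readiness check (added example, not Verixa's own tooling or SOP): the evidence labels, field names and the "reviewed / received / unknown" statuses are this example's own assumptions, and adequacy judgements stay with the routed owners.

```python
# Added example, not Verixa's own tooling: a closure-readiness check over a
# supplier inventory, encoding the gate and closure rules stated in this guide.
from dataclasses import dataclass, field
from typing import Optional
FULL_PATH = {"questionnaire", "soc2_or_iso27001", "pentest", "dpa_subprocessors",
             "sla", "bcp_dr", "change_incident_notification", "qaa"}
BASIC_PATH = {"questionnaire"}  # Minor supplier: basic record + owner justification

@dataclass
class Finding:
    severity: str                      # "critical" | "major" | "minor"
    remediated: bool = False
    head_of_qa_accepted: bool = False  # explicit, documented Head-of-QA risk acceptance

@dataclass
class Supplier:
    name: str
    criticality: Optional[str]         # None = not yet classified
    evidence: dict                     # item -> "reviewed" | "received" | "unknown"
    owner: Optional[str] = None
    findings: list = field(default_factory=list)

def effective_criticality(s: Supplier) -> str:
    # Unknown criticality cannot be treated as Minor: apply the full Critical path.
    return (s.criticality or "critical").lower()
def open_critical_findings(s: Supplier) -> int:
    return sum(1 for f in s.findings if f.severity == "critical"
               and not (f.remediated or f.head_of_qa_accepted))

def gate_blockers(s: Supplier) -> list:
    """Reasons this supplier does not yet clear the Qualification Gate."""
    blockers = []
    if s.criticality is None:
        blockers.append("criticality not classified")
    if s.owner is None:
        blockers.append("no owner assigned")
    required = BASIC_PATH if effective_criticality(s) == "minor" else FULL_PATH
    for item in sorted(required):
        # Evidence that is unknown, or received but not yet reviewed, never counts.
        if s.evidence.get(item, "unknown") != "reviewed":
            blockers.append(f"evidence not reviewed: {item}")
    if open_critical_findings(s):
        blockers.append("open critical finding without remediation or risk acceptance")
    return blockers

def g7_closable(suppliers: list) -> bool:
    """Every Critical-path supplier clears the gate; no open critical finding anywhere."""
    critical_path = [s for s in suppliers if effective_criticality(s) != "minor"]
    return (all(not gate_blockers(s) for s in critical_path)
            and not any(open_critical_findings(s) for s in suppliers))
```

A supplier with no classification is pushed down the full path rather than silently passing, and a critical finding blocks closure even on a Minor supplier unless it is remediated or explicitly risk-accepted.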
| Item | Owner |
|---|---|
| Supplier inventory, criticality, risk & evidence assessment, qualification recommendation | Supplier Quality |
| Final supplier risk acceptance (Critical) | Head of QA |
| Whether supplier evidence can reduce validation testing | CSV/CSA Expert |
| SOC 2 / ISO / pen-test / encryption / tenant-isolation / DPA adequacy | Security / Privacy |
| AI model-provider governance adequacy (data-use, model change, monitoring) | AI Governance |
| QAA / DPA legal enforceability | Legal / Privacy Counsel |
| Backup/restore/retention impact on regulated records | Data Integrity |
| Vendor/model/subprocessor change impact | Release & Change Control |

| When | G-7 action |
|---|---|
| W1 (Jun 01) | Start O3 (qualify Anthropic/Azure); draft G-7 (and G-8) framework |
| W7 (Jul 13) | Begin populating G-7 continuously as evidence is generated (so August is closure, not first authoring) |
| W9 (Jul 31) | G-8 quality agreement SIGNED (depends on the QAA work in G-7) |
| W10–W13 (Aug) | G-7 closure · MIRA provider pack · security/P6/DR evidence in |
| W14 (Sep 01) | Per-workflow go-live: a workflow is "production-verified" only if its evidence is in G-7 and it's covered by signed G-8 |
Unknown — evidence required until the evidence is collected and the owners decide.