G-7 — Supplier Assurance Pack & Supplier Qualification

🔄 Patent-filing date realignment · 18 Jun 2026
Patent FD target shifted from 15 Jun 2026 to 26 Jun 2026. All FD+N statutory and decision dates shift accordingly: §39 clock starts 26 Jun · complete specifications due 26 Jun 2027 (§9(1)) · PCT decision 26 Dec 2026 · US/EU national-phase entry 26 Dec 2028 · Request for Examination 26 Jan 2029. Marketing public-disclosure window also shifts: founder 1-to-1 outbound to known DP targets continues pre-FD under NDA; public marketing (newsletter · pillar pages · founder LinkedIn cadence · PR note · webinar invites) unlocks Mon 29 Jun 2026 (W5) post-FD. Engineering W1-W14 pilot timeline holds: demo lock Fri 26 Jun · Verified Go-Live Decision Tue 01 Sep.
What G-7 is, why suppliers must be qualified, exactly what actions to take and how, what goes in the pack, who does what, and when it is "closed." Governed by VRX-SOP-701 (qualification) + VRX-SOP-702 (ongoing oversight). Advisory — final supplier risk acceptance is the Head of QA's decision; Verixa never says "supplier approved" or "vendor compliant" without evidence and the correct owner's sign-off.

1 · What G-7 actually is — the deliverable

G-7 is the Supplier Assurance Pack: the assembled, evidence-backed record that Verixa's critical third-party dependencies are identified, risk-classified, qualified, monitored, and controlled. It is not a single document — it is a bundle (inventory + risk assessments + evidence matrices + agreements + provider evidence + oversight records) maintained under VRX-SOP-701/702.

In the v3 plan it is a critical-path item: drafted from W1, populated continuously from W7, and closed during August (W10–W13) — "closure, not first authoring." It exists because of Verixa's operating model: "Verixa verifies under its SDLC; the customer validates intended use." The design partner leverages the G-7 pack as part of their own IQ/OQ/PQ — so a strong pack is both a compliance control and a commercial asset.

One-line: G-7 proves "we know who our suppliers are, what they touch, what could go wrong, and what we've done about it" — to a level a customer's QA and a regulator's inspector will accept.

2 · Why suppliers must be qualified — the "why"

Under GxP you remain accountable for work you outsource. You cannot transfer that responsibility to a vendor. Qualification is how you discharge it. The expectations Verixa's suppliers map to:

Driver | What it requires
EU GMP Annex 11 §3.1–3.2 | Formal assessment of suppliers/service providers; written agreements defining responsibilities; assessment based on risk.
GAMP 5 (2nd ed) | Risk-based supplier assessment; leverage supplier activities/evidence proportionate to risk and supplier capability.
ICH Q10 | Management of outsourced activities and purchased materials — define, agree, and monitor responsibilities.
21 CFR Part 11 / Annex 11 | The hosting + AI providers touch regulated electronic records, audit trail, access — their controls feed your Part-11 posture.
FDA CSA (Sep 2025) | Risk-based, least-burdensome assurance — depth of supplier scrutiny scales with how the dependency affects intended use.
EU AI Act 2024/1689 + EU GMP Annex 22 (draft) | For the AI model provider: clarity on provider/deployer roles, GPAI obligations, data-use, change/deprecation — an AI provider is never an ordinary low-risk supplier when its output can reach a regulated workflow.

Commercially: the customer's vendor-assurance / security review will ask for this; having G-7 ready shortens the pilot's legal/QA cycle and unblocks the signed quality agreement (G-8).

3 · What to qualify — scope & criticality

The v3 plan's O3 names the priority suppliers (Anthropic / Azure). Classify every dependency; these are Critical because they host production, process regulated data, and/or produce AI output that can reach a regulated workflow — the skill rule: unknown criticality cannot be treated as minor.

Supplier | Service / dependency | Why it's in scope | Criticality
Anthropic (Claude) | AI model provider behind MIRA + AI-assisted workflows | AI output can influence regulated quality decisions; data-use, model-version & deprecation risk; EU AI Act / Annex 22 in scope | CRITICAL
Microsoft Azure | Cloud hosting / infrastructure (region, tenant isolation, backup/DR) | Hosts production + regulated records; availability, encryption, backup/restore, DR all depend on it | CRITICAL
Subprocessors (of the above) | Anything the providers themselves rely on that touches data | Third-party chain; cross-border transfer & data-category risk | assess each
Auth · email/notify · monitoring/logging · backup · support · dev/validation vendors | Operational SaaS dependencies | Classify by whether they touch GxP process, regulated records, security, availability, or customer commitments | Critical / Major / Minor

Honest status: the actual Anthropic/Azure evidence (SOC 2, ISO, DPA, model card, notice periods) is Unknown — evidence required until collected and reviewed. This guide tells you how to get to a defensible position; it does not declare any vendor "compliant."

4 · The actions — how to qualify, step by step — VRX-SOP-701 §8

Run each critical supplier through the six stages. The depth is risk-based: a Critical supplier needs the full path (questionnaire + evidence review + security/privacy/AI review + agreement + Head-of-QA risk acceptance); a Minor supplier needs a basic record + owner justification.

Stage 1 · Identify (SOP-701 §8.1)
Build/refresh the supplier inventory. For each supplier capture: name, service, internal owner, the product/module it supports, data type processed, hosting region, integration/API, and a first-cut of GxP / data / AI impact. Output: a row in the inventory with a Supplier ID.

Stage 2 · Risk-Assess (SOP-701 §8.2)
Classify criticality (Critical/Major/Minor) and rate each risk area: GxP, data integrity, security, privacy, AI, availability, business continuity, validation leverage, customer-commitment, subprocessor, and change/incident-notification risk. Record rationale + required controls + residual risk. Unknown ≠ low.

Stage 3 · Evaluate Evidence (SOP-701 §8.3)
Request and review the evidence (see §5). Build the evidence matrix: for each item mark Provided? / Adequate-for-supplier-quality? / Gap / which expert it routes to. Anything missing is written Unknown — evidence required — never assumed. SOC 2 / ISO / pen-test adequacy is confirmed by the Security/Privacy owner, not here.

Stage 4 · Agreement & Qualify (SOP-701 §8.4)
Put the right agreements in place — a Quality (& Security) Agreement (QAA) and a DPA — covering: responsibility split, change-notification, incident-notification, data-integrity responsibility, validation support, audit rights, subprocessor control, retention, BCP/DR, security/privacy, AI-specific obligations, and termination/data-return/deletion. Then run the Qualification Gate (§7) and prepare the Head of QA risk-acceptance for Critical suppliers. (This is the bridge to G-8.)

Stage 5 · Onboard Controls (SOP-701 §8.5)
Operationalise the obligations: wire in change-notification and incident-notification handling, define the periodic-review cadence, and register the supplier in the risk register. Controls must be live, not just contractual.

Stage 6 · Maintain (SOP-701 §8.6 → SOP-702)
Ongoing oversight under VRX-SOP-702: Maintain agreements → Monitor performance/SLA → Handle notifications → Review & audit → Reassess → Report. Re-qualify on material change (model version, region, subprocessor, SLA) and at the periodic-review date.

5 · The evidence to collect — per critical supplier

Evidence | What it proves | Routes to
Completed supplier questionnaire | Baseline qualification evidence | Supplier Quality
SOC 2 Type II report | Operating effectiveness of controls over a period | Security / Privacy
ISO 27001 certificate (+ SoA) | Certified ISMS scope | Security / Privacy
Penetration-test summary · vuln management | Security testing posture | Security / Privacy
DPA + subprocessor list | Privacy basis + third-party chain + cross-border transfer | Legal / Privacy
Model / system card + AI data-use terms | Is customer data used for training? retention? region? deprecation? | AI Governance
SLA / availability commitment | Uptime + service levels | Release / QA
BCP/DR plan + backup/restore evidence | Resilience + data recoverability | BCP-DR / Data Integrity
Change & incident notification terms | Will they tell you, and how fast? | Supplier Quality / Release
Validation support package / release notes | Potential to reduce your own testing | CSV/CSA (owns the leverage decision)

6 · What goes inside the G-7 pack

7 · Acceptance — when is a supplier "qualified" / G-7 "closed"

A Critical supplier passes only when the Qualification Gate clears: identity & service defined · owner assigned · criticality classified · GxP/data/AI impact assessed · security/privacy routed · required evidence reviewed · QAA assessed · incident & change notification assessed · subprocessor evidence assessed · validation leverage handed to CSV/CSA · findings/CAPA addressed · periodic review defined · no unsupported claim · Head-of-QA handoff prepared. G-7 is "closed" when this holds for every Critical supplier and there are no open critical findings without remediation or explicit Head-of-QA risk acceptance — targeted for W10–W13 (Aug), populated continuously from W7.

Hard stops (cannot mark acceptable): unknown criticality · critical supplier without qualification evidence · AI-provider evidence missing for AI in a regulated workflow · subprocessor list missing where customer data is processed · incident/change-notification terms missing for a critical supplier · backup/restore or BCP/DR evidence missing for infrastructure · QAA missing where a responsibility split is required · open critical finding without remediation or Head-of-QA acceptance.

8 · Who does what — ownership & handoffs

Item | Owner
Supplier inventory, criticality, risk & evidence assessment, qualification recommendation | Supplier Quality
Final supplier risk acceptance (Critical) | Head of QA
Whether supplier evidence can reduce validation testing | CSV/CSA Expert
SOC 2 / ISO / pen-test / encryption / tenant-isolation / DPA adequacy | Security / Privacy
AI model-provider governance adequacy (data-use, model change, monitoring) | AI Governance
QAA / DPA legal enforceability | Legal / Privacy Counsel
Backup/restore/retention impact on regulated records | Data Integrity
Vendor/model/subprocessor change impact | Release & Change Control

9 · How it sits in the v3 timeline

When | G-7 action
W1 (Jun 01) | Start O3 (qualify Anthropic/Azure); draft G-7 (and G-8) framework
W7 (Jul 13) | Begin populating G-7 continuously as evidence is generated (so August is closure, not first authoring)
W9 (Jul 31) | G-8 quality agreement SIGNED (depends on the QAA work in G-7)
W10–W13 (Aug) | G-7 closure · MIRA provider pack · security/P6/DR evidence in
W14 (Sep 01) | Per-workflow go-live: a workflow is "production-verified" only if its evidence is in G-7 and it's covered by signed G-8

Boundary check. This guide is the supplier-quality framework and method. It does not approve any vendor, decide validation leverage, conclude on security/privacy/AI adequacy, or approve legal terms — those are the Head of QA, CSV/CSA, Security/Privacy, AI Governance, and Legal owners respectively. Actual Anthropic/Azure status remains Unknown — evidence required until the evidence is collected and the owners decide.