QMSR Supplier Quality Agreement for Cloud, AI, Cybersecurity, and Testing Vendors: Clause-by-Clause Construction Guide
How to draft ISO 13485 / QMSR-compliant supplier quality agreements for critical outsourced vendors — cloud hosting providers, AI model/data vendors, penetration testing firms, ASCA/non-ASCA test labs, and sterilization vendors — with clause-by-clause guidance, vulnerability notification clauses, audit rights, CAPA cooperation, change notification, and evidence records.
What This Article Covers / Does Not Cover
This article covers one document: the supplier quality agreement (SQA) that a medical device manufacturer must execute with critical outsourced vendors under FDA QMSR (21 CFR Part 820, effective 2 February 2026, incorporating ISO 13485:2016 by reference) and ISO 13485 Clause 7.4. It provides clause-by-clause construction guidance for five vendor categories that are increasingly critical in 2026: cloud hosting providers, AI model/data vendors, penetration testing firms, ASCA/non-ASCA test laboratories, and sterilization vendors.
It includes a vendor-type-to-clause matrix, sample clause language (clearly labeled as illustrative), a change notification decision tree, common auditor objections with responses, and a pre-audit evidence checklist.
This article does not cover general supplier evaluation, selection, or ranking methodology. For supplier audit checklists, see Supplier Audit Checklist. For third-party vendor cybersecurity risk management, see Medical Device Third-Party Vendor Cybersecurity Risk Management. For QMSR transition details, see QSR to QMSR Transition. For general QMS gap analysis, see QMSR Gap Analysis ISO 13485 Checklist.
Regulatory Basis
QMSR (effective 2 February 2026) incorporates ISO 13485:2016 by reference into 21 CFR Part 820. The purchasing control requirements in ISO 13485 Clause 7.4 now have the force of US federal law. Key provisions:
| ISO 13485 Clause | Requirement | SQA Relevance |
|---|---|---|
| 4.1.5 | Control of outsourced processes — retain responsibility | Defines scope of outsourced activities in SQA |
| 7.4.1 | Purchasing process — evaluate, select, monitor suppliers | Basis for vendor qualification and ongoing monitoring |
| 7.4.2 | Purchasing information — describe product, requirements | SQA must describe requirements for approval, procedures, processes, equipment |
| 7.4.3 | Verification of purchased product | Defines acceptance criteria and verification activities |
| 7.5.9 | Traceability | SQA must ensure traceability of components/services |
| 8.2.3 | Feedback / complaint handling | SQA must include complaint cooperation clauses |
| 8.5.2 | Corrective action | SQA must include CAPA cooperation clauses |
| 8.5.3 | Preventive action | SQA should include proactive risk communication |
Additionally, FDA Section 524B (cyber devices) and the updated FDA cybersecurity guidance (February 2026) require manufacturers to extend cybersecurity oversight to third-party software, cloud, and service components. MITRE's April 2026 publication on cybersecurity risk analysis for medical devices explicitly addresses shared security responsibilities for cloud and AI/ML vendors.
Vendor Classification and SQA Requirement Matrix
Not every vendor needs a full quality agreement. Use this classification to determine SQA depth:
| Vendor Type | Risk Level | QMS Certificate Required | Quality Agreement Required | Audit Frequency | ISO 13485 Clause Basis |
|---|---|---|---|---|---|
| Cloud hosting (IaaS/PaaS/SaaS for device data, AI inference) | Critical (A) | ISO 27001, SOC 2 Type II | Full SQA | Annual (remote or on-site) | 7.4.1, 7.4.2, 4.1.5 |
| AI model/data vendor (training data, annotation, model hosting) | Critical (A) | ISO 27001 desirable | Full SQA | Annual | 7.4.1, 7.4.2 |
| Penetration testing firm | Critical (A) | N/A (competency-based) | Scoped SQA | Per engagement | 7.4.1, 7.4.2 |
| ASCA-accredited test lab | Critical (A) | ISO/IEC 17025 + ASCA | Scoped SQA | Per engagement + accreditation monitoring | 7.4.1, 7.4.2, 7.4.3 |
| Non-ASCA test lab | High (B) | ISO/IEC 17025 | Scoped SQA | Per engagement | 7.4.1, 7.4.2, 7.4.3 |
| Contract sterilization vendor | Critical (A) | ISO 13485, ISO 11135/11137/17665 | Full SQA | Annual on-site | 7.4.1, 7.4.2, 7.4.3, 4.1.5 |
| Raw material supplier | High (B) | ISO 9001 or ISO 13485 | Abbreviated SQA or PO terms | Biennial | 7.4.2 |
| General office supplies, non-critical services | Low (D) | N/A | Purchase order terms | N/A | 7.4.2 (minimal) |
Clause-by-Clause Construction Guide
The following sections provide the specific clauses to include in an SQA for each critical vendor type. Language is illustrative — adapt to your organization's templates.
Clause 1: Scope and Outsourced Activities
Purpose: Define exactly what the vendor does that affects device quality, safety, or cybersecurity. Per ISO 13485 Clause 4.1.5, the manufacturer retains full regulatory responsibility for outsourced processes.
| Vendor Type | What to Specify |
|---|---|
| Cloud hosting | Hosting environment for [device data / AI inference / QMS software]; uptime SLA; data residency; encryption at rest and in transit; backup and disaster recovery; network segmentation |
| AI model/data vendor | Training data curation, labeling/annotation services, model training and validation, model hosting/API access, data provenance tracking |
| Penetration testing | Scope of testing (device firmware, companion app, cloud APIs, network protocols); testing methodology; deliverables (report format, vulnerability classification); safety constraints during testing |
| Test lab (ASCA/non-ASCA) | Standards to be tested against; test plan approval process; sample handling; report format (ASCA Summary Test Report if applicable); timeline |
| Sterilization vendor | Sterilization method; cycle parameters; biological indicator specifications; load configuration; release criteria; residue testing |
Illustrative language:
"This Quality Agreement applies to the following outsourced activities performed by [Vendor Name] on behalf of [Manufacturer Name]: [specific activities]. [Manufacturer Name] retains full regulatory responsibility for these outsourced activities as required by ISO 13485:2016 Clause 4.1.5 and 21 CFR Part 820 (QMSR)."
Clause 2: Regulatory Compliance and Certifications
Purpose: Document the vendor's applicable certifications and regulatory status.
| Vendor Type | Required Certifications | Verification Method |
|---|---|---|
| Cloud hosting | ISO 27001, SOC 2 Type II, HIPAA BAA (if PHI involved) | Certificate copies; annual renewal monitoring |
| AI model/data vendor | ISO 27001 desirable; GDPR compliance (if EU data) | Attestation; DPA (Data Processing Agreement) |
| Penetration testing | Industry certifications (CREST, OSCP, CEH for testers); no ISO requirement | Resume/CV of assigned testers; methodology statement |
| ASCA lab | ISO/IEC 17025:2017 with ASCA-specific scope addendum; FDA ASCA accreditation letter | Verify on FDA ASCA accreditation list before each submission; monitor for status changes |
| Non-ASCA lab | ISO/IEC 17025:2017 | Certificate copy; accreditation body verification |
| Sterilization vendor | ISO 13485:2016; applicable sterilization standard certification | Certificate copies; annual renewal monitoring |
Illustrative language:
"[Vendor Name] shall maintain the following certifications and accreditations: [list]. [Vendor Name] shall notify [Manufacturer Name] within [5 business days] of any change in certification status, scope, or accreditation, including suspension, withdrawal, or voluntary relinquishment."
Clause 3: Change Notification
Purpose: Ensure the vendor notifies the manufacturer before implementing changes that could affect product quality, safety, cybersecurity, or regulatory status.
Decision tree for change notification:
Vendor proposed change:
- Does the change affect product quality, safety, or cybersecurity?
  - YES → requires written notification [X days] before implementation
    - Does the change affect device specifications or intended use?
      - YES → requires manufacturer written approval before implementation
      - NO → notification only; manufacturer has [X days] to object
    - Does the change affect the vendor's certification/accreditation?
      - YES → immediate notification; manufacturer re-evaluates vendor
      - NO → proceed with standard change notification
  - NO → no notification required; document in vendor's internal change log
Vendor-specific change triggers:
| Vendor Type | Changes Requiring Notification | Notification Timeline |
|---|---|---|
| Cloud hosting | Data center relocation; infrastructure platform upgrade; security control changes; sub-processor changes; encryption protocol changes; SLA changes; data residency changes | 30 days prior |
| AI model/data vendor | Training data source changes; labeling methodology changes; model architecture changes; API changes; sub-contracting of data processing | 30 days prior |
| Penetration testing | Personnel changes (lead tester); methodology changes; tool changes | Per engagement |
| ASCA/non-ASCA lab | Accreditation status changes; scope changes; equipment relocation; key personnel changes; test method modifications | Immediate for accreditation; 30 days for others |
| Sterilization vendor | Process parameter changes; equipment changes; biological indicator supplier changes; facility relocation; cycle modifications | 30 days prior; immediate for any parameter OOS |
Illustrative language:
"[Vendor Name] shall not implement any change that could affect the quality, safety, efficacy, or regulatory compliance of the outsourced services without prior written notification to [Manufacturer Name]. Changes requiring notification include but are not limited to: [list from table above]. [Manufacturer Name] shall have [15 business days] from receipt of notification to provide written approval, objection, or request for additional information."
Clause 4: Vulnerability and Security Incident Notification
Purpose: For cloud, AI, and cybersecurity vendors, define how and when security vulnerabilities and incidents are reported.
| Notification Type | Timeline | Content Required | Escalation |
|---|---|---|---|
| Critical vulnerability (CVSS 9.0+) affecting the device | 24 hours of discovery | CVE ID (if available); affected components; exploitability assessment; interim mitigations; estimated remediation timeline | Immediate — manufacturer PSIRT activated |
| High vulnerability (CVSS 7.0-8.9) | 72 hours | Same as above | Manufacturer risk assessment within 5 business days |
| Security incident involving device data or systems | 24 hours of detection | Incident description; data affected; containment measures; root cause (when known) | Manufacturer incident response team activated |
| Sub-processor security event | 5 business days | Description; impact assessment; remediation | Manufacturer re-evaluates vendor risk |
Illustrative language:
"[Vendor Name] shall notify [Manufacturer Name] within [24 hours] of becoming aware of any security vulnerability rated CVSS 7.0 or above that affects the services provided under this Agreement, or any security incident involving [Manufacturer Name]'s data or systems. Notification shall include: vulnerability description and CVSS score, affected components, known exploitability, interim compensating controls, and estimated remediation timeline. [Manufacturer Name] reserves the right to invoke its Product Security Incident Response Team (PSIRT) process and to coordinate public disclosure timing in accordance with its coordinated vulnerability disclosure policy."
For more on vulnerability triage, see SBOM-to-VEX Vulnerability Triage Workflow.
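The notification windows in the Clause 4 table are only auditable if the manufacturer actually measures vendor performance against them. The following Python script is an added example written for this article (not the page's own tooling, and not any vendor's or manufacturer's code): it encodes the table's timelines and escalation column as constants, classifies each incoming vendor notification by CVSS score or event type, computes the contractual deadline (calendar hours, or Mon-Fri business days for the sub-processor row), and flags late notifications as SCAR candidates. The vendor names, timestamps and CVSS scores are constructed; the SLA values are assumed to be the ones written into the executed SQA, and public holidays are not modelled.

```python
"""Vendor security notification SLA checker (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc

# Contractual windows from the Clause 4 table (assumed SQA values), measured from
# the vendor's discovery/detection time. Business days exclude Sat/Sun only.
SLA = {
    "critical_vulnerability": ("hours", 24),   # CVSS 9.0+ affecting the device
    "high_vulnerability": ("hours", 72),       # CVSS 7.0-8.9
    "security_incident": ("hours", 24),        # incident involving device data/systems
    "subprocessor_event": ("business_days", 5),
}

# Escalation column from the same table.
ESCALATION = {
    "critical_vulnerability": "Immediate: manufacturer PSIRT activated",
    "high_vulnerability": "Manufacturer risk assessment within 5 business days",
    "security_incident": "Manufacturer incident response team activated",
    "subprocessor_event": "Manufacturer re-evaluates vendor risk",
}


@dataclass
class Notification:
    vendor: str
    kind: str                 # "vulnerability" | "incident" | "subprocessor"
    discovered: datetime      # vendor discovery/detection time (timezone-aware)
    notified: datetime        # when the manufacturer received the notification
    cvss: Optional[float] = None


@dataclass
class SlaResult:
    vendor: str
    category: Optional[str]   # None when no contractual deadline applies
    deadline: Optional[datetime]
    hours_late: float         # 0.0 when on time or when no deadline applies
    on_time: bool
    escalation: str


def classify(n: Notification) -> Optional[str]:
    """Map a notification to its Clause 4 row; None if below the CVSS 7.0 threshold."""
    if n.kind == "vulnerability":
        if n.cvss is None:
            raise ValueError("vulnerability notification requires a CVSS score")
        if n.cvss >= 9.0:
            return "critical_vulnerability"
        if n.cvss >= 7.0:
            return "high_vulnerability"
        return None  # still triaged internally, but no contractual clock
    if n.kind == "incident":
        return "security_incident"
    if n.kind == "subprocessor":
        return "subprocessor_event"
    raise ValueError(f"unknown notification kind: {n.kind!r}")


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance start by the given number of Mon-Fri days, keeping the time of day."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0=Mon .. 4=Fri
            days -= 1
    return current


def deadline_for(category: str, discovered: datetime) -> datetime:
    unit, amount = SLA[category]
    if unit == "hours":
        return discovered + timedelta(hours=amount)
    return add_business_days(discovered, amount)


def evaluate(n: Notification) -> SlaResult:
    """Check one vendor notification against its contractual window."""
    category = classify(n)
    if category is None:
        return SlaResult(n.vendor, None, None, 0.0, True,
                         "No contractual deadline; triage per internal process")
    deadline = deadline_for(category, n.discovered)
    late = max(0.0, (n.notified - deadline).total_seconds() / 3600)
    return SlaResult(n.vendor, category, deadline, late, late == 0.0, ESCALATION[category])


def late_notifications(notifications: List[Notification]) -> List[Tuple[str, str, float]]:
    """Return (vendor, category, hours_late) for every missed window: SCAR candidates."""
    return [(r.vendor, r.category, r.hours_late)
            for r in map(evaluate, notifications) if not r.on_time]


# Constructed sample records (2026-03-02 is a Monday; 2026-03-06 is a Friday).
SAMPLE = [
    Notification("CloudCo (constructed)", "vulnerability",
                 datetime(2026, 3, 2, 9, 0, tzinfo=UTC), datetime(2026, 3, 2, 20, 0, tzinfo=UTC), cvss=9.8),
    Notification("DataLabel Inc (constructed)", "vulnerability",
                 datetime(2026, 3, 2, 9, 0, tzinfo=UTC), datetime(2026, 3, 6, 9, 0, tzinfo=UTC), cvss=7.5),
    Notification("CloudCo (constructed)", "subprocessor",
                 datetime(2026, 3, 6, 10, 0, tzinfo=UTC), datetime(2026, 3, 13, 10, 0, tzinfo=UTC)),
    Notification("PenTest LLP (constructed)", "vulnerability",
                 datetime(2026, 3, 3, 8, 0, tzinfo=UTC), datetime(2026, 3, 10, 8, 0, tzinfo=UTC), cvss=5.0),
]

if __name__ == "__main__":
    for n in SAMPLE:
        r = evaluate(n)
        status = "ON TIME" if r.on_time else f"LATE by {r.hours_late:.1f} h"
        print(f"{r.vendor:28} {r.category or '-':24} {status:18} {r.escalation}")
```

Run against a vendor's notification log, the per-record results (deadline, lateness, escalation path) are the kind of dated objective evidence the pre-audit checklist asks for, and the `late_notifications` output is the list to open SCARs against under Clause 6. The sub-processor row deliberately uses business days rather than 120 calendar hours, since that is how the table phrases it; if the executed SQA says otherwise, change the `SLA` entry rather than the logic.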
Clause 5: Audit Rights
Purpose: Reserve the manufacturer's right to audit the vendor's facilities, processes, and records.
| Vendor Type | Audit Type | Frequency | Scope |
|---|---|---|---|
| Cloud hosting | Remote audit (SOC 2 report review + questionnaire) | Annual | Security controls, data handling, access management, encryption, incident response |
| AI model/data vendor | Remote or on-site | Annual | Data handling, labeling quality, model version control, access management |
| Penetration testing | Report review + methodology assessment | Per engagement | Tester qualifications, methodology compliance, report quality |
| ASCA/non-ASCA lab | On-site (for critical tests) or remote | As needed | Calibration records, test procedures, personnel qualifications, sample handling |
| Sterilization vendor | On-site | Annual | Cycle parameters, validation records, biological indicators, environmental monitoring |
Illustrative language:
"[Manufacturer Name] reserves the right to audit [Vendor Name]'s facilities, processes, records, and sub-contractors relevant to the outsourced activities described in this Agreement. Audits may be conducted with [30 days] prior written notice for scheduled audits, or without prior notice in the event of a quality or safety concern. [Vendor Name] shall provide reasonable access to relevant personnel, documentation, and systems during audits. Audit findings shall be addressed through [Vendor Name]'s corrective action process, with responses provided to [Manufacturer Name] within [15 business days] of audit report issuance."
Clause 6: CAPA Cooperation
Purpose: Define how the vendor participates in the manufacturer's corrective and preventive action process.
| CAPA Trigger | Vendor Responsibility | Timeline |
|---|---|---|
| Nonconformance in vendor-supplied service/product | Participate in root cause analysis; implement corrective actions; provide effectiveness evidence | RCA within 15 business days; CA within 30 business days |
| Complaint traceable to vendor component/service | Provide relevant records (batch records, test data, access logs, change logs); participate in investigation | Response within 10 business days |
| Audit finding at vendor | Implement corrective actions per agreed timeline; provide objective evidence of closure | Per audit report |
| Recalls or field safety corrective actions involving vendor component | Provide traceability data; support investigation; cooperate with regulatory submissions | Immediate |
Illustrative language:
"In the event that a nonconformance, complaint, or adverse event is attributable to or involves the services provided by [Vendor Name], [Vendor Name] shall cooperate fully with [Manufacturer Name]'s investigation and CAPA process. This includes providing relevant records, participating in root cause analysis, implementing agreed corrective actions, and providing objective evidence of effectiveness. [Vendor Name] shall respond to SCARs (Supplier Corrective Action Requests) within [15 business days]."
Clause 7: Records and Documentation
Purpose: Define what records the vendor must maintain and make available.
| Vendor Type | Records to Maintain | Retention Period |
|---|---|---|
| Cloud hosting | Uptime logs, access logs, security incident logs, change logs, backup verification records, SOC 2 reports | Minimum 10 years (aligned with MDR Art. 10(15)) |
| AI model/data vendor | Training data provenance records, labeling quality metrics, model version history, data processing logs | Minimum 10 years |
| Penetration testing | Test plans, test reports, vulnerability findings, remediation verification | Minimum 10 years |
| Test lab | Test plans, raw data, test reports, calibration records, equipment logs, personnel qualification records | Minimum 10 years or per regulatory requirement |
| Sterilization vendor | Cycle records, biological indicator results, environmental monitoring, equipment calibration, validation records | Minimum 10 years or per regulatory requirement |
Clause 8: Sub-Contracting and Sub-Processing
Purpose: Control the vendor's use of sub-contractors who may affect product quality.
Illustrative language:
"[Vendor Name] shall not sub-contract any portion of the outsourced activities described in this Agreement without prior written approval from [Manufacturer Name]. Where sub-contracting is approved, [Vendor Name] shall: (a) ensure the sub-contractor meets equivalent quality and regulatory requirements, (b) maintain a quality agreement or equivalent controls with the sub-contractor, (c) remain fully responsible for the sub-contractor's performance, and (d) notify [Manufacturer Name] of any sub-contractor changes. For cloud hosting services, [Vendor Name] shall maintain a current list of sub-processors and notify [Manufacturer Name] of additions or changes at least [30 days] before they take effect."
Common Auditor Objections and How to Address Them
| # | Auditor Objection | Why It's Raised | How to Address | Evidence to Provide |
|---|---|---|---|---|
| 1 | "No quality agreement with cloud hosting vendor" | Cloud vendors often resist SQAs; manufacturer relied on standard terms of service | Execute SQA even if vendor pushes back. Use SOC 2 Type II report + manufacturer risk assessment as bridge documentation if vendor refuses formal SQA. Escalate to vendor's compliance team — major cloud providers (AWS, Azure, GCP) have established SQA frameworks for regulated industries. | SQA; SOC 2 Type II report; manufacturer risk assessment; correspondence documenting SQA negotiation |
| 2 | "Quality agreement does not address cybersecurity/vulnerability notification" | Legacy SQAs were written for physical component suppliers | Add Clause 4 (vulnerability notification) per above. Include CVSS thresholds, notification timelines, and PSIRT coordination. | Updated SQA; PSIRT procedure reference; SBOM linkage documentation |
| 3 | "No audit rights clause for AI data vendor" | Manufacturer assumed standard PO terms were sufficient for data vendors | Add audit rights clause. If vendor refuses on-site, negotiate remote audit rights plus annual questionnaire + SOC 2 report review. | SQA with audit clause; annual vendor questionnaire; risk assessment |
| 4 | "Change notification clause is too vague — 'material changes' is undefined" | Generic language does not meet ISO 13485 Clause 7.4.2 specificity | Enumerate specific change triggers per vendor type (see Clause 3 table above). Avoid undefined terms like "material." | Updated SQA with enumerated change triggers |
| 5 | "No evidence of monitoring ASCA lab accreditation status" | Manufacturer assumed ASCA accreditation was permanent | Add clause requiring vendor to notify of accreditation changes. Independently verify on FDA ASCA list before each submission. For ASCA-specific evidence package guidance, see FDA ASCA Test Report Acceptance Package. | SQA with accreditation notification clause; FDA ASCA list verification records (screenshots with dates) |
| 6 | "Sterilization vendor SQA does not reference current validation status" | SQA was written before initial validation; never updated to reference revalidation | Include clause requiring vendor to maintain current validation status and notify manufacturer of revalidation schedule and results. | Updated SQA; validation report references; revalidation schedule |
| 7 | "CAPA cooperation clause missing from pen-test firm SQA" | Pen-test firms viewed as one-time service providers | Even per-engagement vendors need CAPA cooperation clauses. Findings from pen-test may require re-testing after remediation. | SQA with CAPA clause; pen-test report remediation verification records |
| 8 | "Records retention period in SQA shorter than regulatory requirement" | Vendor's standard retention policy (e.g., 3-5 years) conflicts with medical device requirements (minimum 10 years under MDR) | Specify minimum 10-year retention. For US-only devices, specify per 21 CFR 820 requirements. | Updated SQA; vendor record retention policy; gap analysis if vendor cannot meet requirement |
Pre-Audit Evidence Checklist
Before your next FDA inspection or ISO 13485 surveillance audit, verify the following for each critical vendor:
- SQA executed: Quality agreement signed by both parties, current version
- Scope defined: Outsourced activities clearly enumerated per ISO 13485 Clause 4.1.5
- Certifications current: Vendor certification copies on file; expiration dates tracked; renewal monitoring in place
- Change notification clause: Specific change triggers enumerated per vendor type; notification timeline defined
- Vulnerability notification clause (cloud/AI/cybersecurity vendors): CVSS thresholds, timelines, PSIRT coordination defined
- Audit rights clause: Reserved in SQA; audit schedule defined; last audit report on file
- CAPA cooperation clause: SCAR process defined; response timelines specified; last SCAR on file with closure evidence
- Records clause: Retention period specified (minimum 10 years); record types enumerated; access guaranteed
- Sub-contracting clause: Prior approval required; sub-contractor list maintained; quality controls specified
- ASCA accreditation verification (test labs): Verified on FDA ASCA list within last 30 days; status change notification clause in SQA
- Annual vendor review: Vendor performance review completed per ISO 13485 Clause 7.4.1; documented in QMS
- Risk assessment: Vendor risk classification documented; controls commensurate with risk level
Sample SQA Template Structure
For those building from scratch, use this section order:
- Parties and Effective Date
- Scope of Outsourced Activities (Clause 4.1.5 reference)
- Regulatory Framework (ISO 13485, QMSR, FDA Section 524B where applicable)
- Vendor Certifications and Qualifications
- Requirements and Specifications (product/service specifications per Clause 7.4.2)
- Change Notification (enumerated triggers, timelines, approval requirements)
- Vulnerability and Security Incident Notification (for cloud/AI/cybersecurity vendors)
- Verification and Acceptance (Clause 7.4.3 — how manufacturer verifies purchased product/service)
- Audit Rights (scheduled, unscheduled, remote, on-site)
- CAPA Cooperation and Complaint Handling
- Records and Documentation (types, retention, access)
- Sub-Contracting and Sub-Processing Controls
- Confidentiality and Data Protection
- Term, Termination, and Transition (data return/destruction upon termination)
- Dispute Resolution
- Signatures and Date
Key Regulatory References
| Reference | Description |
|---|---|
| 21 CFR Part 820 (QMSR) | FDA Quality Management System Regulation, effective 2 February 2026 |
| ISO 13485:2016 Clause 7.4 | Purchasing controls — evaluation, purchasing information, verification |
| ISO 13485:2016 Clause 4.1.5 | Control of outsourced processes |
| FDA Section 524B | Cybersecurity requirements for cyber devices |
| FDA Cybersecurity Guidance (February 2026) | Premarket cybersecurity, aligned with QMSR/ISO 13485 |
| MITRE (April 2026) | Cybersecurity Risk Analysis for Medical Devices in the Era of Evolving Technologies |
| ISO/IEC 17025:2017 | General requirements for competence of testing and calibration laboratories |
| FDA ASCA Program | Accreditation Scheme for Conformity Assessment |
| ISO 11135:2014 | Ethylene oxide sterilization |
| ISO 11137 series | Radiation sterilization |
| ISO 17665:2006 | Moist heat sterilization |
| MDR Article 10(15) | Record retention requirements (minimum 10 years) |
Internal Links
- QSR to QMSR Transition — QMSR overview
- QMSR Gap Analysis ISO 13485 Checklist — QMSR compliance mapping
- Supplier Audit Checklist — supplier audit procedures
- Medical Device Third-Party Vendor Cybersecurity Risk Management — vendor cybersecurity
- FDA ASCA Test Report Acceptance Package — ASCA evidence package
- SBOM-to-VEX Vulnerability Triage Workflow — vulnerability triage
- CAPA Guide — corrective and preventive actions
- ISO 13485 Implementation Guide — QMS implementation
- Contract Manufacturing Organization Selection — CMO quality agreements
- FDA QMSR Inspection Preparation — FDA inspection readiness