Supplier qualification, for example through an IT supplier audit, is an essential part of ensuring the quality and conformity of GxP IT systems.

GxP regulations require that all IT systems used for critical processes are validated. This applies not only to a company’s internal systems, but also to systems provided by external suppliers. Thorough supplier qualification ensures that a supplier’s products and services meet the regulatory requirements and that the supplier has implemented data integrity controls to prevent loss, corruption or unauthorized access to critical data.

Evaluating and selecting qualified suppliers reduces the risks associated with implementing and operating IT systems. This includes assessing the supplier’s quality assurance system, its development processes and its ability to provide ongoing support and maintenance.

A robust software development life cycle (SDLC) on the supplier side produces records and documentation that can be reused in the subsequent implementation and validation of the system.

  • Definition of qualification processes including roles and responsibilities
  • Definition of standards for the evaluation and continuous management of suppliers (including regulatory and security requirements)
  • Planning, implementation and follow-up of qualification measures such as postal, remote and on-site audits of technology suppliers and other service providers
  • Definition of processes for audit and inspection support
  • Conducting mock audits (preparation for audits and inspections)
  • Training and support for supplier audits
  • Specialized GxP training for the compliant implementation and use of XaaS systems

If you have any questions about IT supplier audits, please contact us using our contact form.

  • XaaS stands for “Everything as a Service” or “Anything as a Service” and refers to a business model in which various IT resources and services are provided via the internet. XaaS covers several service models, including:
    • SaaS (Software as a Service): software applications delivered over the internet. Examples: Microsoft 365, Google Workspace.
    • PaaS (Platform as a Service): platforms for developing, testing and deploying applications. Examples: SAP BTP, Microsoft Azure, Google App Engine.
    • IaaS (Infrastructure as a Service): virtual IT infrastructure such as servers, storage and networks provided via the internet. Examples: Amazon Web Services (AWS), Microsoft Azure.
  • XaaS models offer companies flexibility, scalability and cost efficiency, since IT resources are used and paid for as required.
  • Provision and maintenance of the infrastructure:
    • Provision of the hardware and infrastructure required to operate the services, including servers, networks and storage systems.
    • Maintenance and updating of the infrastructure so that it functions smoothly and meets current security standards.
  • Software development and deployment:
    • Development and continuous improvement of the software solutions offered as a service.
    • Provision of updates, patches and new versions of the software to improve functions and close security gaps.
  • Scalability and availability:
    • Ensuring that services scale to meet customer demand, regardless of how fast or how much that demand grows.
    • Ensuring high availability of services through redundant systems and automatic failover mechanisms.
  • Security management:
    • Implementing and managing security measures to protect data and infrastructure, including encryption, firewalls, access controls and regular security checks.
    • Monitoring for and defending against cyberattacks, as well as providing regular security updates and patches.
  • Data management and storage:
    • Management and storage of customer data, including backup and recovery in the event of data loss.
    • Ensuring data integrity and availability in accordance with the agreed Service Level Agreements (SLAs).
  • Support and customer service:
    • Providing technical support and customer service to help customers use the services and resolve issues.
    • Providing training and resources to help customers make the best use of the services.
  • Compliance and regulations:
    • Compliance with legal and regulatory requirements relevant to the customer’s industry, such as data protection regulations (e.g. GDPR).
    • Provision of evidence and reports on compliance requirements.