Supplier Quality Addendum

GxP & Regulated Use

Version 1.10

Effective February 6th 2026

Supplier Quality Addendum (SQA) — Introduction & Applicability

This Supplier Quality Addendum is typically required only for regulated / GxP accounts and is intended to support customer supplier qualification and audit expectations.

This Supplier Quality Addendum (the “SQA”) is entered into by and between S.G. Systems, LLC, a limited liability company organized and existing under the laws of the State of Texas, with its principal office located at 6944 Meadowbriar Lane, Dallas, TX 75230 (“Provider”), and the individual or entity that has entered into the Provider Master Services Agreement (“Customer”).

Purpose. This SQA defines the operational quality framework and responsibilities that support Customer’s regulated use of Provider’s software and services, including expectations around change control, incident/quality issue handling, audit support, validation support services (where purchased), and deployment responsibilities for Hosted Services versus On-Premise Installations.

Who this is for. This SQA is generally requested by customers operating under GMP/GxP expectations (e.g., pharmaceutical manufacturing and regulated supply chain environments). Non-regulated customers typically do not require a supplier quality addendum.

Incorporation. This SQA is intended to be incorporated into and governed by Provider’s Master Services Agreement (the “MSA”) located at https://sgsystemsglobal.com/master-services-agreement/. Capitalized terms not defined in this SQA have the meanings given in the MSA.

No duplication. Where topics are already governed by the MSA (e.g., confidentiality, limitation of liability, fees, and general security obligations), this SQA will direct the reader to the applicable MSA section(s) rather than restate them.

1. Relationship to the MSA & Order of Precedence

1.1 Relationship to the MSA. This SQA supplements the MSA for regulated / GxP accounts and is intended to support supplier qualification and audit expectations. The commercial terms, licensing, confidentiality, privacy, intellectual property, warranty disclaimers, indemnities, limitations of liability, and dispute resolution are governed by the MSA (see, for example, MSA §§12–18).

1.2 When this SQA applies. This SQA applies only if it is referenced in a signed Order Form / Signed Proposal or a written addendum executed by both Parties.

1.3 Order of precedence. In the event of a conflict, the following order applies:

  • (1) Order Form / Signed Proposal (for scope, deliverables, deployment elections, and commercial selections such as SLA tier);
  • (2) This SQA (for regulated quality-operational obligations and regulated-account support constructs); and
  • (3) The MSA (for all other terms, including legal/commercial framework).

1.4 No expansion of liability. Nothing in this SQA expands Provider’s liability beyond what is set forth in the MSA limitation of liability and disclaimers (see MSA §§15–17).

2. Scope, System Boundary, and Deployment Types

2.1 In-scope. This SQA applies to the Provider software and services purchased by Customer under the MSA and applicable Order Form / Signed Proposal, including (as applicable) Hosted Services, On-Premise Installation support, and regulated account support services.

2.2 Out-of-scope. Customer remains responsible for Customer’s quality system, SOPs, intended use definitions, process design, user training, and validation execution/approval within Customer’s environment (see MSA §7.2 and §10).

2.3 Hosted vs On-Premise boundary. Deployment responsibilities depend on the deployment selected in the applicable Order Form / Signed Proposal:

  • Hosted Services. Provider is responsible for operating the Hosted Services consistent with the selected SLA and applicable MSA requirements (see MSA §4.2, §9, and §11). Customer remains responsible for its regulated process controls, access governance decisions, and validation within its QMS.
  • On-Premise Installation. Customer is responsible for infrastructure, security, backups, and disaster recovery for the on-prem environment, unless otherwise stated in writing (see MSA §4.3 and §9.4). Provider provides software-focused support and documentation consistent with the MSA and any purchased services.

3. Definitions (SQA-Specific)

3.1 “Regulated Account” means a Customer engagement where Customer requires supplier qualification artifacts and/or formal supplier agreements consistent with GxP expectations.

3.2 “Quality Issue” means a suspected or confirmed issue that may impact GxP-relevant behavior, data integrity, traceability, auditability, availability of regulated operations, or documented system controls.

3.3 “Quality Event” means a Quality Issue that is confirmed or escalated for formal investigation and documented remediation, including corrective and/or preventive action where appropriate.

3.4 “Validation Services” means paid professional services that support Customer validation activities such as IQ/OQ assistance and/or UAT facilitation, where explicitly purchased and scoped in an Order Form / Signed Proposal (see MSA §3 and §7.4).

3.5 “SLA Tier” means the service level selection (if any) specified in the applicable Order Form / Signed Proposal that defines availability and recovery objectives for Hosted Services (see MSA §11).

3.6 “Hosted Environment” means the cloud hosting environment selected for Hosted Services, such as AWS, Microsoft Azure, or another mutually agreed provider, as stated in the applicable Order Form / Signed Proposal.

4. Quality Governance, Contacts, and Communication

4.1 Primary channel for suspected quality issues. Customer shall report suspected Quality Issues through Provider Support at: support@sgsystemsglobal.com.

4.2 Ticketing and traceability (“closed loop”). Provider’s standard operational process for issue intake and closure is:

  • Intake: Customer email to Support is logged as a case in Provider’s customer support system (Salesforce) and assigned a case identifier.
  • Engineering tracking: When engineering work is required, Provider creates and links a corresponding work item in Provider’s development tracking system (Jira).
  • Resolution & closure: Provider records resolution notes, release references (if applicable), and closure status in the support case, closing the loop for auditability.

4.3 Response targets. For Hosted Services, response and resolution targets are governed by the MSA SLA (see MSA §11.4). For On-Premise Installations, Provider will use commercially reasonable efforts to respond consistent with the support model in the applicable Order Form / Signed Proposal and MSA (see MSA §11.2).

4.4 Customer escalation. If a Quality Issue is suspected to impact regulated records, audit trails, or system control behavior, Customer should state “Potential GxP / data integrity impact” in the subject line to facilitate proper triage.

5. Responsibilities Summary (Hosted vs On-Premise)

5.1 Shared responsibility principle. Regulated compliance is a shared responsibility. Provider supports regulated use through software controls, documentation, and (where purchased) validation support services. Customer remains responsible for intended use, configuration decisions, procedural controls, training, and validation execution/approval within Customer’s quality system (see MSA §7.2 and §10).

5.2 Practical responsibility split.

| Control Area | Hosted Services (Provider Provides) | On-Premise Installation (Customer Provides) |
|---|---|---|
| Infrastructure availability | Operated by Provider under the selected SLA Tier (MSA §11; subject to exclusions in MSA §11.10). | Customer responsible for uptime and environment availability (MSA §4.3 and §11.9). |
| Backups / DR | Provided based on the selected SLA Tier and Hosting design (MSA §11.5; see also §9.3). | Customer responsible for backups/DR unless otherwise agreed (MSA §9.4 and §11.9). |
| Security controls | Provider safeguards Hosted Services (MSA §9) and supports security incident response (MSA §9.2). | Customer responsible for infrastructure security; Provider supports software-focused issues (MSA §9.4). |
| User access governance | Customer responsible for role design, provisioning/deprovisioning, and SOP enforcement (MSA §10.4 and §7.6). | Customer responsible for role design, provisioning/deprovisioning, and SOP enforcement (MSA §10.4 and §7.6). |
| Validation | Customer responsible for validation within its QMS; Provider provides documentation and paid Validation Services where purchased (MSA §7.2 and §7.4). | Customer responsible for validation within its QMS; Provider provides documentation and paid Validation Services where purchased (MSA §7.2 and §7.4). |
| Change control for releases | Provider controlled deployment and notice practices (MSA §8; major updates generally noticed in advance). | Customer controls update timing; Provider provides release artifacts and support as applicable (MSA §8.2). |

5.3 Confidentiality and data rights. Customer Data ownership, confidentiality, and privacy processing are governed by the MSA (see MSA §12, including §12.3–§12.5, and DPA if applicable).

6. Validation Support Services (Enterprise / Paid Services)

6.1 Baseline support (included). During an active subscription, Provider provides reasonable assistance for questions about system behavior and configuration, and provides standard documentation and release notes as part of normal service delivery (see MSA §7.4 and §2.23).

6.2 Enterprise / paid Validation Services. For Regulated Accounts, Provider offers paid Validation Services that may include:

  • IQ/OQ support: template packages and reasonable remote assistance aligned to Customer’s execution in Customer’s environment;
  • UAT facilitation support: planning support, test cycle coordination, issue triage/retest coordination (as scoped);
  • Regulated go-live support: structured cutover assistance aligned to Customer’s planned validation/go-live approach.

6.3 How Validation Services are purchased. Validation Services are not included by default. They are typically offered for Enterprise engagements and are priced and scoped within the applicable Order Form / Signed Proposal as additional paid professional services (see MSA §3 and §3.6).

6.4 Customer retains accountability. Customer remains responsible for final validation strategy, execution, review, approval, and ongoing periodic review decisions within Customer’s quality system (see MSA §7.2 and §10.1).

7. Independent Assessment (21 CFR Part 11) & Evidence Package

7.1 Independent assessment. Provider has had its system independently assessed by Dr. Bob McDowall for alignment with technical controls commonly associated with 21 CFR Part 11 expectations.

7.2 Access to assessment documentation (NDA required). Upon Customer request, Provider can make the assessment documentation available for Customer’s internal supplier qualification and audit support purposes, provided that:

  • Customer has executed Provider’s non-disclosure agreement (NDA) (or the Parties have an NDA in place acceptable to Provider);
  • Customer has an active subscription in good standing; and
  • Customer agrees the documentation is Confidential Information and will be handled under the MSA confidentiality terms (see MSA §12).

7.3 Important limitation. The existence of an independent assessment supports Customer’s supplier qualification activities, but it does not replace Customer’s validation responsibilities or intended use determination (see MSA §7.2 and §10.1).

8. Change Control, Release Management, and Notifications

8.1 Controlled updates. Provider manages software updates under a controlled change approach appropriate for regulated environments. For the authoritative change control terms, refer to the MSA Change Control and Updates section (see MSA §8).

8.2 Hosted Services deployment. For Hosted Services, Provider controls deployment timing and provides advance notice for major updates consistent with the MSA (see MSA §8.1), except for emergency security patches (see MSA §8.4).

8.3 On-Premise deployment. For On-Premise Installations, Customer controls when updates are deployed to Customer environments. Provider provides release notes and reasonable support to assist Customer evaluation and testing (see MSA §8.2 and §8.3).

8.4 Release documentation. Provider release notes will identify material changes and, when applicable, include validation considerations for changes that may impact audit trails, access controls, or regulated workflows (see MSA §8.3 and §7.4).

9. Quality Events, Investigations, and Corrective Actions

9.1 Intake and triage. Suspected Quality Issues are reported via support@sgsystemsglobal.com. Provider will triage, request clarifying information as needed, and classify severity using the support approach aligned to the SLA/support model (see MSA §11.4 for Hosted Services).

9.2 Investigation and documentation. For confirmed Quality Events, Provider will document investigation notes, contributing factors, and remediation status within the linked Salesforce case and Jira work item (as applicable).

9.3 Corrective and preventive action. Where reasonable and appropriate, Provider will implement corrective actions (fixes/patches/process changes) and preventive actions to reduce recurrence risk. The depth of investigation and documentation may vary by severity and impact.

9.4 Customer-side controls. Customer is responsible for Customer’s own deviation management, change control, and impact assessment activities within Customer’s QMS. Provider will reasonably support Customer requests for information needed for Customer’s assessment, subject to confidentiality and the MSA (see MSA §7.2, §7.5, and §12).

10. Hosting Environment Selection, Security, Backup & Disaster Recovery

10.1 Hosted environment selection. For Hosted Services, Customer may select the Hosted Environment (e.g., AWS, Microsoft Azure, or another mutually agreed provider) as specified in the applicable Order Form / Signed Proposal.

10.2 DR and recovery objectives depend on SLA Tier. For Hosted Services, disaster recovery and recovery objectives (including RTO/RPO where applicable) are governed by the SLA Tier selected in the Order Form / Signed Proposal and the MSA SLA terms (see MSA §11.5 and §11.9).

10.3 Security and incident response. Provider security obligations and Security Incident response commitments for Hosted Services are governed by the MSA (see MSA §9, including §9.2). For On-Premise Installations, Customer is responsible for infrastructure security and protection controls (see MSA §9.4).

10.4 Scheduled maintenance and exclusions. Hosted Services availability and SLA exclusions are described in the MSA (see MSA §11.10).

11. Audits, Supplier Qualification Support, and Regulatory Inspections

11.1 Audit support principle. Provider will reasonably cooperate with Customer’s audits related to the software controls and, for Hosted Services, relevant service delivery/security records, subject to confidentiality and reasonable scheduling (see MSA §7.5 and §12).

11.2 Audit approach (efficient by default). To reduce disruption and protect sensitive security information, Provider generally supports supplier qualification using:

  • Provider’s standard documentation set (e.g., release notes and control summaries);
  • Questionnaire responses; and
  • Focused discussions limited to the system boundary and applicable controls.

11.3 Inspection support. If Customer notifies Provider that Customer is undergoing a regulatory inspection that may involve Provider’s software/services, Provider will use commercially reasonable efforts to support information requests related to Provider-controlled components, subject to confidentiality and the MSA.

11.4 Fees for extraordinary requests. If Customer requests extensive audit participation, custom documentation, onsite activities, or work beyond reasonable cooperation, such work may require additional fees and a written agreement (consistent with the professional services model in MSA §3 and §7.4).

12. Data Export, Post-Termination SQL Database Copy, and Exit Support

12.1 Data rights and confidentiality. Customer Data ownership, confidentiality, and standard export assistance are governed by the MSA (see MSA §12.3–§12.5) and any applicable DPA (see MSA §12.4).

12.2 Post-termination SQL database copy (regulated accounts). For Regulated Accounts that are covered by this SQA, upon termination or expiration of the applicable subscription for any reason, Customer may request a copy of the SQL database associated with Customer’s production environment. Provider will make the SQL database copy available to Customer within thirty (30) days of termination, provided that:

  • Customer submits the request in writing to support@sgsystemsglobal.com (or other designated support channel);
  • All undisputed amounts due are paid; and
  • The request is technically feasible within the system boundary and does not require Provider to disclose other customers’ data or Provider Confidential Information.

12.3 Format and delivery. Provider will deliver the SQL database copy using a commercially reasonable method appropriate for secure transfer. If Customer requires a specialized export format, transformation, or additional data extracts beyond the standard database copy, such work may require additional fees and written agreement.

12.4 Hosted retrieval window. Any additional post-termination data retrieval window and deletion timelines for Hosted Services are governed by the MSA (see MSA §5.4). This SQA section provides a regulated-account specific deliverable (SQL database copy) and does not otherwise expand post-termination support obligations.

13. Subcontractors / Cloud Providers (Hosted Services)

13.1 Hosting providers. Hosted Services are delivered using a third-party cloud hosting provider in the selected Hosted Environment, as specified in the Order Form / Signed Proposal.

13.2 Subprocessors and third parties. Provider’s use of subprocessors and third-party service providers, including data protection obligations, is governed by the MSA and (where applicable) the DPA (see MSA §12.4).

13.3 Flow-down. Provider will use commercially reasonable efforts to ensure relevant obligations are flowed down to applicable third parties used to deliver Hosted Services, consistent with Provider’s standard vendor management practices.

14. Term, Updates to This SQA, and Reference Sections

14.1 Term. This SQA becomes effective when incorporated by reference in an Order Form / Signed Proposal (or executed addendum) and remains in effect for the term of the applicable subscription(s), unless terminated earlier consistent with the MSA.

14.2 Amendments. Any changes to this SQA must be in writing and signed by both Parties, consistent with the MSA amendment requirements (see MSA §18.9).

14.3 Helpful MSA cross-references.

  • Regulatory & shared responsibility: MSA §7 and §10
  • Change control & updates: MSA §8
  • Security & incident response: MSA §9
  • SLA (Hosted Services): MSA §11
  • Confidentiality & Customer Data: MSA §12
  • Term/termination & hosted data retrieval: MSA §5
  • Professional services / onboarding: MSA §3

14.4 Contact. For quality issues, suspected data integrity concerns, or regulated-account requests under this SQA, contact: support@sgsystemsglobal.com.