Supplier management software for food operators with growing supplier lists.

Approve suppliers, extract Certificates of Analysis with AI, track Letters of Guarantee and audit certificates, run verification activities, and pull a single supplier file the inspector can read in a minute. Built by a CFIA-licensed operator who buys from suppliers every week.

Updated 2026 · Product · Supplier

Andrew Langevin · 2026-06-04 · 11 min read

I run a CFIA-licensed mushroom production facility in Brantford, Ontario. CFIA is the Canadian Food Inspection Agency — Canada's federal food regulator. I buy from suppliers every week — substrate, spawn, packaging, ingredients — and I have to keep a supplier file each of them shows up in. The first version of that file was a Notion database. It worked until I had eighteen suppliers and lost track of which audit certificates were expiring. The supplier management module in HACCPlan is the version I built when I outgrew the Notion database. It is the same file shape that satisfies FSMA in the US, FSVP for importers, SFCR in Canada, and the supplier sections of SQF and BRCGS. One supplier record, five regulatory views. Here is what it does, what it does not do, and what it costs.

01 The binder problem

Why most supplier programs fail an audit — and what software has to fix.

There is a binder in almost every small food facility I have walked through, and it has the same problem. Eighty pages of supplier documents. Half of them expired. None of them cross-referenced to the hazard plan. Mine looked like that in year one. The first auditor passed it because the binder looked full. The second auditor opened it, picked five suppliers at random, and asked me to show the verification activity for each one. I could not. The lesson was not subtle: there is a difference between having documents and having a supplier program. The two words sound the same. They are not the same thing.

The four failure patterns I see again and again at the SME scale:

  1. The supplier will not send the HACCP plan

    HACCP stands for Hazard Analysis and Critical Control Points — the food-safety planning framework every commercial food operation runs on. You ask the supplier for theirs. You get back the spec sheet and a one-line email that says "we are HACCP compliant." You file it. Six months later the auditor asks what the file actually proves. The answer is: not much. Software has to make asking persistent, tracked, and auditable — not a Gmail thread that nobody can find.

  2. The binder of expired CoAs

    CoA is Certificate of Analysis — the lab document a supplier sends with each lot showing the results of the tests they ran. The first auditor finds the binder full of CoAs and passes. The second auditor counts and finds that 40 percent of the CoAs are more than twelve months old and none of them are cross-referenced to the product spec. The SQF Edition 10 framing — released in March 2026 and audited starting January 2, 2027 — explicitly looks for clear justification rather than routine completion. Auditors are going to push on thin documentation.

  3. The Letter of Guarantee myth

    The single biggest myth in small-food supplier management is "we have a Letter of Guarantee from every supplier, so we are covered." You are not. A Letter of Guarantee (LoG) is a liability shield under section 303(c) of the Federal Food, Drug, and Cosmetic Act. The suggested form lives at 21 CFR §7.13. It is useful — collect it, keep it on file — but it is not a section 117 Subpart G verification activity. The two are different categories of evidence. Software has to embed the distinction in the workflow or operators will keep believing the LoG is the whole file.

  4. The cost trap

    The FDA's own Regulatory Impact Analysis put the annual cost of an onsite supplier audit at $3,250 to $4,375 for small facilities. Twelve suppliers run to about $40,000 to $52,000 a year if every one of them triggers a full audit. The legitimate way out is 21 CFR §117.430(a)'s "written determination" — a documented justification for choosing a different verification activity. But it has to be written down, defensible, and refreshed. Software has to scaffold the determination, not leave the operator to invent the format under inspection pressure.

The job of supplier management software is to turn a binder of documents into a program with structure. Not to invent new compliance work — the regulations already exist — but to make the existing work fast, the existing records retrievable, and the existing decisions defensible.

02 One file, five regulations

One supplier file. Five overlapping regulations.

The reason supplier management is harder than most operators expect is that a single supplier sits inside multiple regulatory regimes at the same time. If you sell domestically in the US, FSMA applies. If you import into the US, FSVP applies. If you sell in Canada, SFCR applies. If you carry a GFSI certification, SQF or BRCGS applies on top of all of that. Most software platforms pick one and ignore the rest. HACCPlan's supplier file is built to satisfy all five, because my own operation actually has to satisfy all five.

A quick glossary before the table — every acronym defined once.

  • FSMA — Food Safety Modernization Act, the 2011 US law that overhauled food safety
  • FSVP — Foreign Supplier Verification Program, the FSMA rule for US importers
  • SFCR — Safe Food for Canadians Regulations, the Canadian framework
  • SAHCODHA — Serious Adverse Health Consequences Or Death to Humans or Animals; FDA's term for the worst-class hazards
  • PCQI — Preventive Controls Qualified Individual; the US role that signs off on supplier decisions
  • GFSI — Global Food Safety Initiative, the body that benchmarks SQF, BRCGS, FSSC 22000, and others
  • CFR — Code of Federal Regulations; how US federal rules are codified

FSMA (US domestic)

21 CFR §117 Subpart G

Sections 117.405 through 117.475. Risk-based supply-chain program. Approval before receiving. Defined verification activities. Annual onsite audit when the hazard is SAHCODHA, unless a written determination supports a different activity. Records kept two years.

FSVP (US imported)

21 CFR Part 1 Subpart L

Sections 1.500 through 1.514. Hazard analysis per food and per foreign supplier. Supplier evaluation and approval. Verification activities matched to hazard severity. Reassessment every three years. Records retrievable in English within 24 hours of an FDA request.

SFCR (Canada)

§86 + §89(4)

Written Preventive Control Plan required under section 86. Section 89(4) requires Canadian importers to document that foreign suppliers have preventive controls equal to SFCR sections 47 through 81. CFIA names four pathways for that documentation. This is the Canada-specific layer that US-built platforms usually do not carry.

SQF Edition 10

Approved Supplier Program

Edition 10 was released in March 2026; audits begin January 2, 2027. The Approved Supplier Program is a heightened-focus area. Three high-risk categories called out explicitly: allergen-containing materials, ready-to-eat materials, and foreign suppliers. Auditors are looking for clear justification, not routine completion.

BRCGS Issue 9

Clause 3.5

Clause 3.5 is a Fundamental Requirement — a non-negotiable. Per-material risk assessment required, including allergen content and cross-contact. Three approval pathways accepted: certification, audit, or questionnaire-plus-traceability test with a written risk justification. Service suppliers (consultants, trainers, labs) included for the first time, with ongoing performance review required.

How HACCPlan handles it

One file, five views

One supplier record at the center. Toggle the regulatory view for the audit you are prepping for. The same data answers all five — section 117.410(d) factor list, FSVP hazard analysis, SFCR section 89(4) pathway, SQF approved-supplier evidence, BRCGS clause 3.5 risk assessment — because the underlying requirements overlap by about 80 percent. The software builds the overlap once and surfaces the regulator-specific cuts.

The supplier section of the pillar at /learn/supplier-management walks the underlying rules in plain English. The pages at /solutions/us-fsvp-importers and /solutions/canada-sfcr cover the importer-specific edge cases. This page is about what the product does with those rules.

03 Risk-rank once

Risk-rank once, cadence runs itself.

The single feature that pays for the subscription faster than any other is the risk-ranking engine. Most small operators have a supplier list that is structurally wrong — boxes, labels, MRO (Maintenance, Repair, and Operations) supplies sitting in the same list as the spawn supplier and the substrate supplier. When I sat down with 21 CFR §117.410(d) and actually applied the six factors to my list, twenty-four "suppliers" collapsed into seven tier-one or tier-two food-safety suppliers and seventeen tier-four vendors that did not need to be in the program at all. The shrink was real. The defensible program got built around the seven.

HACCPlan's risk-ranking model encodes five axes pulled from section 117.410(d):

  1. Hazard severity

    Is the hazard the supplier controls a SAHCODHA-class hazard? That is the biggest single driver. Listeria in a ready-to-eat food is SAHCODHA. Filth in a dry shelf-stable ingredient typically is not. The classification triggers the default verification cadence on its own.

  2. Where the hazard is controlled

    Is the hazard controlled at the supplier's facility (you depend on them) or at your facility (your kill step or other control eliminates it)? If it is controlled downstream at your facility, the supplier risk tier drops.

  3. Product type and allergen status

    Ready-to-eat foods rank higher than ingredients with a downstream kill step. Allergen-containing materials rank higher than non-allergens — a point Edition 10 and BRCGS Issue 9 both make explicitly.

  4. Supplier track record

    FDA warning letters, import alerts, recalls, your own non-conformance data, the supplier's GFSI certification status. The software cross-checks the warning-letter and recall databases on the supplier name during onboarding and surfaces hits.

  5. Volume and frequency

    A supplier you buy from weekly is not the same risk as one you buy from once a year. The cadence engine weights frequency into the verification schedule.

The output is a tier assignment and a default cadence per tier:

Tier 1 — High

SAHCODHA at supplier

Annual onsite audit, or a GFSI third-party audit accepted under section 117.435, plus a Certificate of Analysis per lot, plus an annual records review. The cadence engine pre-populates the calendar so the next verification due date is always visible on the supplier card.

Tier 2 — Medium

Non-SAHCODHA or allergen

Annual records review, CoA per lot, and a three-year onsite audit rotation (or annual GFSI certificate review). For most ingredient suppliers under SFCR and FSMA, this is the realistic working tier.

Tier 3 — Low

Controlled at your facility

Letter of Guarantee, spec confirmation, periodic CoA review. The supplier still sits inside the program — they are just verified at a lighter cadence because your downstream kill step or other control eliminates the hazard.

Tier 4 — Out of program

No food-safety hazard

Boxes, labels, MRO supplies, marketing-pamphlet printers. Basic vendor records only. Not in the supplier program. The shrink from "everyone we buy from" to "the suppliers whose lots could hurt a customer" is what makes the program manageable at the SME scale.

A QA manager can override any tier assignment with a written determination — the section 117.430(a) workflow scaffolds the determination as a structured field with a date, signature, justification text, and review cycle. The override gets stored against the supplier so the next auditor reads the reasoning, not a blank exception.

The cost math behind the risk-rank

Before I built the risk-rank, my "list" had twenty-four suppliers. At the FDA Regulatory Impact Analysis figure of about $4,500 per onsite audit, twenty-four annual audits would have been over $100,000 — most of a year's profit. After the section 117.410(d) exercise, seven suppliers were tier-one or tier-two and the rest were out of the program. I budgeted onsite audits for the SAHCODHA suppliers, GFSI certificate reviews for the rest, and a written determination for two edge cases. The total annual verification cost dropped under $20,000. The audit defends. The cost math works. That is the work the risk-ranking engine packages.

04 CoA library

CoA library with AI extraction — extract, match, flag, file.

A Certificate of Analysis is the lab document a supplier sends with each lot. CoAs arrive as PDFs in every format imaginable — sometimes legible, sometimes a fax of a scan of a printout. Manually transcribing the values into a spec-comparison spreadsheet is the data-entry job nobody wants to do. Skipping it is the audit risk nobody wants to take. The FDA's 2025 enforcement uptick named "accepting supplier certificates of analysis without conducting any independent verification" as a specific failure mode. Reviewing the CoA against the spec — and showing the inspector you reviewed it — is the verification activity. The software has to make the review fast or the operator skips it.

HACCPlan's CoA pipeline runs the same pattern the staria expense module uses for receipts, adapted for lab documents:

  1. Upload

    Drag the PDF or image into the CoA panel on the inbound lot record, or forward the supplier email to a parse address tied to your workspace. Either path produces the same downstream record.

  2. Extract

    The AI extractor reads the manufacturer name, product, lot code, manufacture date, best-before date, and every tested parameter with its unit and result. It does not invent values — if a field is illegible or missing, the field is flagged for human entry, not silently filled.

  3. Match

    The extracted product is matched to the spec on file. Each result is compared to the spec limit. If you have a lot code on the inbound receiving record, the CoA links to the lot automatically.

  4. Flag

    Any out-of-spec value triggers an alert. The lot can be held from release, the QA manager is notified, and the disposition decision (release on concession, reject, retest) is logged against the lot record.

  5. File

    The CoA is stored in the supplier's CoA library, linked to the receiving lot, and retained per section 117.475 (FSMA) or section 1.510 (FSVP). The retention clock runs automatically — two years from last use of the supplier or food.

  6. Score

    The CoA outcome (in spec, flagged, late) feeds the supplier scorecard described later. Patterns build over time so the next risk-rank reassessment has data behind it, not a guess.

A short caveat on the AI piece. The model extracts and compares — it does not approve. The qualified individual (a PCQI for FSMA or a QI for FSVP) reviews the extraction, confirms the values against the original PDF, and signs the disposition. Both actions are captured in the audit trail. The inspector sees the original PDF, the AI extraction, the spec comparison, and the human sign-off side by side. AI speeds up the work. It does not replace the qualified individual.
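The Match, Flag and sign-off steps described above, sketched as an added example (not HACCPlan's code). The spec, parameter names, sample CoA values and function names are all constructed for illustration. The point it shows is the fail-closed behaviour: an unreadable value or a unit mismatch goes to a person instead of being filled in, and nothing is released without a recorded reviewer.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed spec for a hypothetical product; parameters and limits are illustrative.
SPEC = {
    "moisture": {"unit": "%", "max": 12.0},
    "aerobic_plate_count": {"unit": "cfu/g", "max": 10000},
    "listeria_spp": {"unit": "per 25 g", "expect": "not detected"},
}
# Dispositions named in the Flag step, plus a plain release for in-spec lots.
DISPOSITIONS = {"release", "release on concession", "reject", "retest"}

# Constructed extractor output: one value over the limit, one illegible on the scan.
SAMPLE_SCAN = {
    "lot_code": "LOT-EXAMPLE-001",
    "results": {
        "moisture": {"value": 13.4, "unit": "%"},
        "aerobic_plate_count": {"value": None, "unit": "cfu/g"},
        "listeria_spp": {"value": "Not Detected", "unit": "per 25 g"},
    },
}
# Constructed extractor output where every parameter is legible and within spec.
SAMPLE_CLEAN = {
    "lot_code": "LOT-EXAMPLE-002",
    "results": {
        "moisture": {"value": 10.2, "unit": "%"},
        "aerobic_plate_count": {"value": 500, "unit": "cfu/g"},
        "listeria_spp": {"value": "not detected", "unit": "per 25 g"},
    },
}


@dataclass
class Review:
    lot_code: Optional[str]
    in_spec: list = field(default_factory=list)
    out_of_spec: list = field(default_factory=list)
    needs_human_entry: list = field(default_factory=list)
    signed_by: Optional[str] = None
    disposition: Optional[str] = None


def is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def review_coa(extracted, spec=SPEC):
    """Match step: compare every spec parameter to the extracted result."""
    review = Review(lot_code=extracted.get("lot_code") or None)
    if review.lot_code is None:
        review.needs_human_entry.append("lot_code")
    results = extracted.get("results", {})
    for name, limit in spec.items():
        result = results.get(name) or {}
        value = result.get("value")
        # Missing or illegible values and unit mismatches go to a person;
        # nothing is defaulted, converted or guessed.
        if value is None or result.get("unit") != limit["unit"]:
            review.needs_human_entry.append(name)
            continue
        if "expect" in limit:
            ok = isinstance(value, str) and value.strip().lower() == limit["expect"]
        elif is_number(value):
            ok = limit.get("min", value) <= value <= limit.get("max", value)
        else:
            review.needs_human_entry.append(name)
            continue
        (review.in_spec if ok else review.out_of_spec).append(name)
    return review


def status(review):
    """Flag step: out-of-spec holds the lot; gaps block sign-off until entered."""
    if review.signed_by is not None:
        return review.disposition
    if review.out_of_spec:
        return "hold"
    if review.needs_human_entry:
        return "needs_entry"
    return "awaiting_signoff"


def sign_off(review, reviewer, disposition):
    """Record the qualified individual's decision; refuse incomplete reviews."""
    if review.needs_human_entry:
        raise ValueError("unresolved fields: " + ", ".join(review.needs_human_entry))
    if disposition not in DISPOSITIONS:
        raise ValueError("unknown disposition: " + disposition)
    if review.out_of_spec and disposition == "release":
        raise ValueError("out-of-spec lot cannot be released without a concession")
    review.signed_by, review.disposition = reviewer, disposition
    return review
```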

05 LoG library

Letter of Guarantee library — and the myth the UI refuses to encode.

Letters of Guarantee are useful and they are misunderstood in equal measure. The single biggest mistake I see in SME supplier programs is treating a LoG as the verification activity. It is not. A LoG is a liability-allocation document — a written attestation that the food is not adulterated or misbranded under the Federal Food, Drug, and Cosmetic Act. The 21 CFR §7.13 suggested form is the industry-standard template most operators use. It is worth collecting. It is not a substitute for the section 117 Subpart G verification activity.

HACCPlan's LoG library covers four things, in this order:

  1. Storage and classification by type

    Per supplier, one or many LoGs. Each one classified as single-shipment, continuing guaranty, or customized. Expiry tracked per LoG type — single-shipment expires with the shipment, continuing guaranty refreshes annually, customized carries its stated expiry.

  2. Section 7.13 template generator

    A pre-populated template using your legal entity, the supplier's legal entity, and the standard FFDCA attestations (compliance with the Act, allergen disclosure, food-contact compliance, notification on supplier change). One-click send to the supplier as a fillable PDF. Saves the back-and-forth of explaining why you need it.

  3. Expiry alerts

    Continuing-guaranty annual refreshes prompt at 60, 30, and 7 days before the renewal date. Single-shipment LoGs auto-tombstone when the shipment is logged as consumed. The dashboard surfaces every expiring LoG in one list — no more "I think we had one from them last year" conversations.

  4. The disambiguation the UI refuses to drop

    Every LoG record in HACCPlan carries a label that reads "Section 303(c) liability shield — not a section 117 verification activity." It cannot be hidden. The next step the workflow surfaces is "schedule the verification activity the LoG does not replace." It is annoying. It is on purpose. Software shapes belief. If the UI lets you treat the LoG as the file, you will treat the LoG as the file, and the auditor will read your file the way the UI taught you to build it.

The deep-dive guide at /learn/supplier-management/letter-of-guarantee covers the regulatory history of the LoG in plain English and the specific reason FFDCA section 303(c) and 21 CFR section 117 Subpart G live in different parts of the rulebook. Worth reading once if you are about to defend a supplier program.

06 Audit certificates

Audit certificate tracker — expiry alerts and the scope check most operators miss.

A GFSI third-party audit certificate (SQF, BRCGS, FSSC 22000, Global GAP) can satisfy the section 117.435 onsite audit requirement if the receiving facility accepts it and if the scope of the certificate covers the specific food the supplier sells you. Both conditions matter. The scope check is the one operators miss — the supplier sends an SQF certificate, the operator files it, and nobody notices the certificate scope is for "dry goods packaging" while the supplier is actually selling you a wet ready-to-eat product. The certificate does not cover that commodity. The acceptance is invalid. The auditor finds it three years later.

The tracker captures the certificate details that matter:

  • Scheme (SQF, BRCGS, FSSC 22000, Global GAP, Organic, Kosher, Halal)
  • Audit body and auditor name
  • Grade or score
  • Scope text (free-form, plus a structured commodity-list match)
  • Issue date and expiry date
  • File attachment (the certificate PDF)
  • A scope-versus-procurement check that compares the certificate scope to the SKUs you actually buy from the supplier

Expiry alerts fire at 60, 30, 15, and 7 days. The alerts go to both the supplier (so they can renew without you chasing them) and your QA team (so the lot acceptance does not lapse silently). On a new certificate upload, the workflow auto-creates a "certificate review" entry in the verification activity log — so the certificate is not just stored, it is reviewed and the review is recorded.
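The scope-versus-procurement check and the 60/30/15/7-day alert schedule described above, as an added example (not HACCPlan's code). The certificate record, SKU identifiers, commodity names and function names are constructed; the scope match is assumed to be an exact commodity-category match after normalisation, with anything unmatched surfaced for review.

```python
from datetime import date

ALERT_DAYS = (60, 30, 15, 7)  # days-before-expiry thresholds stated in the text

# Constructed certificate record and purchase list mirroring the case in the text:
# the scope says dry goods packaging, but a wet ready-to-eat product is also bought.
CERT = {
    "scheme": "SQF",
    "scope_commodities": ["Dry goods packaging"],
    "issued": date(2026, 1, 15),
    "expiry": date(2026, 12, 31),
}
PURCHASED = {
    "SKU-CARTON-01": "dry goods packaging",
    "SKU-RTE-07": "wet ready-to-eat product",
}


def norm(text):
    """Case- and whitespace-insensitive form used for commodity comparison."""
    return " ".join(text.lower().split())


def uncovered_skus(scope_commodities, purchased):
    """Return the SKUs whose commodity is not named in the certificate scope."""
    covered = {norm(c) for c in scope_commodities}
    return sorted(sku for sku, commodity in purchased.items()
                  if norm(commodity) not in covered)


def evaluate_certificate(cert, purchased, today):
    """Return (acceptable, reasons). Any reason means the certificate cannot
    stand in for the onsite audit for this supplier as purchased."""
    reasons = []
    if cert["expiry"] < today:
        reasons.append("certificate expired")
    scope = cert.get("scope_commodities") or []
    if not scope:
        # No structured scope on file: a person has to read the free-form text.
        reasons.append("no structured scope recorded")
    else:
        for sku in uncovered_skus(scope, purchased):
            reasons.append(f"scope does not cover {sku} ({purchased[sku]})")
    return (not reasons, reasons)


def next_alert(expiry, today, already_sent):
    """Return the tightest alert threshold crossed and not yet sent, else None.

    Testing 'days left <= threshold' rather than '==' means a scheduler that
    skipped a day still sends the alert on its next run. The caller should
    then mark every threshold at or above the returned one as sent.
    """
    days_left = (expiry - today).days
    pending = [t for t in ALERT_DAYS if days_left <= t and t not in already_sent]
    return min(pending) if pending else None
```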

A note on Edition 10: SQF Edition 10 was released in March 2026, with audits starting January 2, 2027. The approved-supplier program is a heightened-focus area. Edition 10 audits will look for documented selection, evaluation, approval, and monitoring methods, with past performance and risk level considered. HACCPlan's supplier file produces all of those records by default. You do not have to retro-fit anything for Edition 10 — the record set is already shaped for it.

07 Verification log

The verification activity log — the single most-asked-for document at audit.

If there is one document the FDA, SQF, BRCGS, and CFIA all reach for first when they sit down at your supplier program, it is the verification activity log. Per 21 CFR §117.475 and the FSVP records section at 21 CFR §1.510, every verification activity has to be documented — who did it, when, what they found, what they decided. HACCPlan's log captures one record per event with the fields the rule asks for:

  • Supplier (linked to the supplier record)
  • Activity type — onsite audit, sampling and testing, records review, or other
  • Date of activity
  • Conducted by (qualified individual, internal auditor, third-party auditor)
  • Findings
  • Non-conformances identified
  • Corrective actions taken (linked to the CAPA log — Corrective and Preventive Action)
  • Next-due date for the next activity of this type

The log exports as a single PDF per supplier or per date range. One click. The inspector reads it in the order they expect. The "this is the most-asked-for document" claim is not marketing — it is the second thing every auditor I have hosted asked to see, after the written supply-chain program itself. The product makes the answer immediate.

For the section 117.430(a) annual onsite audit clock specifically, the cadence engine computes the "before first use and at least annually thereafter" requirement automatically for SAHCODHA suppliers. If you rely on a GFSI third-party certificate instead, the engine tracks the certificate validity period and schedules a certificate review at issuance and annually. The clock is not something you have to remember.

08 Scorecard

Supplier scorecard — eight metrics, updated quarterly.

A defensible supplier scorecard is the difference between "we like that supplier" and "the data says this supplier is in good standing." HACCPlan computes eight metrics from records that already exist in the workspace:

  1. CoA compliance rate

    The percentage of lots received with a CoA that met spec on every parameter. Slipping rates flag a process drift at the supplier worth a conversation before the next risk-rank refresh.

  2. On-time CoA rate

    The percentage of lots where the CoA arrived before release. A supplier whose CoAs land after the lot is already on the line is a different operational risk than one whose CoAs arrive ahead.

  3. Receiving non-conformance rate

    Rejected lots divided by total lots. A spike here is usually the first signal of a problem upstream that will eventually show up in CoAs.

  4. Documentation timeliness

    Days from a compliance-document request to receipt. The "we asked four times" pattern shows up here as a number.

  5. Audit or certificate score

    The current GFSI grade or third-party score. Pulled from the audit certificate tracker.

  6. Recall participation

    Recalls in the last 24 months. Cross-checked against the FDA and CFIA recall databases on supplier-name match.

  7. Complaint contribution

    Customer complaints traced to the supplier. Target benchmarks for food manufacturing: fewer than two complaints per thousand transactions is excellent, fewer than five is acceptable.

  8. Verification activity completion

    The percentage of due activities completed on time. A supplier whose annual records review is six months overdue does not have a good score here, no matter how clean their CoAs are.

Each metric feeds the overall risk score. The score feeds the cadence engine. The cadence engine feeds the next verification due date. The loop closes — a supplier whose scorecard slips automatically gets a tighter verification schedule the next quarter, without QA having to remember to update anything.

09 FSVP module

The FSVP workspace — Subpart L, DUNS, and the 24-hour FDA export.

If you import food into the US, FSVP is not optional. The unit of work is per food, per foreign supplier — every food, every supplier, separate record. HACCPlan's FSVP workspace organizes the supplier file around that unit:

  • §1.502 — The FSVP is developed, maintained, and followed per food and per supplier, in one workspace
  • §§1.504-1.505 — Hazard analysis and supplier evaluation pull from the same six-factor list section 117.410(d) uses, so a domestic supplier already in the workspace does not get re-keyed if they also import
  • §1.506(e) — The toggle that prevents double work when a section 117 supply-chain program already satisfies FSVP for the same food
  • §1.509 — DUNS (the Dun & Bradstreet identifier the FDA accepts as the Unique Facility Identifier) stored per foreign supplier and surfaced for the customs broker at entry
  • §1.510 — Two-year retention, English (or translated) records, retrievable in 24 hours of an FDA request via a one-click record-set export
  • §1.511 — Three-year reassessment clock with reminders at 60 and 30 days

A note on the 24-hour clock. The 2024 and 2025 FSVP warning-letter wave called out four named cases — Zest US Wholesale, Xin Ao International, Gongora USA, San Juan Produce — for not having an FSVP at all. The common thread across roughly seventy FSVP warning letters between 2024 and 2025 was the same: "the importer did not develop, maintain, and follow an FSVP." If a Form 482d arrives at your office asking for FSVP records, you have a 72-hour response window via the FSVP Importer Portal, and the records themselves have to be producible in 24 hours when the inspector asks. The workspace assembles the record set in the format the portal accepts — hazard analysis, supplier evaluation, verification records, corrective actions, DUNS, qualified-individual credentials — in one bundle. The deeper walkthrough is at /solutions/importers-fsvp.

10 SFCR workspace

The Canadian importer workspace — the SFCR section 89(4) pathway.

Almost no US-built supplier management platform addresses the Canadian importer requirement. Section 86 of the Safe Food for Canadians Regulations requires a written Preventive Control Plan. Section 89 lists what the plan has to contain. Section 89(4) — the importer-specific subsection — requires Canadian importers to document that each foreign supplier has preventive controls equal to or equally effective as SFCR sections 47 through 81. CFIA names four acceptable pathways for that documentation:

  1. Country-level recognition

    The food comes from a country with a CFIA food-safety systems recognition arrangement. The pathway documentation is the recognition arrangement plus the country-of-origin proof.

  2. Competent-authority certification

    The supplier's exports are certified by a competent food-safety authority in a country with an equivalent system. The certification document is the pathway evidence.

  3. GFSI third-party audit

    The supplier is subject to a GFSI-benchmarked audit (SQF, BRCGS, FSSC 22000) at a scope and frequency that satisfies SFCR sections 47 through 81. The certificate plus the scope-match record is the pathway evidence.

  4. Operator's own evaluation

    The importer conducts their own evaluation that confirms the supplier's preventive controls are equivalent. This is the most work, the most flexible, and the pathway most often used when the first three do not apply.

The HACCPlan CFIA importer workspace prompts for which pathway applies per foreign supplier and categorizes the supporting evidence. The pathway selection appears on the supplier card, so the next CFIA inspector reads the reasoning immediately rather than digging through document attachments. The plain-English walkthrough of the four pathways is at /learn/cfia-sfcr/preventive-control-plan/importer.

From my own facility

My Brantford CFIA inspector audits Nature Lion under SFCR every six months. The section 86 PCP is the first document she opens. The supplier list and the section 89(4) pathway determinations are usually the second and third. The discipline of pathway-per-supplier got built into HACCPlan because I do it on my own program every six months. The system has to make pathway documentation a five-minute exercise per supplier, not a panic the week before the inspection. That is the bar.

11 Built by an operator

Built by an operator who buys from suppliers every week.

I am not a software founder who decided supplier management was an interesting market. I run Nature Lion Inc. — a CFIA-licensed mushroom production facility in Brantford, Ontario — and I have been operating under SFCR since the licence was issued in 2023. I buy from suppliers every week. Substrate suppliers, spawn suppliers, packaging suppliers, ingredient suppliers, equipment vendors, and the occasional one-off. Every one of them gets a supplier record. Every shipment gets a CoA review. Every certificate gets a scope check and an expiry alert. The first version of all of this was a Notion database. The current version is HACCPlan, and I run my own program inside the product I sell.

I am a contributing author of Chapter 29 of Mushroomology, edited by Professor Jianping Xu of McMaster University and published by Brill Academic Publishers (ISBN 9789004751699, publishing 2026). The chapter covers the operational side of cultivation at the SME scale — including supplier control for substrate and spawn inputs, which is exactly the supplier-program problem this product solves. The credentials matter for one reason. The enterprise platforms in this category are built by software companies that have never run a CFIA inspection. HACCPlan is built by an operator who passes one every six months.

12 Honest comparison

Honest comparison — when other platforms are the right answer.

The supplier management software category is real. The major platforms in it are real. They are not wrong — they are built for different operators. The honest version of where each one fits:

Enterprise ingredient brands

Pick the category leaders

The enterprise platforms (TraceGains, FoodLogiQ, ReposiTrak, SafetyChain) are best in class at what they were built for. TraceGains owns the networked-ingredients lane — if your operation runs 500-plus ingredient suppliers with GDSN (Global Data Synchronization Network) sync and a dedicated supply-chain team, that is the right tool and worth the enterprise price tag. FoodLogiQ is right for mid-large brands running co-packer networks at scale. ReposiTrak is the right tool when a retailer like Kehe or UNFI requires their distributor network as a condition of supplying. SafetyChain is built for mid-market operators with production-floor compliance needs that span past supplier management.

SME operators

HACCPlan sits in the gap

The operators I built HACCPlan for: 5 to 100 active suppliers, $300K to $15M revenue, one or two qualified individuals wearing every compliance hat, no dedicated supply-chain team, no GDSN connector required. The Pro tier ($149/mo) covers the full module — directory, approval workflow, risk-ranking engine, CoA library with AI extraction, LoG library, certificate tracker, verification log, supplier scorecard, FSVP workspace, SFCR section 89(4) workspace. The Co-Packer tier ($349/mo) adds per-brand workspaces for operators producing under multiple client brand names from one facility.

Where HACCPlan does not compete, said out loud: GDSN-synced ingredient spec networks (TraceGains owns that lane and should). Real-time EDI (Electronic Data Interchange) with major retailers. Buyer-side distributor networks like ReposiTrak's RTN — where network membership is contractually required, HACCPlan does not replace the network membership. Multi-thousand-supplier portfolios with FTE supply-chain teams — that scale needs the enterprise tier and the dedicated implementation services that come with it. Honest framing beats every-tool-is-best framing every time.

13 Pricing

Pricing.

Three tiers. Public. No "talk to sales" anywhere on the page.

Free

$0

Supplier directory only. Add suppliers, capture the basic contact and product detail, store a few documents. No CoA library, no verification activity log. Right for operators with fewer than 5 suppliers running a manual build. Email required to create the workspace. No credit card. No upgrade prompts.

Pro

$149/mo

Full Supplier Management module. Directory plus approval workflow plus risk-ranking engine plus CoA library with AI extraction plus LoG library plus audit certificate tracker plus verification activity log plus 8-metric scorecard plus FSVP workspace plus SFCR section 89(4) workspace plus one-click PDF supplier file. Unlimited suppliers. Unlimited CoAs. Unlimited LoGs. Roughly $1,788 per year — below ReposiTrak's network-only fee.

Co-Packer

$349/mo

Everything in Pro plus per-brand workspaces. Built for co-packers and 3PLs running multiple brand-owner SKUs from one facility — different brand on every label, one set of internal records, per-brand scoping on the supplier file and the regulatory exports. The data model came directly from my private-label division at Nature Lion.

What you do not pay

None

No per-supplier fee. No per-user fee. No supplier-network fee charged to your suppliers. No annual commitment — month-to-month on the Pro and Co-Packer tiers. The price on this page is the price you sign for.

Cross-checked against the public market: ReposiTrak RTN runs $2,148 per year per facility before supplier-network onboarding fees. TraceGains entry-tier estimates from public TrustRadius data range from $3,500 to $25,000 per year. FoodLogiQ runs $30,000-plus annually with custom quoting. HACCPlan Pro at $1,788 per year sits below the ReposiTrak network-only fee while including the full internal supplier program. That gap is the point of the product.

14 Starter Pack

Where to start — the free Supplier Management Starter Pack.

If you are not ready to commit to software, start with the records that get cited most often. The Supplier Management Starter Pack is a free download with three editable templates. No account required, no upgrade prompts.

  1. Supplier Approval Form

    Supplier and manufacturer name, DUNS number, products, risk tier with written justification, hazard analysis cross-reference, GFSI certificate status with expiry, required-document checklist, qualified-individual signature, re-approval due date. The same fields the workspace populates — usable on paper until you graduate to the software.

  2. Supplier Verification Activity Log

    One row per event — supplier, activity type, date, conducted by, findings, non-conformances, corrective actions, next due. The single most-asked-for document at audit, in the format auditors expect.

  3. Letter of Guarantee Request Template

    A cover letter plus a 21 CFR §7.13-adapted continuing-guaranty attestation plus the four FFDCA attestations (compliance, allergen disclosure, food-contact compliance, notification on supplier change). Send it as-is to the suppliers who never quite got around to providing a LoG.

The starter pack is the same shape as the workspace records. Operators who run on the templates for a few weeks before subscribing find the transition straightforward — the fields match, the workflow matches, the discipline transfers cleanly.

15 First 30 days

What the first 30 days on HACCPlan actually look like.

A realistic onboarding for a single-facility SME with 10 to 30 active suppliers runs roughly like this:

  1. Days 1 to 3 — set up the workspace

    Create the workspace, register the qualified individual of record (with training credentials and signed competency declaration), enter the legal entity for the section 7.13 template. Toggle the regulatory views you need — FSMA, FSVP, SFCR, SQF, BRCGS — any combination. Upload any existing supplier documents you have, even if they are a draft Letter of Guarantee or a stale audit certificate.

  2. Days 4 to 10 — load the supplier directory

    Add every active supplier. The list is usually shorter than people remember — the risk-rank exercise typically cuts the working list by half. For each supplier: legal name, FDA Facility Registration number where applicable, DUNS, country, audit certifications with expiry, GFSI scope, and a date-stamped approval determination signed by the qualified individual. For Canadian, New Zealand, or Australian suppliers in eligible product categories, flag the section 1.513 streamlined pathway.

  3. Days 11 to 20 — run the risk-rank and set verification cadences

    Apply the five-axis model to each supplier in the working list. Output the tier assignment and the default cadence. Override anywhere a written determination is more defensible — the workflow scaffolds the determination text. Set the verification activity per tier (onsite audit, GFSI certificate review, sampling-and-testing, records review). Schedule the next-due dates with alerts at 60, 30, and 7 days.

  4. Days 21 to 30 — turn on CoA extraction and run an audit drill

    Connect the parse-address email so supplier CoAs route into the workspace automatically. Drag in the most recent 20 to 30 CoAs to populate the supplier scorecards. Then run an audit drill — pick a random supplier, pretend to be the inspector, ask for the supplier file. Time how long it takes to assemble. If you can produce a complete supplier file (approval determination, hazard analysis, verification log, CoAs, certificate, LoG, scorecard) in under five minutes, the system is working. If not, the gaps are exactly what month two cleans up.

By day 30 you should have a defensible supplier file for every active supplier, a working verification schedule, and a tested audit-drill workflow. That is the difference between a binder full of documents and a supplier program an auditor can read.

Start your supplier workspace

Start free — build your first supplier file in under an hour.

The free tier covers the supplier directory, the section 7.13 Letter of Guarantee template, and a single audit-certificate tracker. Pro adds the full module — CoA library with AI extraction, verification log, scorecard, FSVP workspace, SFCR section 89(4) workspace, and the one-click supplier file export. The free Supplier Management Starter Pack downloads with the email confirmation.

Email required to save your supplier workspace. No credit card. No upgrade prompts during the free tier.

Footnotes

1. 21 CFR Part 117 Subpart G — FSMA supply-chain program (sections 117.405 through 117.475) — ecfr.gov

2. 21 CFR Part 1 Subpart L — Foreign Supplier Verification Programs — ecfr.gov

3. 21 CFR §7.13 — Suggested form of continuing guaranty — law.cornell.edu

4. 21 CFR §117.410 — Verification activities — law.cornell.edu

5. 21 CFR §117.430 — Onsite audit verification — law.cornell.edu

6. 21 CFR §117.475 — Records — law.cornell.edu

7. 21 CFR §1.510 — FSVP records — law.cornell.edu

8. CFIA — Preventive Control Plan regulatory requirements (SFCR sections 86 and 89) — inspection.canada.ca

9. CFIA — Importer PCP guide (SFCR section 89(4) four pathways) — inspection.canada.ca

10. Food Safety Magazine — SQFI announces release date for SQF Edition 10 — food-safety.com

11. FDA — Industry Resources on Third-Party Audit Standards and FSMA Supplier Verification — fda.gov

12. Food Safety News — June 2025 FSVP warning letters (Zest, Xin Ao, Gongora, San Juan Produce) — foodsafetynews.com

Andrew Langevin · CFIA-licensed facility, Brantford ON · Published 2026-06-04 · 11 min read · Wikidata Q139112497