Supplier Security Policy

1. Purpose

Ensure third-party suppliers do not introduce unacceptable risks to Clerk.io's information assets.

2. Scope

Covers all vendors, contractors and SaaS providers that store, process or transmit Clerk.io data or provide critical services.

3. Supplier Classification

4. Due Diligence & Onboarding

1. Request security questionnaire & certifications (ISO 27001, SOC 2).
2. Review Data Processing Agreement & ensure GDPR clauses.
3. Assess Tier 1 suppliers for sub-processor transparency.
4. Executive & ISM approvals documented in Jira.

5. Contractual Requirements

• Confidentiality & data-protection clauses.
• Right to audit or obtain independent audit reports.
• 30-day notification of any security breach.
• SLA & uptime targets for Tier 1.

6. Monitoring

• Annual reassessment for Tier 1 & 2 suppliers.
• Continuous monitoring via internal AI agents vendor monitor – real-time alerts on security incidents, certification expiry and breach news for all Tier 1 & 2 suppliers.

7. Termination & Off-boarding

Ensure data deletion or return certified by supplier; disable integrations and credentials.

8. Exceptions

Must be approved by ISM and documented with compensating controls.

Version 1.0 — effective 2025-07-01