Clerk.io

Vendor Management Policy

1. Purpose

Ensure that third-party vendors do not introduce unacceptable risks to security, availability, confidentiality, or privacy.

2. Scope

Applies to all external service providers that process, store, or transmit customer or corporate data, or that could impact the delivery of services (e.g., cloud hosting, email delivery, payroll).

3. Onboarding Process

  1. Risk Tiering – Each vendor is classified as Critical, High, or Standard based on the sensitivity of the data it handles and how much service delivery depends on it.
  2. Due Diligence Questionnaire – A security and privacy questionnaire is distributed via the internal AI agents; evidence of a SOC 2 report, ISO 27001 certification, or equivalent assurance is requested.
  3. Data Processing Agreements – Legal ensures a GDPR-compliant DPA is in place, with SCCs where required.
  4. Approval – ISM, Legal, and Budget Owner sign-off is required before the vendor is used in production.

4. Monitoring

5. Offboarding

Data export or secure deletion is confirmed; all access tokens and credentials issued to or by the vendor are revoked; billing is cancelled.

6. Register

Authoritative vendor list maintained at https://docs.google.com/spreadsheets/d/… and mirrored in this repo under /gdpr/sub-processors.md.

7. Automation

A nightly GitHub Action (.github/workflows/vendor-sync.yml) calls the internal AI agents API, updates the authoritative Google Sheet, and opens a pull request updating src/gdpr/sub-processors.md. The pull request requires ISM review before merge.


Version 1.0