Vendor Register
Vendor Inventory
Section titled “Vendor Inventory”| Vendor | Service | Data Classification | Risk Tier | Trust/Compliance Page |
|---|---|---|---|---|
| Google Workspace | Email, productivity, identity, endpoint mgmt | Confidential | Critical | Google Cloud Trust |
| Google Cloud (GCP) | Cloud Run (web app and agent service hosting), Cloud Monitoring (uptime, alerting, logging), GCE | Confidential | Critical | Google Cloud Trust |
| Supabase | PostgreSQL, auth, RLS | Restricted | Critical | Supabase Security |
| Cloudflare | WAF, CDN, DDoS, DNS | Confidential | Critical | Cloudflare Compliance |
| CrowdStrike | Endpoint detection and response | Confidential | Critical | CrowdStrike Trust |
| Supabase Auth | Application identity, MFA, SSO, OAuth | Confidential | Critical | Supabase Security |
| GitHub | Source control, CI/CD, code review | Confidential | Standard | GitHub Security |
| 1Password | Password management, team vaults | Restricted | Standard | 1Password Security |
| Doppler | Secrets management, env var sync | Restricted | Standard | Doppler Security |
| Slack | Team communication, incident coordination | Internal | Standard | Slack Trust |
| Backblaze | Cloud object storage, backups | Confidential | Standard | Backblaze Compliance |
| Cube Backup | Google Workspace backup (Gmail, Drive, Calendar, Contacts) | Confidential | Standard | Cube Backup Security |
| Anthropic | AI model provider (Claude) | Confidential | Standard | Anthropic Security |
Risk Tier criteria: per Vendor Management Policy §3 Review cadence: Critical vendors quarterly; Standard/Low-Risk vendors annually All Restricted-data vendors must have a Data Processing Agreement (DPA) on file.
SOC 2 Report Collection Tracker
Section titled “SOC 2 Report Collection Tracker”| Vendor | Report Type | Coverage Period | Received Date | Reviewed By | Next Review | Findings |
|---|---|---|---|---|---|---|
| Google Workspace | Q2 2026 | |||||
| Google Cloud (GCP) | Q2 2026 | |||||
| Supabase | Q2 2026 | |||||
| Cloudflare | Q2 2026 | |||||
| CrowdStrike | Q2 2026 | |||||
| Supabase Auth | Q2 2026 | |||||
| GitHub | 2027 | |||||
| 1Password | 2027 | |||||
| Doppler | 2027 | |||||
| Slack | 2027 | |||||
| Backblaze | 2027 | |||||
| Cube Backup | 2027 | |||||
| Anthropic | 2027 |
Report Type values: SOC 2 Type II, SOC 2 Type I, ISO 27001, SIG Questionnaire, Pentest Report, N/A Status notes: Empty rows indicate collection pending. Quarterly vendor review issues track progress.
DPA Status
Section titled “DPA Status”| Vendor | DPA Required | DPA on File | DPA Date | Notes |
|---|---|---|---|---|
| Supabase | Yes (Restricted) | |||
| 1Password | Yes (Restricted) | |||
| Doppler | Yes (Restricted) | |||
| Google Workspace | Yes (Confidential PII) | |||
| Cube Backup | Yes (Confidential — processes GWS backup data) | |||
| Supabase Auth | Yes (Confidential PII) |
Related Documents
Section titled “Related Documents”Meridian Seven — Confidential