Vendor Management Policy
1. Purpose
Defines requirements for evaluating, onboarding, monitoring, and offboarding third-party vendors that process, store, or access Meridian Seven data or systems.
2. Scope
All third-party vendors, service providers, and contractors that:
- Process or store Meridian Seven or customer data
- Have access to Meridian Seven systems or infrastructure
- Provide services critical to business operations
- Handle Confidential or Restricted data per the Data Classification Policy
3. Vendor Categorization
| Tier | Criteria | Examples | Review Frequency |
|---|---|---|---|
| Critical | Processes customer data, core infrastructure, or single point of failure | Supabase (including Supabase Auth), Google Cloud (Cloud Run), Cloudflare, Google Workspace, CrowdStrike | Quarterly |
| Standard | Accesses internal data, supports development/operations, not a single point of failure | GitHub, 1Password, Doppler, Slack, Google Cloud Monitoring, Backblaze, Anthropic | Annually |
| Low-Risk | No sensitive data access; easily replaceable; limited scope | Analytics tools, design tools, documentation platforms | Annually |
Categorization factors: data access level, system access, criticality, replaceability, data residency.
4. Vendor Inventory
The CISO maintains a Vendor Register listing all active vendors. Each entry includes: vendor name, service provided, data classification handled, SOC 2 status (or alternative evidence), risk tier, last review date, next review due date, and contract renewal date. The register is updated whenever a vendor is added, removed, or changed, and whenever a review is completed.
5. Security Assessment Criteria
5.1 Pre-Onboarding Assessment
| Criterion | Critical | Standard | Low-Risk |
|---|---|---|---|
| SOC 2 Type II report | Required | Required | Preferred |
| Security questionnaire | Required | Required | Not required |
| Penetration test results | Required | Preferred | Not required |
| Data encryption (transit + rest) | Required | Required | Required (transit) |
| MFA support | Required | Required | Preferred |
| Incident notification SLA | Required | Required | Not required |
| Business continuity plan | Required | Preferred | Not required |
| Data residency documentation | Required | Required | Not required |
5.2 Data Processing Assessment
Before onboarding, document: what data the vendor accesses, its classification, storage location, transmission encryption, retention policy, and destruction procedure at relationship end.
6. SOC 2 Report Collection
SOC 2 Type II reports are collected annually for all Critical and Standard tier vendors. The CISO reviews each report for: qualified or adverse opinions, auditor exceptions and the vendor's management responses, Complementary User Entity Controls (CUECs) that Meridian Seven must implement, and coverage period alignment. If the report's coverage period has lapsed, request a bridge letter covering the gap until the next report is issued.
If a vendor has no SOC 2, obtain alternative evidence: ISO 27001 certification, completed SIG questionnaire, or independent penetration test results. Collection status and findings tracked in the Vendor Register.
7. Vendor Onboarding Checklist
Before granting access to any Meridian Seven systems or data:
- Risk tier assigned
- Security assessment completed per Section 5
- SOC 2 report or alternative evidence obtained and reviewed
- Data Processing Agreement (DPA) executed if vendor processes personal data
- Service agreement reviewed for: breach notification (≤72 hours), data handling/deletion obligations, audit rights, subprocessor notification, liability and indemnification
- Access provisioned using least-privilege principle
- Vendor added to Vendor Register
- Review date scheduled per risk tier
8. Periodic Review
8.1 Review Process
The CISO conducts reviews at the cadence set in Section 3 (quarterly for Critical, annually for Standard and Low-Risk):
- Collect current SOC 2 report or alternative evidence
- Review security incidents involving the vendor since the last review
- Assess whether risk tier has changed
- Verify contractual security obligations are being met
- Confirm data access is still necessary and appropriate
- Update Vendor Register with review date and findings
8.2 Review Outcomes
| Outcome | Action |
|---|---|
| Satisfactory | Update review date; continue relationship |
| Concerns identified | Document concerns; request remediation plan; schedule follow-up |
| Unacceptable risk | Escalate to CTO; initiate vendor replacement planning |
9. Data Processing Agreements
A DPA must be in place with any vendor processing personal data on behalf of Meridian Seven or its customers. DPAs must address: processing scope, data categories, retention, security measures, subprocessors, breach notification, data subject rights, and data deletion. DPAs are reviewed and updated when vendor relationships or processing activities change.
10. Vendor Offboarding
When a vendor relationship ends:
- Revoke all system access within 24 hours, including SSO integrations, OAuth grants, service accounts, and any vendor-held access to Meridian Seven systems
- Rotate any shared credentials or API keys the vendor held, and revoke any credentials Meridian Seven holds for the vendor's service
- Request written confirmation of data deletion
- Update Vendor Register to reflect termination
- Archive vendor documentation for the retention period
11. Related Documents
- Vendor Register
- Data Classification Policy
- Information Security Policy
- Access Control Policy
Meridian Seven — Confidential