xcPEP Vendor Risk Management Policy
1. Purpose and Scope
This Vendor Risk Management Policy defines Advanced Structures India Private Limited's framework for managing the risks associated with third-party vendors and service providers who have access to, or can impact the security of, our systems or customer data related to the xcPEP SaaS platform. This policy applies to all departments and personnel involved in the selection, engagement, and management of third-party vendors.
2. Policy Objectives
- To ensure that all third-party vendors meet Advanced Structures India Private Limited's security and data protection standards.
- To minimize risks introduced by third-party relationships.
- To establish a consistent process for vendor onboarding, monitoring, and offboarding.
- To ensure compliance with legal and regulatory obligations related to third-party data processing.
3. Vendor Risk Management Lifecycle
The vendor risk management process comprises the following stages:
- A. Vendor Selection & Due Diligence (Onboarding):
  - Identification of Need: Business units identify a need for a new vendor service.
  - Initial Assessment: Each vendor is first assessed on the criticality of the service it provides and the level of access it requires to our systems or data; this determines the depth of the assessment that follows.
  - Security Assessment: For critical vendors (especially those processing customer data), a comprehensive security assessment is conducted. This may include:
    - Review of security certifications (e.g., SOC 2 Type 2, ISO 27001).
    - Security questionnaires.
    - Review of their security policies and procedures.
    - Vulnerability reports or penetration test summaries.
  - Data Protection Assessment: Verification of their data protection practices and compliance with relevant privacy regulations (e.g., GDPR, local data protection laws).
  - Contractual Review: The Legal and security teams review proposed contracts to ensure they include robust data protection clauses, security SLAs, audit rights, and incident notification requirements. Where personal data is processed, a Data Processing Addendum (DPA) is executed as part of the contract.
- B. Ongoing Monitoring & Management:
  - Performance Monitoring: Vendor performance is monitored on an ongoing basis against contractual obligations and security SLAs.
  - Periodic Reviews: Critical vendors undergo periodic security reviews (e.g., annually) to ensure continued compliance with our standards. This may involve updated security assessments or review of renewed certifications.
  - Incident Notification: Vendors are contractually obligated to notify Advanced Structures India Private Limited of any security incidents or data breaches affecting our data without undue delay, as per our xcPEP Data Breach Notification Policy.
  - Communication: Open communication channels with vendors are maintained for security-related matters.
- C. Offboarding & Termination:
  - Data Return/Deletion: Upon termination of a vendor relationship, procedures are followed to ensure the secure return or deletion of all Advanced Structures India Private Limited data and customer data processed by the vendor, in accordance with contractual agreements and our xcPEP Data Retention and Deletion Policy.
  - Access Revocation: All vendor access to our systems and data, including any accounts and credentials issued to the vendor, is promptly revoked.
  - Post-Termination Review: A review is conducted to confirm that all contractual obligations regarding data and security have been met.
4. Roles and Responsibilities
- Vendor Management Committee (or equivalent): Oversees the overall vendor risk management program.
- Information Security Officer (ISO): Defines security requirements for vendors, conducts security assessments, and advises on contractual security clauses.
- Legal Department: Reviews and approves vendor contracts, particularly data processing agreements.
- Procurement/Business Owners: Initiate vendor engagements and are responsible for ongoing vendor relationship management.
5. Documentation
All vendor assessments, contractual agreements, and review records are systematically documented and retained for audit purposes.
6. Policy Review and Updates
This xcPEP Vendor Risk Management Policy is reviewed at least annually and updated as necessary to reflect changes in regulatory requirements, industry best practices, and our organizational structure or vendor landscape.