Skip to main content

Supplier and Third-Party Management Policy

Viola Di Veroli avatar
Written by Viola Di Veroli
Updated over 3 months ago

1. Purpose

The purpose of this policy is to establish a structured and secure framework for managing relationships with third-party vendors, suppliers, and service providers that have access to GoPerfect systems, data, or services. This policy ensures that all third parties comply with our security, data privacy, and business continuity requirements.

2. Scope

This policy applies to all third-party entities that process, store, or have access to GoPerfect’s systems, infrastructure, customer data, and other confidential information. It includes:

  • Cloud service providers

  • Data vendors

  • Software providers

  • Consultants and contractors

  • Business partners

  • Any other external entity accessing GoPerfect data or services

3. Third-Party Selection & Due Diligence

Before onboarding a third-party supplier, GoPerfect conducts a due diligence process to assess security, compliance, and operational risks. This includes:

  1. Security Assessment:

    • Evaluation of the vendor's security policies, certifications (e.g., ISO 27001, SOC 2), and compliance with industry standards (GDPR, CCPA, OWASP, etc.).

    • Assessment of security controls such as data encryption, authentication mechanisms, and vulnerability management.

  2. Legal & Compliance Review:

    • Verification that the supplier adheres to relevant data protection laws (GDPR, CCPA, Israeli Privacy Law, etc.).

    • Execution of Data Protection Agreements (DPAs) and review of privacy notices to ensure compliance with personal data protection requirements.

  3. Operational & Financial Risk Assessment:

    • Evaluation of financial stability and operational risks of the supplier.

    • Review of service-level agreements (SLAs) ensuring minimal service disruption in case of failures.

  4. Incident Response & Business Continuity:

    • Vendors must demonstrate incident response and disaster recovery plans with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

  5. Contractual Safeguards:

    • All vendors must sign agreements that explicitly outline their data processing, confidentiality, and security responsibilities.

    • Clauses regarding termination, data deletion, and liability in case of breaches are mandatory.

4. Data Security and Access Controls

GoPerfect enforces strict access controls for third-party suppliers based on the principle of least privilege (PoLP):

  1. User & Access Management:

    • Vendors are assigned role-based access controls (RBAC), ensuring minimal data exposure.

    • Multi-factor authentication (MFA) is required for accessing GoPerfect systems.

  2. Data Classification & Handling:

    • Third parties must comply with GoPerfect’s data classification and handling requirements, ensuring no unauthorized access, processing, or sharing.

    • Personally Identifiable Information (PII) and customer data must be stored and processed securely using encryption and access control mechanisms.

  3. Data Storage & Retention:

    • Vendors storing GoPerfect data must comply with the retention policy, ensuring data is deleted or anonymized when no longer needed.

    • Data must be stored within approved cloud environments (e.g., GCP with appropriate security controls).

  4. Monitoring & Audits:

    • Regular third-party security audits are conducted to ensure compliance with data protection and security policies.

    • Vendors must report security incidents and support security investigations upon request.

5. Continuous Monitoring & Risk Management

GoPerfect maintains ongoing monitoring and risk assessment for third-party suppliers:

  1. Annual Reviews & Audits:

    • Annual third-party risk assessments to verify compliance with contractual and regulatory obligations.

    • Penetration testing and vulnerability assessments for vendors handling critical infrastructure.

  2. Vendor Risk Scoring:

    • Vendors are assigned risk scores based on their data access level, past security incidents, and regulatory compliance history.

  3. Incident Reporting & Response:

    • Vendors must have an incident response plan in place and notify GoPerfect within 24 hours of any data breach or security incident.

    • GoPerfect reserves the right to terminate contracts with vendors failing to meet security and compliance standards.

6. Contract Termination & Offboarding

Upon termination of a contract with a third-party supplier, GoPerfect enforces secure offboarding procedures:

  1. Revocation of Access:

    • All vendor access to GoPerfect systems is immediately revoked upon contract termination.

  2. Data Deletion & Return:

    • Vendors must return or securely delete all GoPerfect data within 30 days of contract termination.

    • A certificate of data deletion may be required for compliance.

  3. Exit Review & Risk Assessment:

    • A final risk assessment is conducted to ensure no residual vendor risks remain.

    • Audit logs and access records are reviewed before closure.

7. Exceptions & Policy Updates

Any exceptions to this policy require formal approval from GoPerfect’s Chief Information Security Officer (CISO) or Legal Department. The policy is reviewed annually and updated based on evolving security threats, regulatory changes, and business needs.

Need more guidance? 🙋 Our LIVE support team (at the bottom right corner of your screen) replies to ANY question.

Did this answer your question?