noIM₃ Legal & Policies

Vendor Management Policy

Last updated: [Date]

1. Purpose and Scope

This Vendor Management Policy establishes the framework for identifying, selecting, onboarding, managing, and offboarding third-party vendors and service providers used by noIM₃. The goal is to ensure that vendors meet our standards for security, reliability, data handling, and service quality.

This policy applies to all third-party vendors who:

  • Process, store, or transmit noIM₃ customer or business data
  • Provide infrastructure, software, or services critical to platform operations
  • Have access to noIM₃ systems, networks, or confidential information

[List your current key vendors, e.g. Vercel (hosting), Stripe (payments), Supabase/PostgreSQL (database), etc.]

2. Vendor Selection

Before engaging a new vendor, the following criteria are assessed:

  • Technical capability and reliability track record
  • Security posture (certifications, penetration testing, incident history)
  • Data handling and privacy compliance (aligned with the Australian Privacy Act and other applicable regulations)
  • Financial stability and business continuity provisions
  • Geographic location of data processing and storage
  • Contractual flexibility and exit provisions

3. Due Diligence

Prior to onboarding any vendor with access to customer data or critical systems, we conduct due diligence that includes reviewing the vendor's privacy policy, security documentation, relevant certifications (e.g. SOC 2, ISO 27001), and any applicable data processing agreements.

[Describe your due diligence process in more detail if you have a formal internal review process.]

4. Contractual Requirements

All vendors handling personal or sensitive data must execute:

  • A written service agreement defining scope, service levels, and responsibilities
  • A Data Processing Agreement (DPA) where the vendor processes personal information on our behalf
  • Confidentiality and non-disclosure provisions
  • Breach notification obligations (notification within 72 hours of discovery)
  • Audit rights, or provision of third-party audit reports in lieu of direct audits

5. Ongoing Monitoring

Vendor performance and compliance are reviewed on a periodic basis. Reviews consider service level performance, security incident history, changes to the vendor's terms or data handling practices, and any regulatory developments affecting the vendor relationship.

[Define review frequency, e.g. quarterly for critical vendors, annually for others.]

6. Critical Vendor Designation

Vendors that are essential to platform availability or that process significant volumes of customer data are designated as critical vendors and subject to enhanced monitoring, including:

  • Annual formal review
  • Business continuity and disaster recovery plan alignment
  • Documented contingency plan for vendor failure or exit

[List your critical vendor designations and review schedule.]

7. Vendor Offboarding

When terminating a vendor relationship, we ensure:

  • All noIM₃ data is returned or securely deleted by the vendor
  • Access credentials and API keys are revoked
  • Data deletion confirmation is obtained in writing
  • A transition plan is in place before termination to avoid service disruption

8. Policy Review

This policy is reviewed annually or when a significant vendor relationship changes, a vendor incident occurs, or regulatory requirements affecting vendor management are updated.

Questions about this policy? Contact us and we'll respond within 2 business days.