Vendor Security Policy (Annex A.15)

Public version

Effective Date: 01 July 2025

Owner: Chief Risk Officer (CRO)

Applies To: All employees, contractors, and systems of Advntg.AI

ISO 27001 & SOC 2 Mapping

This policy supports compliance with the following standards and controls:

ISO 27001 Annex A Controls

  • A.9 – Access Control: Restricting vendor access to least privilege and enforcing authentication requirements.
  • A.12 – Operations Security: Ensuring vendors maintain operational security measures, including endpoint protection and patch management.
  • A.13 – Communications Security: Securing data in transit and at rest during vendor operations.
  • A.15 – Supplier Relationships: Establishing security requirements for supplier selection, agreements, monitoring, and termination.
  • A.16 – Information Security Incident Management: Requiring vendors to report and cooperate in incident investigations.

SOC 2 Trust Services Criteria

  • Security (CC6.x) – Logical and physical access controls for vendors.
  • Confidentiality (C1.x) – Safeguarding confidential Company data handled by vendors.
  • Availability (A1.x) – Ensuring vendor operational practices do not impair the availability of Company systems and services.


Table of Contents

1. Purpose

2. Scope

3. Vendor Selection and Risk Assessment

4. Contractual Security Requirements

5. Access Control

6. Security Monitoring and Compliance

7. Incident Management

8. Data Return or Destruction

9. Enforcement and Violations

Version control

Version   Date          Made By   Approved By   Comments
1.0       01 July 2025  CRO       CEO           n/a

1. Purpose

This Policy establishes the framework for managing vendor security in line with ISO 27001 Annex A.9 and SOC 2 requirements.

The purpose of this Policy is to ensure that all third-party vendors, suppliers, and service providers with access to Company data, systems, or facilities adhere to the Company’s security, compliance, and privacy requirements.

2. Scope

This policy applies to all of the Company’s computer systems, facilities, and information assets, including those managed or hosted on the Company’s behalf by third parties. Specifically, this policy applies to:

  1. All vendors providing products or services to the Company, regardless of contractual duration or engagement type.
  2. All subcontractors engaged by vendors who may process, store, or transmit Company information.
  3. All Company data, including personal data, client data, and proprietary or confidential information, in any form (digital, physical, or cloud-based).

3. Vendor Selection and Risk Assessment

3.1. Pre-Contract Security Assessment

Prior to contract award, all vendors must undergo a security risk assessment to evaluate their ability to safeguard Company data and systems. The assessment must include:

  • Verification of current security certifications (e.g., ISO 27001, SOC 2, PCI DSS, or equivalent).
  • Review of data protection controls, including encryption, access management, and secure disposal practices.
  • Evaluation of incident response capabilities, including detection, containment, and notification procedures.

3.2. Data Protection Compliance

Vendors handling personal data must comply with all applicable data protection and privacy laws, including but not limited to:

  • General Data Protection Regulation (GDPR).
  • Health Insurance Portability and Accountability Act (HIPAA).
  • Any other jurisdictional requirements relevant to the engagement.

3.3. Documentation & Audit

All vendor risk assessments must be:

  • Documented in the Company’s vendor management system.
  • Retained for a minimum of 5 years in accordance with the Company’s audit retention policy.
  • Available for review by auditors or regulators upon request.

4. Contractual Security Requirements

4.1. All vendors and their subcontractors must execute legally binding agreements before commencing work for the Company, including but not limited to:

  • Non-Disclosure Agreement (NDA).
  • Work-for-Hire Agreement (where applicable).
  • Ownership of Intellectual Property and Assets Clause.
  • Independent Contractor Agreement.

4.2. All vendor agreements must contain clear, enforceable clauses that address the following:

  Confidentiality Obligations
    • Vendors must protect all Company data, including client and personal data, as confidential information.
    • Confidentiality obligations shall survive the termination of the agreement.
    • The same requirements should be established for the vendors’ subcontractors.

  Data Handling Requirements
    • All Company data must be encrypted in transit and at rest using Company-approved encryption standards.
    • Vendors must implement secure storage, processing, and disposal procedures to prevent unauthorized access or disclosure.
    • The same requirements should be established for the vendors’ subcontractors.

  Incident Notification Timelines
    • Vendors must notify the Company of any actual or suspected security incident involving Company data within 24 hours of detection.
    • Notifications must include sufficient detail to enable the Company to assess impact and take appropriate action.
    • The same requirements should be established for the vendors’ subcontractors.

  Right-to-Audit Provisions
    • The Company, or a designated third-party auditor, must be granted the right to audit the vendor’s compliance with contractual security obligations.
    • Audits may include security assessments, document reviews, and on-site inspections where applicable.
    • The same requirements should be established for the vendors’ subcontractors.

  Termination and Data Return/Destruction
    • Upon termination of the agreement, vendors must either (i) return all Company data in a secure format, or (ii) irreversibly destroy all Company data and provide written certification of destruction.
    • The same requirements should be established for the vendors’ subcontractors.

4.3. The Company’s clients shall be made aware of the Company’s vendors and are entitled to approve or reject them within a reasonable time frame.

5. Access Control

5.1. Principle of Least Privilege

  • Vendors shall be granted only the minimum level of access required to perform their contracted duties.
  • Access must be limited to specific systems, applications, or data necessary for their scope of work.

5.2. Vendor Account Requirements

All vendor accounts must:

  1. Use Multi-Factor Authentication (MFA) where technically feasible and approved by the Company.
  2. Have expiry dates that correspond to the vendor’s contract term or project end date, whichever is sooner.
  3. Be reviewed quarterly by the Cybersecurity Team or designated system owners to confirm necessity, appropriateness, and compliance with access control policies.

6. Security Monitoring and Compliance

6.1. Vendor Security Controls

Vendors must maintain and, upon request, provide evidence of the following security measures:

  1. Active endpoint protection — including anti-malware, firewall, and endpoint detection and response (EDR) solutions.
  2. Patch and vulnerability management — timely application of security updates, patches, and remediation of identified vulnerabilities.
  3. Logging and monitoring — comprehensive logging of all access to Company data, with monitoring for suspicious activity.

6.2. Ongoing Security Reviews

  • Vendors classified as high-risk based on the Company’s risk assessment must undergo annual security reviews.
  • Reviews may include documentation requests, security questionnaires, penetration testing, or on-site assessments.

7. Incident Management

7.1. Incident Reporting

Vendors must report any actual or suspected security incident involving Company data to the Company’s Cybersecurity Team within 24 hours of detection.

Incident reports must include:

  • Date and time of detection.
  • Systems, data, or services affected.
  • Known or suspected cause.
  • Immediate actions taken.

7.2. Cooperation in Investigations

Vendors must fully cooperate in all incident investigations conducted by the Company or its designated representatives.

Cooperation includes, but is not limited to:

  • Providing relevant logs, forensic data, and security reports.
  • Granting timely access to affected systems for investigation purposes.
  • Implementing agreed-upon remediation measures within specified timeframes.

8. Data Return or Destruction

8.1. Secure Data Return

Upon contract termination or at the Company’s written request, vendors must securely return all Company data in a Company-approved format and via a secure transfer method.

8.2. Secure Data Destruction

If data return is not required or feasible, vendors must irreversibly destroy all Company data in their possession, custody, or control using industry-accepted secure deletion methods.

8.3. Confirmation of Destruction

Vendors must provide written confirmation of data destruction, including:

  • Date and time of destruction.
  • Method used.
  • Name and title of the person performing the destruction.

9. Enforcement and Violations

9.1. Compliance Requirement

All vendors, subcontractors, and service providers with access to Company systems, data, or facilities must comply with this policy and all related contractual security obligations.

9.2. Consequences of Non-Compliance

Failure to comply with this policy may result in:

  1. Suspension of services until compliance is achieved.
  2. Termination of contract for repeated or severe violations.
  3. Legal action or regulatory reporting where required by applicable law, contractual agreements, or industry regulations.

9.3. Reporting and Remediation

All suspected or confirmed violations must be reported to the Company’s Cybersecurity Team immediately.

Vendors must cooperate fully in any remediation efforts to address policy breaches.

This Policy shall be reviewed and edited from time to time, subject to the CISO’s approval.

For questions or reports regarding this Policy, contact:
security@advntg.ai

* * *