
Synthetic Users Third-Party Risk Management Policy

Version: 2.0

Effective Date: March 25, 2026

Last Updated: March 25, 2026

Owner: CTO — Artur Ventura

Approved By: CEO — Kwame Ferreira

Classification: Internal – Confidential

CRA Control: CRA 19.1.3


Change History

Version | Date | Author | Changes
1.0 | January 7, 2025 | Security & Compliance Lead | Initial release
2.0 | March 25, 2026 | Artur Ventura, CTO | Added formal risk tier classification (HIGH / MEDIUM / LOW) with JPMC-required factors; added full subcontractor risk register (19 vendors); added due diligence requirements by tier; added monitoring frequency table. Updated per JPMC SCA CRA 19.1.3.

1. Purpose

The purpose of this policy is to ensure that all third parties and vendors engaged by Synthetic Users maintain security, privacy, and compliance standards consistent with our internal controls and regulatory obligations — including those required by JPMC under the Security Controls Assessment (SCA). This policy defines how Synthetic Users assesses, categorizes, monitors, and manages third-party risks throughout the full vendor lifecycle.


2. Scope

This policy applies to all third parties that store, process, or access Synthetic Users' company data, customer data, or production systems. It includes service providers, SaaS vendors, infrastructure platforms, AI/GenAI model providers, consultants, and open-source dependencies used within Synthetic Users' environment.


3. Objectives

  • Identify and mitigate risks associated with third-party relationships
  • Ensure vendors comply with SOC 2, GDPR, and other relevant standards
  • Maintain accountability and visibility across the vendor ecosystem
  • Apply formal risk tier classification (HIGH / MEDIUM / LOW) to all active subcontractors
  • Enforce contractual and technical safeguards for data protection
  • Meet JPMC SCA CRA 19.1.3 requirements for subcontractor risk management

4. Roles and Responsibilities

Role | Responsibility
CTO — Artur Ventura | Policy owner; oversees vendor risk assessments; approves onboarding of HIGH-risk vendors; manages AI/GenAI provider risk
CFO — Zumbi Ferreira | Approves financial and commercial vendor commitments; ensures DPAs are in place for data-processing vendors
Engineering & Product Teams | Identify and review technical dependencies (SaaS tools, APIs, SDKs); flag new third-party integrations
CEO — Kwame Ferreira | Final approval for HIGH-risk vendor onboarding; notified of vendor-related security incidents affecting JPMC engagement

5. Risk Tier Classification

5.1 Tier Definitions

Vendors are assigned a risk tier based on the following JPMC-required factors:

Factor | HIGH | MEDIUM | LOW
Data Sensitivity | Processes customer PII, JPMC data, or production secrets | Processes internal business data (non-customer, non-JPMC) | No access to sensitive data
System Access | Direct access to production systems or infrastructure | Access to internal tools or business systems | No access to production or business systems
Business Criticality | Outage causes platform downtime or data loss | Outage causes operational disruption but no data loss | Outage has minimal business impact
Volume of Data | Large volumes of customer or regulated data | Moderate volumes of internal data | Minimal or no data processed
Regulatory Scope | In scope for GDPR, CCPA, SOC 2, or JPMC contractual obligations | Partial scope (e.g., internal data only) | Not in regulatory scope
Data Residency | Processes or stores data in jurisdictions requiring contractual controls | Data residency in primary operating countries | No data residency concerns
Subcontracting | Subcontracts to further parties with access to sensitive data | Limited subcontracting | No further subcontracting

6. Subcontractor Risk Register

All active Synthetic Users subcontractors and their assigned risk tiers are documented below. This register is reviewed and updated annually.

Last reviewed: March 25, 2026

6.1 HIGH Risk Subcontractors

Vendor | Service | Data/Access | Certifications | DPA | Review Frequency
Amazon Web Services (AWS) | Cloud infrastructure (compute, storage, database, networking) | Customer PII, production data, JPMC study data | SOC 2 Type II, ISO 27001, PCI DSS | Yes | Annual
Render | Application hosting, environment configuration, deployment | Production application, environment variables, secrets | SOC 2 Type II | Yes | Annual
OpenAI | LLM inference API (via LLM Shuffle) | Prompt data including customer context; output data | SOC 2 Type II | Yes (no training on API data) | Annual
Anthropic | LLM inference API (Claude, via LLM Shuffle) | Prompt data including customer context; output data | SOC 2 Type II | Yes (no training on API data) | Annual
Google Cloud / Gemini | LLM inference API (via LLM Shuffle); embedding services | Prompt data; embedding inputs | SOC 2 Type II, ISO 27001 | Yes | Annual
Google Firebase | Application user authentication and identity management | User credentials, session tokens, MFA events | SOC 2 Type II, ISO 27001 | Yes | Annual
Google Workspace | Employee identity management, SSO, MFA, email, collaboration | Employee credentials, session tokens, MFA events, corporate email | SOC 2 Type II, ISO 27001 | Yes (DPA) | Annual
GitHub | Source code repository, CI/CD, security scanning | Proprietary source code, secrets scanning, deployment pipelines | SOC 2 Type II | Yes | Annual

6.2 MEDIUM Risk Subcontractors

Vendor | Service | Data/Access | Certifications | DPA | Review Frequency
Stripe | Payment processing | Payment card data (Stripe handles PCI compliance; Synthetic Users does not store card data) | PCI DSS Level 1, SOC 2 | Yes | Annual
Notion | Internal documentation and operations | Internal business data, operational records | SOC 2 Type II | Yes | Annual
Intercom | Customer communications and support | Customer email addresses, support conversation content | SOC 2 Type II | Yes | Annual
1Password | Credential and secret management | Employee passwords, API keys, service credentials | SOC 2 Type II | Yes | Annual
Mistral AI | LLM inference API (via LLM Shuffle) | Prompt data | EU AI Act alignment; DPA | Yes | Annual

6.3 LOW Risk Subcontractors

Vendor | Service | Data/Access | DPA | Review Frequency
Vercel / Netlify | Static asset hosting (if applicable) | No PII; public static files only | N/A | Bi-annual
Linear | Engineering project management | Internal task data; no customer PII | N/A | Bi-annual
Loom | Internal video recording | Internal communications only | N/A | Bi-annual
Figma | Design tooling | Product designs; no customer PII | N/A | Bi-annual
Slack | Internal team communication | Internal messages; no production system access | SOC 2 | Yes
Calendly / scheduling tools | Meeting scheduling | Contact emails; no PII beyond scheduling | N/A | Bi-annual
Google Workspace | Email, docs, calendar | Internal communications; employee data | Yes | Annual

7. Due Diligence Requirements by Tier

Requirement | HIGH | MEDIUM | LOW
Third-Party Risk Assessment (TPRA) | Required before onboarding | Required before onboarding | Not required
SOC 2 / ISO 27001 / equivalent review | Required; must be current (< 12 months) | Required if available | Not required
Data Processing Agreement (DPA) | Required | Required if personal data involved | Not required
Encryption verification (in transit + at rest) | Required | Required | Not required
Incident response SLA review | Required | Recommended | Not required
Subcontractor disclosure review | Required | Recommended | Not required
CEO approval for onboarding | Required | CTO approval sufficient | CTO awareness
Annual security questionnaire | Required | Recommended | Not required

8. Vendor Risk Management Lifecycle

8.1 Identification

  • All new third-party engagements must be reported to the CTO before contract signing or data exchange
  • New vendors are assigned a risk tier before any data sharing or system access is granted

8.2 Due Diligence and Assessment

A Third-Party Risk Assessment (TPRA) is conducted prior to onboarding HIGH and MEDIUM risk vendors. Assessment includes:

  • Review of SOC 2, ISO 27001, or equivalent certifications
  • Verification of encryption, access control, and data protection measures
  • Evaluation of incident response and breach notification procedures
  • Review of subcontractor and data residency arrangements
  • For AI/GenAI providers: review of data retention, training opt-out, and prompt logging practices

8.3 Contractual Requirements

All HIGH and MEDIUM risk vendor contracts must include:

  • A Data Processing Agreement (DPA) where personal data is involved
  • Confidentiality and non-disclosure clauses
  • Clear obligations for data protection, breach notification (72 hours), and deletion upon termination
  • Right to audit or require attestation reports (e.g., SOC 2 Type II)

8.4 Ongoing Monitoring

Risk Tier | Review Frequency | Activities
HIGH | Annual | Full TPRA review; DPA reconfirmation; SOC 2 / certification update; security questionnaire
MEDIUM | Annual (or upon material change) | DPA reconfirmation; certification check
LOW | Bi-annual | Confirm service is still in use; confirm no change in data access

Open-source dependencies are monitored continuously via Dependabot. Vendor incident notifications are tracked and reviewed to assess downstream impact on Synthetic Users systems and data.

8.5 Offboarding

Upon termination of any vendor relationship, Synthetic Users ensures:

  • All customer and company data is deleted or returned securely
  • A Certificate of Data Destruction or written confirmation is obtained for HIGH-risk vendors
  • System credentials and access are immediately revoked
  • The subcontractor risk register is updated

9. Reporting and Escalation

  • Any vendor-related incident or suspected breach must be reported immediately to the CTO
  • If customer data or JPMC data is affected, the Incident Response Plan is triggered and the CEO is notified
  • Major vendor risks are reported to the Executive Team during quarterly security reviews

10. Policy Review and Maintenance

This policy is reviewed annually or following any major vendor onboarding, breach, or regulatory update. Updates require approval from the CTO and CEO.



Synthetic Users, Inc. — 3201 Coolidge Ave, Los Angeles, CA 90066, USA

Released under the MIT License.