
Synthetic Users Third-Party Risk Management Policy

Version: 1.0

Effective Date: 7 January 2025

Owner: Security & Compliance Lead

Approved By: CEO


1. Purpose

The purpose of this policy is to ensure that all third parties and vendors engaged by Synthetic Users maintain security, privacy, and compliance standards consistent with our internal controls and regulatory obligations. This policy defines how Synthetic Users assesses, monitors, and manages third-party risks throughout the vendor lifecycle.


2. Scope

This policy applies to all third parties that store, process, or access Synthetic Users’ company data, customer data, or production systems. It includes service providers, SaaS vendors, infrastructure platforms, consultants, and open-source dependencies used within Synthetic Users’ environment.


3. Objectives

  • Identify and mitigate risks associated with third-party relationships.
  • Ensure vendors comply with SOC 2, GDPR, and other relevant standards.
  • Maintain accountability and visibility across the vendor ecosystem.
  • Enforce contractual and technical safeguards for data protection.

4. Roles and Responsibilities

Role                          | Responsibility
------------------------------|-------------------------------------------------------------------------------
Security & Compliance Lead    | Oversees vendor risk assessments, manages the vendor register, ensures ongoing compliance.
Procurement/Finance           | Ensures contractual clauses (DPA, confidentiality) are included before engagement.
Engineering & Product Teams   | Identify and review technical dependencies (SaaS tools, APIs, SDKs).
Executive Team (CTO/CFO)      | Approves onboarding of critical or high-risk vendors.

5. Vendor Risk Management Lifecycle

5.1 Identification

  • All new third-party engagements must be reported to the Security & Compliance Lead before contract signing or data exchange.
  • Vendors are categorized by risk level (Low, Medium, High) based on data sensitivity and business criticality.

5.2 Due Diligence and Assessment

  • A Third-Party Risk Assessment (TPRA) is conducted prior to onboarding.
  • Assessment includes:
    • Review of SOC 2, ISO 27001, or equivalent certifications.
    • Verification of encryption, access control, and data protection measures.
    • Evaluation of incident response and breach notification procedures.
    • Review of subcontractor and data residency arrangements.

5.3 Contractual Requirements

All vendor contracts must include:

  • A Data Processing Agreement (DPA) where personal data is involved.
  • Confidentiality and non-disclosure clauses.
  • Clear obligations for data protection, breach notification, and deletion upon termination.
  • Right to audit or require attestation reports (e.g., SOC 2 Type II).

5.4 Ongoing Monitoring

  • High-risk vendors are reviewed annually or after significant infrastructure or ownership changes.
  • Continuous monitoring of dependencies through automated tools (e.g., Dependabot for open-source packages).
  • Incident notifications from vendors are tracked and reviewed to assess downstream impact.

5.5 Offboarding

  • Upon termination, Synthetic Users ensures:
    • All customer and company data is deleted or returned securely.
    • A Certificate of Data Destruction or written confirmation is obtained when possible.
    • System credentials and access are immediately revoked.

6. Risk Categorization Framework

Risk Level | Description                                                                 | Examples
-----------|-----------------------------------------------------------------------------|------------------------------
High       | Vendor stores or processes customer data, or hosts production systems       | AWS, Heroku, OpenAI
Medium     | Vendor processes internal business data but not production data             | Intercom, Notion, Stripe
Low        | Vendor provides non-critical services with no access to sensitive data      | Marketing or analytics tools

Each category determines review frequency, approval level, and contractual requirements.


7. Reporting and Escalation

  • Any vendor-related incident or suspected breach must be reported immediately to the Security & Compliance Lead.
  • If customer data is affected, the Incident Response Plan and Notification Protocol are triggered.
  • Major vendor risks are reported to the Executive Team during quarterly security reviews.

8. Policy Review and Maintenance

  • This policy shall be reviewed annually or following any major vendor onboarding, breach, or regulatory update.
  • Updates require approval from the CTO and Security & Compliance Lead.
  • The latest version is stored in the company’s internal Security Repository.

9. References

  • Access Control Policy
  • Encryption Policy
  • Incident Response Plan
  • Data Protection and Privacy Policy
  • Vendor Risk Assessment Template (TPRA)
  • Certificate of Data Destruction Procedure

Released under the MIT License.