Vendor Management Policy

Policy | VMP

Written by Matthew Lee
Updated over a week ago

Purpose and Scope

This policy defines the rules for relationships with the organization’s ("Shuffl") Information Technology (IT) third-party vendors, data processors, and partners. This policy applies to all IT vendors and partners who have the ability to impact the confidentiality, integrity, and availability of the organization’s technology and sensitive information, or who are within the scope of the organization’s information security program. This policy applies to all employees and contractors who are responsible for the management and oversight of IT vendors and partners of the organization.

Background

The overall security of the organization is highly dependent on the security of its contractual relationships with its IT suppliers and partners. This policy defines requirements for effective management and oversight of such suppliers and partners from an information security perspective. The policy prescribes minimum standards a vendor must meet from an information security standpoint, including security clauses, risk assessments, service level agreements, and incident management. For additional guidelines on our sub-data processors, please refer to Shuffl's DPA.

References

Policy

IT vendors are prohibited from accessing the organization’s information security assets until a contract containing security controls is agreed to and signed by the appropriate parties. All IT vendors must comply with the security policies defined and derived from the Information Security Policy (Reference 1). All security incidents by IT vendors or partners must be documented in accordance with the organization’s Security Incident Response Policy (Reference 2) and immediately forwarded to the Managing Partner. The organization must adhere to the terms of all Service Level Agreements (SLAs) entered into with IT vendors. As terms are updated, and as new ones are entered into, the organization must implement any changes or controls needed to ensure it remains in compliance.

Before entering into a contract and gaining access to the parent organization’s information systems, IT vendors must undergo a risk assessment.

  • Security risks related to IT vendors and partners must be identified during the risk assessment process.

  • The risk assessment must identify risks related to information and communication technology, as well as risks related to IT vendor supply chains, to include sub-suppliers.

  • IT vendors and partners must ensure that organizational records are protected, safeguarded, and disposed of securely. The organization strictly adheres to all applicable legal, regulatory, and contractual requirements regarding the collection, processing, and transmission of sensitive data such as Personally Identifiable Information (PII).

  • The organization may choose to audit IT vendors and partners to ensure compliance with applicable security policies, as well as legal, regulatory and contractual obligations.

When using sub-processors, the organization applies a deep level of scrutiny to their data protection standards as published in their DPA. All sub-processors must provide at least the same or a higher level of protection for Personal Data as the organization does, to the extent applicable.

  • Sub-processors are reviewed internally through a careful selection process, including any applicable trial of the service and its security measures, before personal data is sent to their systems.

  • Where possible, sub-processors hosted within a similar infrastructure and hosting ecosystem (AWS) are preferred, to ensure standardized platform availability during outages and disruptions.

Standard Controls Satisfied

TSC CC9.2
