_private/qwestly-docs/Policies/Third-Party Management Policy.md

Third-Party Management Policy

Purpose

To ensure the protection of Qwestly's data and assets that are shared with, accessible to, or managed by third-party organizations including service providers, vendors, contractors, and business partners. This policy establishes a framework for maintaining appropriate information security and service delivery standards while supporting Qwestly's mission of transforming the hiring landscape.

Scope

This policy applies to all Qwestly personnel and external parties, including:

  • All Qwestly employees and contractors
  • Service providers and vendors with access to company systems or data
  • Consultants and professional service providers
  • Any third party processing, storing, or transmitting Qwestly or customer data

Policy Framework

Pre-Engagement Requirements

Prior to engaging any third party, Qwestly shall:

  1. Conduct due diligence proportionate to the service's criticality and the level of data or system access involved
  2. Verify basic security practices and compliance certifications where applicable
  3. Execute written agreements defining security requirements and responsibilities
  4. Complete risk assessment appropriate to the vendor classification

Required Agreements

All third-party relationships must include documented agreements covering:

  • Data protection and confidentiality obligations
  • Security incident notification and response procedures
  • Liability and indemnification provisions
  • Data handling, retention, and destruction requirements
  • Termination and transition procedures

Vendor Classification and Approval

Tier 1: Critical Infrastructure (CEO + CTO Approval Required)

Definition: Vendors with direct access to production systems, customer data, or essential business operations

Examples:

  • Cloud infrastructure providers (AWS)
  • Identity and productivity systems (Google Workspace)
  • Source code repositories (GitHub)
  • Compliance and security platforms (Vanta)

Requirements:

  • Current SOC 2 Type II report or equivalent independent security attestation (SOC 2 is an attestation report, not a certification)
  • Comprehensive Data Processing Agreement
  • Cyber insurance coverage verification
  • Multi-factor authentication for administrative access
  • 24/7 incident response capability

Tier 2: Important Business Services (Department Head Approval)

Definition: Vendors supporting business operations with limited customer data access

Examples:

  • Application hosting platforms (Vercel)
  • Payment processing services (Stripe)
  • Analytics and monitoring tools
  • Customer support platforms
  • Marketing and CRM systems

Requirements:

  • Security questionnaire completion
  • Data Processing Agreement for personal data processing
  • Service Level Agreement with security provisions
  • Privacy policy compliance verification
  • Business continuity planning

Tier 3: Standard Business Tools (Manager Approval)

Definition: Vendors providing standard business functionality with limited company data access

Examples:

  • Accounting and finance software
  • Design and creative tools
  • Document storage and backup services
  • Professional services (legal, accounting)

Requirements:

  • Basic security assessment
  • Terms of service compliance review
  • Data handling policy verification
  • Professional credentials verification where applicable

Tier 4: Contractors and Professional Services (Project-Based Approval)

Definition: Individual contractors and service providers granted project-specific access to Qwestly systems or data

Requirements:

  • Background verification appropriate to access level
  • Confidentiality and non-disclosure agreement execution
  • Project-specific security requirements definition
  • Professional liability insurance verification

Security Requirements by Vendor Type

General Security Standards

All vendors must maintain:

  • Access control and authentication mechanisms
  • Encryption of data in transit and at rest
  • Regular security updates and patch management
  • Incident response and business continuity procedures
  • Staff security training and background checks

Enhanced Requirements for Customer Data Processing

Vendors processing customer data must additionally provide:

  • Compliance with applicable privacy laws (GDPR, CCPA)
  • Notification to Qwestly within 24 hours of becoming aware of a security incident affecting Qwestly or customer data
  • Data subject rights fulfillment capabilities
  • Compliance with geographic restrictions on where data may be processed
  • Annual security assessments or certifications

Cloud Service Provider Management

Cloud infrastructure providers must demonstrate:

  • Comprehensive security configuration and monitoring
  • Identity and access management integration
  • Audit logging and compliance reporting
  • Disaster recovery and business continuity testing
  • Service availability monitoring and SLA compliance

Ongoing Vendor Management

Performance Monitoring

  • Monthly review of critical vendor performance and security posture
  • Quarterly assessment of important business services
  • Annual comprehensive review of all vendor relationships
  • Continuous monitoring of security incidents and service availability

Incident Response

When vendor security incidents occur:

  1. Immediate impact assessment and risk evaluation
  2. Customer notification planning and regulatory compliance review
  3. Coordinated response with vendor incident management teams
  4. Post-incident review and relationship assessment

Contract and Relationship Management

  • Regular contract performance review against SLA commitments
  • Annual security posture and compliance verification
  • Proactive contract renewal and term optimization
  • Vendor consolidation and cost optimization analysis

Specialized Requirements

AI and Machine Learning Services

  • Data processing transparency and algorithmic fairness assessment
  • Training data security and intellectual property protection
  • Model bias detection and mitigation procedures
  • Compliance with employment law and anti-discrimination requirements

International Data Processing

  • Use of a lawful cross-border data transfer mechanism for each transfer
  • Verification of an applicable adequacy decision, or execution of Standard Contractual Clauses where none applies
  • Local data protection law compliance assessment
  • Data localization requirement evaluation

Exception Management

Exception Process

Requests for policy exceptions require:

  • Business justification and risk assessment documentation
  • Proposed compensating controls and mitigation measures
  • Defined duration and scope limitations
  • Appropriate approval authority based on risk level

Approval Authority

  • Low-risk exceptions: CTO approval
  • Medium-risk exceptions: CEO and CTO joint approval
  • High-risk exceptions: Board notification and approval

Training and Communication

Internal Training Requirements

All personnel must understand:

  • Vendor approval processes and authorization requirements
  • Data sharing protocols and classification handling
  • Security incident reporting procedures
  • Compliance obligations and regulatory requirements

Vendor Training and Onboarding

Vendors with system access must complete:

  • Qwestly security awareness training
  • Data handling and classification procedures
  • Incident reporting and escalation protocols
  • Access request and management procedures

Compliance and Documentation

Record Keeping

Qwestly maintains comprehensive documentation including:

  • Vendor inventory and classification registry
  • Executed contracts and Data Processing Agreements
  • Security assessment results and compliance certifications
  • Performance monitoring and incident response records

Regulatory Compliance

This policy supports compliance with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • SOC 2 Trust Services Criteria
  • Industry-specific regulatory requirements

Contact Information and Escalation

Operational Contacts

Executive Escalation

Emergency Procedures

Critical security incidents require immediate notification to executive leadership via direct communication channels.

Enforcement and Violations

Internal Violations

Policy violations by Qwestly personnel may result in:

  • Additional training and process review
  • Formal disciplinary action
  • Termination of employment for serious violations

Vendor Non-Compliance

Vendor policy violations may result in:

  • Performance improvement planning and additional oversight
  • Contract penalties and service credit application
  • Contract termination and alternative vendor engagement

Document History

| Version | Date    | Description | Written by    | Approved by  |
|---------|---------|-------------|---------------|--------------|
| 1.0.0   | 6/13/25 |             | Dominick Pham | Adam Boender |