# Third Party Security, Vendor Risk Management and Systems/Services Acquisition
2026.1
Changineers makes every effort to assure all third party organizations are compliant and do not compromise the integrity, security, and privacy of Changineers or Changineers Customer data. Third Parties include Vendors, Customers, Partners, Subcontractors, and Contracted Developers.
## Policy Statements
Changineers policy requires that:
(a) A list of approved vendors/partners must be maintained and reviewed annually.
(b) Approval from management, procurement and security must be in place prior to onboarding any new vendor or contractor. Additionally, all changes to existing contract agreements must be reviewed and approved prior to implementation.
(c) For any technology solution that needs to be integrated with Changineers production environment or operations, a Vendor Technology Review must be performed by the security team to understand and approve the risk. Periodic compliance assessment and SLA review may be required.
(d) Changineers Customers or Partners must not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.
(e) Additional vendor agreements are obtained as required by applicable regulatory compliance requirements.
## Controls and Procedures

### Vendor Technology Risk Review
Changineers requires a technology risk review before a new third-party service is integrated with Changineers operations or infrastructure. Employees engage the Security team to initiate the review, either by email or by opening a ticket.
The Security team assesses the vendor through documentation review and questionnaires, covering:
- The vendor’s compliance certifications and attestations (SOC 2, ISO 27001, or equivalent, where available).
- Data handling, retention, and deletion practices relevant to the data Changineers would send the vendor.
- Authentication and access control, including SSO support.
- Sub-processor list and locations.
- Encryption of data at rest and in transit.
- Incident response and breach notification commitments.
The Security team facilitates a discussion with the requesting business owner to determine whether the residual risk is acceptable. Vendor remediation may be required before approval.
## Revision History
| Date | Summary | Approved by |
|---|---|---|
| 2020-01 | Initial revision. | James Gregory |
| 2026-04-24 | Adopted vendor technology risk review procedure. | James Gregory |