Vendor / Supplier Management Policy

Document ID: VMP-001
Version: 1.0
Classification: Internal
Owner: Lauren ten Hoor (Director)
Effective date: 2026-04-30
Next review: 2027-04-30
Parent policy: Information Security Policy (ISP-001)
Operational document: Sub-processors list

1. Purpose

To ensure that third parties engaged by the Company — particularly those processing Customer Personal Data — are selected, contracted with, and monitored to a standard consistent with the Company's own information-security obligations.

2. Scope

All third parties that, in the course of providing services to the Company, may:

  • Process Customer Personal Data on the Company's behalf (sub-processors under GDPR Art. 28);
  • Have access to Confidential or Restricted Company information;
  • Provide critical infrastructure or operational services (Vercel, Supabase, OpenAI, Postmark, GitLab, domain registrar, email, password manager, accounting, banking);
  • Act on behalf of the Company under a written mandate, including the EU Representative under GDPR Article 27.

The EU Representative is a sui-generis party — neither a sub-processor nor a typical service provider — but their selection, ongoing review, and termination follow the same diligence framework as a sub-processor (§5–§10 below), adapted to their narrow scope. The Representative does not receive Customer Personal Data and does not require a back-to-back DPA; their obligations and indemnity are set out in the EU Representative Mandate.

Excludes consumer SaaS used by personnel for non-business purposes and routine office vendors with no access to Company information.

3. Roles

Role | Responsibility
Director | Approves new vendors with access to Restricted data; signs DPAs
Information Security Officer (Director) | Performs due diligence and ongoing monitoring
Data Protection Officer (Director) | Reviews data-protection terms in vendor contracts

4. Vendor classification

Tier | Definition | Examples
Critical | Provides production infrastructure or processes Customer Personal Data; outage or compromise has direct customer impact | Vercel, Supabase, OpenAI, Postmark, domain registrar
High | Has access to Confidential information or non-production access to systems | GitLab, password manager, error-tracking service
Medium | Operates internal-only systems with Internal-classified data | Accounting, billing, productivity tooling
Low | No access to Company information or systems | Office supplies, marketing services without analytics

5. Selection and due diligence

Before engaging a Critical or High vendor, the Director shall:

  1. Identify the data flow — which Company information will the vendor process; classification level; data minimisation considered.
  2. Verify certifications — SOC 2 Type II, ISO 27001, or equivalent; require evidence (report, certificate) under NDA.
  3. Review the vendor's security and privacy posture — public trust page, sub-processor list, and breach history.
  4. Assess transfer mechanisms — for cross-border transfers of personal data, confirm that the vendor's DPA incorporates the 2021 EU SCCs, or that the vendor holds DPF certification, or that another valid transfer mechanism is in place.
  5. Check the vendor's own sub-processors — fourth-party risk; confirm they meet equivalent standards.
  6. Confirm contractual security commitments — encryption, access control, breach notification, audit rights, deletion on termination.
  7. Document the decision — recorded in the Sub-processors list for sub-processors, or in an internal vendor register for non-sub-processors.

6. Contracting requirements

For every Critical and High vendor, the contract shall include:

  • A signed Data Processing Agreement for vendors processing Customer Personal Data, incorporating the 2021 EU SCCs (Module 2 or 3 as appropriate).
  • A confidentiality clause covering all Company information.
  • Breach notification within a defined window (typically 24–72 hours).
  • Audit rights sufficient to verify compliance, even if exercised through certification reports rather than direct audit.
  • Sub-processor flow-down equivalent to the obligations the Company commits to with its own customers.
  • Data return and deletion on termination, with certification of deletion on request.
  • Liability provisions appropriate to the data sensitivity.

7. Onboarding

For Critical and High vendors:

  • Account created with a dedicated company-domain email (not personal).
  • MFA enabled on day one.
  • Access provisioned at the minimum level required.
  • Vendor added to the Sub-processors list (if a sub-processor) with at least 30 days' advance notice to customers per the DPA.
  • Recovery / billing details stored in the password manager.

8. Ongoing monitoring

Cadences shall, at minimum annually, review for each Critical and High vendor:

  • Whether their certifications remain in force (SOC 2 / ISO 27001 reports renewed);
  • Whether their sub-processor list has changed in ways that affect Cadences's customers;
  • Whether their published breach history shows new incidents;
  • Whether the contract terms remain appropriate;
  • Whether the vendor remains the right choice (cost, capability, alternative providers).

Findings are recorded and any material changes communicated to customers per the Sub-processors list change procedure.

9. Sub-processor change procedure

When the Company intends to engage a new sub-processor, change a sub-processor's role, or replace one with another:

  1. The new or replacement sub-processor is added to the public Sub-processors page with a target activation date at least 30 days in the future.
  2. Subscribed customers are notified by email with the same 30-day window.
  3. A customer's reasonable objection on data-protection grounds triggers a discussion and, if no remediation is found, the customer's right to terminate the affected service for cause.
  4. After 30 days without objection, the sub-processor moves to active status.

10. Termination and offboarding

When a vendor relationship ends:

  • All credentials revoked on the same day as termination.
  • Data return or export completed before final shutdown.
  • Confirmation of deletion requested in writing where the vendor processes Customer Personal Data.
  • Sub-processor removed from the published list with a final-effective date.

11. Compliance and references

ISO/IEC 27001:2022 Annex A: A.5.19 (information security in supplier relationships), A.5.20 (addressing information security in supplier agreements), A.5.21 (managing security in the ICT supply chain), A.5.22 (monitoring and review of supplier services), A.5.23 (information security for use of cloud services).

GDPR Articles 28 (processor) and 29 (processing under the authority of the controller or processor).

Singapore PDPA — Protection Obligation (Section 24).

12. Version history

Version | Date | Author | Summary
1.0 | 2026-04-30 | Lauren ten Hoor | Initial issue