Hyarcs Investments (PTY) Ltd Vendor Management Policy


Purpose

Hyarcs Investments (Pty) Ltd T/A Stockroom ("COMPANY") utilizes third-party products and services to support its mission and goals. This Vendor Management Policy outlines the requirements for preserving and protecting COMPANY's information while ensuring compliance with relevant regulations, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable laws.

COMPANY commits to ensuring that all third-party vendors do not compromise the integrity, confidentiality, and privacy of COMPANY's data. This policy is subject to annual review and updates to remain in alignment with evolving regulations and business needs.

Audience and Scope

This policy applies to all vendors and partners who impact the confidentiality, integrity, and availability of COMPANY's technology, data, and sensitive information. It covers services that involve data handling, IT services, cloud storage, software development, and other functions within the scope of COMPANY's information security program.

Roles and Responsibilities

  • Vendor Managers shall:

    • Conduct a formal vendor risk assessment before onboarding, considering factors such as access to sensitive data, compliance requirements, and the vendor's security posture.

    • Ensure stakeholder requirements are complete and accurately documented.

    • Verify vendor responses to these requirements within 5 working days.

    • Support vendor selection through due diligence checks, including reviewing vendor compliance certificates (e.g., ISO 27001) and security protocols.

    • Establish Service Level Agreement (SLA) standards and define key performance indicators (KPIs) to monitor vendor performance.

    • Communicate contract status to stakeholders and manage the contract lifecycle, including renewals and termination.

    • Identify, monitor, and report key risks associated with each vendor.

    • Ensure prompt resolution of issues, disputes, or incidents, and implement a breach notification process in compliance with data protection regulations.

    • Oversee the termination and transition process, ensuring secure data destruction or return.

  • Compliance Officer shall:

    • Conduct periodic reviews of vendor compliance with legal, regulatory, and contractual obligations.

    • Maintain a record of vendor assessments and audits.

  • IT Security Team shall:

    • Define data security requirements for vendors, including encryption standards and access controls.

    • Monitor vendor activities for any potential security incidents and collaborate with vendor managers on remediation.

Vendor Selection and Onboarding

Before entering into a contract, all vendors must undergo a formal risk assessment process, which includes:

  • Evaluating the vendor's compliance certifications (e.g., ISO 27001, SOC 2) and adherence to relevant data protection laws.

  • Assessing the vendor's security practices, data handling procedures, and ability to safeguard COMPANY's sensitive information.

  • Reviewing the vendor's data breach and incident response plans.

Once approved, vendors must complete the onboarding process, during which they will agree to COMPANY's data security and confidentiality requirements.

Data Protection and Confidentiality

Vendors must:

  • Ensure data is encrypted both in transit and at rest.

  • Follow COMPANY's data sharing protocols and prohibit the use of COMPANY's data for purposes outside the agreed scope.

  • Report any security incidents directly to the Vendor Manager within 24 hours.

  • Obtain COMPANY's approval before engaging any subcontractors or fourth-party vendors and monitor their information security practices.

Risk Management and Assessment

  • COMPANY will perform regular (at least annual) risk assessments of vendors to evaluate ongoing compliance with COMPANY's security standards.

  • The risk assessment will include reviewing vendor access controls, data protection measures, and adherence to regulatory requirements.

  • Results from these assessments will be documented, and any identified risks must be mitigated promptly.

Performance Monitoring

  • Vendors are subject to performance monitoring based on the agreed KPIs defined in the SLA. COMPANY will conduct periodic reviews (quarterly or as needed) to ensure that vendors meet these performance standards.

  • Failure to meet performance standards may result in corrective actions, including contract renegotiation or termination.

Termination Process

Upon contract termination, the vendor must:

  • Return or destroy all COMPANY's sensitive information within 7 working days, adhering to industry-standard secure data destruction methods.

  • Provide COMPANY with a certificate of data destruction as evidence of compliance.

  • Ensure that any subcontractors or fourth-party vendors follow the same procedures for data return or destruction.

Audit Process

  • COMPANY reserves the right to audit vendors annually or as needed to verify compliance with applicable security policies, legal, regulatory, and contractual obligations.

  • Vendors must cooperate with audit requests and provide relevant documentation or access to systems for review.

Enforcement and Exceptions

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions, including removal of access rights, contract termination, and potential legal actions.

Exceptions to this policy will only be granted under specific business needs, local situations, laws, or regulations, as approved by COMPANY management. A formal exception request process will be followed, detailing the reasons for the exception and alternative security measures.

Policy Review and Updates

This policy will be reviewed annually and updated as necessary to ensure compliance with evolving regulatory requirements and best practices.
