Supplier Security Policy (A.5.19)
Document ID: supplier-security-policy
Version: 1.0
Effective from: 2025-01-01
Owner: Founder / CEO
Review cycle: Annual (policy) + Quarterly (vendor register review)
Purpose
Ensure that suppliers and sub-processors who access, process, or store SigmaShake or customer information maintain appropriate security standards.
Supplier categories
| Category | Examples | Security requirement |
|---|---|---|
| Critical (data access) | Cloudflare, GitHub, Stripe | Annual DDQ + SOC 2 Type 2 or ISO 27001 report required |
| Important (limited access) | Resend, Linear, Discord | Annual DDQ + security questionnaire |
| Standard (no data) | Analytics tools, font CDNs | Vendor register entry only |
Supplier security requirements
Before onboarding a new Critical or Important supplier:
- Review their latest SOC 2 Type 2, ISO 27001 certificate, or equivalent
- Complete the vendor DDQ template in the compliance portal
- Confirm they have an incident notification SLA (target: 24 hours)
- Register in the vendors table with data access level
- Obtain a DPA if the supplier processes personal data (GDPR Article 28)
Physical controls inheritance
SigmaShake has no physical infrastructure. All A.7 (Physical) controls are inherited from:
- Cloudflare — data centres, hardware security, environmental controls
- GitHub / Microsoft — repository hosting physical security
- AWS (via Cloudflare) — underlying cloud infrastructure
Quarterly attestation: recorded under the physical-controls-inheritance attestation type in the attestations table.
Sub-processor list
The current sub-processor register is maintained in the compliance portal at /compliance/vendors. Key sub-processors:
| Vendor | Role | Data access |
|---|---|---|
| Cloudflare | CDN, Workers, D1, R2, KV | Infrastructure (no customer content) |
| GitHub | Source control, CI/CD | Source code, compliance automation |
| Stripe | Payment processing | Payment metadata only |
| Resend | Transactional email | Email addresses |
Annual review
The vendor-refresh collector runs monthly and opens a gap if any vendor report is expiring within 90 days. The full annual review is conducted via the risk-register-review collector.
Evidence
| Collector | Cadence | Control |
|---|---|---|
| vendor-refresh | Monthly | A.5.19–A.5.22 |
| risk-register-review | Quarterly | A.5.4 |
| physical-access-inheritance | Quarterly | CC6.4 (SOC 2) |