## Purpose
This procedure defines how Maelstrom AI assesses, selects, and manages suppliers and vendors against its security requirements.
## Critical Suppliers
### Cloudflare
Services: Workers, KV, Durable Objects, Pages, Analytics, DDoS protection
Criticality: High - Complete service dependency
Security Assessment:
- SOC 2 Type II certified
- ISO 27001 certified
- Enterprise SLA (99.99% uptime)
- Regular security audits published
Contract Terms:
- Data processing agreement
- Security and privacy provisions
- Incident notification requirements
- Right to audit
Monitoring:
- status.cloudflare.com for outages
- Security advisories reviewed
- Annual contract review
### GitHub
Services: Source control, CI/CD (Actions), artifact hosting, security scanning
Criticality: High - Development dependency
Security Assessment:
- SOC 2 Type II certified
- GitHub Advanced Security features enabled
- Bug bounty program
- Regular security updates
Contract Terms:
- GitHub Enterprise Cloud agreement
- Data protection addendum
- Security features included
Monitoring:
- GitHub status page
- Security advisories
- Dependabot alerts
## Vendor Selection Process
### For New Vendors
Step 1: Requirements
- Define business need
- Identify security requirements
- Determine criticality level
Step 2: Assessment
- Review vendor security posture
- Check certifications (ISO 27001, SOC 2)
- Review terms of service
- Assess data handling practices
Step 3: Approval
- Security Lead: Security assessment
- ISMS Owner: Final approval for critical vendors
- Document in vendor register
Step 4: Onboarding
- Sign contracts/agreements
- Configure security settings
- Document access credentials
- Add to monitoring
## Vendor Risk Assessment
### Risk Factors
| Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Data Access | No data access | Operational data | Signing keys, secrets |
| Criticality | Nice-to-have | Important for operations | Critical path |
| Security Posture | ISO 27001 + SOC 2 | Basic security | Unknown/weak |
| Geographic Location | Trusted jurisdictions | Standard | Concerning |
### Current Vendor Ratings
- Cloudflare: High criticality, Low risk (strong security)
- GitHub: High criticality, Low risk (strong security)
- npm Registry: Medium criticality, Low risk (supply chain controls)
## Ongoing Monitoring
Quarterly Review:
- Verify vendor still meets requirements
- Check for security incidents
- Review contract compliance
- Update risk assessment
Continuous Monitoring:
- Status pages for outages
- Security advisories
- News/breach notifications
## Vendor Incidents
If a vendor has a security incident:
- Assess impact to Maelstrom AI
- Activate incident response if needed
- Communicate with vendor
- Document in incident register
- Review vendor relationship
- Update risk assessment
## Vendor Termination
Offboarding Process:
- Revoke vendor access to our systems
- Retrieve/delete our data from vendor
- Terminate contracts
- Document lessons learned
- Update vendor register
## Open Source Dependencies
Managed via: Supply Chain Security procedures
Controls:
- Dependency scanning (cargo audit, npm audit)
- License compliance reviews
- Vulnerability monitoring
- Hermetic builds (locked versions)
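As an added illustration (not part of this procedure and not Maelstrom AI's own tooling), the POSIX shell script below shows how the dependency-scanning and locked-versions controls listed above can be enforced as a single CI gate: it refuses to continue when a manifest is present without its lockfile, then runs `cargo audit` and `npm audit` with thresholds that fail the build on findings. The repository layout, the `--deny warnings` and `--audit-level=high` thresholds, and the function names are assumptions for the example.

```shell
#!/usr/bin/env sh
# Constructed example of a supply-chain CI gate. Assumes cargo-audit and npm
# are installed on the CI runner; the directory layout is an assumption.

# check_lockfiles DIR
# Returns 0 only when every manifest found in DIR has its lockfile committed,
# i.e. the build is hermetic (locked versions). Reports each missing lockfile.
check_lockfiles() {
  dir="$1"
  rc=0
  if [ -f "$dir/Cargo.toml" ] && [ ! -f "$dir/Cargo.lock" ]; then
    echo "missing Cargo.lock in $dir" >&2
    rc=1
  fi
  if [ -f "$dir/package.json" ] && [ ! -f "$dir/package-lock.json" ]; then
    echo "missing package-lock.json in $dir" >&2
    rc=1
  fi
  return $rc
}

# run_audits DIR
# Runs the scanners the procedure names against whichever ecosystems are
# present. Any finding at or above the chosen threshold fails the gate.
run_audits() {
  dir="$1"
  check_lockfiles "$dir" || return 1
  if [ -f "$dir/Cargo.lock" ]; then
    # --deny warnings turns advisories such as unmaintained/yanked crates into failures
    (cd "$dir" && cargo audit --deny warnings) || return 1
  fi
  if [ -f "$dir/package-lock.json" ]; then
    # npm ci installs exactly what the lockfile pins; --ignore-scripts keeps
    # install hooks from running; --audit-level=high fails on high/critical
    (cd "$dir" && npm ci --ignore-scripts && npm audit --audit-level=high) || return 1
  fi
  return 0
}

# Only run the gate when a repository path is given on the command line.
if [ "$#" -gt 0 ]; then
  run_audits "$1"
fi
```

Invoke it from the pipeline as `sh supply_chain_gate.sh path/to/repo`; the lockfile check runs first so that an audit never reports on a dependency set that differs from the one the lockfile pins.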
## Related Documents
- Supply Chain Security procedures
- Risk Register - Supplier risks
- Statement of Applicability - Controls A.5.19-A.5.22
## Document Information
- Version: 1.1
- Effective Date: 2025-01-13
- Last Updated: 2026-02-16
- Owner: ISMS Owner
- Review Frequency: Annually
- Classification: Public