# WiBiz Vendor and Third-Party Risk Management Policy

**Document ID:** WBZ-SEC-VRM-001
**Version:** 1.0
**Effective Date:** 15 April 2026
**Owner:** Nicklaus D'Cruz, CEO
**Legal Entity:** Digital Benefits Pte Ltd (Singapore)
**Classification:** Internal
**Review Cycle:** Annual (next review: April 2027)

---

## 1. Purpose

This policy establishes the process for assessing, managing, and monitoring security risks associated with third-party vendors and service providers that access, process, or store WiBiz or client data.

## 2. Scope

This policy applies to all third-party vendors, service providers, sub-processors, and technology platforms used by WiBiz in the delivery of its services. This includes SaaS platforms, cloud infrastructure providers, payment processors, communication channel providers, AI and voice service providers, and automation tools.

## 3. Vendor Risk Assessment Process

### 3.1 Pre-Onboarding Assessment

Before any new vendor is approved for use, the following assessment must be completed:

1. **Security questionnaire:** The vendor completes a security questionnaire covering data handling, encryption, access controls, incident response, business continuity, and compliance certifications.
2. **Certification review:** Review of the vendor's security certifications (SOC 2 Type II, ISO 27001, or equivalent). For Critical and High vendors, certification evidence is required. For Medium and Low vendors, self-attestation is acceptable.
3. **Data flow mapping:** Document what WiBiz or client data the vendor will access, process, or store, and where that data will reside geographically.
4. **Risk rating assignment:** Assign a vendor classification based on the criteria in Section 4.

Vendors that refuse to complete a security questionnaire or cannot demonstrate adequate security controls are not approved.

### 3.2 Assessment Responsibility

The Governance Lead (currently Chielo) coordinates vendor assessments. The CEO approves onboarding of Critical-tier vendors. High-tier and lower-tier vendors may be approved by the Governance Lead.

## 4. Vendor Classification

Vendors are classified into four tiers based on their level of access to WiBiz and client data:

| Tier | Criteria | Examples |
|---|---|---|
| **Critical** | Processes or stores client PII, handles core platform functionality, or a failure would cause service outage | CRM/automation platform, hosting provider (Vercel), payment processors (Stripe, Razorpay) |
| **High** | Accesses client communication data or provides customer-facing functionality | Communication channel providers (Meta/WhatsApp Business API), AI model providers, voice synthesis providers |
| **Medium** | Accesses limited internal data, supports operational workflows, or provides development tooling | Automation orchestration platforms, e-signature providers, project management tools |
| **Low** | No access to client data, provides general business tools | Office productivity suites, design tools, internal communication tools |

Classification is reviewed when a vendor's scope of access changes.

## 5. Required Vendor Security Controls

### 5.1 Minimum Controls by Tier

**All tiers:**
- Data encrypted in transit (TLS 1.2 or higher)
- Security incident notification to WiBiz within 72 hours of discovery
- Defined data retention and deletion practices

**Critical and High tiers (additional):**
- Data encrypted at rest (AES-256 or equivalent)
- Role-based access controls with least privilege enforcement
- Multi-factor authentication for administrative access
- SOC 2 Type II, ISO 27001, or equivalent certification current within the past 12 months
- Annual penetration testing performed by a qualified third party
- Business continuity and disaster recovery plan documented and tested
- Security incident notification to WiBiz within 24 hours of discovery (overrides the 72-hour general requirement)
- Sub-processor disclosure and notification of changes

**Medium tier (additional):**
- Access controls documented
- Annual security review or self-assessment

### 5.2 Data Residency

For Critical and High tier vendors processing client PII, data residency must be documented. Where client contracts specify data residency requirements, the vendor's data processing locations must be compatible with those requirements.

## 6. Contract Security Requirements

### 6.1 Required Contract Clauses

All vendor contracts for Critical, High, and Medium tiers must include:

- **Data Processing Agreement (DPA):** Defines the scope of data processing, data categories, processing purposes, and the vendor's obligations as a data processor under PDPA and applicable privacy laws.
- **Confidentiality obligations:** Vendor personnel with access to WiBiz or client data are bound by confidentiality terms.
- **Breach notification clause:** Vendor must notify WiBiz within the timeframes specified in Section 5.1 upon discovering a security incident affecting WiBiz data.
- **Service Level Agreement (SLA):** Defines uptime commitments, support response times, and remedies for non-compliance.
- **Right to audit:** WiBiz retains the right to request evidence of security controls (certification reports, penetration test summaries, or security questionnaire updates) on reasonable notice.
- **Data return and deletion:** Upon contract termination, vendor must return or securely delete all WiBiz and client data within 30 days and provide written confirmation.
- **Sub-processor restrictions:** Vendor must disclose sub-processors and notify WiBiz of changes with at least 30 days' notice.

### 6.2 Existing Vendor Contracts

For vendors already in use at the time this policy takes effect, contract gaps are identified during the next scheduled review cycle and remediated at contract renewal.

## 7. Vendor Review Schedule

| Tier | Review Frequency | Review Scope |
|---|---|---|
| Critical | Annually | Full reassessment: updated security questionnaire or certification review, data flow validation, contract clause verification, incident history review |
| High | Annually | Updated certification or self-assessment review, data flow validation, incident history review |
| Medium | Every two years | Self-assessment review, contract clause check |
| Low | Every two years | Confirmation of continued use and scope |

Reviews are tracked in the vendor register maintained by the Governance Lead. Missed reviews are escalated to the CEO.

## 8. Current Critical and High Vendor Register

The following vendor categories are classified as Critical or High as of the effective date of this policy:

### Critical Vendors

| Vendor Category | Function | Data Access | Classification |
|---|---|---|---|
| CRM and automation platform | Core platform infrastructure for all client sub-accounts, workflows, and automation | Full client PII, communication logs, CRM data | Critical |
| Cloud hosting provider (Vercel) | Hosts WiBiz web applications, APIs, and front-end services | Application data, session data, environment secrets | Critical |
| Payment processor (Stripe) | Primary payment processing for client subscriptions and transactions | Payment card data (PCI-compliant), transaction records | Critical |
| Payment processor (Razorpay) | Payment processing for Singapore/SGD transactions | Payment card data (PCI-compliant), transaction records | Critical |

### High Vendors

| Vendor Category | Function | Data Access | Classification |
|---|---|---|---|
| Communication channel providers (Meta/WhatsApp Business API) | Customer-facing messaging channels | Customer conversation data, phone numbers, message content | High |
| AI model providers | Powers AI response generation and intelligence features | Conversation context, business knowledge base content | High |
| Voice synthesis providers | AI voice capabilities for Pro-tier clients | Voice interaction data, conversation transcripts | High |
| Automation orchestration platforms | Workflow automation connecting systems | API data passing through workflows, client operational data | High |
| E-signature provider (Adobe Sign) | Contract and handover document execution | Signatory PII, document content | High |

This register is maintained by the Governance Lead and updated when vendors are added, removed, or reclassified.

## 9. Sub-Processor Management

### 9.1 Sub-Processor Disclosure

Critical and High tier vendors must disclose their sub-processors that will process WiBiz or client data. WiBiz maintains a record of disclosed sub-processors.

### 9.2 Sub-Processor Changes

Vendors must notify WiBiz at least 30 days before engaging a new sub-processor that will handle WiBiz or client data. WiBiz reserves the right to object to a sub-processor change. If the objection cannot be resolved, WiBiz may terminate the affected service with a reasonable transition period.

### 9.3 WiBiz as Sub-Processor

When WiBiz itself acts as a sub-processor (processing data on behalf of clients), WiBiz maintains its own sub-processor list disclosing the Critical and High tier vendors listed in Section 8. This list is made available to clients upon request.

## 10. Vendor Offboarding

When a vendor relationship is terminated, the following steps are completed:

1. **Notification:** Vendor is formally notified of termination per contract terms.
2. **Data return or deletion:** Vendor returns all WiBiz and client data in a usable format, or securely deletes it, within 30 days. Written confirmation of deletion is obtained and retained.
3. **Access revocation:** All API keys, tokens, webhooks, and integrations connecting WiBiz systems to the vendor are revoked or disabled.
4. **Credential rotation:** Any shared credentials or API keys that the vendor had access to are rotated.
5. **Migration verification:** If a replacement vendor is being onboarded, data migration is verified before the departing vendor's data is deleted.
6. **Register update:** The vendor register is updated to reflect the termination date and offboarding completion.

The Governance Lead is responsible for executing and documenting the offboarding checklist.

## 11. Incident Response for Vendor Breaches

If a vendor reports a security incident affecting WiBiz or client data:

1. The Governance Lead is notified immediately upon receipt of the vendor notification.
2. The CEO is informed within 4 hours for Critical and High tier vendor incidents.
3. The scope of affected data is determined in coordination with the vendor.
4. Affected clients are notified in accordance with WiBiz's Incident Response Policy and applicable data protection laws.
5. The incident is documented in the vendor's risk register entry.
6. A post-incident review determines whether the vendor's classification, controls, or contract terms need to be updated.

## 12. Policy Compliance and Exceptions

Compliance with this policy is mandatory for all vendor engagements. Exceptions require written approval from the CEO, documentation of the risk accepted, and a defined expiry date. No exception is permanent.

This policy is reviewed annually or when significant changes to the vendor landscape, threat environment, or regulatory requirements occur.

---

**Approval:**
Nicklaus D'Cruz, CEO, Digital Benefits Pte Ltd
Date: 15 April 2026
