This is documentation on how we manage Upmind suppliers. Its purpose is to ensure the secure selection, use, management, and termination of supplier and vendor relationships in alignment with Upmind's information security requirements, maintaining compliance with relevant standards and minimising risk.
This policy applies to all suppliers and vendors engaged by Upmind, including cloud service providers and subcontractors, who provide products, services, or infrastructure that could affect Upmind's information security posture.
As always, any incidents related to suppliers should be reported following 6.1. Reporting Incidents and logged in the ‣.
All suppliers must be thoroughly vetted before engagement, and a new supplier checklist must be completed (‣).
Vetting criteria include:
The depth of these due diligence checks will be based on a risk assessment that takes into account the contractual relationship, the product or service to be supplied and its criticality to Upmind. For instance, cloud providers must undergo thorough due diligence regarding the locations and storage of personal data (Cloud Service Providers).
The CEO must approve all suppliers prior to any contractual agreement. All payments must be made according to the ‣.
Where a supplier is assessed as high risk, additional information security controls and contingency arrangements must be put in place, based on the results of the risk assessment. Suppliers that were not subject to an information security due diligence assessment prior to an agreement being made must be subject to an evaluation process to identify any required improvements or additional internal controls to mitigate the identified risks.
Once a potential supplier has been positively assessed, any applicable information security requirements of the Company must be captured within the written contractual agreement, or be already included in the terms and conditions/public information available from the provider.
Where suppliers are already onboarded, we aim to review their setups and adjust the supplier agreements as required within the next year.
Where practicable, such documentation must take into account the classification of any information that is to be processed by the provider (including any required mapping between internal information classifications and those in use within the provider), legal and regulatory requirements and any additional information security controls.
Legal advice must be obtained, where appropriate, to ensure that contractual documentation is valid within the country or countries in which it is to be applied.