# Third-Party Risk Management Policy
Policy owner | Effective date |
---|---|
@ZJvandeWeg | 2023-06-01 |
# Purpose
To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.
# Scope
All data and information systems owned or used by FlowFuse that are business critical and/or process, store, or transmit data classified as Confidential or Critical.
# Policy
A list of approved vendors/partners must be maintained and reviewed annually. This list will be linked from the Vendor section of the handbook.
Approval from management must be in place before onboarding any new vendor or contractor that impacts FlowFuse production systems. Additionally, all changes to existing contract agreements must be reviewed and approved before implementation.
For any technology solution that needs to be integrated with the FlowFuse production environment or operations, a review should be held to understand and approve the risk. Periodic compliance assessment and SLA review may be required.
FlowFuse Customers or Partners should not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.
Additional vendor agreements should be obtained as required by applicable regulatory compliance requirements.
# Exceptions
Requests for an exception to this policy must be submitted via email to the CEO or CTO for approval.
# Violations & Enforcement
Any known violations of this policy should be reported to the CEO or CTO. Violations of this policy can result in immediate withdrawal or suspension of system access and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta