Third-Party Risk Management Policy

Policy owner Effective date
@ZJvandeWeg 2023-06-01


To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.


All data and information systems owned or used by FlowFuse that are business critical and/or process, store, or transmit data classified as Confidential or Critical.


A list of approved vendors/partners must be maintained and reviewed annually. This list will be linked from the Vendor section of the handbook.

Approval from management must be in place before onboarding any new vendor or contractor that impacts FlowFuse production systems. Additionally, all changes to existing contract agreements must be reviewed and approved before implementation.

For any technology solution that needs to be integrated with FlowFuse production environment or operations, a review should be held to understand and approve the risk. Periodic compliance assessment and SLA review may be required.

FlowFuse Customers or Partners should not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.

Additional vendor agreements should be obtained as required by applicable regulatory compliance requirements.


Requests for an exception to this policy must be submitted via email to the CEO or CTO for approval.

Violations & Enforcement

Any known violations of this policy should be reported to the CEO or CTO. Violations of this policy can result in immediate withdrawal or suspension of system access and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta