OLD_ Vendor Background Screening Policy - replaced with Third Party Vendor Policy.docx

Vendor Background Screening Policy


Document information and change log

Document Information

Next review: Apr 19, 2025
Status: Update
Regional scope & language: Territory of USA in English
Applies to entities: GiveCorporation Inc.
Overall responsibility: Loraine Stewart, CCO.
Approved by: Joshua Rowley, CEO; Aaron Miller, CRTO; Michael Brinker, CBFO

Change log

Date           Version   Reason for version
Sep 1, 2017    1.0       Initial Release
Sep 1, 2018    2.0       Annual Review
Sep 1, 2019    3.0       Annual Review
Sep 1, 2020    4.0       Annual Review
Sep 1, 2021    5.0       Annual Review & Updates: Anti-Money Laundering Act of 2020
Sep 1, 2022    6.0       Annual Review
Aug 19, 2023   7.0       Annual Review & Updates: PCI Level 1 4.0 & DSS 4
Apr 19, 2024   8.0       Annual Review & Updates: Definition, Applicability, Data Security, Compliance


Gender And Entity Neutrality

The masculine form is used solely for the sake of better readability. It always refers to persons of any gender identity (m/f/diverse). This document uses the abbreviation “Give” for all legal entities and subsidiaries.


Table of Contents

Introduction

Definition

Purpose

Scope

Policy Review and Updates

Compliance

Responsibilities

Vendor Selection and Due Diligence

Security Controls and Data Protection

Compliance and Legal Obligations

Business Continuity and Financial Stability

Service Level Agreements (SLAs)

Reputation and References

Geographic and Scalability Considerations

Contractual Terms

Access Controls and Incident Response

Ongoing Vendor Management

Security Awareness and Training

Documentation and Performance Monitoring

Amendments and Enforcement


Introduction

Definition

A vendor provides a product or service directly to Give or to Give’s customers on behalf of Give.

A third party interacts with Give. An example of a third party is a landlord or tenant relationship.

For the purpose of this policy, a vendor provides a product and or service that is core to Give’s business. The product and or service is provided directly to Give or to Give’s customers on behalf of Give.

Individual independent contractors are subject to the employee background screening policy.

Purpose

The purpose of this policy is to establish guidelines for selecting, screening, and managing third party vendors. This policy ensures the protection of sensitive information, compliance with industry standards like PCI DSS, and risk mitigation in vendor relationships. Give aims to mitigate risks such as data breaches, service disruptions, legal liabilities, and reputational damage that can arise from engaging with vendors that do not adhere to the most current security standards, ethical conduct and efficient performance.

Scope

This policy applies to all third party vendors engaged by Give, including those handling, processing, or storing cardholder data. It covers the entire vendor lifecycle, from selection to termination.

Policy Review and Updates

Give will periodically review and update this policy. As technology changes, security measures evolve and new risks emerge, Give will adjust this policy and vendor agreements to reflect the changes. Changes will be communicated to all relevant parties.

Compliance

Adherence to this policy is mandatory for all parties involved in vendor management. Periodic reviews will be conducted to verify that vendors are complying with Give’s policies and procedures. There are consequences for non-compliance. Failure to correct non-compliance may lead to termination of the relationship. This policy aligns with PCI DSS requirements.

Responsibilities

The Management, Procurement, Security, Risk and Compliance teams are responsible for implementing and enforcing this policy.

Vendor Selection and Due Diligence

Vendors are selected based on criteria including security standards, reputation, financial stability, capabilities, and ability to meet compliance requirements.

The selection process includes risk assessment, evaluating security controls, data protection policies, and compliance with legal obligations.

Security Controls and Data Protection

Vendors must implement appropriate security controls to protect cardholder data. The security controls include both physical security and cybersecurity. Data security standards protect sensitive information by preventing unauthorized access to, disruption, use, modification, sharing, or destruction of the data. Many of the security and protection factors reviewed are listed in Give’s PCI DSS, Information Security, Privacy, PIN Compromise, Data Compromise, Business Continuity and Disaster Recovery policies.

An annual assessment of the vendor's security posture and data handling practices is required. The vendor’s physical access to the location(s) where sensitive information can be accessed will be included in the assessment. Only personnel authorized to have access to the sensitive information

Compliance and Legal Obligations

Vendors must comply with industry-specific regulations and standards. Verification of vendor certifications and audit reports is essential.

Periodically, Give will conduct a vendor review to ensure continued vendor compliance. If gaps are noted, Give will require the vendor to remediate the gaps within a specific timeframe. Continued non-compliance may result in ending the vendor relationship.

Business Continuity and Financial Stability

Give will conduct an evaluation of the vendor’s business continuity and disaster recovery plans during the due diligence process and throughout the life of the relationship.

An initial assessment of the vendor's financial stability and viability will be conducted to avoid disruption in our business.

Service Level Agreements (SLAs)

SLAs must align with Give’s requirements.

Regular review of SLA compliance is necessary. Give will adhere to the terms of the contract, including those governing non-compliance with SLAs.

Reputation and References

Give gathers and assesses vendor reputation through client references and industry reviews.

Geographic and Scalability Considerations

Give assesses the risks associated with the vendor’s geographic location and scalability. In some instances, a site visit may be necessary to assess the physical security of people and sensitive information.

Contractual Terms

There is thorough review of contractual terms, including security requirements and compliance clauses. Additionally, there are regular updates to contractual agreements to ensure relevancy.

Access Controls and Incident Response

Give has implemented control processes to manage vendor access to sensitive data. Vendor access to sensitive information is granted only as needed to complete a function or task. Give will periodically review each vendor’s access to ensure access levels are appropriate.

Give’s incident response procedures include vendors’ roles and responsibilities in the event of a breach. The incident response plan will be tested annually, and vendors are expected to participate where appropriate. In the event of a security breach, each vendor is expected to follow Give’s incident response plan.

Ongoing Vendor Management

Vendors will be monitored for compliance with security requirements. Give will conduct consistent performance reviews and assessments. Periodically, each vendor’s risk will be assessed to determine whether the risk rating is appropriate or should be updated. Higher-risk vendors are reviewed more frequently and lower-risk vendors less frequently.

Security Awareness and Training

Give will conduct regular security training for vendors on data protection and compliance policies. Vendors are expected to participate and comply with the training information.

Developer Training and Onboarding Policy

Developers bring a specific skill set and are brought onboard differently from the rest of the employee population. Training includes specific developer related training. Once approved by the Training Authority, the new developer is presented to the Lead Programmer for final approval. The Lead Programmer will approve the new developer by signing and approving the New Developer Request Form.

Documentation and Performance Monitoring

Give validates the vendor's compliance with privacy regulations and data protection laws. Performance metrics are used to assess vendor service levels. Results from the validation and performance metrics are documented and retained in line with regulatory and Give’s record retention requirements.

Amendments and Enforcement

This policy is subject to amendments as per organizational and regulatory needs.

Enforcement of the policy is crucial for maintaining security and compliance standards. Enforcement of this policy aligns with the terms of the vendor agreement.

The information contained herein is intended to provide a general overview of the Company’s policies and procedures relating to compliance with this Policy and does not constitute legal advice or a complete description of the laws and regulations relating to this Policy. The Company has made every effort to ensure the accuracy and completeness of this Policy. This document is intended to provide guidance to employees of Company on how to comply with applicable laws and regulations related to this Policy. Employees should consult with the Legal or Compliance Department if they have any questions about the Policy or how to comply with it. Company reserves the right to modify or update this Policy at any time without notice. Employees are responsible for reviewing the Policy on a regular basis to ensure that they are aware of any changes. This Policy applies to all employees of Company, regardless of their position or location unless stated otherwise in the Policy. Employees are responsible for complying with the Policy and for reporting any suspected violations to their respective supervisor, the Legal Department, AMLCO or respective recipient of such violation as outlined in this Policy.

Copyright © GiveCorporation Inc. All Rights Reserved