
Vendor Policy

  • Policy Owner: Operations Team
  • Approved by: Senior Management Team
  • Effective Date: April 2025

This Vendor Risk Management Policy establishes guidelines for identifying, assessing, and mitigating risks associated with Code Town’s engagement of third-party vendors.

This policy applies to all employees involved in selecting, contracting, or managing third-party relationships.

The following policy statements outline how we manage risks associated with third-party relationships to protect our information assets and promote regulatory compliance.

Code Town is committed to:

  • Conducting due diligence before engaging with third-party vendors
  • Maintaining a vendor inventory, including what data each vendor has access to, what its risk level is, and who the account owner on Code Town’s side is
  • Continuously monitoring and reassessing vendor risks throughout the relationship lifecycle
  • Maintaining appropriate controls to mitigate identified risks
  • Ensuring vendor compliance with applicable laws, regulations, and Code Town’s policies

All potential third parties must undergo a risk assessment before engagement. Vendors that have any of the following will be given higher priority over similar vendors that do not:

  • The vendor has an established security program and clear documentation on data management.
  • The vendor has a security compliance stance such as SOC2, ISO27001, or similar frameworks.
  • The vendor has data segregation controls in place that will isolate our company data from other customers.
  • The vendor has a support function and documentation available, including support for data management and deletion.

Vendors will be categorized based on their risk level:

Risk level    Description
High Risk     Critical to operations or with access to sensitive data
Medium Risk   Important but not critical, with limited access to sensitive data
Low Risk      Non-critical with no access to sensitive data

Due diligence will be conducted proportionate to the risk level of the third party, which may include questionnaires, document reviews, on-site assessments, and third-party audits.

Results of due diligence will be documented and reviewed by appropriate stakeholders.

All third-party relationships are governed by written contracts. Contracts must include appropriate clauses addressing:

  • Service level agreements (SLAs)
  • Data protection and confidentiality
  • Compliance with applicable laws and regulations
  • Termination rights

Third parties must disclose and obtain approval for any subcontractors.

Ongoing Monitoring, Reporting and Escalation


Reassessment of the risks of high-risk third-party vendors is conducted on an annual basis, and of medium-risk vendors every two years.

Regular reporting on third-party risk status to senior management is established.

Immediate escalation of significant issues or breaches related to third parties to appropriate management and security teams is required.

Compliance with this policy is mandatory for all employees, contractors, and third parties with access to Code Town’s data.

In rare cases, business needs, local laws, or regulations may require exceptions. Management will approve any exceptions and define alternative solutions.

Non-compliance may lead to disciplinary action, including termination, as per Code Town’s policies.

This policy will be reviewed annually or when significant changes occur to maintain its continuing suitability, adequacy, and effectiveness.

Reviews must consider changes in the regulatory landscape.