Appcircle Vendor Management Policy¶
Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy establishes Appcircle's requirements for assessing, onboarding, and managing third-party vendors. Appcircle uses a range of third-party services across its operations and product infrastructure. While components may be outsourced, Appcircle remains wholly responsible to its customers for the security and reliability of the services it provides, including those delivered through third parties. Effective vendor management reduces the risks associated with outsourcing and third-party dependencies.
Scope¶
This policy applies to:
- All third-party services and suppliers used by Appcircle, including cloud infrastructure providers, software vendors, sub-processors, and service partners.
- All personnel responsible for selecting, onboarding, or managing vendor relationships.
Key vendors in scope include, but are not limited to: Google Cloud Platform (production infrastructure), Microsoft 365 and Entra ID (identity, email, and endpoint management), GitHub (source code), and other services that process or store Appcircle or customer data.
New vendor assessment¶
Before onboarding any new vendor, a formal assessment must be completed. This assessment includes:
- Business justification: A documented business case for the need.
- Cost-benefit analysis: An assessment of fees, time investment, and other associated costs.
- Information security risk assessment: An evaluation of how the service will be used, the types of data involved, and the applicable information security risks.
- Accreditation review: Review of the vendor's security certifications and compliance attestations, such as SOC 2 Type II and ISO 27001.
- Business dependency assessment: An evaluation of the risk posed by reliance on the vendor's availability and continuity.
- Alternative comparison: Consideration of alternative providers where applicable.
- Risk mitigation planning: Identification and documentation of controls to address material information security or continuity risks.
Management review and approval is required before selecting and onboarding a new vendor.
Vendor register¶
Appcircle maintains a vendor register that records all material third-party relationships. For each vendor, the register tracks:
- Accountable owner: The Appcircle employee responsible for ongoing management of the vendor relationship.
- Security accreditations: Third-party assurance reports and certifications (e.g. SOC 2, ISO 27001).
- Information security risk: The inherent risk level based on the type and volume of data the vendor processes or stores.
- Business dependency risk: The potential impact of a vendor service failure on Appcircle's ability to operate and serve customers.
- Vendor risk: A composite risk rating based on the vendor's size, reputation, certifications, and past performance.
- Review history: The date and responsible person for the most recent vendor review.
Ongoing monitoring and annual review¶
Each material vendor is reviewed at least annually to confirm or update the risk assessment and accreditation status. Ongoing monitoring activities include:
- Reviewing the vendor's compliance reports and certifications.
- Assessing any changes to the services provided or data involved.
- Confirming that contractual security obligations remain in place and are being met.
Vendor-related security incidents or material changes to service capabilities are assessed as they arise, outside of the annual review cycle.
Contractual requirements¶
Vendors that process or store Appcircle or customer data are required to maintain equivalent information security standards. Vendor contracts include provisions covering:
- Data protection and confidentiality obligations.
- Breach notification requirements consistent with Appcircle's incident response and regulatory obligations.
- Sub-processor restrictions and disclosure requirements where applicable.
- Data return and deletion obligations upon contract termination.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Accountable for this policy; ensures all material vendors are assessed and maintained in the vendor register; approves new vendor onboarding.
- Engineering / Platform / Operations: Responsible for assessing vendors prior to onboarding; maintains ongoing ownership of assigned vendor relationships; performs periodic review.
- All personnel: Must not onboard new vendors or share Appcircle or customer data with third parties without following this policy.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria — Risk Management, Common Criteria)
- ISO/IEC 27001:2022 (A.5.19–A.5.22 Supplier relationships)
- GDPR (Article 28 — Processor obligations; Article 32 — Security of processing)
- KVKK (Article 12 — Data security obligations)
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorised delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to Appcircle's vendor relationships or regulatory requirements.
Note
This public policy describes Appcircle's vendor management approach at a high level. The vendor register, detailed risk assessments, and specific contractual terms are maintained internally and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- System Access Control Policy
- Network Security Policy
- Incident Response Plan
- Business Continuity and Disaster Recovery Policy
- Asset Management and Data Classification Policy