Supplier Management Policy

Introduction

The purpose of this policy is to ensure the security and responsible management of Redgate's suppliers.

Scope

This policy applies to all employees, contractors, and third-party users who engage with suppliers on behalf of Redgate.

Policy

Supplier Selection

Services fall into two categories (critical and non-critical), based on the risk profile of the service (this is determined by the type of data and/or volume of confidential or sensitive information, availability and/or integrity requirements). In all cases:

• All Suppliers that process Redgate information or have access to Redgate’s systems must be evaluated and approved by the Software Asset Management Group before being approved for use. This evaluation shall include a review of their security practices and policies in place, proportional to the risk that working with the supplier poses to Redgate
• Suppliers must be required to sign a confidentiality agreement (or address this in their contracts).

Critical services shall undergo a full review prior to selection. Review areas include (where applicable):

• Data Privacy
• Data Processing Agreements
• Security Review
• Insurance Cover
• Technical Review
• Regulatory Legal Compliance
• Contractual Legal Review
• Commercial Review
• Service Level Agreements
• Licence Review

Supplier Management

Redgate shall maintain an up-to-date register of all suppliers and the products and services they supply to us.

Redgate shall maintain a list of embargoed countries/customers/suppliers.

Documentation

Redgate shall maintain detailed records of all vendor agreements, contracts, and other documentation associated with the vendor relationship. Suppliers shall be viewed upon renewal or when Redgate are made aware of material changes to services. Business Critical Services will be reviewed at either contract renewal or earlier (at our discretion).

Data Protection

Suppliers shall be required to:

• Protect the confidentiality, integrity, and availability of Redgate's data and systems.
• Implement or have in place appropriate security measures to prevent unauthorized access to or disclosure of Redgate’s data and systems.
• Comply with relevant data protection laws and regulations.

Redgate shall ensure that contractual agreements are put in place when personal information is shared between organisations.

Processing of Credit Card Data

Suppliers who may process credit card data falling under the scope of PCI-DSS requirements shall be required to maintain PCI-DSS compliance.

Redgate shall maintain a record of which PCI-DSS requirements are managed by each service provider.

Redgate shall verify compliance of such vendors annually.

Security Incident Response

In the event of a security incident involving a supplier:

• The incident must be reported to IT Ops or █████ immediately.
• IT Ops will coordinate with relevant stakeholders to respond to the incident and restore normal operations.
• A post-incident review shall be conducted to identify and address any security weaknesses that contributed to the incident (within 2 weeks).

Termination of Supplier Relationships

A process shall be maintained for terminating supplier relationships in an orderly and secure manner. As part of this process:

• All assets and data shall be returned or destroyed, as appropriate, and access to Redgate's systems and data shall be revoked.

A final review of the supplier relationship shall be conducted to ensure that all security and quality requirements have been met.