# Vendor Management Policy — Apache-3 Inc.

**Document version:** 1.0
**Effective date:** 2026-05-20

## Purpose

Apache-3 Inc. uses cloud services (SaaS), data processors, and contractors to deliver services. This policy governs the selection, monitoring, and offboarding of vendors.

## Scope

Applies to every vendor whose service touches Apache-3 systems or Customer Data.

## Vendor categories

**Critical** — vendors handling Customer Data or payment processing (Supabase, Stripe, Resend, Anthropic, OpenAI, AWS, Google Cloud, Vercel)

**Important** — vendors enabling daily operations (Google Workspace, GitHub, Cloudflare)

**Supporting** — incidental tools that touch only Apache-3 internal data (productivity software, training platforms)

## Selection criteria

Before onboarding a new vendor, Apache-3 evaluates:

1. **Security posture.** SOC 2 / ISO 27001 / FedRAMP authorization? Public security documentation? Recent breaches?
2. **Data handling.** Does the vendor process Customer Data? What is their data residency? Do they offer DPAs?
3. **Business stability.** Funded? Profitable? Track record?
4. **Contractual terms.** Acceptable terms of service? Reasonable liability and indemnity? Termination flexibility?
5. **Alternatives.** Is there a comparable vendor with better posture? Is there an open-source self-hosted alternative?

For **Critical** vendors, all five criteria must be assessed and documented.
For **Important** vendors, criteria 1-3 are required.
For **Supporting** vendors, a lightweight review is sufficient.

## Onboarding

When adopting a new vendor:

1. Document the vendor in the vendor inventory (workspace-admin/docs/vendors.md, private)
2. Execute the vendor's DPA (or get one in place) for Critical vendors
3. Configure MFA on the Apache-3 account
4. Document the credentials in the dotenv repo (encrypted)
5. Note the renewal date + contact for the account

## Monitoring

For each vendor:

- **Daily**: automated availability check for production-dependency vendors (Supabase, Vercel)
- **Quarterly**: review of vendor security advisories and changelog
- **Annually**: full risk reassessment per the selection criteria

## Subprocessor change notification

When a Critical vendor changes its subprocessor list (often surfaced in DPA changes), Apache-3 evaluates whether the change affects any Customer DPA commitments.

## Offboarding

When sunsetting a vendor:

1. Export any data Apache-3 needs to retain
2. Verify deletion of data from the vendor's systems (or wait for the contractual retention period to expire)
3. Cancel the subscription / close the account
4. Revoke all integrations (OAuth, API keys, webhooks)
5. Update the vendor inventory + dotenv repo
6. If the vendor processed Customer Data, ensure data is returned/deleted per the DPA

## Current Critical / Important vendor list

See apache3.com/compliance/subprocessors.md (public version, refreshed quarterly).

## Review cadence

This policy is reviewed annually or upon material change.

---

*Apache-3 Inc. — UEI JQMHLJNNJYN1 — CAGE 8DFR5*
