Supplier Assessment Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines how Glassbreak assesses a new sub-processor before engagement and how existing sub-processors are re-assessed. It operationalises the vendor-and-sub-processor commitments in the Information Security Policy §3.7 and the 30-day customer-notice obligation in the published DPA at /legal/dpa.
2. Scope
- Every sub-processor that processes Glassbreak customer data, processes administrative metadata, or operates infrastructure on which Glassbreak depends materially.
- Every supplier whose failure or compromise would affect Glassbreak's ability to deliver service to its committed RTO and RPO (see /policies/business-continuity §3).
- Suppliers of workforce-supporting services where the service handles workforce credentials, Glassbreak source code, or other Glassbreak-sensitive material.
Suppliers of consumed-only resources that do not handle Glassbreak data and whose failure would not affect customer-facing service (commodity stationery, generic productivity tools used without Glassbreak data) are out of scope.
3. Procedure for a new sub-processor
3.1 Intake request
- The engagement is proposed in writing to the Security Officer. The proposer describes the function the supplier is to perform, the data classes the supplier will receive, the data residency required, the operational dependency introduced, and any alternatives considered.
- The Security Officer confirms the proposal is in scope of this procedure (section 2) before proceeding to assessment.
3.2 Intake checklist
The Security Officer assesses each candidate against the intake checklist. Items not relevant to the proposed use are marked N/A with a rationale; items missing entirely are recorded as gaps with a decision whether the gap is acceptable.
3.2.1 Security posture
- Public security or trust page describing the supplier's controls.
- Documented vulnerability-disclosure / coordinated-disclosure programme.
- Documented incident-notification commitment with a timing target acceptable to Glassbreak's DPA.
- Encryption-at-rest and encryption-in-transit standards.
- Identity, access, and MFA controls for the supplier's own workforce.
- Logging and customer-accessible audit-trail capability where applicable.
3.2.2 Certifications and reports
- SOC 2 Type II report (current, with a fresh observation window), or equivalent (ISO/IEC 27001:2022 certificate with current Statement of Applicability, or HITRUST, etc.).
- Industry-specific attestations relevant to the function (PCI-DSS for payment processors, ISO 27018 for cloud-data privacy where applicable).
- Bridge letters covering any gap between report period and engagement date.
- Where no current attestation exists, a documented pathway and timeline to obtain one, and a documented set of compensating controls.
3.2.3 Privacy and data-protection posture
- Published DPA or DPA-eligibility, with SCCs (EU SCCs Module 2 / 3, UK IDTA, Swiss FADP addendum) where the engagement involves cross-border transfer of personal data.
- Data-residency commitments matching the customer-facing commitments at /legal/sub-processors.
- Sub-sub-processor list and notification cadence.
- Data-subject-rights support mechanism.
- BAA eligibility where the function may handle PHI, even if PHI handling is not currently in scope.
3.2.4 Business continuity
- Documented BCP/DR including RTO and RPO commitments acceptable to Glassbreak.
- Evidence of tested recovery (test cadence, most-recent test date, summary of result).
- Geographic diversity of operations sufficient to survive a regional event.
- Status-page or other public mechanism for notification during disruption.
3.2.5 Operational and commercial
- Financial-stability indicators (publicly available funding or revenue indicators sufficient to give confidence in continuing operation).
- Contractual commitments around price stability and notice-on-termination acceptable to Glassbreak.
- Service-level agreement with measurable targets and credit remedies on breach.
- Termination and data-return commitments aligned to the Glassbreak DPA.
3.3 Decision
- The Security Officer is the decision authority for every sub-processor assessment. The Security Officer approves engagement, declines engagement, or approves engagement with documented compensating controls.
- Approval with compensating controls is recorded in the supplier-assessment register with an expiry date by which the residual gap must close or the engagement must be reviewed again.
- Where the engagement results in a new sub-processor that handles customer data, the DPA notification process is initiated to give customers at least 30 days' advance notice before the sub-processor begins processing — per the DPA at /legal/dpa.
- The sub-processor list at /legal/sub-processors is updated.
4. Engagement
- The engagement is executed under a written contract that includes a DPA where personal data is processed, an information-security schedule, an incident-notification commitment, and the sub-processor's SLA.
- Where the engagement requires sub-processor admin credentials to be issued to Glassbreak workforce members, those credentials are provisioned with MFA and recorded in the access register per /policies/onboarding §4.2.
- Where the sub-processor issues physical or cryptographic material (a hardware key, an operator certificate), that material is tracked in the asset register per the Off-site Assets Procedure.
5. Annual re-assessment
5.1 Cadence
- Every sub-processor in scope is re-assessed at least annually. The re-assessment month is set in the supplier-assessment register at intake.
- An ad-hoc re-assessment is triggered by any of the following:
  - A material change in the sub-processor's services, ownership, or jurisdiction.
  - An incident at the sub-processor that may affect Glassbreak customers (per the Threat Intelligence Procedure §6.3).
  - Loss of a key certification or report without an acceptable replacement.
  - Material weakening of the published DPA, data-residency, or notification commitments.
5.2 Re-assessment scope
- The intake checklist (section 3.2) is re-run against current evidence. Items previously accepted with compensating controls are re-evaluated.
- The sub-processor's incident history over the past year is reviewed against the threat-intelligence register.
- The Glassbreak operational dependency on the sub-processor is re-stated; if dependency has grown materially, the assessment depth is increased.
- Sub-sub-processor changes are reviewed against customer commitments.
5.3 Re-assessment decision
- Continue. The supplier remains approved; the next re-assessment month is confirmed.
- Continue with new compensating controls. A new residual-gap entry is recorded with an expiry date for the next re-evaluation.
- Continue with a notice period to migrate away. The supplier remains in service while a migration is planned; a target migration date is recorded.
- Terminate. The engagement is terminated and the sub-processor list at /legal/sub-processors is updated; customer notification follows the DPA.
6. Decision authority
The Security Officer is the decision authority for every approval, re-approval, and termination decision under this procedure. Where the decision has material commercial or contractual implications, the Security Officer consults leadership before recording the decision. The Security Officer's authority is stated in the Information Security Policy §4.
7. Records
- The supplier-assessment register lists every sub-processor in scope, with: function, data classes processed, intake date, intake-checklist result, decision, current residual gaps, compensating controls and expiries, next re-assessment month, and reference to the contract and DPA.
- Re-assessment results are appended to the register entry with date and outcome.
- Termination decisions and customer-notification references are recorded against the entry before the entry is closed.
- Records are retained for at least 5 years after the supplier ceases to be engaged.
8. Public sub-processor list
The current sub-processor list is published at /legal/sub-processors. Additions and material changes trigger the 30-day advance customer notification under the DPA. The supplier-assessment register entry is the internal counterpart of the published list entry.
9. Roles
- Security Officer — owns this procedure, performs intake assessments and annual re-assessments, signs every decision.
- Engineering and operations — surface candidate sub-processors, provide the operational-dependency context, support re-assessment with usage information.
- Leadership — consulted on commercially or contractually material decisions before they are recorded.
10. Review
This procedure is reviewed at least annually and after any sub-processor incident that exposed a weakness in the assessment process itself. The next scheduled review is 27 May 2027.
11. Related documents
- Information Security Policy (§3.7, §4)
- Business Continuity & Disaster Recovery Plan
- Incident Response Policy
- Threat Intelligence Procedure (§6.3)
- Off-site Assets Procedure
- Data Processing Agreement (/legal/dpa)
- Sub-processor list (/legal/sub-processors)
Counter-signed PDF copy available on request to compliance@glassbreak.io.