Third-party risk management policy

  • Policy owner: Pedro Piñera Buendía
  • Effective Date: January 7th, 2025

Purpose

To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers and other external parties, such as service providers, vendors, and customers. This document outlines the baseline security controls that Tuist GmbH expects partners and other third-party companies to meet when interacting with Tuist GmbH Confidential data.

Scope

This policy applies to all employees of Tuist GmbH and to all external parties, including consultants, contractors, business partners, vendors, suppliers, outsourced service providers, and other third-party entities with access to Tuist GmbH data, systems, networks, or system resources.

General requirements

  1. Information security requirements for mitigating risks associated with supplier access to the organization's assets shall be agreed upon with the supplier and documented.

  2. Pre-contract due diligence must include:

    • Financial health assessment to ensure the supplier’s stability and reliability.
    • Risk assessment to identify potential vulnerabilities and threats.
    • Information security evaluation to verify compliance with security standards.
    • Compliance checks to ensure adherence to applicable legal, regulatory, and certification frameworks.

  3. Proper due diligence shall be performed prior to granting access to Tuist GmbH Confidential data, systems, or networks. Regulatory or certification requirements to be considered may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR, or other frameworks.

Addressing security in agreements

Written agreements with suppliers that access, process, store, or transmit Confidential data must include:

  • Acknowledgment of responsibilities for confidentiality and security.
  • Commitments regarding the integrity, availability, and/or privacy controls required by Tuist GmbH’s information security program.

Technology supply chain

Tuist GmbH will assess risks associated with suppliers and the technology supply chain. Agreements must address relevant risks related to information and communications technology services and products.

Monitoring & review of third-party services

  1. Tuist GmbH shall monitor and audit supplier service delivery regularly. Reviews of supplier security and performance must occur at least annually.
  2. Any material changes by suppliers will be risk-assessed and agreements updated as necessary.

Third-party risk management

Tuist GmbH shall identify, document, and mitigate risks posed by third-party access to Confidential data or systems. No data shall be shared with third parties without a risk assessment and a fully executed contract outlining service levels and information security requirements.

Information security for use of cloud services

Cloud service usage shall comply with the following:

  • Risk management: All risks related to cloud services must align with this policy.
  • Service agreements: Protections for Tuist GmbH’s data must be clearly outlined.
  • Incident management: Cloud-related incidents will follow the Incident Response Plan.
  • Exit strategy: Vendor lock-in risks must be evaluated prior to acquisition.

Third-party security standards

All third parties must maintain reasonable organizational and technical controls. Evaluations will include:

  • Information security policy: Policies must be supported by executive management and regularly reviewed.
  • Risk assessment & treatment: Programs must assess, evaluate, and manage information and technology risks.
  • Access control: Programs must prevent unauthorized access to Tuist GmbH resources.
  • Human resources: Policies must include background checks for employees accessing Confidential data.
  • Compliance: All relevant regulations must be considered.

Exceptions

Requests for exceptions must be submitted to the IT Manager for approval.

Violations & enforcement

Violations of this policy must be reported to the IT Manager. Non-compliance may result in disciplinary action, up to and including termination of employment.

Version history

The version history of this document can be found in Tuist's handbook repository.