# Yazi Vendor Management Policy

### 1. Introduction

This Vendor Management Policy ("Policy") outlines Yazi's approach to identifying, onboarding, monitoring, and managing all vendors and third-party service providers ("Vendors") who may have access to Yazi systems, networks, or data, including client data. The Policy is designed to minimise risks associated with third-party relationships, ensure compliance with applicable regulations (such as POPIA and GDPR), and protect Yazi’s operational integrity.

***

### 2. Scope

This Policy applies to all vendors that:

* Process or store Yazi's or client data
* Provide critical services or infrastructure
* Have access to Yazi's systems or networks
* Integrate with Yazi's WhatsApp research platform

It covers the lifecycle of the vendor relationship, including selection, due diligence, onboarding, ongoing monitoring, and termination.

***

### 3. Roles and Responsibilities

* Vendor Relationship Owner (VRO): The Yazi employee responsible for initiating the vendor engagement, coordinating due diligence, and acting as the primary liaison.
* Legal & Compliance Team: Ensures all contractual and regulatory obligations are addressed, conducts legal review of agreements, and advises on compliance.
* Information Security Team: Evaluates and approves the security posture of Vendors, conducts risk assessments, and manages incidents.
* Finance Team: Reviews financial viability and ensures that negotiated terms align with Yazi’s budget and payment processes.
* Executive Management: Approves strategic or high-risk vendor relationships, especially those handling sensitive or mission-critical operations.

***

### 4. Vendor Classification

Yazi classifies Vendors into three risk-based levels:

#### 4.1 Level 1 (Critical)

* Vendors with direct access to personal or confidential data
* Integration with Yazi's core platform services (e.g., AWS, WhatsApp Business API providers)
* High impact on business continuity if services are disrupted
* Example: Hosting providers, payment gateways, communication APIs

#### 4.2 Level 2 (Important)

* Vendors who have access to some internal systems or process non-sensitive data
* Moderate impact on Yazi’s operations
* Example: Analytics providers, specialised software tools

#### 4.3 Level 3 (Standard)

* Vendors with no direct access to systems or data
* Minimal impact on business operations
* Example: Office supplies, cleaning services

Classification ensures that due diligence and monitoring are proportionate to the level of risk.

***

### 5. Vendor Selection & Due Diligence

#### 5.1 Identification and Evaluation

1. Business Need Identification: The department requesting the service identifies its business objectives and requirements.
2. Preliminary Vendor Research: Shortlist possible Vendors based on capabilities, market presence, and references.
3. RFP/RFQ Process (If Required): For major or complex engagements, a formal Request for Proposal (RFP) or Request for Quotation (RFQ) may be used to compare Vendors.

#### 5.2 Initial Assessment

All prospective Vendors undergo an evaluation to ensure they meet Yazi’s standards:

1. Security Capabilities Evaluation: Assess the Vendor’s information security controls and policies.
2. Regulatory Compliance Check: Confirm Vendor adherence to POPIA, GDPR, or other relevant regulations.
3. Financial Stability Review: Request financial statements or credit references to verify sustainability.
4. Technical Capability Assessment: Evaluate the Vendor’s infrastructure, scalability, and compatibility with Yazi’s environment.
5. Privacy Impact Assessment: For Level 1 Vendors, a formal privacy impact assessment is required to understand data handling risks.

#### 5.3 Documentation Requirements

Depending on the Vendor’s classification, Yazi may request:

* Information security policies (e.g., ISO 27001 certification)
* Data protection procedures and certifications (e.g., SOC 2, ISO 27701)
* Compliance certifications for relevant regulations
* Business continuity and disaster recovery plans
* Insurance coverage documents
* Penetration test reports or vulnerability scans (Level 1 Vendors)

All documentation is reviewed by the relevant Yazi teams to confirm appropriateness.

***

### 6. Security Requirements

#### 6.1 Baseline Security Requirements (All Vendors)

* Data Encryption: All Vendor-managed data for Yazi must be encrypted both in transit (TLS 1.2 or higher) and at rest.
* Access Controls: Implement role-based access with the principle of least privilege. Access to Yazi data or systems must be granted only as necessary.
* Incident Reporting: Provide immediate notification to Yazi (within 24 hours) of any security incident affecting Yazi data or operations.
* Regular Security Assessments: The Vendor must conduct periodic vulnerability assessments. Yazi may request copies of summary reports.
* Employee Screening: Vendors must have background checks or vetting procedures for personnel handling Yazi data.

#### 6.2 Additional Requirements for Level 1 Vendors

* Multi-Factor Authentication (MFA): Mandatory for all user accounts with access to Yazi data.
* Regular Penetration Testing: Provide evidence of at least annual penetration tests and remediation.
* Security Audit Reports: Submit independent audit reports (e.g., ISO 27001, SOC 2 Type II) on a regular basis.
* Data Localisation Compliance: Where regulations demand local data storage, the Vendor must ensure data residency within specified jurisdictions.

***

### 7. Contractual Requirements

#### 7.1 Mandatory Contract Clauses

1. Data Protection: Outline obligations regarding personal data handling, including privacy and data protection laws (POPIA, GDPR).
2. Confidentiality: Prohibit unauthorised disclosure of Yazi information.
3. Security Standards Compliance: Specify baseline security controls and regular audits.
4. Incident Reporting: Define timelines and responsibilities for reporting and resolving security or data breaches.
5. Right to Audit: Allow Yazi or a designated third party to review the Vendor’s compliance with contract terms.
6. Termination & Exit Clauses: Establish conditions for termination and how data will be returned or destroyed.
7. Liability & Indemnification: Clarify financial responsibility in the event of data breaches or non-compliance.

#### 7.2 Contract Approval Process

All Vendor agreements must be reviewed and approved by:

* Legal & Compliance: Ensures all legal, regulatory, and risk provisions are covered.
* Information Security: Confirms alignment with security requirements.
* Finance: Reviews financial terms and budgets.
* Executive Management: Provides final sign-off for Level 1 Vendors or high-value contracts.

***

### 8. Monitoring and Review

#### 8.1 Ongoing Performance Monitoring

* Service Level Monitoring: The Vendor Relationship Owner tracks performance metrics (uptime, response times) monthly.
* Periodic Review Meetings: Depending on the Vendor’s classification, quarterly or biannual check-ins are held to discuss service quality and any issues.
* Risk Assessments: The Information Security Team may require Vendors to complete annual security questionnaires.
* Compliance Checks: Vendors handling personal data may need to provide updated privacy statements or compliance reports.

#### 8.2 Documentation

All reviews and assessments must be documented:

* Assessment Results & Follow-up Actions
* Compliance & Security Reports
* Performance Metrics
* Incident Reports

These records are maintained by the Vendor Relationship Owner in a central repository and are accessible for audit.

***

### 9. Access Control

For Vendors requiring system or data access:

1. Unique Credentials: Each Vendor user must have a unique ID; shared accounts are prohibited.
2. Role-Based Access: Access is granted based on job function and is periodically reviewed.
3. Access Reviews: Departments must review and confirm active Vendor accounts on at least a quarterly basis.
4. Prompt Termination: Access must be revoked immediately upon the completion of a project or change in Vendor personnel.
5. Logging and Monitoring: Activities by Vendor accounts are logged; suspicious activity triggers an investigation.

***

### 10. Data Protection

When Vendors process Yazi or client data:

1. Data Minimisation: Vendors should only collect and process the minimum amount of data necessary.
2. Purpose Limitation: Data must be used solely for the contracted service.
3. Storage & Retention: Data must be stored securely and retained only as long as necessary or legally required.
4. Cross-Border Transfers: Any transfer of data across borders must comply with POPIA, GDPR, or local requirements.
5. Encryption & Secure Disposal: Ensure encryption at rest, and securely destroy data after contract termination.

***

### 11. Incident Management

#### 11.1 Vendor Obligations

* Immediate Notification: Vendors must inform Yazi within 24 hours of discovering a breach that may affect Yazi data.
* Collaboration: Provide complete cooperation during incident investigations and disclose relevant findings.
* Root Cause Analysis & Remediation: Vendors must identify the issue, implement fixes, and prevent recurrence.
* Client Notification Support: Where required by law or contract, Vendors must support Yazi in notifying affected clients.

#### 11.2 Post-Incident Review

A post-incident review meeting may be held to evaluate response effectiveness and update any security or process gaps.

***

### 12. Business Continuity

#### 12.1 Vendor Responsibilities

* Continuity & Recovery Plans: Vendors must maintain documented plans for business continuity, disaster recovery, and workforce continuity.
* Regular Testing: Plans must be tested at least annually.
* Recovery Objectives: Clearly define recovery time and recovery point objectives (RTO/RPO) for critical services.
* Backup Procedures: Data backups must be performed regularly and stored securely.
* Alternative Arrangements: In case of an extended disruption, Vendors must have contingency options to continue critical services.

***

### 13. Vendor Termination

#### 13.1 Exit Management

* Notice Period: Observe contractually required notice.
* Data Return/Destruction: Ensure all Yazi or client data is returned or securely destroyed.
* System Access Removal: Revoke access rights promptly.
* Knowledge Transfer: Where needed, Vendors must assist in transferring knowledge to new providers or Yazi teams.
* Final Security Audit: May be performed to confirm that data has been appropriately disposed of.

#### 13.2 Documentation

A formal termination report should record:

* Reason for termination
* Completed exit tasks
* Lessons learned

***

### 14. Compliance Monitoring

#### 14.1 Audits

Yazi reserves the right to audit Vendors for compliance with contractual and regulatory obligations, particularly if the Vendor handles Level 1 or Level 2 data.

#### 14.2 Remediation

If audit findings reveal non-compliance or security gaps, the Vendor must provide a remediation plan and timeline.

***

### 15. Policy Governance

#### 15.1 Review & Updates

* Annual Review: This Policy is reviewed annually by Yazi’s Legal & Compliance and Information Security teams.
* Continuous Improvement: Feedback from incidents, audits, or lessons learned is incorporated as needed.
* Change Management: Major changes must be approved by Executive Management.
* Stakeholder Communication: Updated versions are communicated to relevant internal and external stakeholders.
* Training Requirements: Yazi employees involved in vendor management must complete periodic training on Policy requirements.

#### 15.2 Documentation Requirements

Mandatory records:

* Vendor agreements and addendums
* Security assessments, questionnaires, and audit reports
* Performance reports and SLAs
* Incident logs
* Access records and termination proofs

