Yazi Vendor Management Policy

1. Introduction

This Vendor Management Policy ("Policy") outlines Yazi's approach to identifying, onboarding, monitoring, and managing all vendors and third-party service providers ("Vendors") who may have access to Yazi systems, networks, or data, including client data. The Policy is designed to minimise risks associated with third-party relationships, ensure compliance with applicable regulations (such as POPIA and GDPR), and protect Yazi’s operational integrity.


2. Scope

This Policy applies to all vendors that:

  • Process or store Yazi's or client data

  • Provide critical services or infrastructure

  • Have access to Yazi's systems or networks

  • Integrate with Yazi's WhatsApp research platform

It covers the lifecycle of the vendor relationship, including selection, due diligence, onboarding, ongoing monitoring, and termination.


3. Roles and Responsibilities

  • Vendor Relationship Owner (VRO): The Yazi employee responsible for initiating the vendor engagement, coordinating due diligence, and acting as the primary liaison.

  • Legal & Compliance Team: Ensures all contractual and regulatory obligations are addressed, conducts legal review of agreements, and advises on compliance.

  • Information Security Team: Evaluates and approves the security posture of Vendors, conducts risk assessments, and manages incidents.

  • Finance Team: Reviews financial viability and ensures that negotiated terms align with Yazi’s budget and payment processes.

  • Executive Management: Approves strategic or high-risk vendor relationships, especially those handling sensitive or mission-critical operations.


4. Vendor Classification

Yazi classifies Vendors into three risk-based levels:

4.1 Level 1 (Critical)

  • Vendors with direct access to personal or confidential data

  • Integration with Yazi's core platform services (e.g., AWS, WhatsApp Business API providers)

  • High impact on business continuity if services are disrupted

  • Example: Hosting providers, payment gateways, communication APIs

4.2 Level 2 (Important)

  • Vendors who have access to some internal systems or process non-sensitive data

  • Moderate impact on Yazi’s operations

  • Example: Analytics providers, specialised software tools

4.3 Level 3 (Standard)

  • Vendors with no direct access to systems or data

  • Minimal impact on business operations

  • Example: Office supplies, cleaning services

Classification ensures that due diligence and monitoring are proportionate to the level of risk.


5. Vendor Selection & Due Diligence

5.1 Identification and Evaluation

  1. Business Need Identification: The requesting department defines the business objectives and the requirements the service must meet.

  2. Preliminary Vendor Research: Shortlist possible Vendors based on capabilities, market presence, and references.

  3. RFP/RFQ Process (If Required): For major or complex engagements, a formal Request for Proposal (RFP) or Request for Quotation (RFQ) may be used to compare Vendors.

5.2 Initial Assessment

All prospective Vendors undergo an evaluation to ensure they meet Yazi’s standards:

  1. Security Capabilities Evaluation: Assess the Vendor’s information security controls and policies.

  2. Regulatory Compliance Check: Confirm Vendor adherence to POPIA, GDPR, or other relevant regulations.

  3. Financial Stability Review: Request financial statements or credit references to verify sustainability.

  4. Technical Capability Assessment: Evaluate the Vendor’s infrastructure, scalability, and compatibility with Yazi’s environment.

  5. Privacy Impact Assessment: For Level 1 Vendors, a formal privacy impact assessment is required to understand data handling risks.

5.3 Documentation Requirements

Depending on the Vendor’s classification, Yazi may request:

  • Information security policies and certifications (e.g., ISO/IEC 27001)

  • Data protection procedures and independent assurance (e.g., a SOC 2 report, ISO/IEC 27701 certification)

  • Compliance certifications for relevant regulations

  • Business continuity and disaster recovery plans

  • Insurance coverage documents

  • Penetration test reports or vulnerability scans (Level 1 Vendors)

All documentation is reviewed by the relevant Yazi teams to confirm appropriateness.


6. Security Requirements

6.1 Baseline Security Requirements (All Vendors)

  • Data Encryption: All Vendor-managed data for Yazi must be encrypted both in transit (TLS 1.2 or higher) and at rest.

  • Access Controls: Implement role-based access with the principle of least privilege. Access to Yazi data or systems must be granted only as necessary.

  • Incident Reporting: Notify Yazi within 24 hours of discovering any security incident affecting Yazi data or operations.

  • Regular Security Assessments: The Vendor must conduct periodic vulnerability assessments. Yazi may request copies of summary reports.

  • Employee Screening: Vendors must have background checks or vetting procedures for personnel handling Yazi data.

6.2 Additional Requirements for Level 1 Vendors

  • Multi-Factor Authentication (MFA): Mandatory for all user accounts with access to Yazi data.

  • Regular Penetration Testing: Provide evidence of at least annual penetration tests and remediation.

  • Security Audit Reports: Submit independent audit reports (e.g., ISO 27001, SOC 2 Type II) on a regular basis.

  • Data Localisation Compliance: Where regulations demand local data storage, the Vendor must ensure data residency within specified jurisdictions.


7. Contractual Requirements

7.1 Mandatory Contract Clauses

  1. Data Protection: Set out obligations for handling personal data, including compliance with applicable privacy and data protection laws (POPIA, GDPR) and, where the Vendor processes personal data on Yazi’s behalf, the written operator/processor terms those laws require.

  2. Confidentiality: Prohibit unauthorised disclosure of Yazi information.

  3. Security Standards Compliance: Specify baseline security controls and regular audits.

  4. Incident Reporting: Define timelines and responsibilities for reporting and resolving security or data breaches.

  5. Right to Audit: Allow Yazi or a designated third party to review the Vendor’s compliance with contract terms.

  6. Termination & Exit Clauses: Establish conditions for termination and how data will be returned or destroyed.

  7. Liability & Indemnification: Clarify financial responsibility in the event of data breaches or non-compliance.

7.2 Contract Approval Process

All Vendor agreements must be reviewed and approved by:

  • Legal & Compliance: Ensures all legal, regulatory, and risk provisions are covered.

  • Information Security: Confirms alignment with security requirements.

  • Finance: Reviews financial terms and budgets.

  • Executive Management: Provides final sign-off for Level 1 Vendors or high-value contracts.


8. Monitoring and Review

8.1 Ongoing Performance Monitoring

  • Service Level Monitoring: The Vendor Relationship Owner tracks performance metrics (uptime, response times) monthly.

  • Periodic Review Meetings: Depending on the Vendor’s classification, quarterly or biannual check-ins are held to discuss service quality and any issues.

  • Risk Assessments: The Information Security Team may require Vendors to complete annual security questionnaires.

  • Compliance Checks: Vendors handling personal data may need to provide updated privacy statements or compliance reports.

8.2 Documentation

All reviews and assessments must be documented:

  • Assessment Results & Follow-up Actions

  • Compliance & Security Reports

  • Performance Metrics

  • Incident Reports

These records are maintained by the Vendor Relationship Owner in a central repository and are accessible for audit.


9. Access Control

For Vendors requiring system or data access:

  1. Unique Credentials: Each Vendor user must have a unique ID; shared accounts are prohibited.

  2. Role-Based Access: Access is granted based on job function and is periodically reviewed.

  3. Access Reviews: Departments must review and confirm active Vendor accounts on at least a quarterly basis.

  4. Prompt Termination: Access must be revoked immediately upon the completion of a project or change in Vendor personnel.

  5. Logging and Monitoring: Activities by Vendor accounts are logged; suspicious activity triggers an investigation.
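The rules in 9.1, 9.3 and 9.4 are straightforward to check automatically against an account export from the identity provider. The following is an added worked example, not part of Yazi's policy or tooling: the account fields, the 90-day interval used to operationalise "quarterly", the vendor names and the sample records are all constructed for illustration.

```python
"""Quarterly vendor access review (Section 9): flag Vendor accounts that
breach the unique-credential, review-cadence and prompt-revocation rules.

Added example. The export schema and sample records below are constructed
for illustration and are not Yazi's actual identity-provider data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # "at least quarterly" (9.3), assumed as 90 days


@dataclass
class VendorAccount:
    account_id: str
    vendor: str
    holders: list[str]            # named people who know/use this credential
    role: str
    enabled: bool
    last_reviewed: date | None    # None = never confirmed by the department
    contract_end: date | None     # None = open-ended engagement
    holder_active: bool           # False once the Vendor reports the person has left


@dataclass
class Finding:
    account_id: str
    code: str
    detail: str


def review_accounts(accounts: list[VendorAccount], as_of: date) -> list[Finding]:
    """Return one Finding per rule breached. Disabled accounts are only checked
    for the shared-credential rule: a disabled shared login is still a bad record."""
    findings: list[Finding] = []
    for a in accounts:
        # 9.1: every Vendor user has a unique ID; shared (or unassigned) logins are prohibited.
        if len(a.holders) != 1:
            findings.append(Finding(a.account_id, "SHARED_OR_UNASSIGNED",
                                    f"{len(a.holders)} holders: {', '.join(a.holders) or 'none'}"))
        if not a.enabled:
            continue
        # 9.3: department confirmation at least every REVIEW_INTERVAL.
        if a.last_reviewed is None:
            findings.append(Finding(a.account_id, "REVIEW_OVERDUE", "never reviewed"))
        elif as_of - a.last_reviewed > REVIEW_INTERVAL:
            age = (as_of - a.last_reviewed).days
            findings.append(Finding(a.account_id, "REVIEW_OVERDUE",
                                    f"last reviewed {a.last_reviewed}, {age} days ago"))
        # 9.4: revoke on project completion or change in Vendor personnel.
        if a.contract_end is not None and a.contract_end < as_of:
            findings.append(Finding(a.account_id, "REVOKE", f"contract ended {a.contract_end}"))
        if not a.holder_active:
            findings.append(Finding(a.account_id, "REVOKE", "holder no longer with Vendor"))
    return findings


# Constructed sample export (fictional vendors and users), reviewed as of 2025-04-01.
AS_OF = date(2025, 4, 1)
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-hosting-01", "CloudHost Ltd", ["a.nkosi"], "infra-admin",
                  True, date(2025, 2, 10), None, True),                  # compliant
    VendorAccount("shared-analytics", "DataViz Co", ["j.smith", "m.dlamini"], "read-only",
                  True, date(2025, 3, 1), date(2025, 12, 31), True),     # shared credential
    VendorAccount("pentest-2024", "RedTeam SA", ["k.pillay"], "read-only",
                  True, date(2024, 11, 15), date(2024, 12, 20), True),   # overdue review, contract over
    VendorAccount("svc-payments", "PayGate", ["t.mokoena"], "api-integrator",
                  True, None, None, False),                              # never reviewed, holder left
    VendorAccount("old-cleaning-portal", "CleanCo", ["s.adams"], "portal",
                  False, date(2024, 1, 5), date(2024, 6, 30), False),    # already disabled
]


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.account_id:<20} {f.code:<22} {f.detail}")
```

Each REVOKE finding is a ticket for the Vendor Relationship Owner; each REVIEW_OVERDUE finding goes back to the owning department, and any SHARED_OR_UNASSIGNED finding should be treated as a contract breach under 7.1(3) rather than a housekeeping item.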


10. Data Protection

When Vendors process Yazi or client data:

  1. Data Minimisation: Vendors must collect and process only the minimum data necessary to deliver the contracted service.

  2. Purpose Limitation: Data must be used solely for the contracted service.

  3. Storage & Retention: Data must be stored securely and retained only as long as necessary or legally required.

  4. Cross-Border Transfers: Any transfer of data across borders must comply with POPIA, GDPR, or local requirements.

  5. Encryption & Secure Disposal: Ensure encryption at rest, and securely destroy data after contract termination.


11. Incident Management

11.1 Vendor Obligations

  • Prompt Notification: Vendors must inform Yazi within 24 hours of discovering a breach that may affect Yazi data.

  • Collaboration: Provide complete cooperation during incident investigations and disclose relevant findings.

  • Root Cause Analysis & Remediation: Vendors must identify the issue, implement fixes, and prevent recurrence.

  • Client Notification Support: Where required by law or contract, Vendors must support Yazi in notifying affected clients.

11.2 Post-Incident Review

A post-incident review meeting may be held to evaluate the effectiveness of the response and to close any security or process gaps identified.


12. Business Continuity

12.1 Vendor Responsibilities

  • Continuity & Recovery Plans: Vendors must maintain documented plans for business continuity, disaster recovery, and workforce continuity.

  • Regular Testing: Plans must be tested at least annually.

  • Recovery Objectives: Clearly define recovery time and recovery point objectives (RTO/RPO) for critical services.

  • Backup Procedures: Data backups must be performed regularly and stored securely.

  • Alternative Arrangements: In case of an extended disruption, Vendors must have contingency options to continue critical services.


13. Vendor Termination

13.1 Exit Management

  • Notice Period: Observe the contractually required notice period.

  • Data Return/Destruction: Ensure all Yazi or client data is returned or securely destroyed.

  • System Access Removal: Revoke access rights promptly.

  • Knowledge Transfer: Where needed, Vendors must assist in transferring knowledge to new providers or Yazi teams.

  • Final Security Audit: May be performed to confirm that data has been appropriately disposed of.

13.2 Documentation

A formal termination report should record:

  • Reason for termination

  • Completed exit tasks

  • Lessons learned


14. Compliance Monitoring

14.1 Audits

Yazi reserves the right to audit Vendors for compliance with contractual and regulatory obligations, particularly Level 1 and Level 2 Vendors.

14.2 Remediation

If audit findings reveal non-compliance or security gaps, the Vendor must provide a remediation plan and timeline.


15. Policy Governance

15.1 Review & Updates

  • Annual Review: This Policy is reviewed annually by Yazi’s Legal & Compliance and Information Security teams.

  • Continuous Improvement: Feedback from incidents, audits, or lessons learned is incorporated as needed.

  • Change Management: Major changes must be approved by Executive Management.

  • Stakeholder Communication: Updated versions are communicated to relevant internal and external stakeholders.

  • Training Requirements: Yazi employees involved in vendor management must complete periodic training on Policy requirements.

15.2 Documentation Requirements

Mandatory records:

  • Vendor agreements and addendums

  • Security assessments, questionnaires, and audit reports

  • Performance reports and SLAs

  • Incident logs

  • Access records and termination proofs
