The operational procedure that implements the Third-Party Management Policy.
When to run an assessment
A vendor risk assessment is required before:
- Sharing or transmitting Confidential data to a third party.
- Granting a third party access to Neuroscale production systems or networks.
- Entering into a contract that involves processing customer data.
For low-risk vendors (no Confidential data, no production access, public information only), a lightweight review is sufficient.
Process
- Intake. The requestor opens a vendor request via the Vendor Risk Assessment intake form, which captures vendor name, purpose, data accessed, integrations, and contract value.
- Tiering. Security tiers the vendor — High / Medium / Low — based on data sensitivity and integration depth.
- Diligence, scoped by tier:
  - High: full questionnaire (SIG Lite or equivalent), SOC 2 / ISO 27001 review, data-processing addendum (DPA), penetration-test summary if available.
  - Medium: SOC 2 review, DPA where personal data is involved.
  - Low: review of public trust page; minimal documentation.
- Approval. The CISO and CFO approve before contract signature.
- Onboarding. IT provisions integration; vendor is added to the Vendor Inventory.
- Re-review. High-tier vendors are re-reviewed annually; medium-tier every 2 years.
Documentation kept on file
- Signed agreement (MSA / DPA / SOW).
- Latest SOC 2 / ISO 27001 / equivalent attestation.
- Completed security questionnaire.
- Tier rationale and approval.
- Evidence of the most recent re-review (annual for High tier, every 2 years for Medium tier).
Vendor inventory
The current vendor inventory lives at the Vendor Inventory page (mirrored to Vanta for continuous monitoring).
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |