Register Owner: CISO and CFO
Effective Date: May 16, 2026
Reviewed: Quarterly, reconciled against the Vendor Inventory and Vanta
Next Review: June 30, 2026 (Q2 2026 cycle — lands inside the initial Type II window)
The per-vendor due-date matrix for the annual vendor reviews required by the Third-Party Management Policy → Monitoring & review and operated per the Vendor Risk Assessment procedure → Process. Implements the “rolling” cadence committed in SOC 2 Readiness Timeline → Phase 3.8 with concrete dates per vendor.
Why some reviews are scheduled inside the initial Type II window. The Vendor Risk Assessment procedure was effective 2026-05-08, which would put every “first annual review” 12 months out (2027-05-08) — outside the initial Type II observation window (June 22 – September 22, 2026). To produce CC9.2 operating-effectiveness evidence inside the initial window, the six most-Confidential-touching High-tier vendors are reviewed early (June – August 2026). The remaining 12 High-tier vendors are reviewed inside the first subsequent 12-month window (Sep 22, 2026 – Sep 22, 2027) on their natural 12-month cadence from the procedure effective date.

Initial Type II window — early reviews (June – August 2026)

Six High-tier vendors are reviewed early so CC9.2 has operating evidence inside the 3-month initial window. The reviewer produces a Vendor Annual Review Note per the Vendor Risk Assessment procedure → Annual review note and files it in SharePoint Evidence Library / Vendor Reviews / 2026 / <vendor>.
VendorTierDueReviewerWhy prioritized
Amazon Web Services (AWS)High2026-06-30CISO + CTOPrimary cloud — majority of Confidential customer data; widest attack surface; largest subservice-organization reliance.
VultrHigh2026-07-15CISO + CTOSecondary cloud — Vault cluster + a portion of production compute / database. Subservice-organization reliance.
RipplingHigh2026-07-31CISO + CHROIdP / SSO / MDM / EDR / HRIS — gates workforce access to production; personnel records.
HashiCorp (Vault license)High2026-08-15CISO + CTOSoftware vendor for the cross-cloud secrets-of-record. License posture + vendor security narrative.
AnthropicHigh2026-08-30CISO + GCUpstream AI provider with the largest share of customer-content-bearing model traffic.
OpenAIHigh2026-08-30CISO + GCUpstream AI provider — second-largest share; both reviewed together to capture the AI-provider-class control surface.

First subsequent 12-month window — natural-cadence reviews (Sep 2026 – Sep 2027)

The remaining 12 High-tier vendors are reviewed inside the first subsequent window on the natural 12-month cadence from the procedure effective date. Dates below are targets; CISO + CFO confirm at the ISMS Management Review preceding each due date.
VendorTierDue (target)Reviewer
Microsoft 365High2026-09-30CISO
GitHub (incl. Advanced Security, Dependabot, Actions)High2026-10-31CISO + CTO
xAIHigh2026-11-30CISO + GC
CerebrasHigh2026-12-31CISO + GC
Portkey AIHigh2027-01-31CISO + GC
WorkOSHigh2027-02-15CISO
ResendHigh2027-02-28CISO + CTO
Temporal CloudHigh2027-03-15CISO + CTO
VercelHigh2027-03-31CISO + CTO
CloudflareHigh2027-04-15CISO + CTO
People Data LabsHigh2027-04-30CISO + GC
RocketReachHigh2027-05-08CISO + GC

Medium-tier — biennial cadence

The Vendor Risk Assessment procedure sets Medium-tier vendors at a 2-year re-review cadence. First biennial cycle is 2028-05-08 unless an intervening trigger (material change in scope, security incident, contract renewal) accelerates a Medium-tier review. The Medium-tier vendor list lives in Vendor Inventory; no per-vendor schedule is published here for Medium tier — the trigger-driven model is sufficient on a biennial cadence.

Triggers — out-of-cycle reviews (any tier)

A vendor review is performed out-of-cycle on any of:
  • Material change in vendor scope (new data class processed, new production-credential grant)
  • Vendor security incident affecting Neuroscale data
  • Contract renewal or DPA refresh
  • Vendor SOC 2 / ISO 27001 attestation lapse
  • Vendor M&A event materially changing the entity
  • Sub-processor change in the vendor’s stack that affects Neuroscale’s flow-down obligations
Out-of-cycle reviews follow the same Annual Review Note structure and reset the next-due date.

Evidence

For each review:
  • Vendor Annual Review Note (per the procedure) committed to SharePoint Evidence Library / Vendor Reviews / <YYYY> / <vendor> and mirrored in the Vanta vendor file.
  • Linear ticket opened by the reviewer at start; closed on note commit.
  • Vendor-side attestation refresh (SOC 2 Type II report, ISO 27001 cert, DPA) on file with date stamped in the note.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0May 16, 2026Initial schedule. Six High-tier vendors pulled into initial Type II window; 12 remaining High-tier on natural cadence in subsequent window.Cameron WolfeIshan Jadhwani