# Vendor management policy

**Version:** 1.0

**Effective date:** 2026-04-17

## 1. Principle

Any third party that stores, processes, or transmits customer data is a sub-processor. Sub-processors must meet Frameboard's security bar before they are used in production, and the list is reviewed at least annually.

## 2. Selection criteria

Before adopting a new sub-processor, the following must all be true:

- The provider has a current SOC 2 Type II report, ISO 27001 certificate, or equivalent
- The provider's DPA covers our contractual commitments to customers
- Data residency matches our commitments (EU/UK/US only unless specifically negotiated)
- The provider offers audit logs for privileged actions wherever we hold privileged access
- There is a documented offboarding path if we need to leave

A one-page adoption record is filed in `docs/security/vendors/<name>.md` capturing: purpose, data types, region, certifications, DPA link, and the rotation plan to follow if the vendor is compromised.

## 3. Current sub-processor list

| Vendor | Purpose | Data types | Region | Certifications |
|---|---|---|---|---|
| Netlify | Hosting + serverless functions | All data in transit, logs | US/EU | SOC 2 Type II |
| Airtable | Primary datastore | User accounts, proposals, catalogue | US | SOC 2 Type II |
| Stripe | Payments | Card data (never touches us) | Global | PCI DSS Level 1, SOC 2 Type II |
| Mux | Video hosting | Customer video uploads | US | SOC 2 Type II |
| Resend | Transactional email | Recipient email + body | US/EU | SOC 2 Type II |
| Anthropic | AI generations | Input text for completion (no retention per API contract) | US | SOC 2 Type II |
| Plausible | Analytics | Anonymised visit data only | EU (Germany) | ISO 27001 |
| GitHub | Source control | No customer data | US | SOC 2 Type II |
| AWS (via Netlify Blobs) | File storage | Uploaded images/PDFs | US | Multiple |

This list is mirrored at `myframeboard.app/subprocessors` (public).

## 4. Monitoring

- Annual: request current SOC 2 / ISO report from each vendor. Any lapse is flagged in the risk register
- Quarterly: check vendor status pages and incident histories; note any incidents that affected our customers
- On news: if a vendor has a public breach, the incident response policy applies regardless of whether our data was touched

## 5. Offboarding a vendor

- 30 days' written notice to vendor
- Export data where applicable
- Confirm vendor's deletion certification
- Update the sub-processor list and notify customers in the next changelog
