Supplier policy


This policy describes rules and principles on how we manage supplier relationships in our organization.

The service manager and office manager are responsible for implementing the policy.


  • The contract should contain our requirements for information security
    • Access to data and conditions
    • Service level agreement
    • Compliance with relevant policies
    • KPIs should be added for suppliers
  • If the supplier will process PII (personally identifiable information) on our behalf:
    • A data processing agreement (DPA) must be signed
    • The data should be located within the EU
    • They should have a privacy policy in which they adhere to GDPR
  • Suppliers should be assessed periodically, taking into account
    • Performance (are we happy with them?)
    • KPI performance (are they living up to the expectations?)
    • Recent incidents (were they a party in a recent information security incident?)