The purpose of this policy is to ensure the security and responsible management of Redgate's suppliers.
This policy applies to all employees, contractors, and third-party users who engage with suppliers on behalf of Redgate.
Services fall into two categories, critical and non-critical, based on the risk profile of the service. The risk profile is determined by the type and/or volume of confidential or sensitive information handled, and by the availability and/or integrity requirements of the service. In all cases:
Critical services shall undergo a full review prior to selection. Review areas include (where applicable):
Redgate shall maintain an up-to-date register of all suppliers and the products and services they supply to us.
Redgate shall maintain a list of embargoed countries/customers/suppliers.
Redgate shall maintain detailed records of all vendor agreements, contracts, and other documentation associated with the vendor relationship. Suppliers shall be reviewed upon renewal or when Redgate is made aware of material changes to services. Business Critical Services will be reviewed at contract renewal or earlier (at our discretion).
Suppliers shall be required to:
Redgate shall ensure that contractual agreements are put in place when personal information is shared between organisations.
Suppliers who may process credit card data falling under the scope of PCI-DSS requirements shall be required to maintain PCI-DSS compliance.
Redgate shall maintain a record of which PCI-DSS requirements are managed by each service provider.
Redgate shall verify compliance of such vendors annually.
In the event of a security incident involving a supplier:
A process shall be maintained for terminating supplier relationships in an orderly and secure manner. As part of this process:
A final review of the supplier relationship shall be conducted to ensure that all security and quality requirements have been met.