Third-Party & Vendor Management Policy

Wealthy’s commitment to managing third-party and vendor risk — assessment, contracts, monitoring, offboarding.


Field           Value
Document ID     POL-022
Classification  Internal
Owner           CTO (interim CISO)
Effective Date  April 2026
Review Cycle    Annual

1. Purpose

Every third party with access to Wealthy’s systems, data, or infrastructure introduces risk. This policy commits Wealthy to identifying, assessing, contracting, monitoring, and offboarding third parties in a way that keeps customer data safe and regulatory obligations satisfied.

This Policy states what we commit to; the Vendor Security Assessment Standard (STD-015) describes how — assessment questionnaire, scoring bands, contract clauses, review cadence, vendor inventory.


2. Scope

Applies to every vendor, service provider, sub-processor, or partner that:

  • Accesses, processes, or stores Wealthy data (customer PII, financial data, transaction records)
  • Provides infrastructure, hosting, or SaaS used in production
  • Integrates with Wealthy systems via APIs
  • Has physical or logical access to Wealthy networks
  • Provides security, audit, or compliance services

Applies equally to single-engagement audit vendors, permanent infrastructure providers, and everything in between.


3. Principles

  1. No vendor without assessment. A security assessment is mandatory before a new contract, at every renewal, and when scope materially expands.
  2. Risk-proportionate review. Review depth matches vendor criticality (see the categories in §4). Critical vendors receive a full reassessment every 6 months; Low-risk vendors provide a self-attestation every two years.
  3. Minimum necessary access. Vendors receive only the access required for their contracted function — no standing broad access.
  4. Contractual security. Every vendor contract includes mandatory security, data protection, and compliance clauses (detailed in the Standard).
  5. Continuous monitoring. Integration health, compliance-certificate validity, SLA performance, and public breach disclosures are monitored on an ongoing basis.
  6. Clean offboarding. When a relationship ends, access revocation, credential rotation, and data return/destruction are non-negotiable.
  7. Accountability. Every vendor has a named internal owner responsible for the relationship and security of the integration.

4. Vendor Risk Categories

Category   When it applies
Critical   Access to core production infrastructure, payment data, customer PII at scale, or market-facing trading systems
High       Access to customer PII in bounded scope, security services (VPN, SIEM), source code, or domain / DNS control
Medium     Access to internal metadata, design assets, or support data without direct customer PII
Low        No data access; utility or informational services only

Current categorisation of active vendors is maintained in the Vendor Security Assessment Standard (STD-015) §7 (Current Vendor Inventory).


5. Regulatory Alignment

This policy operationalises:

  • IRDAI Cyber Security Guidelines 2024 — third-party risk management requirements for Insurance Intermediaries (Corporate Agents), including MeitY empanelment, STQC audit, data-elimination-on-termination, and sub-processor consent clauses
  • SEBI CSCRF Annexure-F — third-party / vendor risk register
  • DPDP Act 2023 — Data Processor agreements

6. Roles & Responsibilities

Role                 Responsibility
CTO (interim CISO)   Overall vendor security strategy, final approval for Critical vendors, annual Board reporting
Compliance Team      Manage assessments, maintain the risk register, track vendor certifications
SRE Team             Technical assessment, vendor access monitoring, integration health checks
Engineering Teams    Report vendor integration issues, support technical assessments
Operations           Day-to-day SLA monitoring, vendor relationship management
Legal                Contract review, enforcement of security clauses, data-protection terms
Procurement          Vendor onboarding flow, contract lifecycle

7. Governance

  • Vendor Risk Register is reviewed quarterly by the CTO and reported to ISRMC.
  • Material vendor changes (Critical vendor onboarded, breach disclosure, offboarding) are reported within the quarter they occur.
  • Annual external cyber audit covers vendor management trail.
  • Audit artefacts — assessment reports, contracts, acknowledgements — retained per the regulatory retention period.

8. Exceptions

Any exception to this policy follows the Exception Management Policy (POL-013). No exception is valid without written CTO sign-off and documented compensating controls; exceptions are reviewed at ISRMC.


9. Operational Standard

For the concrete assessment process — questionnaire sections, scoring bands, mandatory contractual clauses, review cadences, re-assessment triggers, offboarding checklist, and the current vendor inventory — see the Vendor Security Assessment Standard (STD-015).

The Standard is maintained by the CTO + Compliance Team and reviewed annually. This Policy is reviewed annually by the Board.


Reviewed annually. Last revision: April 2026. Contact: security@wealthy.in.