Vendor Security Assessment Standard
Process for evaluating, onboarding, and continuously monitoring third-party vendor security posture. Operationalises the Third-Party & Vendor Management Policy.
| Field | Value |
|---|---|
| Document ID | STD-015 |
| Classification | Internal |
| Priority | 🟡 Medium |
| Owner | CTO / Compliance Team |
| Approved By | CTO |
| Effective Date | April 2026 |
| Review Cycle | Annual |
| Parent Policy | Third-Party & Vendor Management (POL-022) |
1. Purpose
This standard defines the process for evaluating, onboarding, and continuously monitoring the security posture of third-party vendors who have access to Wealthy’s systems, data, or infrastructure. It ensures that vendor relationships do not introduce unacceptable security risks to the organization.
2. Scope
This standard applies to all third-party vendors, service providers, and partners who:
- Access, process, or store Wealthy’s data (customer PII, financial data, transaction records)
- Provide infrastructure or hosting services
- Integrate with Wealthy’s systems via APIs
- Provide software or SaaS tools used in production
- Have physical or logical access to Wealthy’s networks
2.1 Vendor Categories
| Category | Risk Level | Examples |
|---|---|---|
| Critical | High | Cloud providers (GCP/Shivaami, AWS/Acecloudhosting), Payment gateways (HDFC, PineLabs, Razorpay, Cashfree, CCAvenue) |
| High | High | KYC providers (CVL, CAMS, NSDL), Trading infra (Khambala/TechXL/Zybisys), Digital signing (Digio, Signzy) |
| Medium | Medium | SaaS tools (Figma, Freshdesk), Communication (Cloudflare), Market data (CMOTS) |
| Low | Low | Domain providers (GoDaddy), general SaaS with no data access |
3. Pre-Onboarding Assessment
3.1 Assessment Triggers
A vendor security assessment is mandatory before:
- Signing a new vendor contract
- Renewing an existing vendor contract (annual)
- Granting a vendor access to new systems or data
- A vendor undergoing significant changes (acquisition, breach disclosure)
3.2 Assessment Questionnaire
Template: Vendor Security Assessment — Checklist Template (Google Sheet, owned by security@wealthy.in, lives in the Security Drive folder). The Wealthy owner makes a copy per vendor, shares the copy with the vendor, and files the returned copy as assessment evidence.
All vendors in Critical and High categories must complete the Vendor Security Questionnaire covering:
A. Organization & Governance
- Information security policy and framework
- Security certifications (ISO 27001, SOC 2, PCI-DSS as applicable)
- Dedicated security team or CISO
- Security awareness training program
- Incident response plan
B. Data Protection
- Data classification and handling procedures
- Encryption standards (at rest and in transit)
- Data retention and disposal policies
- Data backup and recovery procedures
- Cross-border data transfer controls
- PII handling and privacy compliance
C. Access Control
- Identity and access management practices
- Multi-factor authentication implementation
- Privileged access management
- User access review frequency
- Third-party access to their own systems
D. Network & Infrastructure Security
- Network segmentation and firewall controls
- Intrusion detection/prevention systems
- Vulnerability management program
- Patch management SLA
- Physical security controls (for on-premise vendors)
E. Application Security
- Secure development lifecycle (SDLC)
- Code review and static analysis practices
- VAPT frequency and methodology
- API security controls
- Change management procedures
F. Business Continuity
- Disaster recovery plan and RTO/RPO
- Business continuity testing frequency
- Geographic redundancy
- Sub-processor and fourth-party risk management
G. Compliance & Legal
- Regulatory compliance (SEBI, RBI as applicable)
- Data breach notification commitments
- Right to audit clause
- Insurance coverage (cyber liability)
3.3 Assessment Scoring
| Score | Rating | Action |
|---|---|---|
| 90-100% | Excellent | Approved — standard review cycle |
| 75-89% | Good | Approved with minor recommendations |
| 60-74% | Acceptable | Approved with mandatory remediation plan (60-day deadline) |
| 40-59% | Poor | Conditional approval — CTO sign-off required, remediation in 30 days |
| Below 40% | Unacceptable | Rejected — vendor cannot be onboarded |
4. Contractual Security Requirements
All vendor contracts must include the following security clauses:
4.1 Mandatory Clauses
| Clause | Requirement |
|---|---|
| Data Protection | Vendor must encrypt all Wealthy data at rest (AES-256) and in transit (TLS 1.2+) |
| Access Control | Vendor access limited to minimum necessary; MFA required |
| Incident Notification | Vendor must notify Wealthy of security incidents within 24 hours |
| Right to Audit | Wealthy reserves the right to audit vendor security controls annually |
| Data Return/Destruction | Upon contract termination, vendor must return or certify destruction of all Wealthy data within 30 days |
| Sub-processor Disclosure | Vendor must disclose all sub-processors handling Wealthy data |
| Compliance | Vendor must comply with applicable Indian regulations (SEBI, IT Act, CERT-In) |
| Accessibility (Digital Platforms / SaaS only) | Vendor confirms conformance with WCAG 2.1 / IS 17802 / GIGW accessibility guidelines per SEBI Circular 2025/111 and the Rights of Persons with Disabilities Act, 2016. IAAP-certified accessibility audit report available on request; accessibility remediation plan for any identified findings. Responsibility to ensure accessibility of the integrated platform sits with Wealthy, so vendor non-conformance becomes a Wealthy compliance issue. |
| SLA | Defined uptime, response time, and support SLAs |
| Liability | Vendor liability for data breaches caused by their negligence |
| Background Checks | Vendor personnel with access to Wealthy systems must pass background verification |
4.2 Additional Clauses (for Critical/High vendors)
- Annual VAPT report sharing
- SOC 2 / ISO 27001 certification maintenance
- Dedicated point of contact for security issues
- Participation in Wealthy’s incident response exercises (if applicable)
- Data residency within India (for financial/PII data)
5. Ongoing Monitoring
5.1 Periodic Review Schedule
| Vendor Category | Review Frequency | Review Depth |
|---|---|---|
| Critical | Every 6 months | Full reassessment |
| High | Annually | Full reassessment |
| Medium | Annually | Abbreviated review |
| Low | Biennial | Self-attestation |
5.2 Continuous Monitoring Activities
| Activity | Frequency | Responsibility |
|---|---|---|
| Vendor security news/breach alerts | Ongoing | CTO / SRE |
| API integration health checks | Daily (automated) | SRE Team |
| Access log review (vendor accounts) | Monthly | SRE Team |
| Vendor compliance certificate validity | Quarterly | Compliance |
| SLA performance review | Monthly | Operations |
5.3 Re-Assessment Triggers
Immediate reassessment required when:
- Vendor discloses a data breach
- Vendor undergoes acquisition or merger
- Significant changes to vendor’s service offering
- Regulatory changes affecting vendor compliance
- Wealthy expands scope of data shared with vendor
- Vendor fails to meet SLA commitments repeatedly
6. Vendor Risk Register
Maintain a central Vendor Risk Register documenting:
| Field | Description |
|---|---|
| Vendor Name | Legal entity name |
| Category | Critical / High / Medium / Low |
| Services Provided | Description of services |
| Data Access | What Wealthy data they access/process |
| Contract Dates | Start, renewal, expiry |
| Last Assessment Date | Date of most recent security assessment |
| Next Assessment Date | Scheduled next reassessment (Critical: +6 months, High: +12 months, Medium/Low: +12–24 months self-attestation) — required for SEBI CSCRF Annexure-F |
| Assessment Score | Current rating |
| Open Risks | Any unresolved findings |
| Remediation Status | Status of required fixes |
| Primary Contact | Vendor security/compliance contact |
| Certifications | ISO 27001, SOC 2, PCI-DSS etc. |
| Offboarding Status | Active / Offboarding / Offboarded + date + link to Certificate of Destruction |
Location: Maintained in Google Drive (Compliance folder) and reviewed quarterly by CTO.
7. Current Vendor Inventory
7.1 Cloud Infrastructure (Critical)
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| Shivaami (GCP) | GKE, Cloud SQL, Redis, Vertex AI, Load Balancer, Storage — primary hosting | Application data, logs, compute | Quarterly |
| Acecloudhosting (AWS) | SES, SQS, Kinesis, Lambda, ECR, CodeBuild, CodeDeploy, Secrets Manager | Messaging, secrets, build artifacts | Quarterly |
| Cloudflare | DNS management, traffic routing, DDoS protection | Network traffic metadata | Semi-Annual |
7.2 Payment & Digital Services (Critical)
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| HDFC | Payment gateway services | Transaction metadata | Quarterly |
| PineLabs | Payment processing | Transaction metadata | Quarterly |
| Razorpay | Payment gateway and payouts | Transaction metadata | Quarterly |
| Cashfree | Payment processing | Transaction metadata | Quarterly |
| CCAvenue | Netbanking payment gateway | Transaction metadata | Quarterly |
| Digio | Digital signature and verification | Verification data | Quarterly |
| Signzy | Digital onboarding and verification | Verification data | Quarterly |
7.3 KYC Service Providers (Critical)
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| CVL | KYC verification | Customer identity data | Quarterly |
| CAMS | KYC and compliance | Customer identity data | Quarterly |
| NSDL | KYC and depository services | Customer identity + financial | Quarterly |
7.4 Security Infrastructure (Critical / High)
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| AWS Secrets Manager | Centralised secrets and credential management | Application credentials, keys | Quarterly |
| Pritunl VPN | Secure remote access | VPN authentication logs | Quarterly |
| Wazuh | SIEM, EDR, threat detection | System logs, security events | Quarterly |
7.5 Financial Services / Broking (High)
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| Khambala | OMS / RMS software | Trading data | Quarterly |
| TechXL | Broking backoffice software | Trading + client data | Quarterly |
| TrackWizz | Trade monitoring and compliance | Trading data | Quarterly |
| Zybisys | Hosting for OMS and backoffice systems | Trading data | Quarterly |
| CMOTS | Market data and metadata services | None (data provider) | Annual |
7.6 Insurance API Integration Partners (High)
Integration is via secure APIs (quote retrieval, policy issuance); no payments are processed through the platform.
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| HDFC Ergo | Insurance integration | Customer details for quotes / issuance | Annual |
| Niva Bupa | Insurance integration | Customer details for quotes / issuance | Annual |
| Care Health | Insurance integration | Customer details for quotes / issuance | Annual |
| ICICI Lombard | Insurance integration | Customer details for quotes / issuance | Annual |
| Manipal Cigna | Insurance integration | Customer details for quotes / issuance | Annual |
| Bajaj Life | Insurance integration | Customer details for quotes / issuance | Annual |
| HDFC Life | Insurance integration | Customer details for quotes / issuance | Annual |
| ICICI Prudential Life | Insurance integration | Customer details for quotes / issuance | Annual |
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| GitHub | Source code management + CI/CD | Source code | Annual |
| GoDaddy | Domain management | DNS / domain configuration | Annual |
| Figma | Design collaboration | Design assets | Annual |
| Metabase | Business intelligence / analytics | Application data for reporting | Annual |
7.8 Security Assessment & Audit (Engagement-based)
| Vendor | Service | Data Access | Review |
|---|---|---|---|
| Ragshanet Technology Solutions | Primary IT services + security audit | Limited audit access | Per engagement |
| Other CERT-In empaneled auditors | VAPT, compliance, infrastructure assessments | Limited audit access | Per engagement |
Audit vendors operate under confidentiality obligations with temporary, limited access and are offboarded after completion.
7.9 Additional Services
Communication, analytics, notification, and engagement tools used on a business-requirement basis. All follow the same assessment and monitoring process.
Examples: SES (email delivery), Yellow (communication), Whistle (notifications), Netcore (email + engagement), Greylabs (communication analytics), Freshdesk / Freshchat (support).
Each is evaluated before integration, granted minimum-necessary access, and reviewed per the cadence defined in §5.1.
8. Vendor Offboarding
When a vendor relationship ends:
- Access Revocation: All vendor access to Wealthy systems revoked within 24 hours
- API Key Rotation: Any shared API keys or credentials rotated immediately
- Data Return: Request formal data return/destruction certificate within 30 days
- Firewall Rules: Remove any vendor-specific IP allowlists
- Documentation: Update Vendor Risk Register to mark vendor as inactive
- Lessons Learned: Document any security issues encountered during the relationship
9. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| CTO | Overall vendor security strategy, final approval for Critical vendors |
| Compliance Team | Manage assessments, maintain risk register, track certifications |
| SRE Team | Technical assessment, access monitoring, integration health |
| Engineering Teams | Report vendor integration issues, support technical assessments |
| Operations | SLA monitoring, vendor relationship management |
| Legal | Contract review, security clause enforcement |
10. Compliance Mapping
| Requirement | How This Standard Addresses It |
|---|---|
| SEBI third-party risk | Vendor categorization, assessment, ongoing monitoring |
| IRDAI 2024 CSP controls | Data protection + data elimination + sub-processor + MeitY requirements in §4 |
| Data protection regulations | Contractual data protection clauses, encryption requirements |
| CERT-In compliance | Vendor incident notification requirements (24-hour) |
| Audit readiness | Right to audit clause, documented assessments, risk register |
Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | April 2026 | CTO / Compliance | Initial version |
Next Review: April 2027
Contact: security@wealthy.in