Backpack Works
Version: 1.0
Last updated: December 2025
Owner: Security Lead

Vendor & Third-Party Risk Management Policy

1. Purpose

To manage the security and privacy risks introduced by vendors and sub-processors.

2. Scope

Any third party that processes, stores, or has access to company or client data.

3. Evaluation

Before engaging a vendor that handles data, we review:

  • Their security posture (certifications such as SOC 2 / ISO 27001 where applicable).
  • Their privacy practices and data handling.
  • Contractual protections, including a data processing agreement where personal data is involved.

4. Sub-processors

We maintain a current list of sub-processors at /legal/subprocessors and review key vendors on an ongoing basis.

5. Review

This policy is reviewed at least annually.