1.0 Purpose

The purpose of this policy is to set forth the guidelines that should be followed to maintain the security of the organization’s information systems and data when Roboto Studio enters into any arrangement with a third-party supplier or vendor or Cloud Service Provider (CSP), as well as to identify elements of managing vendors, due diligence, risk assessments, and contract management.

2.0 Scope

The scope of this policy covers Roboto Studio’s relationship with business partners, suppliers or third-party vendors, including CSPs (collectively referred to as “vendors” or “third parties”), including any third-party access to information, IT assets, IT infrastructure, and facilities of Roboto Studio and/or its client information. The policy also covers all third-party related activities associated with providing security for cloud services (i.e., SaaS, PaaS, IaaS) and Artificial Intelligence (i.e., generative AI and Large Language Models).

3.0 Policy

3.1 Managing Outsourcing Risks

Roboto Studio shall develop an organization-wide strategy for managing risks associated with supply-chain management. Risks involved must be identified, documented, and vetted by Roboto Studio’s management before outsourcing any processes or services to a third party/vendor or allowing third-party access to the organization’s information or systems.

3.2 Contracts

Contracts that include the exchange of confidential data must require confidentiality agreements to be executed by the vendor and shall identify applicable security and privacy policies and procedures to which the vendor is subject. Contracts must clearly identify the roles and responsibilities of the vendor and the security and privacy reporting requirements.

3.3 Oversight and Monitoring

Management shall designate staff responsible for monitoring the performance and compliance of each outsourced program/vendor/cloud service. The duties should include regular review of the third party’s performance to determine compliance with expectations and contracts. All third-party vendors shall be evaluated for security risks to the organization periodically through a formal risk assessment process.

3.4 Termination of Service

Upon termination of vendor services, contracts must require the return or destruction of all Roboto Studio’s data. Roboto Studio’s management shall immediately ensure the termination of the vendor’s access to Roboto Studio systems. Exit strategies must be developed for the use of any vendor services and exit reviews shall be performed on vendors to ensure compliance with termination clauses.