1. Purpose
The purpose of this policy is to establish a structured and secure framework for managing relationships with third-party vendors, suppliers, and service providers that have access to GoPerfect systems, data, or services. This policy ensures that all third parties comply with our security, data privacy, and business continuity requirements.
2. Scope
This policy applies to all third-party entities that process, store, or have access to GoPerfect’s systems, infrastructure, customer data, and other confidential information. It includes:
- Cloud service providers
- Data vendors
- Software providers
- Consultants and contractors
- Business partners
- Any other external entity accessing GoPerfect data or services
3. Third-Party Selection & Due Diligence
Before onboarding a third-party supplier, GoPerfect conducts a due diligence process to assess security, compliance, and operational risks. This includes:
- Security Assessment:
  - Evaluation of the vendor's security policies, certifications (e.g., ISO 27001, SOC 2), and alignment with applicable regulations and industry frameworks (GDPR, CCPA, OWASP guidance, etc.).
  - Assessment of security controls such as data encryption, authentication mechanisms, and vulnerability management.
- Legal & Compliance Review:
  - Verification that the supplier adheres to the relevant data protection laws (GDPR, CCPA, Israeli Privacy Law, etc.).
  - Execution of Data Protection Agreements (DPAs) and review of privacy notices to confirm compliance with personal data protection requirements.
- Operational & Financial Risk Assessment:
  - Evaluation of the supplier's financial stability and operational risks.
  - Review of service-level agreements (SLAs) to ensure minimal service disruption in case of failures.
- Incident Response & Business Continuity:
  - Vendors must demonstrate incident response and disaster recovery plans with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- Contractual Safeguards:
  - All vendors must sign agreements that explicitly define their data processing, confidentiality, and security responsibilities.
  - Clauses covering termination, data deletion at the end of the engagement, and liability in case of a breach are mandatory.
4. Data Security and Access Controls
GoPerfect enforces strict access controls for third-party suppliers based on the principle of least privilege (PoLP):
- User & Access Management:
  - Vendor access is granted through role-based access control (RBAC) and scoped to the minimum data and functions the engagement requires.
  - Multi-factor authentication (MFA) is required for all vendor access to GoPerfect systems.