Vendor Management Policy

Veridian Corp — Third-Party Vendor Risk, FDA Supplier Controls & Data Processing Standards

Document IDVM-001
Version3.1
Effective DateJanuary 15, 2026
OwnerVendor Risk Management Team
Approved ByChief Procurement Officer & CISO
Review CycleSemi-Annual
ClassificationInternal — Confidential
Applicable Regulations21 CFR 820.50, HIPAA §164.308(b), GDPR Art. 28, SOC 2 CC9.2
Related DocumentsPP-001, SOP-DH-001, FDA-COMP-001, 21 CFR 820.50
Canonical URL: /vendor-management-policy.html
Document ID: VM-001
Policy Category: VENDOR
Active Vendors: 47
Tier 1 Critical: 12
Vendor Directory: /vendors/index.html
Scope — Healthcare & FDA Context Veridian Corp is an FDA-regulated medical device manufacturer. Vendor management extends beyond IT suppliers to include component manufacturers, sterilization services, clinical research organizations, cloud PHI processors, and calibration laboratories — all subject to 21 CFR Part 820 purchasing controls and HIPAA business associate requirements where applicable.

1.0 — Purpose & Scope

This policy establishes Veridian Corp's requirements for identifying, assessing, onboarding, monitoring, and offboarding third-party vendors that provide products, services, or processing of Veridian data — including Protected Health Information (PHI), FDA-regulated manufacturing components, and confidential intellectual property.

All third-party relationships that involve access to Veridian data, systems, facilities, or FDA-regulated manufacturing processes must be governed by this policy without exception.

No vendor may be engaged for services affecting device safety, data security, or regulatory compliance without completion of the vendor risk assessment workflow defined in Section 4.0.

Procurement, Legal, IT Security, Regulatory Affairs, and the Data Protection Officer must collaborate on all Tier 1 and Tier 2 vendor engagements before contract signature.

2.0 — Definitions

TermDefinitionRegulatory Reference
Tier 1 VendorCritical vendor whose failure would materially impact patient safety, device quality, or business continuity21 CFR 820.50(a)
Tier 2 VendorHigh-risk vendor with access to Confidential data, PHI, or production systemsHIPAA §164.308(b)(1)
Tier 3 VendorModerate-risk vendor with limited Internal data accessSOC 2 CC9.2
Tier 4 VendorLow-risk vendor with no data access (e.g., office supplies)
Business AssociateVendor that creates, receives, maintains, or transmits PHI on Veridian's behalfHIPAA §160.103
Approved Vendor List (AVL)Master register of qualified suppliers maintained by Procurement and Quality Assurance21 CFR 820.50(a)(1)
Supplier Corrective Action Request (SCAR)Formal request for vendor remediation of quality or compliance nonconformance21 CFR 820.100
Data Processing Agreement (DPA)Contract governing personal data processing under GDPR Article 28GDPR Art. 28

3.0 — Vendor Risk Tier Classification Matrix

TierRisk LevelExamplesAssessment FrequencyRequired ArtifactsApproval Authority
Tier 1 Critical Cloud PHI platform, sterilization contractor, PCB manufacturer, clinical CRO, EHR integration partner Quarterly review + annual on-site audit SOC 2 Type II, ISO 13485 cert, BAA/DPA, FDA registration, quality agreement CPO + CISO + VP Regulatory
Tier 2 High Payroll processor, legal counsel, penetration testing firm, LMS provider, backup/DR vendor Semi-annual questionnaire + annual SOC 2 review SOC 2 Type II or ISO 27001, DPA/BAA as applicable, signed NDA CPO + CISO
Tier 3 Moderate Marketing agency, travel management, office IT peripherals, translation services Annual questionnaire NDA, basic security questionnaire, insurance certificate Procurement Manager
Tier 4 Low Office supplies, catering, furniture, non-data SaaS tools At onboarding only Standard purchase order terms Department Manager

Vendor tier classification must be documented in the Vendor Risk Register within 3 business days of initial assessment and re-evaluated upon any material change to the vendor's scope of services.

Tier 1 vendors must not be downgraded to a lower tier without written approval from the CISO and VP of Regulatory Affairs.

4.0 — Vendor Onboarding Requirements

All prospective vendors must complete a Veridian information security questionnaire (Form VM-SEC-001) before contract execution.

Vendors classified as High Risk (Tier 1 or Tier 2) must provide a current SOC 2 Type II report or equivalent third-party audit (ISO 27001, ISO 13485, HITRUST) before onboarding.

A signed Non-Disclosure Agreement (NDA) must be in place before any confidential information, trade secrets, or device design data is shared with a prospective vendor.

Any vendor that will process personal data on behalf of Veridian Corp must sign a Data Processing Agreement (DPA) before any data transfer occurs.

Any vendor that will create, receive, maintain, or transmit PHI must execute a HIPAA Business Associate Agreement (BAA) before any PHI access is granted.

All vendor contracts with a value exceeding $50,000 annually must receive prior review and approval from the Legal department.

Contracts exceeding $250,000 annually or involving Tier 1 classification require Board Risk Committee notification within 10 business days of signature.

FDA-regulated component suppliers must be added to the Approved Vendor List (AVL) per SOP-PUR-003 before any purchase order affecting device manufacturing is issued.

Background checks are required for all vendor personnel who will have unsupervised physical access to Veridian facilities or production areas.

Onboarding Workflow Steps

StepActionOwnerSLASystem Record
1Submit Vendor Intake Form (VM-INT-001)Requesting DepartmentDay 0ServiceNow VM module
2Initial risk tier classificationVendor Risk Team3 business daysVendor Risk Register
3Security questionnaire sentIT Security5 business daysOneTrust Vendor Risk
4Legal review (if >$50K or Tier 1/2)Legal10 business daysIronclad CLM
5DPA/BAA execution (if applicable)Legal + DPOBefore data transferIronclad CLM
6SOC 2 / ISO cert reviewIT Security10 business daysOneTrust Vendor Risk
7FDA supplier qualification (if manufacturing)Quality Assurance15 business daysQMS — MasterControl
8Final approval & AVL additionCPO or delegate2 business daysApproved Vendor List
9Provision system access (if needed)IT Operations1 business day post-approvalActive Directory / SSO

5.0 — Due Diligence Assessment Checklist

Control AreaAssessment QuestionTier 1Tier 2Tier 3Evidence Required
Information SecurityDoes the vendor maintain a documented ISMS?RequiredRequiredRecommendedISO 27001 cert or SOC 2 Type II
EncryptionIs data encrypted at rest (AES-256) and in transit (TLS 1.2+)?RequiredRequiredIf data accessedArchitecture diagram, pen test report
Access ControlIs MFA enforced for all users accessing Veridian data?RequiredRequiredIf data accessedSecurity questionnaire response
Incident ResponseWill vendor notify Veridian within 48 hours of a security incident?RequiredRequiredRequiredContract clause + IR plan summary
Business ContinuityDoes vendor maintain BCP/DR with RTO < 4 hours?RequiredRequiredRecommendedBCP documentation, last test date
Sub-processorsAre sub-processors disclosed and approved?RequiredRequiredIf applicableSub-processor list in DPA
Data ResidencyIs data stored exclusively in approved geographic regions?RequiredRequiredIf data accessedData flow diagram, hosting locations
FDA QualityIs vendor ISO 13485 certified (if supplying device components)?RequiredN/AN/AISO 13485 certificate, audit report
Financial StabilityHas vendor passed financial viability check?RequiredRequiredRecommendedD&B report or audited financials
InsuranceDoes vendor carry cyber liability insurance ≥ $5M?RequiredRequiredRecommendedCertificate of insurance
Right to AuditDoes contract include Veridian right-to-audit clause?RequiredRequiredRecommendedExecuted contract
Data Return/DeletionAre data return and certified deletion obligations defined?RequiredRequiredIf data accessedContract offboarding clause

6.0 — Approved Vendor Register (Excerpt)

Full vendor profiles with URL-embedded detail pages: Vendor Directory →

Vendor IDVendor NameTierService CategoryData AccessAnnual SpendSOC 2BAA/DPALast AssessmentStatusProfile
VND-001CloudHealth Data SystemsTier 1Cloud PHI PlatformPHI, PII$1,240,0002025BAA + DPAJan 2026Active View
VND-002MedDevice Components Inc.Tier 1PCB & Sensor ManufacturingDevice specs, IP$3,870,000N/A (ISO 13485)Quality AgreementFeb 2026Active View
VND-003SterilTech SolutionsTier 1EO Sterilization ServicesDevice DHR data$890,000N/A (ISO 13485)Quality AgreementDec 2025Active
VND-004ClinResearch PartnersTier 1Clinical Research OrganizationPHI, clinical data$2,100,0002025BAA + DPANov 2025Active
VND-005SecureAuth Identity PlatformTier 2SSO / Identity ManagementEmployee PII$185,0002025DPAJan 2026Active
VND-006DataVault Backup ServicesTier 2Disaster Recovery / BackupAll Confidential data$320,0002025BAA + DPAOct 2025Active
VND-007PenTest Security GroupTier 2Annual Penetration TestingProduction systems$95,0002024NDA onlySep 2025Reassessment Q2 2026
VND-008LegalEdge Compliance CounselTier 2Regulatory Legal ServicesConfidential legal$410,000N/ANDA + DPAJan 2026Active
VND-009CalibratePro LabsTier 1ISO 17025 CalibrationDevice test records$156,000N/A (ISO 17025)Quality AgreementMar 2026Active
VND-010ShipLogistics MedicalTier 2Cold Chain DistributionDevice shipment data$540,0002025DPAFeb 2026Active
VND-011LearnPro LMS PlatformTier 2Compliance Training LMSEmployee PII$78,0002025DPAJan 2026Active
VND-012AI Analytics CorpTier 2De-identified Data AnalyticsDe-identified PHI$220,0002025BAA + DPADec 2025Active

7.0 — FDA Supplier Controls (21 CFR 820.50)

Manufacturing and component suppliers for FDA-regulated devices are subject to additional quality system requirements beyond standard IT vendor due diligence.

All suppliers of components, materials, or services that affect device safety and performance must be evaluated and approved per 21 CFR 820.50 before use in production.

Supplier quality agreements must define specifications, inspection requirements, change notification obligations, and right-to-audit provisions for all Tier 1 manufacturing vendors.

Suppliers must notify Veridian within 10 business days of any change to manufacturing processes, facilities, or materials that could affect component quality.

Receiving inspection records must be maintained for all incoming components per 21 CFR 820.80; nonconforming material must be quarantined and dispositioned per SOP-QC-008.

Supplier Corrective Action Requests (SCARs) must be issued within 5 business days of identification of a supplier quality nonconformance affecting device safety.

FDA Manufacturing Supplier Map

SupplierComponent/ServiceDevice(s) Affected510(k)ISO 13485Last AuditCFR Reference
MedDevice Components Inc.ECG sensor PCB assembliesVPM-4000K240847Yes — valid to 2028Feb 2026§820.50, §820.80
MedDevice Components Inc.Glucose sensor electrodesVGP-200K231156Yes — valid to 2028Feb 2026§820.50, §820.80
SterilTech SolutionsEO sterilization — final deviceVID-100, VPM-4000K220893, K240847Yes — valid to 2027Dec 2025§820.50
CalibratePro LabsCalibration — test equipmentAll Class II devicesAllISO 17025Mar 2026§820.72

Related: FDA Compliance Program · 21 CFR 820.50 Reference · QSR Audit Checklist (PDF)

8.0 — Ongoing Monitoring

All High Risk vendors (Tier 1 and Tier 2) must undergo an annual information security reassessment; results must be documented and retained for 3 years.

Quarterly business reviews must be conducted with all Tier 1 (critical) vendors to review performance, incidents, SLA compliance, and regulatory status.

All vendor contracts must include a clause requiring the vendor to notify Veridian Corp within 48 hours of any security incident affecting Veridian data.

The Vendor Risk Register must be updated within 5 business days of any material change to a vendor's risk profile, ownership, or service scope.

Expired SOC 2 or ISO certification reports must trigger an immediate reassessment; vendors with expired reports exceeding 90 days must be suspended from AVL pending remediation.

Continuous monitoring alerts from OneTrust Vendor Risk must be triaged by IT Security within 2 business days of receipt.

2026 Monitoring Calendar — Tier 1 Vendors

QuarterVendorActivityOwnerStatus
Q1 2026CloudHealth Data SystemsSOC 2 review + on-site auditIT SecurityComplete
Q1 2026MedDevice Components Inc.ISO 13485 supplier auditQuality AssuranceComplete
Q2 2026SterilTech SolutionsQuality agreement review + process validationQuality AssuranceScheduled Apr 2026
Q2 2026ClinResearch PartnersClinical data security assessmentDPO + IT SecurityScheduled May 2026
Q3 2026CloudHealth Data SystemsQuarterly business reviewVendor Risk TeamPlanned
Q3 2026CalibratePro LabsCalibration certificate renewal auditQuality AssurancePlanned
Q4 2026All Tier 1 vendorsAnnual reassessment cycle completionVendor Risk TeamPlanned

9.0 — Contract & Agreement Requirements

Agreement TypeRequired WhenKey ClausesOwnerTemplate ID
Master Services Agreement (MSA)All Tier 1/2 engagementsSLA, liability, termination, governing lawLegalVM-MSA-001
Business Associate Agreement (BAA)Any PHI accessHIPAA safeguards, breach notification, subcontractor flow-downLegal + DPOVM-BAA-001
Data Processing Agreement (DPA)Any personal data processingGDPR Art. 28, sub-processors, data subject rights, SCCsLegal + DPOVM-DPA-001
Quality AgreementFDA manufacturing suppliersSpecifications, change control, audit rights, SCAR processQuality AssuranceVM-QA-001
Non-Disclosure Agreement (NDA)Before any confidential disclosureConfidentiality term 5 years, return/destructionLegalVM-NDA-001

Contract renewal for Tier 1 vendors must include updated SOC 2 or ISO certification and a refreshed security questionnaire no older than 12 months.

Auto-renewal clauses in vendor contracts exceeding $100,000 annually require explicit opt-in approval from the CPO; silent auto-renewal is prohibited.

10.0 — Vendor Offboarding

Upon contract termination, vendors must return or provide certified destruction of all Veridian Corp data within 30 calendar days.

All vendor access to Veridian systems, networks, VPN, and physical facilities must be revoked on the final day of the contract.

A signed offboarding checklist (Form VM-OFF-001) confirming data return/destruction and access revocation must be obtained before final payment is released.

Vendor offboarding for Tier 1 vendors requires a joint exit meeting with IT Security, Legal, and the business owner within 10 business days of contract end.

Certified destruction certificates for physical or electronic media containing Confidential or PHI data must be retained for 7 years.

Offboarding Checklist (Form VM-OFF-001)

#Checklist ItemResponsible PartyEvidenceDue
1Revoke all system and VPN accessIT OperationsAccess revocation logContract end date
2Revoke physical badge and facility accessFacilitiesBadge return recordContract end date
3Confirm data return or certified destructionVendor + DPODestruction certificate30 days post-termination
4Remove from Approved Vendor ListProcurementAVL update record5 business days
5Archive contract and assessment recordsLegalIronclad archive10 business days
6Notify affected business unitsVendor Risk TeamEmail notification logContract end date
7Update Vendor Risk Register status to "Terminated"Vendor Risk TeamRegister entry5 business days
8Conduct exit interview (Tier 1 only)CPO delegateMeeting minutes10 business days

11.0 — Vendor Security Incidents

Upon notification of a vendor security incident affecting Veridian data, the Vendor Risk Team must open an incident ticket within 2 hours and classify severity per the Incident Response Plan.

Vendor incidents involving PHI must be escalated to the Data Protection Officer within 4 hours for HIPAA breach assessment.

Vendor incidents affecting FDA-regulated manufacturing data must be reported to Regulatory Affairs within 24 hours for impact assessment on device quality records.

Historical Vendor Incidents (2024–2026)

DateVendorIncident TypeData AffectedSeverityResolutionRegulatory Impact
Oct 2025CloudHealth Data SystemsUnauthorized API access attemptNone — blockedS3Vendor patched API gateway; reassessment completeNone
Jun 2025DataVault Backup ServicesBackup encryption key rotation delayEncrypted backupsS3Keys rotated within 72 hours; SLA credit issuedNone
Mar 2025MedDevice Components Inc.Component lot nonconformanceProduction batch VPM-4000-2025-Q1-0847QualitySCAR issued; lot quarantined and reworkedCAPA-2025-047 opened
Nov 2024ClinResearch PartnersPhishing attack on CRO employeeNo PHI exfiltratedS3CRO retrained staff; MFA enforcedNone

12.0 — Revision History

VersionDateAuthorChanges
3.1Jan 15, 2026R. NakamuraAdded FDA supplier controls (§820.50), vendor register, monitoring calendar, offboarding checklist
3.0Jul 1, 2025R. NakamuraIntegrated OneTrust Vendor Risk platform; added Tier 1 on-site audit requirement
2.0Jan 8, 2025S. ChenAdded BAA requirements for PHI vendors; raised contract review threshold to $50K
1.0Mar 1, 2024R. NakamuraInitial release