Vendor Management Policy
Veridian Corp — Third-Party Vendor Risk, FDA Supplier Controls & Data Processing Standards
| Document ID | VM-001 |
| Version | 3.1 |
| Effective Date | January 15, 2026 |
| Owner | Vendor Risk Management Team |
| Approved By | Chief Procurement Officer & CISO |
| Review Cycle | Semi-Annual |
| Classification | Internal — Confidential |
| Applicable Regulations | 21 CFR 820.50, HIPAA §164.308(b), GDPR Art. 28, SOC 2 CC9.2 |
| Related Documents | PP-001, SOP-DH-001, FDA-COMP-001, 21 CFR 820.50 |
1.0 — Purpose & Scope
This policy establishes Veridian Corp's requirements for identifying, assessing, onboarding, monitoring, and offboarding third-party vendors that provide products, services, or processing of Veridian data — including Protected Health Information (PHI), FDA-regulated manufacturing components, and confidential intellectual property.
All third-party relationships that involve access to Veridian data, systems, facilities, or FDA-regulated manufacturing processes must be governed by this policy without exception.
No vendor may be engaged for services affecting device safety, data security, or regulatory compliance without completion of the vendor risk assessment workflow defined in Section 4.0.
Procurement, Legal, IT Security, Regulatory Affairs, and the Data Protection Officer must collaborate on all Tier 1 and Tier 2 vendor engagements before contract signature.
2.0 — Definitions
| Term | Definition | Regulatory Reference |
|---|---|---|
| Tier 1 Vendor | Critical vendor whose failure would materially impact patient safety, device quality, or business continuity | 21 CFR 820.50(a) |
| Tier 2 Vendor | High-risk vendor with access to Confidential data, PHI, or production systems | HIPAA §164.308(b)(1) |
| Tier 3 Vendor | Moderate-risk vendor with limited Internal data access | SOC 2 CC9.2 |
| Tier 4 Vendor | Low-risk vendor with no data access (e.g., office supplies) | — |
| Business Associate | Vendor that creates, receives, maintains, or transmits PHI on Veridian's behalf | HIPAA §160.103 |
| Approved Vendor List (AVL) | Master register of qualified suppliers maintained by Procurement and Quality Assurance | 21 CFR 820.50(a)(1) |
| Supplier Corrective Action Request (SCAR) | Formal request for vendor remediation of quality or compliance nonconformance | 21 CFR 820.100 |
| Data Processing Agreement (DPA) | Contract governing personal data processing under GDPR Article 28 | GDPR Art. 28 |
3.0 — Vendor Risk Tier Classification Matrix
| Tier | Risk Level | Examples | Assessment Frequency | Required Artifacts | Approval Authority |
|---|---|---|---|---|---|
| Tier 1 | Critical | Cloud PHI platform, sterilization contractor, PCB manufacturer, clinical CRO, EHR integration partner | Quarterly review + annual on-site audit | SOC 2 Type II, ISO 13485 cert, BAA/DPA, FDA registration, quality agreement | CPO + CISO + VP Regulatory |
| Tier 2 | High | Payroll processor, legal counsel, penetration testing firm, LMS provider, backup/DR vendor | Semi-annual questionnaire + annual SOC 2 review | SOC 2 Type II or ISO 27001, DPA/BAA as applicable, signed NDA | CPO + CISO |
| Tier 3 | Moderate | Marketing agency, travel management, office IT peripherals, translation services | Annual questionnaire | NDA, basic security questionnaire, insurance certificate | Procurement Manager |
| Tier 4 | Low | Office supplies, catering, furniture, non-data SaaS tools | At onboarding only | Standard purchase order terms | Department Manager |
Vendor tier classification must be documented in the Vendor Risk Register within 3 business days of initial assessment and re-evaluated upon any material change to the vendor's scope of services.
Tier 1 vendors must not be downgraded to a lower tier without written approval from the CISO and VP of Regulatory Affairs.
4.0 — Vendor Onboarding Requirements
All prospective vendors must complete a Veridian information security questionnaire (Form VM-SEC-001) before contract execution.
Vendors classified as High Risk (Tier 1 or Tier 2) must provide a current SOC 2 Type II report or equivalent third-party audit (ISO 27001, ISO 13485, HITRUST) before onboarding.
A signed Non-Disclosure Agreement (NDA) must be in place before any confidential information, trade secrets, or device design data is shared with a prospective vendor.
Any vendor that will process personal data on behalf of Veridian Corp must sign a Data Processing Agreement (DPA) before any data transfer occurs.
Any vendor that will create, receive, maintain, or transmit PHI must execute a HIPAA Business Associate Agreement (BAA) before any PHI access is granted.
All vendor contracts with a value exceeding $50,000 annually must receive prior review and approval from the Legal department.
Contracts exceeding $250,000 annually or involving Tier 1 classification require Board Risk Committee notification within 10 business days of signature.
FDA-regulated component suppliers must be added to the Approved Vendor List (AVL) per SOP-PUR-003 before any purchase order affecting device manufacturing is issued.
Background checks are required for all vendor personnel who will have unsupervised physical access to Veridian facilities or production areas.
Onboarding Workflow Steps
| Step | Action | Owner | SLA | System Record |
|---|---|---|---|---|
| 1 | Submit Vendor Intake Form (VM-INT-001) | Requesting Department | Day 0 | ServiceNow VM module |
| 2 | Initial risk tier classification | Vendor Risk Team | 3 business days | Vendor Risk Register |
| 3 | Security questionnaire sent | IT Security | 5 business days | OneTrust Vendor Risk |
| 4 | Legal review (if >$50K or Tier 1/2) | Legal | 10 business days | Ironclad CLM |
| 5 | DPA/BAA execution (if applicable) | Legal + DPO | Before data transfer | Ironclad CLM |
| 6 | SOC 2 / ISO cert review | IT Security | 10 business days | OneTrust Vendor Risk |
| 7 | FDA supplier qualification (if manufacturing) | Quality Assurance | 15 business days | QMS — MasterControl |
| 8 | Final approval & AVL addition | CPO or delegate | 2 business days | Approved Vendor List |
| 9 | Provision system access (if needed) | IT Operations | 1 business day post-approval | Active Directory / SSO |
5.0 — Due Diligence Assessment Checklist
| Control Area | Assessment Question | Tier 1 | Tier 2 | Tier 3 | Evidence Required |
|---|---|---|---|---|---|
| Information Security | Does the vendor maintain a documented ISMS? | Required | Required | Recommended | ISO 27001 cert or SOC 2 Type II |
| Encryption | Is data encrypted at rest (AES-256) and in transit (TLS 1.2+)? | Required | Required | If data accessed | Architecture diagram, pen test report |
| Access Control | Is MFA enforced for all users accessing Veridian data? | Required | Required | If data accessed | Security questionnaire response |
| Incident Response | Will vendor notify Veridian within 48 hours of a security incident? | Required | Required | Required | Contract clause + IR plan summary |
| Business Continuity | Does vendor maintain BCP/DR with RTO < 4 hours? | Required | Required | Recommended | BCP documentation, last test date |
| Sub-processors | Are sub-processors disclosed and approved? | Required | Required | If applicable | Sub-processor list in DPA |
| Data Residency | Is data stored exclusively in approved geographic regions? | Required | Required | If data accessed | Data flow diagram, hosting locations |
| FDA Quality | Is vendor ISO 13485 certified (if supplying device components)? | Required | N/A | N/A | ISO 13485 certificate, audit report |
| Financial Stability | Has vendor passed financial viability check? | Required | Required | Recommended | D&B report or audited financials |
| Insurance | Does vendor carry cyber liability insurance ≥ $5M? | Required | Required | Recommended | Certificate of insurance |
| Right to Audit | Does contract include Veridian right-to-audit clause? | Required | Required | Recommended | Executed contract |
| Data Return/Deletion | Are data return and certified deletion obligations defined? | Required | Required | If data accessed | Contract offboarding clause |
6.0 — Approved Vendor Register (Excerpt)
Full vendor profiles with URL-embedded detail pages: Vendor Directory →
| Vendor ID | Vendor Name | Tier | Service Category | Data Access | Annual Spend | SOC 2 | BAA/DPA | Last Assessment | Status | Profile |
|---|---|---|---|---|---|---|---|---|---|---|
| VND-001 | CloudHealth Data Systems | Tier 1 | Cloud PHI Platform | PHI, PII | $1,240,000 | 2025 | BAA + DPA | Jan 2026 | Active | View |
| VND-002 | MedDevice Components Inc. | Tier 1 | PCB & Sensor Manufacturing | Device specs, IP | $3,870,000 | N/A (ISO 13485) | Quality Agreement | Feb 2026 | Active | View |
| VND-003 | SterilTech Solutions | Tier 1 | EO Sterilization Services | Device DHR data | $890,000 | N/A (ISO 13485) | Quality Agreement | Dec 2025 | Active | — |
| VND-004 | ClinResearch Partners | Tier 1 | Clinical Research Organization | PHI, clinical data | $2,100,000 | 2025 | BAA + DPA | Nov 2025 | Active | — |
| VND-005 | SecureAuth Identity Platform | Tier 2 | SSO / Identity Management | Employee PII | $185,000 | 2025 | DPA | Jan 2026 | Active | — |
| VND-006 | DataVault Backup Services | Tier 2 | Disaster Recovery / Backup | All Confidential data | $320,000 | 2025 | BAA + DPA | Oct 2025 | Active | — |
| VND-007 | PenTest Security Group | Tier 2 | Annual Penetration Testing | Production systems | $95,000 | 2024 | NDA only | Sep 2025 | Reassessment Q2 2026 | — |
| VND-008 | LegalEdge Compliance Counsel | Tier 2 | Regulatory Legal Services | Confidential legal | $410,000 | N/A | NDA + DPA | Jan 2026 | Active | — |
| VND-009 | CalibratePro Labs | Tier 1 | ISO 17025 Calibration | Device test records | $156,000 | N/A (ISO 17025) | Quality Agreement | Mar 2026 | Active | — |
| VND-010 | ShipLogistics Medical | Tier 2 | Cold Chain Distribution | Device shipment data | $540,000 | 2025 | DPA | Feb 2026 | Active | — |
| VND-011 | LearnPro LMS Platform | Tier 2 | Compliance Training LMS | Employee PII | $78,000 | 2025 | DPA | Jan 2026 | Active | — |
| VND-012 | AI Analytics Corp | Tier 2 | De-identified Data Analytics | De-identified PHI | $220,000 | 2025 | BAA + DPA | Dec 2025 | Active | — |
7.0 — FDA Supplier Controls (21 CFR 820.50)
Manufacturing and component suppliers for FDA-regulated devices are subject to additional quality system requirements beyond standard IT vendor due diligence.
All suppliers of components, materials, or services that affect device safety and performance must be evaluated and approved per 21 CFR 820.50 before use in production.
Supplier quality agreements must define specifications, inspection requirements, change notification obligations, and right-to-audit provisions for all Tier 1 manufacturing vendors.
Suppliers must notify Veridian within 10 business days of any change to manufacturing processes, facilities, or materials that could affect component quality.
Receiving inspection records must be maintained for all incoming components per 21 CFR 820.80; nonconforming material must be quarantined and dispositioned per SOP-QC-008.
Supplier Corrective Action Requests (SCARs) must be issued within 5 business days of identification of a supplier quality nonconformance affecting device safety.
FDA Manufacturing Supplier Map
| Supplier | Component/Service | Device(s) Affected | 510(k) | ISO 13485 | Last Audit | CFR Reference |
|---|---|---|---|---|---|---|
| MedDevice Components Inc. | ECG sensor PCB assemblies | VPM-4000 | K240847 | Yes — valid to 2028 | Feb 2026 | §820.50, §820.80 |
| MedDevice Components Inc. | Glucose sensor electrodes | VGP-200 | K231156 | Yes — valid to 2028 | Feb 2026 | §820.50, §820.80 |
| SterilTech Solutions | EO sterilization — final device | VID-100, VPM-4000 | K220893, K240847 | Yes — valid to 2027 | Dec 2025 | §820.50 |
| CalibratePro Labs | Calibration — test equipment | All Class II devices | All | ISO 17025 | Mar 2026 | §820.72 |
Related: FDA Compliance Program · 21 CFR 820.50 Reference · QSR Audit Checklist (PDF)
8.0 — Ongoing Monitoring
All High Risk vendors (Tier 1 and Tier 2) must undergo an annual information security reassessment; results must be documented and retained for 3 years.
Quarterly business reviews must be conducted with all Tier 1 (critical) vendors to review performance, incidents, SLA compliance, and regulatory status.
All vendor contracts must include a clause requiring the vendor to notify Veridian Corp within 48 hours of any security incident affecting Veridian data.
The Vendor Risk Register must be updated within 5 business days of any material change to a vendor's risk profile, ownership, or service scope.
Expired SOC 2 or ISO certification reports must trigger an immediate reassessment; vendors with expired reports exceeding 90 days must be suspended from AVL pending remediation.
Continuous monitoring alerts from OneTrust Vendor Risk must be triaged by IT Security within 2 business days of receipt.
2026 Monitoring Calendar — Tier 1 Vendors
| Quarter | Vendor | Activity | Owner | Status |
|---|---|---|---|---|
| Q1 2026 | CloudHealth Data Systems | SOC 2 review + on-site audit | IT Security | Complete |
| Q1 2026 | MedDevice Components Inc. | ISO 13485 supplier audit | Quality Assurance | Complete |
| Q2 2026 | SterilTech Solutions | Quality agreement review + process validation | Quality Assurance | Scheduled Apr 2026 |
| Q2 2026 | ClinResearch Partners | Clinical data security assessment | DPO + IT Security | Scheduled May 2026 |
| Q3 2026 | CloudHealth Data Systems | Quarterly business review | Vendor Risk Team | Planned |
| Q3 2026 | CalibratePro Labs | Calibration certificate renewal audit | Quality Assurance | Planned |
| Q4 2026 | All Tier 1 vendors | Annual reassessment cycle completion | Vendor Risk Team | Planned |
9.0 — Contract & Agreement Requirements
| Agreement Type | Required When | Key Clauses | Owner | Template ID |
|---|---|---|---|---|
| Master Services Agreement (MSA) | All Tier 1/2 engagements | SLA, liability, termination, governing law | Legal | VM-MSA-001 |
| Business Associate Agreement (BAA) | Any PHI access | HIPAA safeguards, breach notification, subcontractor flow-down | Legal + DPO | VM-BAA-001 |
| Data Processing Agreement (DPA) | Any personal data processing | GDPR Art. 28, sub-processors, data subject rights, SCCs | Legal + DPO | VM-DPA-001 |
| Quality Agreement | FDA manufacturing suppliers | Specifications, change control, audit rights, SCAR process | Quality Assurance | VM-QA-001 |
| Non-Disclosure Agreement (NDA) | Before any confidential disclosure | Confidentiality term 5 years, return/destruction | Legal | VM-NDA-001 |
Contract renewal for Tier 1 vendors must include updated SOC 2 or ISO certification and a refreshed security questionnaire no older than 12 months.
Auto-renewal clauses in vendor contracts exceeding $100,000 annually require explicit opt-in approval from the CPO; silent auto-renewal is prohibited.
10.0 — Vendor Offboarding
Upon contract termination, vendors must return or provide certified destruction of all Veridian Corp data within 30 calendar days.
All vendor access to Veridian systems, networks, VPN, and physical facilities must be revoked on the final day of the contract.
A signed offboarding checklist (Form VM-OFF-001) confirming data return/destruction and access revocation must be obtained before final payment is released.
Vendor offboarding for Tier 1 vendors requires a joint exit meeting with IT Security, Legal, and the business owner within 10 business days of contract end.
Certified destruction certificates for physical or electronic media containing Confidential or PHI data must be retained for 7 years.
Offboarding Checklist (Form VM-OFF-001)
| # | Checklist Item | Responsible Party | Evidence | Due |
|---|---|---|---|---|
| 1 | Revoke all system and VPN access | IT Operations | Access revocation log | Contract end date |
| 2 | Revoke physical badge and facility access | Facilities | Badge return record | Contract end date |
| 3 | Confirm data return or certified destruction | Vendor + DPO | Destruction certificate | 30 days post-termination |
| 4 | Remove from Approved Vendor List | Procurement | AVL update record | 5 business days |
| 5 | Archive contract and assessment records | Legal | Ironclad archive | 10 business days |
| 6 | Notify affected business units | Vendor Risk Team | Email notification log | Contract end date |
| 7 | Update Vendor Risk Register status to "Terminated" | Vendor Risk Team | Register entry | 5 business days |
| 8 | Conduct exit interview (Tier 1 only) | CPO delegate | Meeting minutes | 10 business days |
11.0 — Vendor Security Incidents
Upon notification of a vendor security incident affecting Veridian data, the Vendor Risk Team must open an incident ticket within 2 hours and classify severity per the Incident Response Plan.
Vendor incidents involving PHI must be escalated to the Data Protection Officer within 4 hours for HIPAA breach assessment.
Vendor incidents affecting FDA-regulated manufacturing data must be reported to Regulatory Affairs within 24 hours for impact assessment on device quality records.
Historical Vendor Incidents (2024–2026)
| Date | Vendor | Incident Type | Data Affected | Severity | Resolution | Regulatory Impact |
|---|---|---|---|---|---|---|
| Oct 2025 | CloudHealth Data Systems | Unauthorized API access attempt | None — blocked | S3 | Vendor patched API gateway; reassessment complete | None |
| Jun 2025 | DataVault Backup Services | Backup encryption key rotation delay | Encrypted backups | S3 | Keys rotated within 72 hours; SLA credit issued | None |
| Mar 2025 | MedDevice Components Inc. | Component lot nonconformance | Production batch VPM-4000-2025-Q1-0847 | Quality | SCAR issued; lot quarantined and reworked | CAPA-2025-047 opened |
| Nov 2024 | ClinResearch Partners | Phishing attack on CRO employee | No PHI exfiltrated | S3 | CRO retrained staff; MFA enforced | None |
12.0 — Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 3.1 | Jan 15, 2026 | R. Nakamura | Added FDA supplier controls (§820.50), vendor register, monitoring calendar, offboarding checklist |
| 3.0 | Jul 1, 2025 | R. Nakamura | Integrated OneTrust Vendor Risk platform; added Tier 1 on-site audit requirement |
| 2.0 | Jan 8, 2025 | S. Chen | Added BAA requirements for PHI vendors; raised contract review threshold to $50K |
| 1.0 | Mar 1, 2024 | R. Nakamura | Initial release |