Supplier Management Policy

How CompleteFlow selects, conducts due diligence on, onboards, monitors, and offboards its suppliers and sub-processors, to maintain the security and data protection commitments made to customers.

Document
CF-POL-007
Version
1.0
Classification
External / Customer-shareable
Last reviewed
2026-02-27
Owner
Director and Information Security Officer, CompleteFlow Ltd
Next review
2027-02-27

1. Purpose

This policy sets out how CompleteFlow Ltd selects, conducts due diligence on, onboards, monitors, and offboards its suppliers and sub-processors, to maintain the security and data protection commitments it makes to customers.

2. Scope

This policy applies to:

  • Sub-processors: third parties that process customer personal data on behalf of CompleteFlow (currently Microsoft Ireland Operations Ltd as listed in CF-DOC-001 section 9)
  • Material suppliers: third parties whose services materially affect the security, availability, or integrity of CompleteFlow's services, even where they do not process customer personal data (for example, code-repository, CI/CD, monitoring, identity tooling)
  • Non-material suppliers: third parties whose services do not touch customer data or production systems (for example, accounting, general office tooling). These are subject to a lighter-weight review

3. Supplier tiering

Tier | Examples | Due diligence | Review cadence
Sub-processor (handles customer personal data) | Microsoft (and any future sub-processor) | Full: security, privacy, operational, contractual | Annual, plus on material change
Material supplier | GitHub, identity provider tooling, monitoring (if enabled) | Targeted: security posture, data minimisation, contractual | Annual
Non-material supplier | Accounting software, general office tooling | Light: public information, standard commercial terms | Biennial

4. Selection and due diligence

Before engaging a supplier in the sub-processor or material tiers, CompleteFlow assesses:

4.1 Security posture

  • Recognised certifications (ISO/IEC 27001, SOC 2 Type II, Cyber Essentials Plus) or a published equivalent
  • Most recent independent audit report or summary (e.g. SOC 2 report)
  • Published security overview, penetration-testing approach, and disclosure policy
  • Support for MFA, SSO, audit logging, encryption at rest and in transit, and regional data handling
  • Track record and public incident history

4.2 Data protection

  • UK GDPR compliance posture, including lawful basis, data subject rights handling, and breach notification commitments
  • Data residency: the default processing location and the options available to restrict processing to the UK or EEA
  • A published sub-sub-processor list, with notification of changes
  • Whether the supplier's service terms preclude use of customer data for training AI models or unrelated product improvement
  • International transfer posture and mechanisms (IDTA, adequacy)

4.3 Operational and commercial

  • Service level and availability commitments
  • Business continuity and disaster recovery posture
  • Financial stability (ability to deliver over contract term)
  • Geographic presence and the relevant jurisdiction
  • Customer portfolio (regulated-sector reference customers are a positive indicator)

4.4 Alignment with customer context

For sub-processors, CompleteFlow additionally considers whether the supplier's profile is acceptable to CompleteFlow's customers, particularly those in regulated sectors. Where a customer's own due diligence requirements are more stringent (for example, the SRA Code of Conduct, FCA outsourcing expectations), CompleteFlow's selection accommodates those requirements.

5. Contractual requirements

Sub-processor agreements must include, at minimum:

  • Confidentiality obligations extending to all personnel handling customer data
  • Flow-down of the data protection commitments CompleteFlow makes to its customers, including UK GDPR Article 28 processor terms
  • Security requirements aligned with CF-POL-001 and this policy
  • Breach notification obligations aligned with CompleteFlow's own customer commitments and UK GDPR Article 33 timelines; specific response windows agreed in the sub-processor agreement and in the customer's DPA (see CF-PLAN-001)
  • Data subject rights cooperation (Article 28(3)(e))
  • Audit and inspection rights, including rights to evidence of control operation
  • Restrictions on further sub-processing without notice and consent
  • Data location restrictions consistent with CF-DOC-001 section 3.2
  • Return or deletion of customer data at termination per CF-POL-006
  • Personnel background-check expectations consistent with CF-POL-001 section 7.5
  • Indemnification and liability terms appropriate to the scope of the arrangement

Material supplier agreements must include security, availability, and breach-notification terms appropriate to the service provided.

6. Onboarding

  • Prior to use, each supplier is added to the CompleteFlow supplier register with tier, scope, data categories handled, jurisdictions, and contract references
  • For sub-processors, customers are notified with 30 days' advance notice (per CF-DOC-001 section 9.2), with the customer retaining the right to terminate the agreement on reasonable terms if it objects to the change. Existing standing sub-processors listed at contract signature do not require fresh notice.
  • Technical controls for data flow restriction, access limitation, and monitoring are put in place before production use

7. Ongoing monitoring

For sub-processors and material suppliers, CompleteFlow performs ongoing monitoring:

  • Annual review of security posture, audit reports, and any published changes to sub-processing, data location, or terms
  • Incident monitoring: subscribing to supplier security advisories, service health channels, and breach notifications
  • Performance review: availability, support responsiveness, and any material service degradation
  • Contract changes: supplier-initiated changes (terms, DPAs, sub-sub-processor list) are reviewed on receipt and assessed for customer impact

Findings from monitoring feed into the risk register (CF-REG-001). Material changes trigger customer notification.

8. Specific sub-processors

8.1 Microsoft Ireland Operations Ltd

Microsoft is selected on the basis of its published audit reports (ISO/IEC 27001, SOC 1/2/3, CSA STAR, UK Cyber Essentials Plus), its contractual commitments (Microsoft Online Services Terms, Azure Data Protection Addendum), and its UK data residency support.

Monitoring uses the Microsoft Trust Center, Microsoft service health and security advisories, and the published Azure sub-processor list. Azure OpenAI Service is subject to Microsoft's Azure OpenAI Service data handling policy; the Limited Access Program is available to customers on request to eliminate abuse-monitoring retention.

8.2 Optional sub-processors (Sentry, PostHog)

Sentry and PostHog are offered only on an opt-in basis with explicit customer consent, as described in CF-DOC-001 section 9. Where enabled:

  • Sentry error payloads are scrubbed of personal data at source; a documented allow-list of fields governs what may leave the customer's environment
  • PostHog is deployed in a self-hosted or EU-hosted configuration per customer preference, with personal identifiers minimised

9. Incidents involving suppliers

Supplier-side incidents that may affect customer data or service availability are handled under CF-PLAN-001. Contractual breach notification timelines in supplier agreements are set to enable CompleteFlow to meet its own customer and UK GDPR Article 33 obligations.

10. Offboarding

At the end of a supplier relationship:

  • Access to CompleteFlow systems and customer data is revoked immediately
  • Data held by the supplier is returned or deleted per the contract, with written confirmation
  • Secrets or credentials that the supplier had access to are rotated
  • Customer notification is issued where the supplier was a sub-processor, with any transition plan attached
  • The supplier register is updated and the change reflected in the next annual review

11. Supplier register

The CompleteFlow supplier register contains, for each supplier:

  • Name, address, legal entity, and CompleteFlow point of contact
  • Tier and service description
  • Data categories handled and jurisdictions
  • Contract references (MSA, DPA, order forms) and renewal dates
  • Key terms on confidentiality, breach notification, audit rights, sub-sub-processing
  • Dates of last due diligence and next scheduled review

The register is maintained by the Information Security Officer and reviewed at least annually.

12. Document control

Version | Date | Author | Change
1.0 | 2026-04-24 | J. Griffin | Initial approved version