1. Purpose
Every third party that touches the Spark platform or customer data is itself a piece of our security posture. This policy defines how SlashLogixx selects, contracts with, monitors, and offboards those parties.
2. Scope
Applies to any external service or company that processes, stores, transmits, hosts, or has logical access to customer data, production infrastructure, source code, or administrative tooling. The current public list is maintained on the Subprocessors page.
3. Onboarding Review
Before a new vendor is added to a production data path, Security completes a documented review covering:
- What data the vendor will access, at what classification.
- The vendor's published security posture (SOC 2, ISO 27001, pen test, trust center, etc.).
- The vendor's data-handling, retention, sub-processing, and breach-notification commitments.
- Geographic location of processing and storage.
- Material concentration risk relative to existing dependencies.
4. Contractual Posture
Vendors that process Confidential or Restricted customer data must be under a contract that includes, at minimum:
- A confidentiality clause covering customer data.
- Data-processing terms aligned with the relevant DPA/BAA SlashLogixx has signed with its own customers.
- A breach-notification commitment compatible with our 24-hour customer-notification target.
- An audit or assurance pathway (right to request the vendor's most recent SOC 2 / ISO report / pen test).
5. Customer Notification of Subprocessor Changes
- The public Subprocessors list is updated when a vendor is added, removed, or materially repurposed.
- Customers under a signed Data Processing Addendum may subscribe to advance notification of new or removed subprocessors. The standard notification window is thirty (30) days unless contracted otherwise.
6. Monitoring
- Vendors handling Confidential or Restricted data are reviewed at least annually for continued fitness, including any reported security incidents.
- Status pages, security mailing lists, and CVE feeds for in-scope vendors are monitored on a continuous basis.
- Material vendor incidents are evaluated for customer impact under the Incident Response policy.
7. Concentration & Continuity
- Where reasonable, critical capabilities (compute, storage, identity, payments) maintain a documented secondary path or migration plan to mitigate single-vendor failure.
- Vendors that hold uniquely critical roles are explicitly tracked as key dependencies in the Business Continuity plan.
8. Offboarding
- When a vendor relationship ends, all SlashLogixx-issued credentials are revoked and the vendor is contractually required to return or destroy customer data within thirty (30) days.
- Confirmation of data destruction is requested in writing where the contract supports it.
- The subprocessor list is updated and, where applicable, customers under DPA are notified.
9. AI Subprocessors
External AI providers that process customer data are treated as Restricted-data subprocessors. SlashLogixx selects only providers with zero-retention, no-training contractual commitments for production traffic, and configures the integration accordingly. The current AI subprocessor set is shown on the Subprocessors page.