# Vendor Risk Register — Vigilant Entities

> ISO 27001 A.15 / SOC 2 CC9.2 / GDPR Art. 28 compliant.
> One row per third party we share data with. Reviewed annually,
> or whenever a vendor changes status.

## Risk-tier definitions

| Tier | Definition                                                       | Approval needed                 |
|------|------------------------------------------------------------------|---------------------------------|
| T1   | Receives plaintext PII OR processes payments                     | Legal + Security + CEO          |
| T2   | Receives derived PII (hashes, redacted) OR business data         | Legal + Security                |
| T3   | Operational tooling — no customer data                            | Security                        |

## Active vendors

### Stripe (T1 — Payment processing)
| Attribute            | Value                                                |
|----------------------|------------------------------------------------------|
| Data shared          | Customer email, name, tenant_id, billing address, payment method (tokenised by Stripe) |
| Legal basis          | Contract (GDPR Art. 6(1)(b))                         |
| DPA                  | https://stripe.com/legal/dpa (signed 2025-01-15)     |
| Sub-processors       | https://stripe.com/sub-processors                    |
| SOC 2                | Type II — current                                    |
| PCI DSS              | Level 1 attestation                                  |
| Data residency       | US (with EU replicas)                                |
| Webhook security     | HMAC signature verified (`stripe.Webhook.construct_event`) |
| API key rotation     | 90 days (calendar reminder in Ops)                   |
| Incident playbook    | See `INCIDENT_RESPONSE.md` §3 "API key leak"        |

### Resend (T2 — Transactional email)
| Attribute            | Value                                                |
|----------------------|------------------------------------------------------|
| Data shared          | Recipient email + body of magic-link / alert / receipt emails |
| Legal basis          | Contract                                             |
| DPA                  | https://resend.com/legal/dpa (signed 2025-09-10)     |
| SOC 2                | Type II                                              |
| Data residency       | US-east                                              |
| Domain verification  | DKIM + SPF + DMARC on vigilantentities.com           |
| Sender authentication| Verified domain @ resend.com/domains                 |
| API key scope        | Send-only (no inbox / list management)               |
| API key rotation     | 90 days                                              |

### AWS (T1 — Bedrock inference + S3 backups + STS)
| Attribute            | Value                                                |
|----------------------|------------------------------------------------------|
| Data shared          | Prompts (redacted), embeddings, encrypted backups   |
| Legal basis          | Contract + customer-controlled tenancy               |
| Access pattern       | STS AssumeRole with external_id per tenant           |
| Data residency       | Customer's chosen region (default `me-central-1` for QA tenants) |
| SOC 2                | Type II                                              |
| ISO 27001 / 27017 / 27018 | All current                                     |
| Bedrock data policy  | Customer-owned, NOT used for training                |
| Encryption           | KMS at rest, TLS 1.3 in transit                      |
| Key custody          | Customer (tenant's own AWS KMS)                      |

### Cloudflare (T3 — CDN / WAF)
| Attribute            | Value                                                |
|----------------------|------------------------------------------------------|
| Data shared          | HTTP request metadata, TLS termination               |
| Legal basis          | Legitimate interest (security)                       |
| DPA                  | https://www.cloudflare.com/cloudflare-customer-dpa/  |
| SOC 2 / ISO 27001    | All current                                          |
| Data residency       | Global edge                                          |
| WAF ruleset          | OWASP Core Rule Set + custom rules                   |

### MaxMind / IP3Country (T3 — IP-to-country lookup)
| Attribute            | Value                                                |
|----------------------|------------------------------------------------------|
| Data shared          | NONE — `ip3country` ships an embedded DB, no API calls |
| Why it's listed here | Supply-chain (PyPI) — covered by SBOM                |

## De-provisioning a vendor

1. Identify the data sent (grep ↑ in this register).
2. Rotate credentials at vendor.
3. Remove from `.env` + deploy.
4. Issue deletion request to vendor (GDPR Art. 17 / DPA clause).
5. Get written confirmation of deletion (≤30d).
6. Update this register — move to "Retired vendors" section below.

## Retired vendors

(none currently)

## Onboarding checklist (new vendor)

- [ ] DPA signed (or N/A documented)
- [ ] SOC 2 / ISO 27001 status verified
- [ ] Data classification confirmed (which fields cross the boundary)
- [ ] Sub-processor list reviewed
- [ ] Webhook / API signature verification implemented
- [ ] API key rotation schedule set
- [ ] Removal procedure tested
- [ ] Added to this register
- [ ] Added to `THREAT_MODEL.md` §3.4

## Last reviewed: 2026-02-12 · Next: 2027-02-12 (annual)
