The Supplier Management Policy governs how botBrains selects, contracts with, and reviews the third parties that host our infrastructure, process customer data, or support our product. Because botBrains runs entirely on managed cloud services, suppliers carry a large share of our security posture, and this policy keeps that risk under control.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy applies to every supplier that can access, store, process, or transmit botBrains confidential data, or that provides infrastructure or tooling our production environment depends on. The current set of data-processing suppliers and the data each one handles appears in the Subprocessor list; this policy sets the rules behind that list rather than restating it.

Selection criteria

Before botBrains engages a supplier for anything touching customer data or production, the CISO performs due diligence against the criteria below and records the outcome.
Criterion | What we require
Security assurance | A current ISO/IEC 27001 certificate or SOC 2 Type II report. Where neither exists, a completed security questionnaire and documented compensating controls.
Data residency | EU hosting and processing, with no transfer to a third country.
Contractual basis | A signed Data Processing Agreement under GDPR Article 28 where the supplier processes personal data, with the required confidentiality and security commitments.
Criticality | A risk rating based on business impact, customer-data access, and how hard the supplier would be to replace, assessed using the risk methodology.

Model subprocessor rules

Suppliers that run model inference must follow three additional, non-negotiable rules. Every model subprocessor must guarantee:
  1. EU data residency. The supplier stores customer data only in the EU.
  2. EU inference residency. Model inference runs only in EU regions.
  3. No training on our data. The supplier must not use botBrains or customer data to train or improve its models.
A model provider that can’t meet all three isn’t eligible, regardless of other merits.

Agreements

Every supplier with access to confidential data or production operates under a written agreement that sets out their security responsibilities, confidentiality obligations, and the commitments they manage on our behalf. For personal data this is the Article 28 DPA. We review material changes a supplier makes to its services, location, or controls for new risk, and update our agreements where needed.

Ongoing review

The CISO reviews each in-scope supplier at least annually, and sooner if the supplier suffers an incident, changes ownership or location, or materially changes its service. A review re-checks the current ISO 27001 certificate or SOC 2 report for scope, validity, and any exceptions, confirms the DPA and data residency still hold, and re-rates the supplier's risk. The CISO records the outcome and date of each review in the supplier register (Employees Only: Supplier / Subprocessor). Where a supplier no longer meets the criteria, the CISO remediates, replaces, or escalates it as a risk under the Risk Management Policy.

Review

The CISO owns this policy and reviews it at least annually and on material change.

ISO 27001 mapping

This policy supports ISO/IEC 27001:2022 Annex A controls 5.19 (information security in supplier relationships), 5.20 (addressing security within supplier agreements), 5.21 (managing security in the ICT supply chain), 5.22 (monitoring, review, and change management of supplier services), and 5.23 (information security for use of cloud services).