# Vendor Management Policy

- Status: ACTIVE
- Owner: Daan ([email protected])
- Effective: 2026-04-20
- Last reviewed: 2026-04-20
- Next review: 2026-10-20
## Purpose

Define how rotor.sh evaluates, onboards, monitors, and offboards third-party vendors (sub-processors) that handle customer data or provide critical infrastructure.
## Scope

All third-party services that (a) store or process customer data, or (b) are in the critical path of rotor.sh production availability.
## Current Sub-processors

| Vendor | Purpose | Data Processed | Region | SOC 2 / Compliance |
|---|---|---|---|---|
| Supabase | Auth, Postgres | PII, audit_event, team_member | us-east-1 | SOC 2 Type II |
| Railway | Redis, app hosting | transient queue state | us-west2 / us-east-1 | SOC 2 (in progress) |
| Fly.io | Managed workers (Enterprise) | customer compute | multi-region | SOC 2 Type II (Compliance package) |
| Stripe | Billing | customer_id, invoice | US | PCI DSS Level 1, SOC 2 |
| Anthropic | Brand-tone LLM judge | outbound payload samples | US | Trust & Safety policy |
| Slack | Approval callbacks | approval metadata | US | SOC 2 Type II |
| AWS | S3 staging (audit export) | Parquet exports | us-east-1 | SOC 2 Type II, ISO 27001 |
| Sentry | Error tracking | stack traces, user_id | US | SOC 2 Type II |

## Vendor Evaluation Criteria

New sub-processors must be evaluated against:
- Security posture: SOC 2 Type II report (or equivalent ISO 27001 / HIPAA BAA if applicable)
- Data residency: Does the vendor support US-only data residency where required by Enterprise customers?
- Incident response SLA: Does the vendor commit to notification within 72 hours of a data breach?
- Business continuity: What is the vendor's documented uptime SLA and DR capability?
- Data deletion: Does the vendor support deletion within 30 days of contract termination?
## Vendor Monitoring

### Vanta-Integrated Vendors (automated evidence collection)

The following vendors have active Vanta integrations and are continuously monitored:
- Supabase (OAuth integration)
- Fly.io (Compliance package + Vanta OAuth)
- AWS (native Vanta integration)
- GitHub (native Vanta integration)
- Slack (native Vanta integration)
### Manual Evidence Cadence (Railway)

Railway does not have a Vanta integration. Manual evidence is collected monthly per docs/compliance/vanta-manual-evidence.md:
- Railway Team Members list screenshot
- Railway Project/Environment configuration screenshot
- Railway Billing invoice screenshot
### Annual Review

All sub-processors are reviewed annually for:
- Updated SOC 2 / compliance reports
- Changes to data processing terms (DPA updates)
- Service changes that affect data handling
## Sub-processor Change Process

Adding or removing a sub-processor requires:
- Evaluation against the criteria above.
- A PR updating this document and docs/security/index.mdx.
- If the vendor processes customer PII: update the customer-facing Data Processing Agreement (DPA) and notify Enterprise customers with 30 days' notice.
## Vendor Offboarding

On contract termination:
- Revoke all credentials and API tokens within 24 hours.
- Request data deletion confirmation within 30 days.
- Update docs/compliance/vendor-management-policy.md and docs/security/index.mdx.
## Review Cadence

Reviewed annually. Next review: 2026-10-20.