Supplier & Third-Party Register

Document ID: REG-003
Document owner: Sebastian Windeck (DPO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: March 2027
Frameworks: ISO 27001 (A.5.19, A.5.20, A.5.21, A.5.22) | SOC 2 (CC9.2)


Approved Supplier Register

| Supplier | Service | Data Accessed | DPA | Certifications | Review Date |
|---|---|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, Key Vault, Monitor | All hosted data | ✅ Signed | ISO 27001, SOC 2 Type II, CSA STAR | March 2027 |
| GitHub (Microsoft) | Source code, CI/CD, Actions | Source code, secrets (via Actions) | ✅ Signed | ISO 27001, SOC 2 Type II | March 2027 |
| Google Workspace | Email, docs, calendar, HR data | Employee personal data | ✅ Signed | ISO 27001, SOC 2 Type II | March 2027 |

Adding a New Supplier

Approval Required

No new supplier may be granted access to CTW Data Solutions systems or data without prior approval from the ISO and, where personal data is involved, a signed DPA.

Checklist before onboarding:

  • [ ] Supplier security questionnaire completed
  • [ ] DPA signed (if processing personal data)
  • [ ] Supplier's certifications reviewed (ISO 27001 / SOC 2 preferred)
  • [ ] Minimum necessary access defined
  • [ ] RBAC role created with least-privilege permissions
  • [ ] Added to this register

Annual Supplier Review

Each approved supplier is reviewed annually to confirm:

  1. DPA remains current and valid
  2. Supplier certifications are still active
  3. No significant security incidents at the supplier in the past year
  4. Access permissions remain appropriate (no scope creep)

Supplier Risk Assessment

| Supplier | Criticality | Data Sensitivity | Risk Level | Mitigation |
|---|---|---|---|---|
| Microsoft Azure | Critical | 🔴 Top Secret | 🟡 Medium | DPA, ISO 27001, SOC 2, CSA STAR, contractual SLAs |
| GitHub | High | 🟡 Confidential | 🟢 Low | DPA, ISO 27001, SOC 2, MFA enforced, private repos |
| Google Workspace | Medium | 🟡 Confidential | 🟢 Low | DPA, ISO 27001, SOC 2, MFA enforced |

Review Log

| Date | Reviewer | Changes |
|---|---|---|
| March 2026 | Sebastian Windeck (DPO) | Initial supplier register — 3 suppliers |