Imperial Eminence Cyberguard Corporation · The Ivory Index

Vendor Management Policy

Tier V — Security Program · Ref: IECC-T5-004 · Version 1.0 · Effective 14 June 2026

Document: IECC-T5-004 Version: 1.0 Effective: 14 June 2026 Governing Law: Cayman Islands Intended Jurisdiction: Cayman Islands (upon incorporation)

Article I — Purpose

This Vendor Management Policy ("Policy") governs how IECC selects, onboards, reviews, and offboards third-party vendors and service providers. It ensures that vendors meeting IECC's security, legal, and operational standards are engaged, and that vendor relationships do not introduce unacceptable risk to IECC or its Customers.

Article II — Vendor Categories

Category	Definition	Examples	Review Level
Critical	Processes Customer personal data or has access to production systems	Cloud infrastructure, email/support platform	Full due diligence + DPA + annual review
Significant	Integrated into product delivery but no direct Customer data access	Build tools, CDN, font delivery	Security assessment + contractual terms + annual review
Standard	Business operations; no Customer data access	Accounting software, project management	Standard vetting + terms review
Low-risk	Minimal integration; public services only	Public APIs used for non-sensitive data	Lightweight review

Article III — Vendor Selection

Before engaging any Critical or Significant vendor, IECC shall:

Complete a Vendor Risk Assessment covering: data handling practices; security certifications (ISO 27001, SOC 2, or equivalent); incident history; financial stability; regulatory compliance posture
Review the vendor's privacy policy, terms of service, and security documentation
Obtain Security Owner approval for Critical vendors
Execute a Data Processing Agreement (for vendors processing personal data) or equivalent data protection agreement
Confirm the vendor maintains appropriate insurance (cyber liability, professional indemnity) where applicable

Article IV — Vendor Onboarding

Vendor is added to the Subprocessor Register (IECC-T4-002) where applicable
Access credentials provisioned on a least-privilege basis; no shared accounts
Vendor briefed on IECC's confidentiality obligations and data handling requirements
Integration documented in asset inventory
Customer notification issued where required under DPA (30 days' advance notice for new subprocessors)

Article V — Ongoing Vendor Review

Vendor Category	Review Frequency	Review Scope
Critical	Annual	Security posture, certifications, incidents, DPA compliance, access review
Significant	Annual	Security posture, contract terms, access review
Standard	Biennial	Terms review, continued business need
Low-risk	Ad hoc (on material change)	Continued suitability

Triggers for immediate out-of-cycle review: vendor data breach; material change in vendor ownership, control, or jurisdiction; regulatory action against vendor; significant change in vendor terms or security posture.

Article VI — Vendor Offboarding

All IECC access credentials and permissions revoked within 1 business day of termination decision
Vendor instructed to return or securely delete IECC and Customer data within 30 days
Deletion certificate requested from Critical vendors
Subprocessor Register updated; Customer notification issued where required
Integration removed from asset inventory and system documentation

Article VII — Vendor Incidents

Where a vendor notifies IECC of a security incident affecting IECC or Customer data, IECC will: (i) immediately assess the impact; (ii) invoke the Incident Response Policy (IECC-T4-003); (iii) notify affected Customers in accordance with legal obligations; and (iv) review whether to continue the vendor relationship.

Article VIII — Contact

Vendor management enquiries: legal@imperialecc.com.

Drafted with the assistance of

Voidlex

Imperial Legal Intelligence · IECC Suite · v2.6

This document was prepared with the assistance of Voidlex, a legal document drafting tool developed by Imperial Eminence Cyberguard Corporation (IECC). Voidlex is a drafting aid only. It does not constitute legal advice, does not practice law, and does not guarantee the legal enforceability of this document in any jurisdiction. Users are strongly encouraged to seek independent legal counsel before relying on this document for commercial, regulatory, or enforcement purposes.

Governing Law — All Disputes Cayman Islands · Grand Court of the Cayman Islands

IECC Registered Operations Planned Cayman Islands registration · pre-incorporation stage

Drafting System Voidlex v2.6 · Imperial Eminence Cyberguard Corporation

TRIBUNEH · IECC Legal Division