Contract Management

  • 1.  TPRMO (Third Party Risk Mgt Office) Contract provisions to be added to your contracts with your vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-06-2022 08:52 AM

    I have posted before and have received valuable data and insights, and I am hoping someone can assist with this challenge.

    Does anyone have contract provisions (industry-type provisions) that you can share, or can point me to another resource, regarding:
    what we expect our TPs to implement, monitor and report on with respect to their own TPs (material subcontractors)?
    For example, implementing and maintaining a TPRMO according to industry best practice, assessing their material suppliers at least annually, and providing assessment results if we ask for them, etc.
    Goal: looking to use contract provisions to reduce the risk presented by 4th parties...nth parties that are material in providing a service to us through our vendor.

    Regards


  • 2.  RE: TPRMO (Third Party Risk Mgt Office) Contract provisions to be added to your contracts with your vendors

    Posted 07-12-2022 01:32 PM

    Good afternoon!

    Here are a couple of sample clauses I have on file.

    Sub-Vendors:

    Prior to engaging any Sub-Vendor, Vendor shall identify the Sub-Vendor, describe the services to be provided by the Sub-Vendor, and identify any access the Sub-Vendor will have to Client's information systems, data, or Confidential Information.

    Vendor shall cause Sub-Vendor to adhere to the requirements for Availability, Confidential Information, Data Integrity, Data Security, and Safeguards no less stringent than those provided in this Agreement. Vendor shall provide Client with Independent Assessments of Sub-Vendors.

    Client has the right, at any time, to request replacement of any Sub-Vendor by providing written notice to Vendor. Vendor will replace a Sub-Vendor, subject to Client's review and approval, with another Sub-Vendor(s) with the same or greater skill set within fourteen (14) calendar days after having received written notice of the request to replace.

    Vendor shall be liable for Sub-Vendor's performance, acts, and omissions under this Agreement.

    Use of Third-Party Subcontractors:

    Vendor represents and covenants that, during the term, each Subcontractor shall take reasonable measures designed to: (i) ensure the security and confidentiality of the Client Confidential Information; (ii) protect against any anticipated threats or hazards to the security or integrity of the Client Confidential Information; and (iii) protect against unauthorized access to or use of Client Confidential Information. 

    Vendor agrees to provide a list of primary Subcontractors and any requested due diligence documents upon request. Vendor agrees to provide to Client written notice of any change in Subcontractors.

    Vendor shall be fully responsible for the performance obligations, acts, and omissions of each Subcontractor related to this Agreement and for their compliance with this Agreement, and all acts and omissions of Subcontractors related to this Agreement shall be imputed to Vendor. Any breach of this Agreement by a Subcontractor shall constitute a breach by Vendor.

    Subcontracting

    Prior to the Effective Date, Vendor will, at its expense, conduct or certify that the following certifications or reviews have been performed for itself and any subcontractor used to provide hosting services:

    • A SOC 2 audit of Vendor's security policies, procedures and controls.
    • A vulnerability scan, performed by an independent third party, of Vendor's systems and facilities that are used in any way to deliver Services.
    • A formal penetration test, performed by process and qualified personnel, of Vendor's systems and facilities in use in any way to deliver Services.
    • Client may, at its expense and on reasonable grounds, require Vendor to perform additional audits and tests, the results of which will be provided to Client within seven (7) business days of Vendor's receipt of such results.
    • To the extent Vendor stores or controls Client Confidential Information, Vendor shall protect Client's Confidential Information against deterioration or degradation of quality and authenticity, including, but not limited to, annual third-party data integrity audits performed by an independent, external organization to determine whether or not Vendor complies with the standard.

    Vendor will, at its expense, conduct or have conducted, for itself and any subcontractor used to provide hosting services, such audits and certifications as defined above at least annually, and promptly after any actual or reasonably suspected Security Incident. Vendor will provide Client the results of any such audits and reviews described above, along with Vendor's plan for addressing or resolving any shortcomings identified by such audits and reviews, within seven (7) business days of Vendor's receipt of such results. Vendor will, if the results so require, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement and provide Client with written evidence of remediation.

    I hope these are helpful and would love to see some other provisions the community uses with regard to subcontractors/fourth parties.

    Kind regards.




  • 3.  RE: TPRMO (Third Party Risk Mgt Office) Contract provisions to be added to your contracts with your vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-12-2022 01:46 PM

    Thanks so much, Heather.

    Perfect. Very helpful.

    Cheers


  • 4.  RE: TPRMO (Third Party Risk Mgt Office) Contract provisions to be added to your contracts with your vendors

    Posted 26 days ago
    Principally, managing the 4th Party risk...
    I want the vendor to disclose any and all subcontractors prior to the subcontractor performing any of the "services" under the contract.
    I want the ability to object to the use of the subcontractor if there's a reasonable objection (what if they are also a competitor, or there's pending or previous litigation, or they just announced a data breach, etc.).
    I want to know if the vendor has their own TPRM program, and I want to review the vendor's TPRM program. Can I reasonably rely on its performance?

    Good Luck

    ------------------------------
    Bradley Martin
    ------------------------------