Vendor Management Policy — Trust Centre — Compass IoT

Our commitment

Third-party vendors extend our capability — and our risk surface. We manage both with the same rigour we apply to our own operations.

Compass IoT relies on a limited number of third-party vendors to deliver infrastructure, software, and services. Each vendor relationship introduces potential risks across security, data privacy, compliance, and business continuity. This policy sets out how we identify, assess, and manage those risks across the full vendor lifecycle — from initial selection through to offboarding.

This policy applies to all employees, contractors, and team members involved in procuring, managing, or working with third-party vendors on behalf of Compass IoT.

Scope

What this policy covers

This policy applies to all vendors, subprocessors, suppliers, and third-party service providers engaged by Compass IoT, including but not limited to:

  • Cloud and infrastructure providers — platforms on which Compass IoT hosts its services and data.
  • Software and SaaS vendors — tools used in internal operations, customer delivery, or data processing.
  • Data partners and OEM providers — organisations that supply connected vehicle or third-party data ingested by the platform.
  • Professional services — legal, accounting, consulting, and other firms engaged on a project or retainer basis.
  • Subprocessors — any third party that processes personal data on Compass IoT's behalf.

Risk-tiering

Not all vendors carry the same level of risk. Compass IoT applies a risk-tiered approach — vendors that access, store, or process customer or personal data are subject to heightened due diligence and ongoing monitoring. Vendors with no data access are subject to a lighter-touch assessment proportionate to their risk profile.

Vendor lifecycle

How we manage vendors end to end

Stage 01

Selection and due diligence
  • Security posture reviewed — including certifications (e.g. SOC 2, ISO 27001), published security practices, and penetration testing cadence.
  • Privacy and data handling assessed against our requirements under the Australian Privacy Act, the UK GDPR, and the CCPA.
  • Financial stability and business continuity capability considered for critical vendors.
  • Ethical and sustainability criteria reviewed, including modern slavery and anti-bribery commitments.
  • Reference checks or market reputation reviewed where appropriate.

Stage 02

Contracting and onboarding
  • All vendors must enter into a written agreement before any services commence.
  • Agreements include confidentiality obligations, data protection terms, and — where applicable — a Data Processing Addendum (DPA).
  • Security and compliance requirements are set out explicitly in contractual terms.
  • Subprocessors who handle personal data are listed on our published subprocessor register.
  • Vendors are informed of our relevant policies at onboarding, including our Anti-Bribery and Modern Slavery commitments.

Stage 03

Ongoing monitoring
  • Critical vendors are reviewed annually for continued compliance with contractual and security requirements.
  • Material changes to a vendor's security posture, ownership, or data handling practices are assessed as they arise.
  • Vendor incidents or breaches are treated as potential Compass IoT incidents and assessed under our Incident Response Plan.
  • Performance against agreed service levels is tracked and escalated where deficiencies arise.
  • We monitor for adverse media or regulatory action affecting key vendors.

Stage 04

Offboarding and termination
  • Access to Compass IoT systems and data is revoked promptly on termination of the vendor relationship.
  • Vendors are required to return or securely destroy Compass IoT data in accordance with contractual terms.
  • Data deletion is confirmed in writing where the vendor held personal or confidential data.
  • Any outstanding obligations — such as ongoing confidentiality — are confirmed and documented at offboarding.

Security requirements

What we require from vendors

All vendors that access, store, or process Compass IoT data are expected to maintain security controls commensurate with the sensitivity of the data they handle. Minimum expectations include:

  • Encryption of Compass IoT data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Access controls that follow the principle of least privilege and require multi-factor authentication for systems holding Compass IoT data.
  • A documented incident response process and an obligation to notify Compass IoT of any incident affecting our data within 72 hours of becoming aware of it.
  • Compliance with applicable data protection law in the jurisdictions in which they operate.
  • Willingness to provide evidence of security posture — including certifications, audit reports, or completed security questionnaires — on reasonable request.

Subprocessors

Vendors who act as subprocessors — handling personal data on Compass IoT's behalf — are subject to additional requirements under our Data Processing Addendum. Compass IoT maintains a current list of approved subprocessors, available on request.

Risk and exceptions

Managing risk and exceptions

Where a vendor cannot fully meet Compass IoT's requirements, a risk assessment is conducted to determine whether an exception can be accepted. Exceptions must be:

  • Documented with a clear description of the gap and the compensating controls in place.
  • Approved by the Compass IoT leadership team.
  • Time-limited and subject to review at a defined date.
  • Accompanied by a remediation plan where the gap is material.

Compass IoT reserves the right to terminate a vendor relationship where a risk cannot be acceptably mitigated, or where a vendor fails to remediate a material gap within an agreed timeframe.

Policy review

This Vendor Management Policy is owned by the Compass IoT leadership team and will be reviewed annually, or sooner if material changes occur to our vendor relationships, regulatory environment, or risk profile.

Questions

Get in touch

For questions about this policy, vendor assessments, or our subprocessor list, please get in touch.