
Third-Party Management Plan

EventLinx works with third-party vendors and partners to support infrastructure, tools, and business operations. These include cloud providers, SaaS platforms, consultants, and hardware suppliers.

The goal of this program is to ensure that external providers do not negatively impact the security, privacy, availability, or integrity of EventLinx systems or data.


What we expect from vendors

All vendors must follow contractual requirements that typically include:

  • Protection of confidential information
  • Defined limits on data usage
  • Security breach notification within agreed timelines
  • Secure return or deletion of data when services end
  • Access restricted to the minimum required for their role

Access is always granted using the principle of least privilege.


Vendor classification

Vendors are grouped based on the level of risk and data access they require. This determines how much oversight they receive.

| Level | Typical access | Oversight approach |
|---|---|---|
| Tier 1 (Critical) | Access to production systems or sensitive data (including PII) | Strong review, annual security validation, ongoing monitoring |
| Tier 2 (Operational) | Internal business data, no direct customer PII | Periodic security reviews and questionnaires |
| Tier 3 (Low risk) | No system or data access (e.g. physical goods or low-risk services) | Minimal onboarding review |

Vendor lifecycle

Every vendor follows a structured lifecycle from selection to termination to ensure risk is controlled at every stage.


During the relationship

Vendors are continuously reviewed based on their risk tier. This may include checking service performance, reviewing security posture updates, and monitoring any publicly reported incidents that could impact EventLinx.

If a vendor experiences a security issue, we evaluate potential impact and take action where necessary to protect systems and data.


Offboarding and termination

When a vendor relationship ends, EventLinx ensures:

  • All system access is revoked promptly
  • Any EventLinx data is returned or securely deleted
  • Any assigned assets are recovered if applicable

For higher-risk vendors, offboarding is performed quickly to reduce exposure.


Compliance alignment

This vendor management approach supports common security and privacy requirements, including PIPEDA obligations and widely used industry frameworks such as SOC 2, ISO 27001, and GDPR Article 28 (where applicable to data processing agreements).

These references guide structure and expectations but do not imply formal certification unless explicitly stated elsewhere.