Third Party Risk Management
1. Introduction
Aspose Pty Ltd (Aspose) is a market-leading software development company that offers APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, and CAD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, and Android.
Aspose is trusted by thousands of companies for its commitment to secure, reliable, and high-performing products. Through effective third-party risk management, Aspose ensures that its partnerships and vendor relationships uphold the highest standards of security, compliance, and operational integrity.
2. Purpose
Aspose Pty Ltd recognizes the critical role third-party relationships play in the development, delivery, and support of its self-hosted software products. This Third Party Risk Management (TPRM) policy establishes a structured approach to managing risks associated with these relationships, ensuring product security, operational resilience, and scalability.
3. Scope
This policy applies to all third-party relationships and service providers that interact with Aspose’s products, development processes, or infrastructure. It includes vendors, contractors, and suppliers whose services may impact Aspose’s data, applications, operational continuity, or regulatory compliance.
4. Roles and Responsibilities
To ensure effective third-party risk management across Aspose’s operations, clear roles and responsibilities are assigned to various stakeholders:
4.1 Risk Management Team
- Lead the implementation and maintenance of the TPRM framework.
- Conduct regular risk assessments of third-party vendors and service providers.
- Develop and update vendor risk classification criteria.
- Coordinate with other teams to ensure comprehensive risk evaluation.
4.2 Procurement Team
- Oversee vendor selection and onboarding processes.
- Ensure vendors meet security and compliance requirements before engagement.
- Maintain documentation of vendor assessments and approvals.
- Coordinate contract reviews with Legal and Compliance teams.
4.3 Legal and Compliance Team
- Review vendor contracts and agreements for compliance with regulatory requirements.
- Advise on legal implications of vendor relationships.
- Monitor changes in regulations affecting third-party relationships.
- Ensure vendor agreements include appropriate security and privacy clauses.
4.4 Product Management Team
- Evaluate technical compatibility of third-party components.
- Assess impact of vendor solutions on product security and performance.
- Monitor vendor performance against service level agreements.
- Coordinate with Development teams on vendor integration requirements.
4.5 IT Infrastructure and Security Team
- Conduct security assessments of vendor systems and processes.
- Monitor vendor security incidents and vulnerabilities.
- Review vendor security practices and compliance.
- Provide input on security requirements for vendor selection.
4.6 Executive Management
- Approve policies and ensure alignment with business objectives and regulatory requirements where appropriate.
- Allocate resources for implementing and maintaining robust risk management measures.
5. Core TPRM Framework
The following framework defines Aspose’s approach to managing third-party risks:
5.1 Critical Relationships
Identify all third-party components, including libraries, platforms, tools, and integrations, that directly or indirectly impact Aspose’s software lifecycle.
5.2 Risk-Based Classification
Classify vendors into tiers based on their impact on product security, compliance, and performance:
- High Risk: Vendors supplying core components essential to Aspose’s operations or customer-facing products.
- Medium Risk: Vendors with significant but not critical roles in the software lifecycle.
- Low Risk: Vendors with minimal involvement in Aspose’s core activities.
5.3 Contractual Requirements
Where possible and practical, require third-party providers to:
- Adhere to security, continuity, and quality standards.
- Commit to periodic reporting and compliance checks.
- Notify Aspose of any security incidents or operational disruptions promptly.
6. Risk Assessment and Due Diligence
6.1 Evaluation Process
Aspose conducts initial and periodic risk assessments for all vendors, considering:
- Security and Privacy Risks: Evaluate cybersecurity practices, data protection protocols, and compliance with relevant laws.
- Operational Risks: Assess reliability, scalability, and potential disruptions in service.
- Regulatory and Legal Risks: Verify compliance with applicable regulations.
6.2 Due Diligence Tools
Where available, Aspose uses standardized templates to gather and document:
- Vendor policies and security frameworks.
- Financial stability and historical performance data.
- Incident response and business continuity plans.
- Penetration Test Report: For vendors handling sensitive data or infrastructure, Aspose may request the results of recent penetration tests conducted by independent auditors. Aspose’s IT Security Team reviews these reports to identify potential vulnerabilities, confirm that the test scope and date cover the systems and services Aspose actually relies on, and confirm that reasonable controls are in place.
- Vendors are required to demonstrate remediation of identified vulnerabilities, with follow-up testing where necessary.
- Failure to address critical vulnerabilities may result in suspension or termination of the vendor relationship.
6.3 Risk Categorization
Classify vendors as high, medium, or low risk using the tiers defined in section 5.2, based on their potential impact on Aspose’s operations.
6.4 Approval and Documentation
Findings are reviewed by the Aspose Business Team and approved by the Board of Directors before vendor engagement. All assessments are archived for future reference.
7. Vendor Selection Criteria
Aspose assesses vendors against the following criteria:
- Security Practices: Ability to safeguard sensitive data and systems.
- Operational Reliability: Consistent uptime and performance.
- Technical Compatibility: Integration with Aspose’s platforms (e.g., .NET, Java, Python).
- Incident Response: Reasonable response plans for addressing disruptions.
- Business Continuity: Strategies to minimize service interruptions.
- Regulatory Compliance: Efforts to meet relevant data protection and operational standards.
- Environmental and Social Responsibility: Preference for vendors demonstrating a positive track record in ethical and sustainable practices.
- Certification Requirements: Aspose may request evidence of compliance with recognized industry certifications, such as ISO 27001, SOC 2, or equivalent standards.
- Aspose takes a practical approach based on the vendor’s size and role; smaller vendors may not be expected to meet the same standards as larger providers.
- Certifications will be considered as part of the overall vendor evaluation but are not necessarily required for all engagements.
8. 4th Party Assessment Schedule
Where possible, Aspose will maintain a structured schedule for assessing 4th party risks (i.e., the suppliers of Aspose’s direct suppliers):
- Annual Reviews – Where possible, conduct an annual assessment of critical 4th party suppliers to identify vulnerabilities and dependencies.
- Event-Driven Reviews – Initiate reviews after security incidents, product failures, or significant operational changes involving 4th party components.
- Contractual Compliance – Where practical, ensure that direct suppliers impose equivalent security and compliance requirements on their own suppliers.
9. Ethical Sourcing
Aspose is committed to maintaining high ethical standards throughout its supply chain. Suppliers are asked to adhere to the following requirements:
- Labor Practices – Prohibit forced labor, child labor, and discrimination in hiring and employment.
- Human Rights – Respect workers’ rights to collective bargaining, fair wages, and safe working conditions.
- Environmental Impact – Minimize environmental harm through responsible resource use, waste management, and pollution control.
- Compliance – Suppliers should comply with all applicable labor laws and environmental regulations in their operating countries.
10. C-SCRM Integration
Aspose’s Third Party Risk Management (TPRM) strategy is integrated into broader corporate supply chain processes:
- Unified Risk Reporting – Supply chain risk reports are integrated into enterprise-level risk management.
- Procurement Integration – Supplier evaluation criteria include supply chain security, performance, and resilience.
- Cross-Functional Collaboration – Security, legal, and procurement teams coordinate supply chain reviews and remediation.
11. Monitoring and Reporting
- Ongoing Monitoring: Continuous monitoring of security, performance, and compliance for third-party vendors, including periodic reviews and automated scans where practical.
- Vulnerability Audits: Periodic audits, using static code analysis tools such as SonarQube, are performed on Aspose products, especially after significant updates or changes.
- Performance Reviews: Reviews based on uptime and support quality to ensure service consistency.
- Annual Risk Reports: Management receives annual reports summarizing monitoring outcomes, vulnerabilities, and incidents.
- Compliance Checkpoints: Regular checks are performed for compliance with specific regulations, with re-evaluation when regulations are updated.
- Internal Audit Program Documentation: Aspose integrates third-party risk management findings into its internal audit program.
- Audit results, including vendor compliance issues or contract violations, are documented and reviewed during contract renewal discussions.
- Corrective actions are identified and tracked to resolution where practical.
- Performance trends, security incidents, and compliance issues from third-party engagements are shared with Aspose’s Risk Management Team and Executive Management to guide future decisions.
12. Incident Response and Escalation
12.1 Incident Response Process
- Detection: Automated monitoring and vendor incident notifications (see 5.3) alert stakeholders to potential incidents.
- Containment: Collaborate with vendors to isolate the issue and mitigate its impact.
- Root Cause Analysis: Conduct a detailed investigation to identify causes and recommend preventive measures.
- Recovery: Implement fixes and restore functionality promptly.
12.2 Post-Incident Activities
- Review incidents to improve internal and vendor processes.
- Update risk assessments and TPRM policies to reflect lessons learned.
13. Operational Resilience and Business Continuity
13.1 Vendor Dependency Management
- Identify critical vendor dependencies and develop contingency plans, including:
  - Backup vendors.
  - Redundancy measures for high-risk services.
13.2 Continuity Measures
Ensure vendors conduct regular testing of their continuity strategies and provide documentation.
13.3 Resilience Testing
Periodically test fallback solutions to confirm operational readiness.
14. Documentation and Centralized Records
Maintain a secure repository for all TPRM-related documentation, including:
- Vendor risk assessments.
- Contracts and performance reviews.
- Incident reports and mitigation actions.
15. Legal and Regulatory Compliance
Aspose is committed to complying with all applicable legal, regulatory, and industry requirements related to this policy. Where specific regulations or standards apply, Aspose will ensure alignment to protect customer data, meet business obligations, and maintain operational integrity.
15.1 Compliance Principles
- Adherence: Aspose follows all relevant legal and regulatory requirements applicable to its operations and systems.
- Alignment with Standards: While Aspose may not hold formal certifications, it aligns its practices with recognized industry frameworks and best practices to ensure compliance.
15.2 Ongoing Compliance Monitoring
Aspose regularly reviews its internal processes, policies, and product offerings to ensure ongoing compliance with relevant laws and industry standards.
Compliance audits and reviews are conducted periodically to ensure the effectiveness of security and privacy controls.
16. Employee Training and Security Awareness
Aspose places a strong emphasis on ensuring that all employees understand their roles and responsibilities in managing third-party risks. Through continuous training and awareness programs, employees are equipped to evaluate, monitor, and mitigate risks associated with third-party relationships.
16.1 TPRM Training Programs
- Onboarding Training: All new employees receive training on the fundamentals of third-party risk management, including vendor classification, risk assessment processes, and reporting procedures.
- Ongoing Security Awareness: Regular training sessions and updates are conducted to ensure employees remain informed about changes in third-party risk processes, regulatory requirements, and emerging vendor-related threats.
16.2 Role-Specific Training
Employees with roles directly involved in third-party risk management receive tailored training, including:
- Risk Specialists: Training on risk assessment methodologies, vendor due diligence, and monitoring tools.
- Procurement and Product Teams: Training on vendor selection criteria, contract requirements, and risk-based vendor classification.
- Compliance and Legal Teams: Guidance on regulatory obligations, data protection requirements, and contractual risk management.
16.3 TPRM Aware Culture
Aspose fosters a culture of accountability and risk awareness by:
- Regular communications and updates from senior management on the importance of managing third-party risks.
- Encouraging employees to report third-party concerns or incidents through established, confidential reporting channels.
- Sharing periodic briefings and updates on vendor risks, best practices, and lessons learned from incidents or assessments.
16.4 Continuous Improvement
Aspose actively seeks feedback on training and awareness programs to ensure they remain relevant and effective.
Post-Incident Debriefing: Following third-party-related incidents, teams participate in debriefing sessions to analyze root causes, evaluate vendor management processes, and identify improvements to employee training or procedures.
17. Policy Compliance and Enforcement
To ensure the integrity and effectiveness of third-party risk management, compliance with this policy is mandatory for all employees, teams, and stakeholders involved in vendor selection, onboarding, and monitoring.
17.1 TPRM Policy Compliance
Mandatory Adherence: All personnel must adhere to the Third Party Risk Management Policy, including risk assessments, due diligence, and ongoing monitoring requirements.
Policy Acknowledgment: Employees must acknowledge their responsibilities regarding third-party risk management during onboarding and whenever significant updates to the policy occur.
Periodic Reviews and Updates: This policy will be reviewed periodically to align with evolving risks, regulatory changes, and business needs. Updates will be communicated to relevant stakeholders.
17.2 Monitoring and Auditing
Vendor Audits: Periodic audits and assessments will verify vendor compliance with contractual obligations and security requirements.
Automated and Manual Monitoring: Automated and manual monitoring processes ensure vendor performance, security, and compliance remain consistent throughout the relationship.
Risk Reviews: Teams are encouraged to conduct self-assessments to identify and address gaps in vendor risk management processes.
17.3 Non-Compliance Consequences
Violation of Policy: Non-compliance with the TPRM Policy or failure to follow risk management procedures will result in corrective or disciplinary action, including but not limited to:
- Corrective Actions: Retraining, formal warnings, or enhanced oversight of vendor processes.
- Vendor Review: Re-evaluation of third-party relationships, including termination of vendor agreements where necessary.
- Access Restrictions: Restrictions on vendor access to Aspose’s systems, data, or products where risks are identified.
- Termination: Repeated or significant non-compliance may lead to employee termination or vendor disengagement.
17.4 Accountability and Enforcement
Incident Management: Third-party-related incidents will be managed in line with Aspose’s incident response processes, including containment, root cause analysis, and corrective measures.
Disciplinary Process: The enforcement process will be overseen by HR, Compliance, and Risk Management teams to ensure appropriate actions are taken.
Escalation Procedures: Serious non-compliance or incidents may be escalated to senior management or external authorities, depending on the severity and impact of the breach.
17.5 Continuous Improvement
Feedback Loop: Aspose encourages feedback from employees, stakeholders, and vendor evaluations to continuously enhance the Third Party Risk Management Policy. Regular reviews help identify gaps, improve processes, and address emerging risks related to third-party relationships.
Training and Awareness: Non-compliance due to a lack of understanding or awareness will be addressed through targeted training programs and updated communication channels. This ensures all employees and relevant stakeholders are fully aware of their responsibilities in managing third-party risks.
18. Periodic Review and Policy Updates
Periodic Review: This Third Party Risk Management Policy will be reviewed periodically, or as required, to adapt to new security standards, emerging threats, and Aspose’s evolving business needs.
Policy Updates: Any updates to the policy will be communicated to all employees and relevant stakeholders to ensure continuous alignment with best practices in information security.
19. Policy Management
Aspose is a privately held company. Our policies are reviewed and maintained by the leadership team to keep them aligned with our business goals and industry standards.
This policy is live and effective as of the Last Updated date at the top of this document. Updates reflect changes in our business practices, customer feedback, and compliance requirements.