Supplier Security Management Policy

1. Purpose

To ensure that information security risks associated with third-party suppliers are appropriately managed.

2. Scope

This policy applies to cloud and AI service suppliers (e.g., AWS, Anthropic).

3. Procedure

  • Assess the supplier’s impact on information security.
  • Verify that the supplier has relevant security certifications or published security policies.
  • Review supplier risk on a regular basis.

4. AI-Specific Requirements

  • Third-party AI services are used only for inference.
  • Do not send sensitive personal data to AI suppliers for purposes other than approved inference.
  • Do not use customer or company data for model training by third-party AI providers unless explicitly agreed under contract.

5. Records

  • Supplier list – Maintain a list of in-scope suppliers.
  • Supplier risk assessment – Maintain supplier risk assessment records.