Vendor Management Policy

Purpose and scope

This policy describes how Nexma selects, onboards, monitors, and terminates third-party vendors — particularly those that process customer data on Nexma's behalf as subprocessors.

It applies to all vendor relationships entered into by Nexma and is binding on personnel responsible for onboarding or managing vendors.

Vendor classification

Vendors are classified by the sensitivity of the data they handle and the criticality of the service they provide. Diligence depth scales with classification.

Onboarding due diligence

New vendors in the critical tier complete the following steps before any production data flows to them. Other tiers complete a proportional subset.

1. Security questionnaire — Documented questions about the vendor's security program — encryption, access control, incident history, certifications, data residency.
2. SOC 2 or equivalent review — Review of the vendor's most recent SOC 2 Type II report (or ISO 27001 / equivalent). Material qualifications are evaluated and risk-accepted or rejected.
3. Data Processing Agreement — A DPA is signed with any vendor that will process personal data on Nexma's behalf, with SCCs or equivalent transfer mechanisms where required.
4. Business justification — The owning team documents why the vendor is needed and what data flows to it, including the alternatives considered.
5. Approval — Critical vendors require approval from the Security Lead before onboarding. Vendor records are tracked in a central register.

Subprocessor list

Nexma maintains a public list of subprocessors used to deliver the Nexma platform, including the purpose of the engagement, the categories of data processed, and the processing location. The list is available at the subprocessors page.

The list is updated when subprocessors are added or removed and is the authoritative reference for customers performing their own vendor reviews.

Ongoing monitoring

Vendor relationships are monitored over time, not only at onboarding:

• Annual reassessment — Critical vendors are reassessed at least annually: refreshed SOC 2 report, updated security questionnaire, and review of any incidents during the year.
• Breach and advisory watch — Public security advisories and breach disclosures from current vendors are tracked. Material events trigger an out-of-cycle review and, where needed, customer notification.
• Renewal review — Vendor contracts are reviewed before renewal. Vendors that are no longer needed are decommissioned rather than renewed by default.
• Service health — For vendors that affect platform availability, status and incident history are tracked alongside Nexma's own platform health.

Termination procedures

When a vendor relationship ends, Nexma confirms that customer data has been returned or deleted in accordance with the contract and the Data Processing Agreement. Where the vendor's retention timelines differ from Nexma's, customers are informed.

Credentials, API keys, and integrations associated with the decommissioned vendor are revoked promptly. The vendor is removed from the subprocessors list if it was previously included.

Customer notification

Nexma provides at least 30 days' advance notice before adding a new critical subprocessor that will process customer data, except where a faster timeline is necessary to address a security or availability incident.

Notice is published on the subprocessors page and, where contractually required, communicated directly to affected customers, who may object on reasonable grounds.

Contact

Questions about Nexma's vendor program, or about a specific subprocessor, can be sent to the security team.

Email: legal@nexma.ai