
🤝 Selection, Due Diligence, and Management of Fourth–Nth Parties

1. Purpose

This document defines how Nemu Inc. selects, evaluates, and manages third, fourth, and Nth party service providers that process, store, or transmit scoped data on our behalf.

2. Scope

This applies to all external entities that:

  • Provide production or security-relevant services (e.g., Supabase, Render, Google Workspace, Stripe), or
  • Have logical or physical access to customer or company confidential data.

3. Selection and Due Diligence Requirements

Nemu maintains standard contractual agreements, including Terms of Service, Master Service Agreements, and Data Processing Agreements (DPAs). All contracts involving the handling of customer or company data are reviewed by the Security/Privacy Lead and approved by executive leadership to ensure they incorporate required confidentiality, data protection, and security obligations. Contract templates are periodically reviewed to maintain alignment with legal, regulatory, and customer requirements. Nemu Inc. performs due diligence that includes:

  1. Business Fit

    • Clear definition of services to be provided
    • Alignment with Nemu Inc.’s product and security roadmap
  2. Security and Compliance Review

    • Review of public security documentation and independent compliance reports (e.g., SOC 2, ISO 27001, and PCI DSS where applicable)
    • Validation of encryption at rest and in transit
    • Review of data location, data residency, and subprocessors
  3. Privacy and Data Handling

    • Evaluation of the vendor’s privacy notice and data handling practices
    • Confirmation of data processing agreements (DPAs) where required
    • Assessment of data retention and deletion capabilities
  4. Availability and Resilience

    • Assessment of SLAs and uptime commitments
    • Understanding of backup, disaster recovery, and incident reporting practices
  5. Contractual Safeguards

    • Inclusion of confidentiality obligations
    • Data protection clauses and regulatory compliance commitments
    • Rights to receive security notifications and updated audit reports

4. Ongoing Monitoring and Management

After onboarding, Nemu Inc. maintains oversight via:

  • Annual or risk-based vendor reviews for critical cloud service providers (CSPs) such as Supabase, Render, Google Workspace, and payment processors.
  • Monitoring of security advisories and breach notifications issued by vendors.
  • Contract reviews at renewal time to ensure security, privacy, and availability requirements remain adequate.
  • Access and usage reviews to ensure the vendor’s scope is still appropriate.

5. Roles and Responsibilities

  • Vendor Owner (Business/Engineering Lead):
    • Owns the business relationship and validates ongoing need for the vendor.
  • Security/Privacy Lead:
    • Reviews security and privacy documentation for critical vendors.
  • Legal/Contract Owner (where applicable):
    • Reviews and approves contractual terms, including DPAs and SLAs.

6. Audit Evidence

Typical audit evidence that can be provided includes:

  • List of critical vendors and their services
  • Copies of SOC 2 / ISO certificates or security whitepapers
  • Signed DPAs or security addenda
  • Meeting notes or tickets showing vendor security reviews
  • Signed contractual agreements (MSA, Terms, DPAs) with relevant vendors.

7. Compliance Mapping

  • SOC 2: CC1.3, CC9.2
  • ISO 27001:2013: A.15.1, A.15.2 (supplier relationships; the corresponding controls in ISO 27001:2022 are Annex A 5.19 through 5.22)

Contact: support@mynemu.com
© 2025 Nemu Inc. All rights reserved.