SOP owner: Operations / Legal — Last reviewed: [Date] — ID: SOP-OPS-002
Overview
This SOP covers the full lifecycle of third-party vendor relationships at Blevins Holdings — from evaluating a new vendor through active management and eventual offboarding. All vendors must go through this process before receiving payment or access to company data or systems.

Why this matters: Vendors are an extension of our operations. A vendor’s security failure, compliance gap, or service disruption can directly impact Blevins and our clients. Structured vendor management reduces that risk.

Key stakeholders:

| Role | Responsibility |
|---|---|
| Business owner | Identifies the need, champions the vendor relationship |
| IT Security | Reviews vendor security posture and data handling |
| Legal | Reviews and executes contracts |
| Finance | Handles payment, tracks contracts in vendor register |
| Operations | Oversees the process and maintains the vendor register |
Vendor register
All active vendors are tracked in the Vendor Register, maintained by Operations/Finance at [link to vendor register — e.g., in Notion, Airtable, Google Sheets]. The register includes: vendor name, category, contract value, contract end date, renewal date, business owner, risk tier, last review date.

Vendor risk tiers
Vendors are assigned a risk tier based on their access to company data and systems:

| Tier | Description | Examples |
|---|---|---|
| Tier 1 — Critical | Access to production systems, sensitive data, or critical infrastructure | Cloud providers, payroll, HRMS, security tools |
| Tier 2 — Significant | Access to internal systems or non-public data, or significant operational dependency | Accounting software, CRM, project management |
| Tier 3 — Standard | No access to data systems; administrative or one-time purchases | Office supplies, event venues, marketing agencies |
Process steps
Submit a vendor request
Who: Business owner
Before engaging any new vendor, the business owner submits a Vendor Request using [IT/Operations intake form — link to be added]. The request must include:
- Vendor name, website, and contact
- What they’ll provide and why this vendor (vs. an existing contract)
- Estimated contract value and duration
- Whether the vendor will have access to company or client data (and if so, what kind)
- Whether the vendor will be given access to any company systems or network
- Budget code and approval from department head (for contracts over $[X])
Initial review and risk tier assignment
Who: Operations
Operations reviews the request and assigns the vendor a risk tier (Tier 1, 2, or 3). The tier determines the remaining review steps.
Operations notifies the business owner of the tier and routes the request to the appropriate reviewers.
| Tier | Required review |
|---|---|
| Tier 1 — Critical | IT security review + Legal review + Finance approval |
| Tier 2 — Significant | IT security review (abbreviated) + Legal review |
| Tier 3 — Standard | Business owner certification + Finance approval |
IT security review
Who: IT Security
Required for Tier 1 and Tier 2 vendors. IT Security evaluates the vendor’s security posture and data handling practices. The review covers:
- Data handling: What data will the vendor access, store, or process? Where? For how long?
- Certifications: Does the vendor hold SOC 2 Type II, ISO 27001, or equivalent?
- Encryption: Is data encrypted at rest and in transit?
- Access controls: Does the vendor have strong authentication and least-privilege access controls?
- Incident history: Any known data breaches or security incidents?
- Sub-processors: Does the vendor use sub-processors? If so, are they disclosed?
- Business continuity: Does the vendor have a documented BCP?
Legal review and contract execution
Who: Legal
All vendors must have a signed agreement before any work begins or data is shared. Legal reviews vendor contracts for:
- Data Processing Agreement (DPA): Required for any vendor that processes personal data or company data
- Liability and indemnification clauses
- Intellectual property ownership — ensure Blevins retains rights to its data and work product
- Termination and exit provisions — how data is returned or deleted upon contract end
- SLAs and remedies
- Compliance certifications and representations
Add to vendor register and provision access
Who: Operations (register); IT (access)
Once all approvals are complete and the contract is signed:
- Operations adds the vendor to the Vendor Register with all relevant details
- IT provisions any required system access with least-privilege principles — only the access the vendor needs, nothing more
- The business owner receives confirmation that the vendor is active
Ongoing vendor management
Performance monitoring
Business owners are responsible for monitoring vendor performance against contracted SLAs and deliverables. Significant performance issues should be documented and escalated to Operations and Legal if they may affect the contract. Track vendor performance notes in the Vendor Register.

Annual vendor review
All active vendors are reviewed annually. The review includes:

| Item | Details |
|---|---|
| Performance assessment | Business owner evaluates whether the vendor is meeting expectations |
| Security review update | Tier 1 and 2 vendors: IT requests updated security documentation |
| Contract review | Is the contract still fit for purpose? Is the price competitive? |
| Risk re-assessment | Has the vendor’s risk tier changed? |
| Renewal decision | Renew, renegotiate, or offboard? |
Dealing with vendor incidents
If a vendor experiences a data breach, security incident, or significant service disruption that affects Blevins:
- Notify IT Security immediately at security@blevinsholdings.com
- Notify Legal if personal data may have been involved
- Invoke the vendor’s SLA and incident response obligations under the contract
- Document the incident in the Vendor Register
- If appropriate, initiate a review of the vendor relationship
Offboarding a vendor
When a vendor relationship ends (contract not renewed, vendor replaced, or terminated for cause):

Notify IT and Operations
The business owner notifies IT and Operations at least 30 days before the end date (or immediately if the termination is for cause).
Data return and deletion
IT confirms that all company or client data held by the vendor is returned or destroyed per the contract terms. The vendor provides written confirmation of data deletion.
Revoke access
IT revokes all system access and API credentials on or before the contract end date. Access revocation is confirmed and logged.
Final payment and close-out
Finance processes any final invoices and marks the contract as closed in the vendor register.
Vendor due diligence checklist
Use this checklist for Tier 1 and Tier 2 vendor evaluations:

Security & compliance
- Obtained and reviewed SOC 2 Type II report (or equivalent) from last 12 months
- Confirmed data is encrypted at rest and in transit
- Confirmed vendor has documented incident response and breach notification procedures
- Reviewed vendor’s sub-processor list
- Confirmed MFA is required for vendor employee access to systems that hold our data
- DPA signed (if vendor processes personal data)
- SLAs documented and acceptable
- Data deletion/return provision included
- IP ownership and work product rights clearly defined
- Termination for convenience provision included
- Vendor financials or stability confirmed (for critical vendors)
- BCP/DR capabilities confirmed
- References checked (for significant new relationships)
Related documents
- Procurement Policy
- Acceptable Use Policy
- Data Privacy Policy
- Incident Response SOP
- [Vendor Register — link to internal system]
Last updated: [Date] — SOP owner: Operations / Legal