Vendor and Third-Party Management Policy

This Vendor and Third-Party Management Policy outlines procedures for selecting, engaging, and managing vendors and service providers who process personal information on behalf of the organization. This policy ensures compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) by safeguarding consumer data and protecting their rights.

• Scope: Covers all vendors handling consumer personal information (PI) and sensitive personal information (SPI).
• Vendor Management: Includes due diligence, risk assessments, contractual agreements, and restrictions on data sharing.
• Monitoring and Compliance: Establishes processes for regular audits, incident reporting, and continuous monitoring of vendor practices.
• Consumer Rights: Ensures consumers can exercise rights such as opting out of data sharing and limiting SPI use.
• Termination Procedures: Details secure data return or destruction upon contract termination for non-compliance.

This policy ensures that third-party activities align with CCPA/CPRA requirements, reducing risks and promoting accountability.