Third Party Security, Vendor Risk Management and Systems/Services Acquisition
2025.8
Matrak makes every effort to ensure that all third-party organizations are compliant and do not compromise the integrity, security, and privacy of Matrak or Matrak Customer data. Third Parties include Vendors, Customers, Partners, Subcontractors, and Contracted Developers.
Policy Statements
Matrak policy requires that:
(a) A list of approved vendors/partners must be maintained and reviewed annually.
(b) Approval from the CTO must be in place prior to onboarding any new vendor or contractor. Additionally, all changes to existing contract agreements must be reviewed and approved prior to implementation.
(c) For any technology solution that needs to be integrated with the Matrak production environment or operations, a review must be performed by the engineering team and approved by the CTO to understand and approve the risk.
(d) Matrak Customers or Partners should not be allowed access outside of their own environment, meaning they cannot access, modify, or delete any data belonging to other third parties.
Controls and Procedures
Vendor Technology Risk Review
Matrak policy requires a review of vendor technology prior to any technology being integrated into Matrak operations and/or infrastructure. Employees are required to engage the engineering team to conduct such a review.
The engineering team is responsible for conducting the reviews to ensure the vendor follows security best practices to minimize risk to an acceptable level. The CTO provides final approval based on the engineering team's assessment.
A list of approved vendors/contractors is maintained by the engineering team.
Software and Systems Acquisition Process
The engineering team maintains a list of approved vendors/contractors.
If additional commercial software, hardware systems, or cloud services are needed, a request should be submitted to the engineering team for review and CTO approval.