Skip to content

Vendor Management

Statement

ClaimGuard's third-party-service footprint is intentionally small: one cloud provider (Google Cloud Platform), one LLM vendor (Google's Gemini API), and a handful of build / scanning tools that don't touch production data. Every production-data-handling vendor is enumerated on this page and on Subprocessors, and any new addition is treated as a security review item — not just a purchasing decision.

The vendor-management control is partial because the list is small and verifiably accurate, but the process (formal vendor review checklist, annual re-assessment cadence, written contracts file) is still being formalized.

Implementation

Production-data-handling vendors

These vendors see production user data, claim content, or operational secrets:

Vendor What we use it for Data exposure Where documented
Google Cloud Platform (project train-cvit2) Compute, storage, secrets, audit logs Full production data at rest and in compute Cloud provider
Google Gemini API (gemini-2.5-pro) Claim narrative + evidence-summary analysis (master_tool) Claim text and evidence summaries are sent to the API for analysis AI transparency

That is the complete list of production-data-handling vendors today.

Build / scan / development-only vendors

These vendors do not see production data. They are listed for completeness so an auditor isn't surprised by a transitive reference in package.json or in CI logs:

Vendor What we use it for Data exposure
Snyk SCA + SAST scanning of source manifests and code Source code path lists in scan output; no runtime data
GitHub Source-code hosting and PR review Source code
npm registry / PyPI Dependency hosting None — pull-only

How a vendor enters the stack

The current process for adding a new vendor, kept light by team size:

  1. Triage: Is the vendor strictly necessary, or can the work be done in-house at acceptable cost? "We'll just use vendor X" is not a free decision.
  2. Data-exposure assessment: Will production data leave the ClaimGuard environment? If yes, the vendor moves to the "production-data-handling" tier and requires items 4–6 below.
  3. Security posture review: SOC 2 / ISO 27001 attestation, public security page, breach history. For LLM vendors, the data-retention and training-use clauses on the API plan.
  4. Contractual coverage: Is a DPA or equivalent in place? Recorded alongside Subprocessors.
  5. Disclosure: The vendor is added to the Subprocessors page before going live in production.
  6. Customer notification: For existing customers, material new subprocessors trigger advance notice per the customer's contract (today, no customer is at material scale; this becomes operational at first regulated-customer onboarding).

Periodic review

Today there is no scheduled annual review of vendor security posture. The list is small enough that the founder pair tracks it by inspection. As the list grows beyond five production-data-handling vendors, an annual review with sign-off becomes the right control.

Vendor changes since 2026-04 (the security remediation pass)

  • Snyk has been the SCA / SAST tool throughout; not a new addition.
  • GCP is the cloud since project inception.
  • Gemini API is the LLM in tools/master_tool/; in place at the start of the remediation pass.

No production-data-handling vendors were added or removed in the remediation pass.

Status

partial — verified 2026-04-29.

What's in place:

  • A complete and current list of production-data-handling vendors (2) and development-only vendors (3 more).
  • A documented process for adding a new vendor, even if it has not been exercised on a new addition recently.
  • Cross-references to the Subprocessors page for the contractual / customer-disclosure side.

Known gaps

  • No annual vendor review is scheduled or recorded.
  • No central vendor-contract repository. Contracts and DPAs live in scattered legal storage; consolidating them is a follow-up.
  • No internal "vendor-add" checklist as a written artifact — the items above are the de facto process but are not yet a signed internal SOP.
  • No vendor-level risk rating captured anywhere. Auditors typically expect a high/medium/low rating per production-data vendor.

Roadmap

  • Annual vendor review (start with the 2 production-data vendors). First review scheduled before SOC 2 fieldwork.
  • Vendor risk-rating column on a maintained vendor inventory (CSV or single doc page).
  • Central contract repository — a single index linking each production-data-handling vendor to its DPA / SOC 2 attestation PDF.
  • Customer notification workflow for material new subprocessors, formalized at first regulated-customer onboarding.