Vendor Risk And Third-Party Due Diligence Policy
Effective Date: January 1, 2026
Purpose and Policy Objective
This Vendor Risk and Third-Party Due Diligence Policy establishes the framework used by Afintrix Advisory Analytics LLC (“Afintrix,” “we,” “us,” or “our”) to assess, manage, and monitor risks associated with third-party vendors, service providers, contractors, consultants, and other external parties.
Afintrix is an advisory, analytics, and governance firm providing structured oversight, compliance, and financial analysis support. The objective of this policy is to ensure that third-party relationships do not introduce unacceptable operational, compliance, security, or reputational risk.
Scope of Application
This policy applies to:
- All third-party entities engaged by Afintrix
- All stages of the vendor lifecycle, including selection, onboarding, engagement, monitoring, and termination
- All relationships involving access to Afintrix systems, data, facilities, or confidential information
- All personnel involved in vendor selection, approval, or oversight
This policy applies regardless of contract value or engagement duration.
Vendor Risk Principles
Afintrix applies the following principles to vendor risk management:
- Risk-based assessment proportionate to vendor role and access
- Due diligence prior to engagement
- Clear documentation of responsibilities and expectations
- Ongoing monitoring for changes in risk profile
- Timely escalation of identified issues
Third-party relationships are evaluated based on their potential impact on operations, data protection, compliance obligations, and governance integrity.
Vendor Risk Classification
Vendors are classified based on risk factors such as:
- Nature of services provided
- Access to confidential or sensitive information
- Access to systems or infrastructure
- Regulatory or compliance relevance
- Operational criticality
Risk classification informs the level of due diligence, contractual controls, and monitoring required.
Due Diligence Procedures
Prior to engagement, Afintrix performs due diligence appropriate to the vendor’s risk classification. Due diligence may include:
- Verification of legal existence and business registration
- Review of ownership and control structure
- Assessment of financial stability, where relevant
- Evaluation of data protection and information security practices
- Screening against applicable sanctions or restricted party lists
- Review of relevant policies, certifications, or compliance controls
Engagements may be declined where due diligence identifies unacceptable risk.
Contractual Controls
Vendor relationships are governed by written agreements that define, as applicable:
- Scope of services and responsibilities
- Confidentiality and data protection obligations
- Use and handling of information
- Compliance with applicable laws and policies
- Audit, review, or termination rights
- Incident reporting requirements
Contracts are reviewed to ensure alignment with Afintrix policies and risk tolerance.
Ongoing Monitoring
Afintrix monitors vendor relationships throughout the engagement lifecycle. Monitoring activities may include:
- Periodic review of performance and service delivery
- Review of changes in ownership, operations, or risk profile
- Assessment of continued compliance with contractual obligations
- Review of security or control incidents, where applicable
Monitoring intensity is adjusted based on vendor risk classification.
Information Security and Data Access
Vendors with access to Afintrix data or systems are required to maintain reasonable security controls appropriate to the nature of the access provided.
Access is limited to the minimum necessary and is removed promptly upon termination of the relationship or when no longer required.
Issue Identification and Escalation
Identified vendor-related issues, including security incidents, compliance concerns, or performance failures, are documented and escalated internally for review.
Afintrix may require remediation, restrict access, suspend services, or terminate the relationship where issues cannot be adequately addressed.
Termination of Vendor Relationships
Vendor relationships may be terminated where:
- Risk becomes unacceptable
- Contractual obligations are breached
- Compliance or security concerns are not remediated
- Services are no longer required
Termination procedures include revocation of access and confirmation of data return or destruction, where applicable.
Recordkeeping
Vendor due diligence records, contracts, and monitoring documentation are retained in accordance with the Record Retention and Document Management Policy.
Policy Review
This policy is reviewed periodically and updated as necessary to reflect changes in operational practices, regulatory expectations, or risk exposure.
