Vendor Management Policy – eChallan.app
Purpose
The purpose of this policy is to ensure that all third-party vendors engaged by eChallan.app (Vahanfin Solutions Pvt. Ltd.) are evaluated, contracted, and monitored in a manner that safeguards company data, ensures compliance with applicable regulations, and upholds service quality and security standards.
1. Scope
This policy applies to all vendors, partners, contractors, and service providers who provide products, software, APIs, data services, hosting infrastructure, or any operational support to eChallan.app.
2. Objectives
- To ensure vendors meet eChallan.app’s information security, privacy, and compliance standards.
- To minimize operational, financial, legal, and reputational risks arising from third-party relationships.
- To establish consistent guidelines for onboarding, monitoring, and terminating vendor relationships.
3. Vendor Assessment & Due Diligence
Before engagement, each vendor must undergo a due diligence assessment covering:
- Legal Verification: Valid business registration, GST, and PAN verification.
- Financial Stability: Review of financial health and service sustainability.
- Security Compliance: Evaluation of data protection measures, encryption standards, and access control policies.
- Operational Capacity: Ability to deliver consistent uptime, performance, and scalability.
- Regulatory Compliance: Adherence to IT Act 2000, GDPR (if applicable), and government data handling norms.
4. Contractual Requirements
All vendor agreements must include:
- Confidentiality & NDA Clauses to protect sensitive data.
- Service Level Agreements (SLAs) defining uptime, response, and resolution times.
- Data Protection Clauses outlining data handling, storage, and retention policies.
- Right to Audit clause permitting eChallan.app to assess compliance as required.
- Termination Clauses in case of non-compliance, data breach, or service failure.
5. Risk Categorization
Vendors are classified based on the sensitivity and criticality of their services:
- High-Risk Vendors: Handle sensitive user/vehicle data, payments, or integrations (e.g., payment gateways, hosting providers).
- Medium-Risk Vendors: Provide API or operational support with limited data access.
- Low-Risk Vendors: Provide non-critical tools (e.g., design, marketing, or office utilities).
Risk category determines the depth of due diligence and frequency of audits.
6. Ongoing Monitoring & Review
- Annual Vendor Review: Evaluate performance, compliance, and incident history.
- Security Audits: Periodic verification of security posture for high-risk vendors.
- Performance Metrics: Uptime, response time, and issue resolution tracking.
- Incident Reporting: Immediate notification to eChallan.app in case of data breaches or system failures.
7. Vendor Access & Data Handling
- Vendors may access eChallan.app data only through approved, secure channels.
- Access is restricted based on the “least privilege” principle.
- Any data shared must be encrypted in transit and at rest.
- No vendor is allowed to store or replicate eChallan.app user data outside approved systems.
8. Termination of Vendor Relationship
- Upon termination, all data must be securely deleted, and deletion must be confirmed via written acknowledgment.
- Access credentials must be revoked immediately.
- A final performance and compliance review is conducted.
9. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Vendor Manager / Procurement Team | Conduct due diligence, maintain vendor records, and manage contracts. |
| Information Security Team | Assess technical controls, monitor vendor security, and perform audits. |
| Legal & Compliance | Ensure adherence to applicable laws and contractual terms. |
| Operations Team | Evaluate vendor performance and service quality. |
10. Policy Review
This policy shall be reviewed annually or upon major regulatory or business changes. Updates will be approved by the Compliance Officer and Security Committee.
11. Compliance and Enforcement
Non-compliance by vendors or internal teams managing vendors may result in suspension, contract termination, or blacklisting from future engagements.
Approved by:
eChallan.app Security & Compliance Division
Vahanfin Solutions Pvt. Ltd.