Vendor Risk Management Policy
Effective Date: February 2026
Document Version: 1.0
1. Purpose & Scope
This Vendor Risk Management Policy (“Policy”) establishes the procedures by which Rymeda, Inc. (“Rymeda,” “we,” “us”) assesses, selects, monitors, and terminates third-party vendors and subprocessors that access, process, store, or transmit Protected Health Information (PHI), personally identifiable information (PII), or that provide services critical to Rymeda's infrastructure and operations. This Policy applies to all third-party vendors, subprocessors, service providers, and partners engaged by Rymeda and covers the entire vendor lifecycle from initial assessment through ongoing monitoring to termination and offboarding.
This Policy satisfies the requirements of HIPAA (45 CFR Parts 160 and 164), NIST Cybersecurity Framework (CSF) 2.0, SOC 2 trust service criteria, GDPR Article 28, and the California Confidentiality of Medical Information Act (CMIA).
2. Definitions
- Vendor: Any third-party entity that provides products, services, or technology to Rymeda, including cloud infrastructure providers, SaaS platforms, API services, and professional service firms.
- Subprocessor: A vendor that processes personal data or PHI on behalf of Rymeda in connection with the delivery of services to Rymeda's customers, as defined in the Data Processing Agreement and Business Associate Agreement.
- Critical Vendor: A vendor whose failure or compromise would cause immediate and material disruption to Rymeda's ability to deliver healthcare services or would directly expose PHI.
- Business Associate: A vendor that creates, receives, maintains, or transmits PHI on behalf of Rymeda, as defined under HIPAA (45 CFR §160.103).
- Risk Tier: A classification level (Critical, High, Medium, or Low) assigned to each vendor based on data sensitivity, infrastructure criticality, and regulatory exposure, as defined in Section 3.
3. Vendor Risk Classification
All vendors are classified into risk tiers based on the type and sensitivity of data they access, the criticality of services they provide, and their proximity to Rymeda's production infrastructure:
| Risk Tier | Criteria | Current Vendors |
|---|---|---|
| Critical | Processes, stores, or transmits PHI/ePHI; core infrastructure provider; single point of failure for platform operations | AWS, MongoDB Atlas, OpenAI, Google Gemini, 100ms |
| High | Processes PII (no PHI); payment or financial data; development tools with code access | Stripe (Connect) |
| Medium | Operational services with PII access (email addresses, names) but no PHI; communication tools | Twilio SendGrid |
| Low | No access to customer data, PHI, or PII; public data services; privacy-friendly analytics | Plausible Analytics, CMS NPPES Registry |
4. Vendor Assessment Process
Before engaging any new vendor, Rymeda conducts a pre-engagement risk assessment scaled to the vendor's risk tier, covering security posture, compliance certifications, data handling practices, and contractual readiness.
- Security Questionnaire: Critical and High-tier vendors must complete Rymeda's CAIQ-based security questionnaire covering information security policies, access controls, encryption, incident response, and business continuity.
- SOC 2 / ISO 27001 Review: Critical-tier vendors must provide a SOC 2 Type II report or ISO 27001 certification. High-tier vendors must provide at least a SOC 2 Type I report.
- HIPAA Compliance Verification: Vendors processing PHI must demonstrate HIPAA compliance, including technical safeguards aligned with 45 CFR §164.312.
- Penetration Test Results: Critical-tier vendors must provide recent penetration test results or an attestation of annual testing with documented remediation plans.
Assessment requirements by tier:
| Requirement | Critical | High | Medium | Low |
|---|---|---|---|---|
| Security Questionnaire | Required | Required | Recommended | Optional |
| SOC 2 / ISO 27001 | Type II Required | Type I Required | Recommended | N/A |
| HIPAA Verification | Required | If PHI access | N/A | N/A |
| Penetration Test | Required | Recommended | N/A | N/A |
| Data Flow Analysis | Required | Required | Required | Recommended |
5. Contractual Requirements
All vendor agreements include contractual protections scaled according to risk tier:
- Business Associate Agreement (BAA): Required for all vendors that process, store, or transmit PHI, pursuant to HIPAA (45 CFR §164.502(e), §164.504(e)). See the BAA.
- Data Processing Agreement (DPA): Required for all vendors that process personal data of EU/EEA data subjects, compliant with GDPR Article 28. See the DPA.
- Standard Contractual Clauses (SCCs): Required for vendors that transfer personal data outside the EU/EEA, in accordance with the European Commission's approved SCCs (2021/914).
- Service Level Agreements (SLAs): Critical and High-tier vendors must commit to contractual uptime, response time, and support availability targets.
- Insurance Requirements: Critical and High-tier vendors must maintain cyber liability insurance with minimum coverage of $5,000,000 per occurrence and $10,000,000 aggregate.
- Breach Notification: Vendors must notify Rymeda of any security incident or data breach without undue delay and within seventy-two (72) hours of discovery. Critical-tier vendors must notify within twenty-four (24) hours.
- Right to Audit: Rymeda retains the right to audit vendor compliance, either directly or through an independent third-party auditor, upon reasonable notice.
6. Ongoing Monitoring
Vendor risk is continuously monitored throughout the engagement lifecycle. The reassessment frequency is determined by risk tier:
| Risk Tier | Reassessment Frequency | SOC 2 Refresh | Performance Review |
|---|---|---|---|
| Critical | Annual | Annual | Quarterly |
| High | Annual | Annual | Semi-annually |
| Medium | Biennial | On request | Annually |
| Low | Periodic (risk-adjusted) | N/A | As needed |
Continuous monitoring activities include:
- Tracking vendor security advisories and CVE disclosures relevant to services used by Rymeda.
- Monitoring vendor breach disclosures and public security incident reports.
- Reviewing changes to vendor compliance certifications (SOC 2, ISO 27001, HIPAA, PCI DSS).
- Tracking vendor SLA adherence, uptime, and service reliability metrics.
- Reviewing vendor subprocessor changes that may affect Rymeda's data processing chain.
7. Vendor Inventory
The following vendors have been assessed, approved, and are currently engaged by Rymeda:
| Vendor | Category | Risk Tier | BAA | Data Access | Last Assessed |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure | Critical | Yes | PHI, PII, all platform data | Feb 2026 |
| MongoDB Atlas | Database | Critical | Yes | PHI, PII, clinical records | Feb 2026 |
| OpenAI, Inc. | AI Processing | Critical | Yes | PHI (ZDR), clinical audio | Feb 2026 |
| Google LLC (Gemini) | AI Processing | Critical | Yes | PHI, clinical note content | Feb 2026 |
| 100ms, Inc. | Telehealth Video | Critical | Yes | PHI (video/audio streams) | Feb 2026 |
| Stripe, Inc. (Connect) | Payment Processing | High | N/A | PII, payment data (no PHI) | Feb 2026 |
| Twilio SendGrid | Email Delivery | Medium | N/A | PII (email, name; no PHI) | Feb 2026 |
| Plausible Analytics | Website Analytics | Low | N/A | No personal data | Feb 2026 |
| CMS NPPES Registry | NPI Verification | Low | N/A (government API) | Public provider data only | Feb 2026 |
For detailed data processing descriptions, data flow information, and geographic locations, see the Subprocessor List. ZDR = Zero Data Retention agreement in place.
8. Incident Response for Vendor Breaches
When a vendor reports a security incident, breach, or unauthorized access, Rymeda follows the vendor-specific track of the Incident Response Plan:
8.1 Notification Requirements
Vendors must notify Rymeda of any security incident, data breach, or unauthorized access to Rymeda data. Critical-tier vendors must notify within twenty-four (24) hours; all other vendors within seventy-two (72) hours of discovery. Notification must include the nature of the incident, data categories affected, estimated scope, and initial containment actions taken.
8.2 Containment & Impact Assessment
Upon receiving vendor breach notification, Rymeda's security team assesses the scope and impact, including which data was affected, which customers are impacted, and whether PHI was exposed. Rymeda may require the vendor to immediately isolate affected systems, revoke compromised credentials, and preserve forensic evidence.
8.3 Coordination with Vendor
Rymeda coordinates remediation with the vendor, including root cause analysis, implementation of preventive measures, and documentation of lessons learned. The vendor's risk tier may be escalated based on the severity and recurrence of incidents.
8.4 Regulatory Reporting
If PHI is involved, Rymeda initiates HIPAA breach notification procedures per 45 CFR §§164.400–414, including notification to affected individuals, HHS/OCR, and media (for breaches affecting 500+ individuals). See the Breach Notification Policy.
9. Vendor Termination & Offboarding
When a vendor relationship is terminated, Rymeda follows a structured offboarding process:
- Data Return / Destruction: Vendor must return or permanently delete all Rymeda data, customer data, and PHI within thirty (30) days of termination per NIST SP 800-88 media sanitization guidelines. No copies, backups, or derivatives may be retained.
- Access Revocation: All vendor access to Rymeda systems, APIs, and data stores is revoked immediately upon termination. Shared credentials and encryption keys are rotated within twenty-four (24) hours via AWS Secrets Manager.
- Transition Planning: For Critical and High-tier vendors, Rymeda develops a transition plan including replacement vendor identification, data migration procedures, and service continuity measures.
- Certification of Destruction: Vendor must provide a signed Certificate of Destruction confirming permanent deletion of all Rymeda data from all systems, backups, and storage media, specifying the deletion method and date.
10. AI Vendor-Specific Controls
AI and machine learning vendors are subject to additional requirements given the sensitivity of clinical data processed. These controls apply to OpenAI (GPT, Whisper) and Google (Gemini via LiteLLM):
10.1 Zero Data Retention (ZDR)
AI vendors processing PHI must contractually commit to Zero Data Retention — no input data, output data, or intermediate processing data is retained after the API response is returned. OpenAI operates under a ZDR agreement for all Whisper and GPT API calls. This applies to voice transcriptions, SOAP notes, clinical summaries, and all clinical content.
10.2 No Model Training on Customer Data
AI vendors are contractually prohibited from using Rymeda customer data, PHI, or any clinical content for training, fine-tuning, improving, or evaluating AI models. This prohibition extends to anonymized or aggregated forms of customer data. Both OpenAI and Google have executed no-training agreements.
10.3 Model Card & Versioning Review
AI vendors must provide model cards or equivalent documentation describing model capabilities, limitations, and known biases. Advance notice is required for material model version changes (e.g., GPT-4 to GPT-5, Gemini version updates). Rymeda validates new model versions against clinical benchmarks before enabling them in production.
10.4 Bias Testing & Safety Evaluation
AI vendor models used for clinical documentation undergo Rymeda's internal bias and safety evaluation before deployment. Testing includes clinical accuracy benchmarks, demographic fairness assessment, and safety boundary verification. See the AI Transparency & Ethics Policy for full details.
Current AI Vendors: OpenAI, Inc. (Whisper, GPT models — ZDR + BAA), Google LLC (Gemini models via LiteLLM — BAA). See the Subprocessor List for complete details.
11. Roles & Responsibilities
The following roles are responsible for the execution and oversight of this Policy:
| Role | Responsibilities |
|---|---|
| CISO | Owns the Vendor Risk Management Program. Approves Critical and High-tier vendor engagements. Oversees vendor security assessments, incident response coordination, and annual policy review. |
| Privacy Officer | Ensures vendor data processing agreements comply with HIPAA, GDPR, and applicable privacy laws. Reviews BAAs and DPAs. Oversees vendor breach notification and regulatory reporting. |
| Procurement | Initiates vendor onboarding requests and coordinates the pre-engagement assessment process. Ensures all contractual requirements are met before vendor engagement. Manages vendor contract renewals and terminations. |
| Engineering Leads | Perform technical assessment of vendor security posture and architecture. Implement and maintain secure integrations with vendor APIs and services. Monitor vendor performance and service reliability. |
12. Contact
For questions about vendor risk management, subprocessor assessments, or vendor compliance: