Third-Party Risk Management

JoveWhizz's third-party risk management framework governs vendor selection, due diligence, contracting, and ongoing monitoring to ensure that every research partner meets our security and quality standards.

TPRM Framework and Governance

Our TPRM program is built on the ISO 27001 and SOC 2 control frameworks and applies a risk-based tiering model to all vendors. Each third party is classified as critical, high, medium, or low risk based on data access, system integration depth, and operational impact. Tier classification determines the frequency and depth of assessments.

A cross-functional TPRM committee comprising security, legal, procurement, and research operations stakeholders governs the program. The committee approves vendor onboarding, reviews assessment findings, and enforces remediation deadlines. Policy exceptions require documented rationale and approval from the Chief Information Security Officer.

Vendor Risk Assessment and Due Diligence

Before engagement, every prospective vendor undergoes a structured risk assessment that includes security questionnaire review, SOC 2 or equivalent audit report evaluation, financial health screening, and reference checks. For critical vendors, we conduct onsite or virtual assessments of their security posture and operational practices.

Due diligence extends to data processing agreements, sub-processor arrangements, and jurisdiction-specific legal compliance. Contracts incorporate minimum security requirements, breach notification timelines, audit rights, and data return or destruction clauses. All findings are documented in a vendor risk register that tracks assessment scores and residual risks.

Ongoing Monitoring and Reassessment

Continuous monitoring tools scan vendor environments for security posture changes, data breaches, and compliance drift. Critical vendors are monitored in real time for anomalies, while lower-tier vendors are reviewed through annual reassessments and automated control testing.

Trigger-based reassessments occur upon material changes such as ownership shifts, significant infrastructure updates, data breach incidents, or new sub-processor engagements. Vendor performance scorecards track service delivery metrics, compliance findings, and remediation response times, feeding into quarterly business reviews.

Supplier Oversight and Research Partner Management

Research-specific vendors, including panel providers, survey platform operators, transcription services, and data analytics partners, are subject to enhanced due diligence. We verify their respondent validation methods, data privacy practices, quality assurance processes, and compliance with ESOMAR and MRS standards.

Regular supplier meetings and performance audits ensure continued alignment with JoveWhizz's quality and compliance requirements. Non-performing or non-compliant vendors are placed on improvement plans with defined milestones. Repeated failures or critical control gaps result in contract termination and an orderly transition to an alternative supplier.

Frequently Asked Questions

How does JoveWhizz classify vendor risk?

Vendors are classified into four tiers based on data sensitivity, system access, regulatory impact, and service criticality. Classification determines assessment frequency and monitoring depth.

What security documentation do vendors need to provide?

Vendors must submit SOC 2 or ISO 27001 reports, completed security questionnaires, data processing agreements, and evidence of cyber liability insurance meeting minimum coverage thresholds.

How often are vendors reassessed?

Critical vendors are reassessed annually with quarterly monitoring reviews. Medium-risk vendors are reassessed every 18 months, and low-risk vendors every 24 months.

What happens if a vendor fails an assessment?

Findings are documented with required remediation actions and deadlines. Critical findings require immediate remediation within 30 days. Failure to remediate may result in suspension or termination.

Does JoveWhizz monitor vendor sub-processors?

Yes. Vendors must disclose all sub-processors, and each sub-processor is subject to the same risk assessment criteria. Changes require advance notice and approval through our change management process.

How are research panel providers vetted?

Panel providers undergo rigorous validation including respondent source verification, fraud detection methodology review, sample quality metrics analysis, and compliance with ISO 20252 standards.

Can clients request visibility into JoveWhizz's vendor assessments?

Yes. Clients with appropriate NDAs may receive summary assessment reports for vendors supporting their research programs. Detailed findings are available during onsite audits.

What happens when a vendor experiences a data breach?

Vendors must notify JoveWhizz within 24 hours of confirming a breach involving our data. Our incident response team then coordinates investigation, client notifications, and remediation in line with contractual and regulatory obligations.

Partner With a Risk-Aware Research Provider

Contact us to learn more about our TPRM program, review our vendor management policies, or request a third-party assurance pack.
