Vendor and Partner Risk Management Policy
1.0 PURPOSE
This policy establishes a comprehensive Vendor and Partner Risk Management Program for NEO Global Pty Ltd (“NEO”) in accordance with ISO 27001:2022 and SOC 2 Type II requirements. As a global employment marketplace platform, NEO’s business model relies on a network of Employment Partners, technology vendors, and service providers, making robust third-party risk management essential to our operations and our customers’ trust.
This policy ensures the safety and security of NEO system resources, customer data, and the overall confidentiality, integrity, and availability (CIA) of our platform and services.
2.0 SCOPE
This policy applies to:
2.1 Employment Partners (Marketplace Partners)
- Employer of Record (EOR) providers in the NEO marketplace
- Local employment partners and in-country providers
- Payroll providers and professional employer organizations (PEOs)
- Immigration and visa service providers
- Benefits and insurance partners
2.2 Technology Vendors
- Cloud service providers (AWS, infrastructure)
- SaaS platforms integrated with NEO
- Software and development tool vendors
- Security and compliance tool providers
2.3 Service Providers
- Professional services with access to NEO systems or data
- Sub-processors and sub-contractors
- Any external entity that processes, stores, or accesses NEO or customer data
2.4 Out of Scope
- One-time purchases without an ongoing relationship or data access
- Public utilities without an IT/data component
- Channel customers using the NEO platform (covered under separate agreements)
3.0 PARTNER AND VENDOR CLASSIFICATION
NEO classifies all third parties based on risk level and business criticality to ensure appropriate oversight and assessment frequency.
3.1 Partner Tiers (Employment Partners)
| Tier | Criteria | Assessment Requirements |
|---|---|---|
| Tier 1 – Strategic | High volume (>50 workers), critical markets, strategic importance | Full assessment, quarterly reviews, annual on-site/virtual audit |
| Tier 2 – Standard | Medium volume (10-50 workers), established relationship | Full assessment, semi-annual reviews, annual certification review |
| Tier 3 – Limited | Low volume (<10 workers), non-critical markets | Standard assessment, annual reviews |
3.2 Vendor Criticality Levels
A vendor is classified as “Critical” if any of the following apply:
- Processes or stores PII (customer, employee, or worker data)
- Has access to production systems or data
- Provides services essential to business operations (SLA-bound)
- Is a sub-processor under customer contracts or regulatory requirements
- Is a single point of failure for a critical business function
4.0 EMPLOYMENT PARTNER MANAGEMENT
Given NEO’s marketplace model, Employment Partners require enhanced due diligence and ongoing monitoring beyond standard vendor management.
4.1 Partner Onboarding Requirements
All Employment Partners must complete the following before activation:
Legal and Compliance
- Valid business registration and operating licenses in applicable jurisdictions
- Proof of employment law compliance capabilities
- Professional liability and employment practices liability insurance (minimum coverage as specified in Partner Agreement)
- Signed Partner Agreement including data processing addendum
- Anti-bribery and anti-corruption attestation
Security and Data Protection
- Completed security questionnaire (based on SIG Lite or equivalent)
- SOC 2 Type II or ISO 27001 certification (or equivalent controls assessment)
- GDPR compliance documentation (where applicable)
- Data encryption standards (at rest and in transit)
- Incident response and breach notification procedures
Operational Capabilities
- Demonstrated payroll processing capabilities
- Statutory compliance track record
- Business continuity and disaster recovery plans
- Reference checks from existing clients
- Financial stability verification
4.2 Partner Performance Monitoring
NEO monitors Employment Partner performance through the following metrics and KPIs:
| Metric Category | Key Performance Indicators | Threshold |
|---|---|---|
| Payroll Accuracy | Error rate, on-time payment rate | >99% accuracy, 100% on-time |
| Compliance | Statutory filing accuracy, audit findings | Zero material findings |
| Responsiveness | Query response time, issue resolution | <24hr response, <5 day resolution |
| Security | Security incidents, vulnerability remediation | Zero breaches, <30 day remediation |
| Customer Satisfaction | NPS, escalation rate | >50 NPS, <5% escalation rate |
4.3 Partner Non-Compliance and Remediation
Non-compliance triggers the following escalation process:
- Level 1 – Warning: Written notification with 30-day remediation window
- Level 2 – Probation: Enhanced monitoring, restricted new worker placements
- Level 3 – Suspension: Removal from active marketplace, transition planning for existing workers
- Level 4 – Termination: Full offboarding per Partner Agreement terms
5.0 VENDOR RISK ASSESSMENT
5.1 Assessment Schedule
| Assessment Type | Frequency | Trigger | Scope |
|---|---|---|---|
| Initial Assessment | Before onboarding | New vendor relationship | Full security questionnaire, security policies review, insurance policy review |
| Annual Review | Annually | Contract anniversary | Security posture update, compliance verification |
| Critical Vendor Review | Quarterly | Vendors with PII access | Enhanced monitoring, access review |
| Re-assessment | Ad-hoc | Incident, scope change, renewal | Risk-based scope |
| Continuous Monitoring | Ongoing | Automated alerts | Security ratings, breach notifications |
5.2 Risk Categories
All vendors and partners are assessed against the following risk categories:
- Compliance Risk: Violations of applicable laws, regulations, or internal policies, including data protection (GDPR, local privacy laws), employment law, and tax compliance.
- Reputation Risk: Negative public perception, unethical practices, or data breaches affecting NEO’s brand.
- Operational Risk: Failure of internal controls, service disruptions, or inability to meet SLAs.
- Information Security Risk: Inadequate security controls, data breaches, unauthorized access, or system vulnerabilities.
- Financial/Credit Risk: Financial instability, going concern issues, or inability to meet obligations.
- Country Risk: Political, economic, or legal factors in operating jurisdictions affecting service delivery.
6.0 DUE DILIGENCE IN SELECTION
The selection process for new vendors and partners includes:
- Review of financial statements and financial health indicators
- Review of SOC 2 Type II, ISO 27001, or equivalent certifications
- Assessment of operational capacity and scalability
- Evaluation of sub-servicers and fourth-party dependencies
- Inquiry into past, present, or expected legal issues
- Assessment of business continuity and disaster recovery capabilities
- Insurance coverage verification
- Reference checks and reputation assessment
7.0 SUPPLY CHAIN SECURITY
In accordance with ISO 27001:2022 Annex A controls 5.19 to 5.23 (supplier relationships), NEO ensures that all vendors and partners with access to sensitive or critical data are subject to supply chain security assessments. Contractual requirements for information security are included in all relevant agreements.
7.1 Fourth-Party Risk Management
NEO requires visibility into critical sub-processors and sub-contractors:
- Partners must disclose all sub-processors handling NEO or customer data
- Material changes to sub-processors require advance notification
- NEO reserves the right to assess critical fourth parties
- Contractual flow-down of security requirements to sub-processors
8.0 CONTRACTUAL REQUIREMENTS
All vendor and partner agreements must include:
- Clear definition of roles, responsibilities, and service levels
- Data processing terms and permitted use restrictions
- Security requirements and compliance obligations
- Incident notification requirements (within 24-72 hours)
- Audit rights and assessment cooperation
- Indemnification and liability provisions
- Termination and transition assistance provisions
- Insurance requirements
- Confidentiality and data return/destruction obligations
9.0 DOCUMENTATION AND RETENTION
- All assessments documented in Vendor/Partner Risk Register
- Assessment findings and remediation tracked in issue management system
- SOC 2/ISO 27001 reports: Retained for duration of relationship + 1 year
- Security questionnaire responses: Retained for duration of relationship + 1 year
- Destruction per Data Disposal and Destruction Policy; records maintained for audit
10.0 ROLES AND RESPONSIBILITIES
| Role | Responsibilities |
|---|---|
| CEO | Executive sponsor; approves critical vendor/partner relationships; escalation point for security issues; ensures policy compliance |
| Head of Operations / Partnerships | Partner relationship management; partner performance monitoring; partner onboarding coordination; escalation management |
| Security Lead | Policy owner; conducts risk assessments; reviews SOC 2/ISO reports; maintains Risk Register; quarterly critical reviews |
| Head of Engineering | Technical evaluation of vendor capabilities; integration oversight; performance monitoring |
| Legal Counsel | Contract review and approval; NDA management; ensures contractual security requirements; manages disputes |
| Finance | Vendor financial health assessment; payment processing; budget management |
11.0 CUSTOMER NOTIFICATION
NEO will notify affected customers promptly if NEO learns that a partner or sub-processor has processed a customer’s Personal or Confidential data for any purpose other than the intended purpose, in accordance with contractual obligations and the Incident Response Policy.
12.0 POLICY REVIEW
This policy will be reviewed annually or upon significant changes to NEO’s business model, regulatory requirements, or risk landscape.