1. Overview

The Rundoo Third-Party Risk Management Program (“Program”) outlines the procedures for assessing and managing the risks associated with third-party vendors that provide critical services to Rundoo. This Program ensures that third-party service providers are vetted and monitored to mitigate potential security, operational, and financial risks. These guidelines are subject to change at Rundoo’s discretion and do not guarantee specific risk mitigation outcomes.

2. Scope

This Program applies to all third-party vendors and service providers with access to or involvement in Rundoo’s operations, systems, or data. Specifically, Rundoo relies on the following key third-party providers:

• Google Cloud Platform (GCP): Rundoo’s infrastructure is hosted on GCP, including servers, databases, and storage. GCP provides secure, scalable infrastructure, and Rundoo leverages GCP’s built-in security features to safeguard our operations.
• Stytch: Rundoo uses Stytch for user authentication, ensuring secure and reliable access control for our systems.
• Stripe: Rundoo processes payments through Stripe, relying on their robust payment security features for handling sensitive financial transactions.

3. Vendor Risk Assessment

• Initial Evaluation: Before engaging any third-party service provider, Rundoo conducts a thorough risk assessment. This includes evaluating the provider’s security protocols, regulatory compliance, and financial stability. Specific attention is paid to data security, uptime guarantees, and incident response capabilities.
• Ongoing Monitoring: Rundoo conducts periodic reviews of third-party vendors to ensure they continue to meet security, operational, and performance standards. These reviews include assessments of any new risks that may emerge over time. Rundoo retains the flexibility to modify vendor relationships as needed, without any guarantees or specific timetables.

4. Data Backup and Recovery

Rundoo maintains point-in-time backups of all critical databases, hosted on GCP, to ensure data recovery in the event of an incident or system failure. These backups enable the recovery of databases to any specific point in time. However, no guarantees are made regarding recovery timeframes or data loss prevention in every scenario.

5. Incident Response and Escalation

In the event of a security or operational issue involving a third-party vendor, Rundoo follows its incident management procedures (outlined separately) to promptly assess and mitigate the impact. Should a vendor fail to meet service expectations, Rundoo has the ability to switch vendors or roll back changes where feasible, though no guarantees are made about incident resolution or vendor replacement timelines.

6. Compliance and Data Protection

Each third-party provider is responsible for complying with applicable data protection regulations, including GDPR and CCPA, where relevant. Rundoo monitors vendors for compliance but does not guarantee that all risks are mitigated or that all third-party providers will meet every regulatory requirement at all times.

7. Program Modifications

Rundoo reserves the right to update or amend this Program at any time, based on evolving third-party risks, changes in vendors, or new legal requirements. No specific outcomes are guaranteed as part of this Program.

8. Disclaimer

This Program is provided as a general guideline for managing third-party risks. It does not create any legal obligations or warranties regarding the security, performance, or reliability of third-party services. Rundoo disclaims liability for any damages or losses resulting from third-party failures or service disruptions.