What information should I collate for my assigned vendors? How do I update this on Hubspot?
List of fields which you need to fill out on Hubspot for every vendor assigned to you
Go to this link - https://app.hubspot.com/contacts/9494133/objects/2-36072243/views/42536099/list
You will see a list of vendors assigned to you:
Every field in here can be edited directly for ease of use.
Please use the guide below to update the information for every field displayed in this view:
Field | Description | Examples |
What does the vendor do for Companjon? | Provide a short summary of the services rendered by the vendor to Companjon | - PSP used for sending money to end customers for accepted claims and policy cancellations - Consultant company hired to do the Hubspot CRM setup and Sales portal build |
Vendor Category/Service Criticality Level | Select the criticality level which is the outcome of the criticality assessment. Note: For existing vendors who are already added to Hubspot, do not change the value set already. If you disagree with the provided classification, please contact the relevant EMT sponsor | - Peak 3 -> Cat 1 as it is classed as a critical service provider essential for business continuity - Building maintenance/utility services -> Cat 4 |
What is the reason for the chosen service criticality level? | Short summary of the reasoning behind the above classification | Same as above |
Does vendor have access to Companjon employees'/customers' personal data? | Confirm if vendor stores our employees'/customers' data. Note: This is to be considered Yes only if the vendor actually processes the data | - Hubspot -> Yes as it has contact data for all our customers - Wise -> Yes as it stores account details of customers who get a payout - Nostra -> No as they do not store any employee sensitive data (though they know employees' names/emails), or access actual customer data from Graphene/Hubspot or other systems |
Explain what data is available to the vendor and why | If answer is 'yes' to above question, detail what information is available to the vendor and why they need access to that information | - Wise stores bank account details submitted by our customers to process payments. It also does Fraud checks based on the personal details submitted. - Peak3 have access to customer personal data in Production environment as they support us with technical investigation in case of any issues (i.e. Prod support) |
Where does the vendor store our data? (Country name(s)) | If vendor does store our data, please list the countries where data is stored. For cloud providers, please mention where the cloud is located. | - Hubspot -> US - Peak 3 -> Ireland, Germany |
From where does the vendor access our data? (Country name(s)) | If vendor can access our data for processing, please list the countries/regions where the vendor can access our data | - Peak 3 -> China (as the MAS team are located in China for supporting our production issues though the data as such is stored in an EU cloud) |
Is data processing done outside the EEA? | Confirm if Companjon data is 'processed' outside EEA. Note: Data processing means any work done with the data, like storing, updating, or using it for a specific task. | - Hubspot - Yes, data is processed outside EEA as our data center is in the US - Milliman - No, as they do not 'process' any data, and simply have our legal team's official contact data (not personal data) for working with us |
Does vendor store data in cloud? | Select Yes or No depending on whether the vendor stores our data in the cloud for processing | |
What type of cloud is used for storing data? | If Yes to above question, select the cloud type applicable | - AWS is a private cloud used by Peak 3 - Hubspot uses a public cloud |
How long is our data retained by the vendor post termination? | If our data is stored by the vendor, confirm how long the data would be retained by the vendor if we choose to terminate the relationship. This is helpful to decide if we need to transfer/migrate the data for regulatory reasons before it is lost forever, and also to ensure that data is not held for any longer than it needs to be. | ThinkOwl -> 30 days |
Partnership approved by | Select who approved the partnership. This could be the Board/CEO for some (rare) strategic partnerships or the EMT Sponsor in most cases | |
What is the governing Law of the Outsourcing arrangement? | Confirm the law under which the contract is signed by the vendor. Please refer to the master agreement on Ironclad to confirm this info. | Irish law, Swiss law, etc. |
Estimated annual budget | Provide the estimated budget set for this vendor per year (approx.) | |
Does the vendor support business operations that are time critical? | Confirm whether the vendor provides services that are essential to business activities that must be completed within a specific time frame or will result in business disruption/significant losses | - Hubspot -> Yes as it provides immediate access to policy documents and claims records for customer servicing without having to refer to multiple systems to get a consolidated view - Peak 3 -> Yes as it ensures real-time binding and confirmation of policies with insurers - Building maintenance services -> No as we can continue working remotely without any impact to business continuity |
Is there a BCP in place? | Confirm whether there is a Business Continuity Plan in place for critical application providers in such a way that business can continue without disruption. This can be a BCP set up by Companjon (e.g. DR site) or the vendor (e.g. backups on a regular basis). Note: This is applicable mainly to Category 1 and 2 applications/tools and might not be relevant to professional services/utilities. | Peak 3 -> Yes, a DR site has been set up to route traffic in case the primary server is down |
When was BCP test done? | Provide date of latest BCP testing by Companjon/vendor | |
Is there an exit strategy defined? | Confirm whether there is an exit strategy defined, i.e. what would we do if the vendor terminates the agreement. Note: This is applicable mainly to Category 1 and 2 vendors who provide critical services. But, good to have for all vendors if possible. | - Hubspot -> Yes, exit strategy is to move to a different CRM tool like Salesforce with migration of data - Telus -> Yes, exit strategy is to bring the services in-house or outsource to a different vendor with knowledge transfer of the applications/processes, followed by access revocation for existing Telus users |
When was exit strategy reviewed? | Provide date when the exit strategy was reviewed last | |
Link to latest/master contract | Add a link to the master contract on Ironclad. If there is no contract in place and the vendor services are offered through a simple sign up/subscription model, please mention Subscription start and end dates | Figma -> Subscription from 01 Jan 2024 to 01 Jan 2025 |