23. Third‑Party and Supply Chain Expectations
23.1 Purpose
Set minimum, recurring obligations for vendors and their subprocessors so CLD can rely on independent assurance, timely remediation, and audit cooperation across the supply chain.
23.2 Annual assurance and attestations
Vendors must provide, at least annually, independent assurance that their control environment remains effective:
- SOC 2 Type 2 (or ISO 27001 certificate with Statement of Applicability) covering the services relevant to CLD’s environment, including security and availability; include bridge letters for gaps. If the report has material exceptions, provide a corrective action plan within 30 days.
- External penetration test of the in‑scope environment, with an executive summary and a remediation plan for findings within 30 days; verify fixes for Critical/High findings.
- Secure SDLC/code scanning evidence: summary of annual code scans, including coverage and remediation status.
Subprocessors that store or access CLD data must provide equivalent reports through the vendor. PENDING: Whether CLD requires full reports under NDA vs executive summaries for pentests
23.3 Recurring security operations
Vendors must maintain the following practices and furnish evidence upon request:
- Continuous or frequent vulnerability scanning per Section 13, with POA&M tracking and SLA adherence.
- SIEM operation (per contract), with periodic summaries of notable events and detections; provide quarterly overviews if requested. PENDING: Quarterly reporting cadence — Yes/No
- Patch and configuration management processes, including emergency procedures for actively exploited issues.
- Backup/restore operations and periodic restore tests aligned to tier; provide recent test evidence on request.
23.4 Change notification and roadmap
Vendors must notify CLD in advance of material changes that could affect security, privacy, or service continuity, including:
- New or changed subprocessors, changes in processing location, or new data categories.
- Significant architectural changes (e.g., auth model, hosting region, critical dependency).
- Decommissioning or major version upgrades that impact compatibility or controls.
Provide reasonable lead time to assess impact and plan mitigations. PENDING: Notice lead time for material changes — __ days
23.5 Incident notification and cooperation
Vendors must notify CLD promptly of any security or privacy incident that affects, or is reasonably likely to affect, CLD data or services, and must cooperate in investigation, containment, eradication, recovery, and root cause analysis. Provide initial notice immediately upon awareness, a written summary within PENDING: __ hours, and periodic updates until closure. Share relevant indicators of compromise (IOCs) and corrective actions; coordinate subprocessor communications and evidence.
23.6 Audit and assessment rights
Upon reasonable notice, CLD (or its designee under NDA) may request documentation or conduct risk‑based assessments to verify compliance with this policy and contractual obligations. Vendors must:
- Provide policy/procedure extracts, architecture/data‑flow summaries, assurance reports, scan/pentest summaries, and POA&M status.
- Facilitate virtual walk‑throughs or limited onsite inspections when proportional to risk.
- Remediate findings within agreed timelines and provide evidence of closure.
Where a client contract mandates more frequent or broader audit rights, those requirements prevail.
23.7 Data handling on termination or transition
At termination or upon CLD request, vendors must:
- Return CLD data in a mutually agreed, machine‑readable format within PENDING: __ days.
- Securely delete all CLD data (including replicas and backups at the next cycle) and certify deletion in writing (signed by an authorized officer).
- Cooperate in transition, including data migration support at agreed rates, while maintaining security controls during the transition period.
23.8 License, IP, and escrow (as applicable)
For custom components critical to business continuity, CLD may require source code escrow with a defined deposit cadence and release conditions (e.g., vendor insolvency, persistent SLA breach, refusal to remediate critical security defects). PENDING: Escrow requirement — Yes/No; scope and release conditions
23.9 Flow‑down of obligations
Vendor contracts must flow down to subprocessors all obligations necessary to meet this policy and CLD’s contracts, including:
- Security/privacy baselines (identity/MFA, logging/retention, encryption, residency), vulnerability SLAs, SIEM operation, annual assurance, incident notification/cooperation, deletion/return on exit, audit rights, and sub‑subprocessor controls.
- Prohibition on using new subprocessors or new jurisdictions without CLD approval and required notice.
23.10 Contact and escalation
Vendors must maintain a current security and privacy contact for CLD (email and 24×7 phone or paging for urgent matters), plus an escalation path for executive engagement. Update contact details within PENDING: __ business days of changes.
23.11 Exceptions
Any deviation from these third‑party expectations requires a documented exception specifying scope, rationale, compensating controls, owner, ISO recommendation, Executive Sponsor approval, and expiry; privacy‑impacting deviations also require Legal/Privacy review.