SOP-OPS-vendor-review-v1.0
1. Purpose
Define the due diligence process before entering a new vendor relationship — covering security posture, data handling, contractual terms, and pricing. Ensures eco|monetize™ does not take on vendor risk without a documented evaluation.
Scope: Any new vendor who will receive payment, hold eco|monetize™ data, integrate with our systems, or provide services to our customers. Free-tier tools used by agents for internal use only are reviewed more lightly per Section 5.
2. Vendor Classification
| Class | Definition | Review depth |
|---|---|---|
| Class A — Data holding | Vendor stores eco\|monetize™ or customer data (e.g., CRM, analytics, cloud hosting) | Full review: security + council + commercial + legal |
| Class B — Integration | Vendor integrates with our systems but does not store data persistently (e.g., Make.com webhooks, enrichment APIs) | Security + commercial review |
| Class C — Tool / SaaS | Vendor provides a tool used by agents or Rick directly, no data persistence (e.g., Calendly, Wispr Flow) | Commercial review + basic security check |
| Class D — Free internal | Free-tier tool, internal use only, no customer data, no persistent integration | Lightweight acknowledgment only |
3. Review Procedure
Step 1 — Vendor intake (any agent or CEO)
When a new vendor is proposed, the proposing agent drops a note in the COO session directory using this template:
VENDOR INTAKE
──────────────────────────────
Vendor: {name + URL}
Proposed by: {agent}
Use case: {what it does for us}
Class estimate: {A / B / C / D}
Data involved: {what data will the vendor touch?}
Urgency: {why now?}
COO classifies within 24 hours and initiates the appropriate review path.
Step 2 — Security assessment (Class A and B)
COO routes to security.ops for the security component per SOP-OPS-security-review-v1.0:
- Data residency (where does the vendor store data?)
- SOC 2 Type II or equivalent (request; document the gap if unavailable)
- Data deletion policy on contract termination
- Credential issuance plan (credentials will live in 1Password per SOP-OPS-credential-management-v1.0)
- Breach notification SLA (do they commit to notifying within X hours?)
Council review: Class A vendors holding customer data are HIGH sensitivity — invoke council review (Ollama local) on the vendor assessment before COO makes the approval decision.
Step 3 — Commercial review (Class A, B, C)
COO reviews:
- Pricing model (per-seat, usage, flat) and the scaling curve (what does 10x usage cost?)
- Contract term and cancellation clause (are we locked in? What's the exit cost?)
- Data ownership clause (do we own our data, or does the vendor have license rights?)
- Price benchmarking (is this competitive for the category?)
Step 4 — Legal review (Class A, when vendor holds customer data)
COO routes to legal.exec for:
- Data Processing Agreement (DPA) review if the vendor processes data subject to GDPR/CCPA on our behalf
- Liability cap and indemnification review
- IP ownership clause (if the vendor could use our data to train models, this must be prohibited)
- SLA and uptime commitment
Step 5 — Vendor Review Report
COO files a Vendor Review Report at /Claude/operations/reports/security/vendor-review-{vendor}-{YYYY-MM-DD}.md:
VENDOR REVIEW REPORT
──────────────────────────────
Vendor: {name}
Class: {A / B / C / D}
Date: {YYYY-MM-DD}
Reviewer: coo
Security assessment: PASS | FAIL | WAIVED (Class C/D)
Commercial terms: ACCEPTABLE | CONDITIONS | REJECT
Legal review: PASS | FAIL | N/A
Council review: PASS | N/A — {sensitivity tier}
Overall recommendation: APPROVE | APPROVE WITH CONDITIONS | REJECT
Conditions (if any): {specific requirements before activation}
Expiry (if applicable): {when to re-evaluate}
Step 6 — Approval and activation
| Vendor class | Approval authority |
|---|---|
| Class A — customer data | CEO + COO |
| Class B — integration | COO |
| Class C — tool | COO autonomous |
| Class D — free internal | COO acknowledges; security.ops awareness |
Once approved: COO notifies the proposing agent, credentials are issued into 1Password, and the Airtable Credential_Registry is updated.
4. Annual Vendor Renewal Review
COO maintains a vendor renewal calendar at /Claude/operations/logs/vendor-renewal-calendar.md. Each vendor with an annual contract or a renewal date gets a review 60 days before renewal:
- Is the vendor still being used?
- Has pricing or terms changed?
- Has security posture changed (new breach? SOC 2 lapsed?)
- Is there a better alternative?
Renewal approved by COO. Cancellation decision escalated to CEO if the vendor cost exceeds $X/month or if switching costs are material. (Dollar threshold TBD — COO to propose at quarterly review.)
5. Lightweight Review (Class D)
Free-tier internal tools (Class D) do not require a full vendor review. COO acknowledges the tool in a one-line log at /Claude/operations/logs/vendor-acknowledgment-log.md:
{YYYY-MM-DD} | {tool name} | {use case} | {proposing agent} | Data involved: {none / internal only} | Acknowledged by: coo
If a Class D tool later receives payment or is used with customer data, it is immediately elevated to Class A/B/C and a full review is triggered.
Change Log
| Version | Date | Change |
|---|---|---|
| v1.0 | 2026-04-21 | Initial draft — sop.manager. |
Owner: coo (Morgan)
Executive sponsor: coo
Drafted by: sop.manager
Status: Draft — pending COO review + approval
Version: v1.0