This policy was last reviewed July 21 2023.
This policy aims to establish standards and guidance relating to Peerceptiv’s management of its third-party relationships and the associated inherent and residual risks presented by those third-party relationships. These risks are present when Peerceptiv engages with third parties to provide products and services directly to Peerceptiv for the benefit of its internal operations, employees, investors, or customers. Furthermore, Peerceptiv documents the structure for identifying, assessing, controlling, monitoring, and reporting on risks related to Peerceptiv’s use of third parties per applicable laws, safe and sound business practices, and related supervisory guidance.
The Third Party Management Policy applies to all business relationships between a third party and Peerceptiv by contract or otherwise. All Peerceptiv employees, independent contractors, and consultants are subject to this Policy, as are other entities engaging third parties for the Company’s direct or indirect benefit and the third parties with whom they contract.
2.1 Third Parties Not in Scope Under This Policy
- Relationships with Customers
- Relationships with Investors
- Relationships with Employees
- Relationships with public utility providers
- Relationships with emergency services such as police or fire departments
- Relationships with government agencies, taxing authorities, regulatory bodies, and courts
2.2 Pre-Existing Third-Party Relationships
It is the responsibility of Peerceptiv Senior Management to ensure compliance with this Policy regarding third-party relationships maintained by Peerceptiv. It is possible that certain existing third-party relationships (and contracts) do not comply with all aspects of this Policy. However, Peerceptiv is obligated to renegotiate, to the extent possible, any terms and conditions of existing third-party contracts to comply with this Policy and the related processes when reasonably possible.
This Policy will be reviewed annually or as deemed appropriate based on changes in technology or regulatory requirements.
Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to Peerceptiv Information Systems. Additional administrative sanctions may apply, up to and including termination of employment or contractor status with the Company. Civil, criminal and equitable remedies may apply.
Exceptions to this Policy must be approved by the Chief Technology Officer (“CTO”) and formally documented. Policy exceptions will be reviewed on a periodic basis for appropriateness, with all exceptions reviewed at least annually.
6.1 Third-Party Risk Management Oversight
Senior Management and the Board are ultimately accountable for the oversight and effectiveness of the third-party risk management (TPRM) policy, program, and processes. Senior Management ensures that the TPRM program operates according to applicable federal and state laws, rules, regulations, internal policies, and procedures.
6.2 Review of Third Parties
Senior Management shall review all third parties and determine the necessity of, and the risk level posed by, each third party. Management shall designate third parties that are crucial to Peerceptiv’s continuing operations as critical. Disruption to critical third-party services can be expected to quickly degrade or disrupt Peerceptiv services.
6.3 Approval of Critical Third Parties
Senior Management is responsible for the decision to approve the addition or termination of third-party relationships considered critical to Peerceptiv. Such approvals are mandatory in advance of final contract execution with any critical third party. The use of critical third-party service providers is to be minimized to the extent possible.
6.4 Periodic Review of Third Parties
Senior Management shall periodically review all third parties. Third parties considered critical to Peerceptiv’s operations, as well as those considered to have a high exposure to Peerceptiv customer data, shall be reviewed on a continual basis. All other third parties must be reviewed at least annually. Peerceptiv management will consider the related risk assessments, monitoring, compliance, business continuity, financial health, and overall performance of those material third parties.
6.5 Risk Assessment and Minimization
Peerceptiv Senior Management will, prior to engaging a third party as well as on a periodic basis, assess the risk the third party poses to Peerceptiv service functionality and data confidentiality. Peerceptiv will ensure that engagement with the third party poses the minimum possible risk to Peerceptiv operations and that the minimum possible amount of Peerceptiv and Peerceptiv customer data is made available to the third party.
6.6 Contractual Standards
Third-party relationships shall be documented by written agreements that appropriately and adequately consider the contemplated relationship and provide Peerceptiv with appropriate protections and controls, consistent with prudent business practices. Third-party contracts will, to the extent possible, include terms to ensure that service performance and data confidentiality meet minimum standards established by Peerceptiv Senior Management.
Peerceptiv may terminate third-party relationships for various reasons. Prior to termination of a relationship, Peerceptiv management must ensure that critical functions provided by the third party will be replaced by internal functions or services provided by other third parties to avoid service disruption. Additionally, Peerceptiv management must ensure, to the extent possible, that terminated third parties do not retain data owned by Peerceptiv or Peerceptiv’s customers.