Vendor Management Policy
Effective March 23, 2026. This policy defines how Oceum evaluates, onboards, monitors, and manages third-party vendors that process or have access to customer data.
1. Vendor Requirements
All third-party vendors that process, store, or have access to customer data must meet the following requirements before onboarding:
- SOC 2 Type II report (or an equivalent attestation or certification, such as ISO 27001) must be current and available for review.
- Data Processing Agreement (DPA) must be executed before the vendor receives any customer data. The DPA must specify data handling obligations, breach notification requirements, and data deletion procedures.
- Encryption in transit and at rest. Vendors must encrypt all customer data using industry-standard encryption (TLS 1.2+ in transit, AES-256 or equivalent at rest).
- Access controls. Vendors must implement role-based access controls and the principle of least privilege for any personnel who may access customer data.
2. Subprocessor List
The current list of subprocessors is maintained at /subprocessors. Customers are notified at least 30 days before any new subprocessor is added that will process customer data. Customers may object to a new subprocessor by contacting hello@oceum.ai.
3. Current Vendor Assessments
| Vendor | SOC 2 | DPA | Last Reviewed | Risk Level |
|---|---|---|---|---|
| Supabase | Type II | Yes | March 2026 | Low |
| Vercel | Type II | Yes | March 2026 | Low |
| Stripe | Type I + II | Yes | March 2026 | Low |
| Anthropic | In Progress | Yes (terms) | March 2026 | Medium |
| Sentry | Type II | Yes | March 2026 | Low |
| Meta | N/A | Yes (terms) | March 2026 | Medium |
Note on Meta: Meta is used exclusively by the Drift Engine for social media publishing to Facebook and Instagram. Meta does not process or store Oceum customer data. The Medium risk rating reflects the absence of a SOC 2 report and the operational dependence on Meta access tokens, which expire every 60 days and must be re-authorized.
4. Annual Review
All vendor security postures are reviewed annually. The review evaluates:
- Current SOC 2 or equivalent certification status
- Any security incidents reported by the vendor in the past year
- Changes to the vendor's data handling practices or terms of service
- Whether the vendor's services are still necessary for platform operations
- Whether alternative vendors with stronger security postures are available
5. Incident Notification
All vendors are contractually required to notify Oceum within 72 hours of discovering a security incident that affects or may affect customer data. Upon receiving such notification, Oceum will:
- Assess the scope and impact of the incident
- Notify affected customers in accordance with applicable laws and our Privacy Policy
- Coordinate remediation with the vendor
- Document the incident and update the Risk Register as appropriate
6. Vendor Offboarding
When a vendor relationship is terminated, Oceum ensures:
- All customer data held by the vendor is deleted or returned within 30 days
- All API keys, tokens, and credentials used to access the vendor are revoked
- The subprocessor list is updated and customers are notified
- The vendor is removed from the next annual review cycle
7. Contact
Questions about vendor management can be directed to hello@oceum.ai.