Vendor and Third-party Risk Policy

This policy ensures third parties that process Vortex IQ or customer data, or that are critical to the service, meet appropriate security and data-protection standards before and during engagement.

1. Scope

All vendors, sub-processors and service providers with access to Vortex IQ systems, customer data or personal data, including cloud infrastructure (AWS, Google Cloud) and AI providers (Anthropic, Google).

2. Principles: Risk Tiering

  • Tier 1 (high): processes customer or personal data, or is critical to availability (e.g. cloud hosting, LLM provider).
  • Tier 2 (medium): limited access to business data.
  • Tier 3 (low): no access to customer or personal data.

Diligence depth scales with tier.

3. Due diligence before onboarding

For Tier 1 and 2 vendors, before engagement we review:

  • Vortex IQ's reasoning runs primarily on Claude, provided by Anthropic, and also uses Gemini, provided by Google, and Vortex IQ's own proprietary models, selected according to the task. Third-party models are accessed over secure APIs and listed in our sub-processor register.
  • Data-protection terms (a DPA where personal data is processed; transfer mechanism such as SCCs or the UK IDTA).
  • Data location and residency.
  • Breach notification commitments.

4. Contractual requirements

Tier 1 and 2 vendors must be bound by contractual confidentiality and, where personal data is processed, a DPA with obligations no less protective than those Vortex IQ owes its customers. AI and LLM providers must contractually confirm that customer data is not used to train their models.

5. Sub-processor management

Sub-processors that process customer personal data are listed publicly at vortexiq.ai/trust/sub-processors. Customers receive at least 30 days' notice of additions or replacements and may object on reasonable data-protection grounds, as set out in the Data Protection Addendum.

6. Ongoing monitoring and offboarding

Tier 1 vendors are reviewed for continued compliance, certification currency and any reported incidents. Material issues are escalated to the policy owner. On termination, vendor access is revoked promptly and, where they hold Vortex IQ or customer data, return or secure deletion is confirmed.


Last updated: 15 June 2026
