Third-Party & Outsourcing Risk Policy

| Field | Value |
|---|---|
| Code | DT-008 |
| Domain | Data & Technology |
| Owner | Chief Technology Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD09 |
| Review date | 2027-03-25 |
Regulations: CPS 230 Operational Risk Management · DTA Outsourcing Standard

Purpose
Govern the platform's obligations in relation to cloud infrastructure, including provider risk assessment, data residency, and shared responsibility model compliance.
Scope
All cloud-hosted infrastructure, platforms, and services used by the platform in NZ and AU, including IaaS, PaaS, and SaaS components.
Policy statements
All cloud service providers used by the platform SHALL be subject to a risk assessment before onboarding. The assessment SHALL cover: security certifications held by the provider, data residency capabilities, incident response SLAs, subprocessor arrangements, and contractual protections for data sovereignty. Providers that cannot satisfy the platform's minimum security and residency requirements SHALL NOT be onboarded.
Customer data and regulated data SHALL be stored in data centres located in NZ, AU, or jurisdictions explicitly approved by the Board. Data residency requirements SHALL be documented for each cloud service and verified at least annually. Any change in a provider's data residency posture SHALL be notified to the CTO within 48 hours of the platform becoming aware and SHALL trigger a reassessment.
The shared responsibility model for each cloud provider SHALL be documented and reviewed at least annually. The platform SHALL implement all of its responsibilities under the shared responsibility model, including: identity and access management, encryption of data at rest and in transit, network security controls, and security monitoring of the platform's cloud workloads.
Cloud environments SHALL be monitored continuously for security events. Automated alerts for anomalous access patterns, data exfiltration attempts, and configuration changes to security controls SHALL be routed to the security operations function with defined response SLAs. Security monitoring coverage SHALL be reviewed quarterly.
The platform SHALL maintain the ability to recover cloud-hosted systems within the RTOs and RPOs defined in the business continuity and disaster recovery plans. Recovery capability SHALL be tested at least annually through documented exercises. Test results and any identified gaps SHALL be reported to the Board Risk Committee.
Cloud costs and usage SHALL be reviewed monthly by the CTO to identify shadow IT, unused resources, and services that have not been through the technology risk assessment process. Services identified as shadow IT SHALL be either formally onboarded through the risk assessment process or decommissioned within 30 days.
Changes to cloud architecture that affect data residency, security boundaries, or regulated data flows SHALL require CTO approval and SHALL be notified to the Board Risk Committee. Architecture decisions that materially alter the platform's cloud posture SHALL be recorded as Architecture Decision Records.
Satisfying modules

| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-150 | Risk management platform | AUTO | All designated critical third-party services are continuously monitored for health and SLA compliance; contract expiry dates trigger review reminders. |
Compiled 2026-05-22 from source/entities/policies/DT-008.yaml