Heuristicworks Trust Center

Supply Chain Risk Policy

Version 1.0 | Effective 2026-07-01 | Heuristicworks LLC

Supply Chain Risk Management Policy — Spexsure

Organisation: Heuristicworks LLC
Product: Spexsure (spexsure.com)
Owner: Parimal Mohile
Version: 1.0
Effective Date: 2026-07-01
Classification: Internal
Review Cycle: Annual


1. Purpose

This policy defines how Spexsure identifies, assesses, and manages risks introduced by third-party suppliers and sub-processors throughout the software supply chain, from source code dependencies to cloud infrastructure.


2. Scope

This policy applies to:

  • All npm package dependencies in the Spexsure codebase
  • All cloud infrastructure providers (sub-processors)
  • All GitHub Actions workflows and CI/CD tooling
  • All third-party OAuth and API integrations

3. Shared Security Responsibility Model (SSRM)

Spexsure operates as a Cloud Service Provider (CSP) in relation to its customers, and as a Cloud Service Customer (CSC) in relation to its infrastructure sub-processors.

3.1 Responsibility Allocation

Layer | Controlled By | Evidence
------|---------------|---------
Physical infrastructure (datacentre, hardware) | Sub-processor (AWS via Vercel/Supabase) | SOC 2 Type II / ISO 27001
Virtualisation and OS | Sub-processor (AWS) | SOC 2 Type II
Network and perimeter | Shared: Cloudflare (WAF/DDoS) + Spexsure (rate limiting, auth) | Cloudflare SOC 2; ISP §8
Application layer | Spexsure | This CAIQ; ISP; STRIDE model
Data in transit | Shared: sub-processor (TLS infrastructure) + Spexsure (enforcement) | ISP §4; Cloudflare Full Strict SSL
Data at rest | Shared: sub-processor (volume encryption) + Spexsure (field-level AES-256-GCM) | ISP §4; encryption key rotation plan
Identity and access | Spexsure | ISP §5; access review
Customer data security | Spexsure | ISP; DPIA; CAIQ

3.2 SSRM Documentation

The SSRM is documented in this policy (§3.1), the Information Security Policy (ISP §2, §3, §11), and the DPIA (legal/DPIA/spexsure-dpia-2026-07.md §2). Customers receive the SSRM summary via this CAIQ and the sub-processors page at https://spexsure.com/legal/subprocessors.


4. Sub-Processor Risk Assessment

4.1 Approved Sub-Processors

All 9 sub-processors have been reviewed and approved. DPAs are executed with each. Certifications verified annually.

Sub-processor | Role | Certifications | Last Reviewed
--------------|------|----------------|--------------
Vercel | Application hosting (AWS Lambda) | SOC 2 Type II | 2026-07-01
Supabase | PostgreSQL database (AWS RDS) | SOC 2 Type II | 2026-07-01
Cloudflare | WAF, CDN, DDoS protection, DNS | SOC 2 Type II, ISO 27001 | 2026-07-01
Anthropic | AI API (Claude) | SOC 2 Type II | 2026-07-01
Stripe | Payment processing | PCI DSS Level 1, SOC 2 | 2026-07-01
Resend | Transactional email | SOC 2 Type II | 2026-07-01
PostHog | Product analytics | SOC 2 Type II | 2026-07-01
Upstash | Redis rate limiting | SOC 2 Type II | 2026-07-01
Atlassian | Jira integration target | SOC 2 Type II, ISO 27001 | 2026-07-01

4.2 Sub-Processor Change Process

Before adding a new sub-processor that will process customer data:

  1. Confirm SOC 2 Type II or equivalent certification
  2. Execute DPA before any data transfer
  3. Update https://spexsure.com/legal/subprocessors (30-day advance notice to customers per ToS)
  4. Add to ISP §11 sub-processor table
  5. Assess impact on DPIA and update if processing purpose changes

5. Software Supply Chain Controls

5.1 Dependency Management

  • All npm dependencies are pinned to exact versions in package-lock.json
  • GitHub Dependabot monitors all dependencies weekly for known vulnerabilities
  • Dependabot opens automated PRs for vulnerable packages
  • npm audit --audit-level=critical runs in CI on every push (ci.yml); build fails on critical CVEs
  • Deferred vulnerabilities (e.g. transitive CVEs with no exploit path) documented in SECURITY.md with justification
  • Remediation SLAs: Critical 24h / High 7 days / Medium 30 days (ISP §6.3)

5.2 CI/CD Pipeline Security

  • All GitHub Actions workflows pin to commit SHAs (not @v3/@v4 tags): prevents supply chain compromise via tag hijacking
  • GitHub Dependabot monitors GitHub Actions for vulnerable versions
  • SECURITY.md and public/.well-known/security.txt define responsible disclosure contact
  • No third-party Actions have write access to the repository or secrets
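The SHA-pinning control in 5.2 is only as good as the check that enforces it. The following is an added example (not Spexsure's own tooling) of a CI gate that flags any `uses:` reference in a workflow file that is not pinned to a full 40-hex commit SHA; it assumes workflows live under .github/workflows/, and the sample workflow and the SHA in it are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references not pinned to a full commit SHA.

Added example for the policy above, not Spexsure's own tooling. Assumes
workflows live under .github/workflows/; a trailing version comment after
the SHA (e.g. `# v4`) is permitted but not required.
"""
import re
import sys
from pathlib import Path

# `uses: owner/repo[/subpath]@ref`, optionally as a list item, optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str):
    """Return (line_number, action, ref) for every `uses:` whose ref is not a 40-hex SHA.
    Local actions (`uses: ./path`) and docker:// references carry no owner/repo@ref
    in this form and are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not SHA_RE.fullmatch(ref):  # tags, branches and short SHAs all fail here
            findings.append((lineno, action, ref))
    return findings


def check_workflows(workflow_dir: str = ".github/workflows"):
    """Scan every workflow file; return (file, line, action, ref) for each violation."""
    results = []
    for path in sorted(Path(workflow_dir).glob("*.y*ml")):
        for lineno, action, ref in find_unpinned(path.read_text()):
            results.append((str(path), lineno, action, ref))
    return results


# Constructed sample workflow: the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - run: npm ci && npm audit --audit-level=critical
"""

if __name__ == "__main__":
    findings = check_workflows(sys.argv[1] if len(sys.argv) > 1 else ".github/workflows")
    for path, lineno, action, ref in findings:
        print(f"{path}:{lineno}: {action}@{ref} is not pinned to a commit SHA")
    sys.exit(1 if findings else 0)
```

Run against the sample, only `actions/setup-node@v4` on line 8 is reported; wired into ci.yml with a non-zero exit, it fails the build the same way the `npm audit` gate in 5.1 does.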

5.3 Container and Infrastructure Security

Spexsure is serverless and does not build or manage containers. Infrastructure supply chain risk is delegated to:

  • Vercel: AWS Lambda runtime managed and patched by Vercel; Next.js runtime updated via standard npm upgrade process
  • Supabase: PostgreSQL version managed by Supabase; patched without customer action required
  • Cloudflare: Edge network managed and patched by Cloudflare

6. Supply Chain Incident Response

If a supply chain compromise is detected (e.g. compromised npm package, rogue GitHub Action, sub-processor breach notification):

  1. Isolate: Remove or revert the compromised dependency immediately; block the CI/CD pipeline if needed
  2. Assess: Determine if the compromised component had access to customer data or cryptographic keys
  3. Notify: If customer data was exposed, follow Incident Response Plan (public/security/incident-response.md) — 72h ICO notification clock starts
  4. Replace: Deploy patched or substitute dependency; re-run full E2E Playwright suite before re-enabling production
  5. Review: Update STRIDE threat model and this policy if a new attack vector was identified

7. Review Schedule

Review | Cadence | Next Due
-------|---------|---------
Sub-processor certification verification | Annual | 2027-07-01
Policy content review | Annual | 2027-07-01
Dependabot alert review | Weekly (continuous) | Ongoing
npm audit CI gate | Every push (continuous) | Ongoing

Related: ISP §8 and §11 (apps/web/public/security/infosec-policy.md), Sub-processors page (public/legal/subprocessors), DPIA (legal/DPIA/spexsure-dpia-2026-07.md), Encryption Key Rotation Plan (legal/security/spexsure-encryption-key-rotation.md).