Supply Chain Risk Policy
Supply Chain Risk Management Policy — Spexsure
Organisation: Heuristicworks LLC
Product: Spexsure (spexsure.com)
Owner: Parimal Mohile
Version: 1.0
Effective Date: 2026-07-01
Classification: Internal
Review Cycle: Annual
1. Purpose
This policy defines how Spexsure identifies, assesses, and manages risks introduced by third-party suppliers and sub-processors throughout the software supply chain, from source code dependencies to cloud infrastructure.
2. Scope
This policy applies to:
- All npm package dependencies in the Spexsure codebase
- All cloud infrastructure providers (sub-processors)
- All GitHub Actions workflows and CI/CD tooling
- All third-party OAuth and API integrations
3. Shared Security Responsibility Model (SSRM)
Spexsure operates as a Cloud Service Provider (CSP) in relation to its customers, and as a Cloud Service Customer (CSC) in relation to its infrastructure sub-processors.
3.1 Responsibility Allocation
| Layer | Controlled By | Evidence |
|---|---|---|
| Physical infrastructure (datacentre, hardware) | Sub-processor (AWS via Vercel/Supabase) | SOC 2 Type II / ISO 27001 |
| Virtualisation and OS | Sub-processor (AWS) | SOC 2 Type II |
| Network and perimeter | Shared: Cloudflare (WAF/DDoS) + Spexsure (rate limiting, auth) | Cloudflare SOC 2; ISP §8 |
| Application layer | Spexsure | This CAIQ; ISP; STRIDE model |
| Data in transit | Shared: sub-processor (TLS infrastructure) + Spexsure (enforcement) | ISP §4; Cloudflare Full Strict SSL |
| Data at rest | Shared: sub-processor (volume encryption) + Spexsure (field-level AES-256-GCM) | ISP §4; encryption key rotation plan |
| Identity and access | Spexsure | ISP §5; access review |
| Customer data security | Spexsure | ISP; DPIA; CAIQ |
3.2 SSRM Documentation
The SSRM is documented in this policy (§3.1), the Information Security Policy (ISP §2, §3, §11), and the DPIA (legal/DPIA/spexsure-dpia-2026-07.md §2). Customers receive the SSRM summary via this CAIQ and the sub-processors page at https://spexsure.com/legal/subprocessors.
4. Sub-Processor Risk Assessment
4.1 Approved Sub-Processors
All 9 sub-processors have been reviewed and approved. DPAs are executed with each. Certifications verified annually.
| Sub-processor | Role | Certifications | Last Reviewed |
|---|---|---|---|
| Vercel | Application hosting (AWS Lambda) | SOC 2 Type II | 2026-07-01 |
| Supabase | PostgreSQL database (AWS RDS) | SOC 2 Type II | 2026-07-01 |
| Cloudflare | WAF, CDN, DDoS protection, DNS | SOC 2 Type II, ISO 27001 | 2026-07-01 |
| Anthropic | AI API (Claude) | SOC 2 Type II | 2026-07-01 |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 | 2026-07-01 |
| Resend | Transactional email | SOC 2 Type II | 2026-07-01 |
| PostHog | Product analytics | SOC 2 Type II | 2026-07-01 |
| Upstash | Redis rate limiting | SOC 2 Type II | 2026-07-01 |
| Atlassian | Jira integration target | SOC 2 Type II, ISO 27001 | 2026-07-01 |
4.2 Sub-Processor Change Process
Before adding a new sub-processor that will process customer data:
- Confirm SOC 2 Type II or equivalent certification
- Execute DPA before any data transfer
- Update
https://spexsure.com/legal/subprocessors(30-day advance notice to customers per ToS) - Add to ISP §11 sub-processor table
- Assess impact on DPIA and update if processing purpose changes
5. Software Supply Chain Controls
5.1 Dependency Management
- All npm dependencies are pinned to exact versions in
package-lock.json - GitHub Dependabot monitors all dependencies weekly for known vulnerabilities
- Dependabot opens automated PRs for vulnerable packages
npm audit --audit-level=criticalruns in CI on every push (ci.yml); build fails on critical CVEs- Deferred vulnerabilities (e.g. transitive CVEs with no exploit path) documented in
SECURITY.mdwith justification - Remediation SLAs: Critical 24h / High 7 days / Medium 30 days (ISP §6.3)
5.2 CI/CD Pipeline Security
- All GitHub Actions workflows pin to commit SHAs (not
@v3/@v4tags): prevents supply chain compromise via tag hijacking - GitHub Dependabot monitors GitHub Actions for vulnerable versions
SECURITY.mdandpublic/.well-known/security.txtdefine responsible disclosure contact- No third-party Actions have write access to the repository or secrets
5.3 Container and Infrastructure Security
Spexsure is serverless and does not build or manage containers. Infrastructure supply chain risk is delegated to:
- Vercel: AWS Lambda runtime managed and patched by Vercel; Next.js runtime updated via standard npm upgrade process
- Supabase: PostgreSQL version managed by Supabase; patched without customer action required
- Cloudflare: Edge network managed and patched by Cloudflare
6. Supply Chain Incident Response
If a supply chain compromise is detected (e.g. compromised npm package, rogue GitHub Action, sub-processor breach notification):
- Isolate: Remove or revert the compromised dependency immediately; block the CI/CD pipeline if needed
- Assess: Determine if the compromised component had access to customer data or cryptographic keys
- Notify: If customer data was exposed, follow Incident Response Plan (
public/security/incident-response.md) — 72h ICO notification clock starts - Replace: Deploy patched or substitute dependency; re-run full E2E Playwright suite before re-enabling production
- Review: Update STRIDE threat model and this policy if a new attack vector was identified
7. Review Schedule
| Review | Cadence | Next Due |
|---|---|---|
| Sub-processor certification verification | Annual | 2027-07-01 |
| Policy content review | Annual | 2027-07-01 |
| Dependabot alert review | Weekly (continuous) | Ongoing |
| npm audit CI gate | Every push (continuous) | Ongoing |
Related: ISP §8 and §11 (apps/web/public/security/infosec-policy.md), Sub-processors page (public/legal/subprocessors), DPIA (legal/DPIA/spexsure-dpia-2026-07.md), Encryption Key Rotation Plan (legal/security/spexsure-encryption-key-rotation.md).