# Third Party Risk Management

## Objective

The purpose of this policy is to define the way in which FundApps manages third party risks.

## Scope

This policy applies to all FundApps third parties which impact FundApps' Information System.

## Policy

#### Initial Assessment

FundApps assesses the risk posed by all third party providers which interact with FundApps' Information System.

This assessment is based on the review of security accreditations the third party might hold (e.g. ISO 27001 certificate, SOC 2 report) as well as specific questions tailored to the third party provider.

Risks identified through this process will be managed in accordance with FundApps' [Risk Management Framework](/client-portal/-LubIC9uIsME-_T0mNXu/fundapps-policies/risk-management.md).

#### Regular Review

FundApps reviews the risks posed by critical third party providers on an annual basis.

This review is logged in FundApps' monthly security meeting.

#### Roles and Responsibilities

| Role                                         | Responsibility                                                                                              |
| -------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| Security Team                                | Perform risk assessment of third party provider                                                             |
| System Owner (Supplier Relationship Manager) | Describe the nature of the third party relationship<br>Facilitate review of third party provider            |

