Jungle Tech Corporation – Supplier Security Policy

Version: 1.0 | Last Updated: April 3, 2026

1. Purpose

The purpose of this policy is to ensure that all third-party service providers, vendors, and partners (“Suppliers”) maintain security standards that are equivalent to or greater than those of Jungle Tech Corporation. This protects our AI models, 3D visualization data, and partner information from "supply chain" vulnerabilities.

2. Scope

This policy applies to any external entity that has access to Jungle Tech systems, processes our data, or provides critical infrastructure (e.g., Cloud Hosting, Payment Processing, Sub-contractors).

3. Roles and Responsibilities

Strategic Oversight: CEO approves all high-level supplier contracts and budgets.

Technical Vetting: Lead DevOps & Security Engineer performs technical risk assessments and monitors supplier access to the Azure environment.

4. Supplier Selection & Onboarding

Before a new supplier is integrated into the Jungle Tech workflow, they must undergo a "Security Review" which includes:

Compliance Check: Verification of industry certifications (e.g., SOC 2 Type II, ISO 27001, or FedRAMP).

Financial Stability: Basic vetting to ensure the supplier is a viable long-term partner.

Right to Audit: All contracts must include a clause allowing Jungle Tech (or our clients) to audit the supplier’s security practices if necessary.

5. Critical Infrastructure Providers

Jungle Tech prioritizes "Tier 1" providers to minimize risk:

Cloud Hosting: Microsoft Azure (utilizing their global security compliance).

Identity: Microsoft Entra ID for centralized authentication.

Payments: Stripe or PayPal (PCI-DSS compliant).

6. Sub-Contractor Management

Any individual contractor (e.g., freelance 3D artists or AI researchers) must:

Sign the Jungle Tech Non-Disclosure Agreement (NDA).

Sign the Intellectual Property (IP) Assignment Agreement.

Use company-approved MFA for all system access.

Adhere to the Acceptable Use Policy (AUP).

7. Ongoing Monitoring

Access Reviews: Michael Habashy will conduct quarterly reviews of all third-party access accounts in Microsoft Entra ID and revoke access for any supplier no longer in active use.

Incident Reporting: Suppliers are contractually required to notify Jungle Tech within 24 hours of any security breach that may impact our data.

8. Supplier Termination (Offboarding)

Upon termination of a supplier contract:

All logical access (API keys, user accounts) is revoked immediately.

A "Certificate of Data Destruction" may be requested if the supplier hosted sensitive Jungle Tech or client data.

DevOps engineer will verify the removal of the supplier from the Azure VNet and firewall whitelists.