Vendor Risk Management
How Abundera evaluates, monitors, and manages third-party vendor security. Five sub-processors, all SOC 2 certified.
Sub-Processor Registry
| Vendor | Purpose | Data Access | SOC 2 Type II | DPA |
|---|---|---|---|---|
| Cloudflare | Infrastructure, CDN, DNS, compute, storage | All platform data (hosting provider) | ✓ | ✓ |
| Stripe | Payment processing | Billing data, subscription status (no financial records) | ✓ | ✓ |
| Plaid | Bank account linking | Read-only bank transactions and balances (tokenized) | ✓ | ✓ |
| Resend | Transactional email | Email addresses, notification content | ✓ | ✓ |
| Twilio | SMS notifications | Phone numbers, notification content | ✓ | ✓ |
Evaluation Criteria
SOC 2 Type II Required
All sub-processors must maintain current SOC 2 Type II certification. Reports reviewed annually with re-certification tracked.
Data Minimization
Vendors receive only the minimum data required for their function. No vendor has access to the complete user profile.
Encryption in Transit
All vendor integrations require TLS 1.2+ for data in transit. API keys and tokens are encrypted at rest on our side.
Breach Notification
Contractual obligation for vendors to notify Abundera within 72 hours of a confirmed data breach affecting our data.
Data Return & Deletion
Termination procedures require data return or certified deletion within 30 days of contract end.
Geographic Restrictions
Data processing locations documented in DPA. No data transfers to jurisdictions without adequate privacy protections.
Access Controls
Vendor personnel access to Abundera data is restricted to authorized support cases and recorded in an audit trail.
Change Notification
30-day advance notice required for material changes to sub-processor security posture or data handling.
Annual Review Cadence
Annual SOC 2 Review
Sub-processor SOC 2 reports reviewed annually. Findings tracked and assessed for impact on Abundera's risk posture.
Quarterly Risk Assessment
Vendor risk assessed as part of quarterly risk register review. New vendors require full evaluation before onboarding.
Continuous Monitoring
Vendor security advisories and breach disclosures monitored on an ongoing basis. Material changes trigger immediate reassessment.
Services We Do NOT Use
Abundera intentionally avoids the following categories of third-party services:
- No AWS, GCP, or Azure (single-provider Cloudflare stack)
- No AI/ML APIs, no large language models, no automated decision-making — deterministic algorithms only
- No analytics or tracking scripts (beyond Cloudflare Web Analytics)
- No advertising networks or pixels
- No customer data sold or shared with data brokers
- No third-party authentication providers (custom WebAuthn implementation)
For complete data flow details including sub-processor obligations, see our Data Processing Agreement.