KURAL.ai
Sarah Chen · MGA · UKGC · CA-ON-AGCO · BR-SPA

Quarterly subprocessor risk review with tier classification

SOC2.CC9.VENDOR · GLOBAL · operational_security
Severity: medium
Cadence: quarterly
Region: global
Current status (Apollo Gaming Ltd.): not evaluated

Requirement

Every subprocessor (AWS, GitHub, Anthropic, etc.) is classified by risk tier and reviewed every calendar quarter. Tier-1 subprocessors (those processing operator data) must have a current DPA on file.

Source: AICPA TSC — CC9 Risk Mitigation (vendor management)

Evidence specification

Evidence type: doc_presence
Connector: doc-sharepoint
Spec:
{
  "path": "/vendor-risk-register.xlsx",
  "required_fields": [
    "last_reviewed_at",
    "tier_1_count",
    "tier_1_with_current_dpa_count"
  ]
}
Acceptance criteria:
  • last_reviewed_at within 92 days
  • tier_1_count == tier_1_with_current_dpa_count

Recent evaluations (Apollo Gaming Ltd.)

No evaluation history for this control yet.