<aside> đź’ˇ Please refer to this document whenever a third party, such as; vendor, sub-processor, SaaS tool, native desktop application or integration is being considered for use, free or paid.
</aside>
Lay out the issue and problem you are trying to solve. Take a step back and look at the bigger picture. Do we even need the process you're considering using a tool for? Do we have an existing tool already in use? Be conscious of optimizing a bad process. Consider if you should depreciate the process entirely.
If you do need to procure or start using a new tool, ask yourself the following questions:
Third party tools could collect personally identifiable information (PII) from Remoters, customers and team members (internal or external). Examples are (but not limited to): name, email, address, IP address, role, birthday etc.
Tools can also ingest confidential information about Remote’s products, customers, or team members.
ALL vendors and third parties need a security review, as a data breach from a 3rd party is still ultimately Remote’s responsibility.
Note: This includes “free” tools or tools you can sign up yourself on behalf of Remote or your team. Just because something is free doesn’t mean there’s no risk - and even if you’re not submitting confidential data, integrations can cause inadvertent problems.
In many cases, a Legal review is also required so that Remote is contractually protected in relation to the services being provided.
Go to this page to create a new vendor assessment process.
Note: Some information will probably be direct from the Third party
In the event that a tool needs to connect to the product, we need to understand how this works and how the data stored within the product is impacted. The product may well have to leverage a 3rd party to achieve certain task not carried out by the product itself, this is known as a subprocessor. The privacy is covered in the section above, but the other questions that need to be answered are: