
Third-Party & Vendor Risk Management (TPRM) Policy

Official platform documentation and governance guidance.

A vendor risk framework covering supply-chain integrity, pre-contract due diligence, and continuous third-party monitoring across the Nexly ecosystem.
SOC2 Aligned
Global Supply Chain
v3.2.0

Enterprise Third-Party & Vendor Risk Management (TPRM) Policy

1. Third-Party Risk Philosophy

Nexly.biz (the “Company”) recognizes that our security is only as strong as the weakest external party we depend on. Our objective is to maintain a Third-Party Risk Management (TPRM) framework that ensures every vendor, contractor, and partner meets Nexly’s standards for data privacy, technical resilience, and ethical conduct.

2. Universal Structural Scope

This policy applies to all third-party entities that process Nexly data, provide infrastructure or platform services (SaaS/PaaS) on which Nexly depends, or have physical access to Company facilities or systems. It extends to sub-processors (fourth parties) engaged by our direct vendors.

3. Vendor Integrity Oversight Board

The Vendor Integrity Oversight Board (VI-OB) has final approval authority over high-risk vendor contracts. It oversees the full TPRM lifecycle and ensures that procurement decisions are driven by a vendor's Integrity Score (the output of the screening and vetting steps below) rather than by cost alone.

4. High-Fidelity Risk Tiering

Vendors are assigned to one of three tiers according to the impact a compromise or outage at that vendor would have on Nexly:

  • Tier 1 (Critical): Entities with privileged or deep system access, that process restricted data, or that host core educational infrastructure.
  • Tier 2 (Sensitive): Entities with limited data access or that provide non-critical operational support.
  • Tier 3 (Commodity): Standard service providers with no access to internal Nexly systems, data, or metadata.

5. Technical Due Diligence Lifecycle

Before onboarding, Tier 1 and Tier 2 vendors must complete Integrity Screening. This includes a financial stability review, reputational background checks, and verification of the vendor's internal governance structure (ownership, security leadership, and policy framework). Tier 3 vendors are onboarded through standard procurement.

6. Cybersecurity & SOC 2 Vetting

Tier 1 vendors must provide current, independent security attestations (e.g., a SOC 2 Type II report or ISO 27001 certificate covering the services Nexly consumes). In addition, and with the vendor's prior written authorization, we conduct our own vulnerability assessments of the vendor's externally exposed endpoints to confirm that their perimeter security meets Nexly's internal standards.

7. Contractual Integrity & DPA Mandates

All partnerships are governed by legally binding Integrity Riders attached to the contract. These include a mandatory Data Processing Agreement (DPA), defined uptime SLAs, and a requirement to notify Nexly of any security breach affecting Nexly data within 12 hours of the vendor becoming aware of it.

8. Right to Audit & Physical Verification

Nexly reserves a contractual Right to Audit. We may conduct annual technical audits or physical site inspections of Tier 1 vendor facilities to verify that the vendor's actual practices match its contractual commitments and the controls described in its attestations.

9. Fourth-Party (Sub-processor) Risk Logic

Vendors must disclose their full sub-processor chain and notify Nexly before adding or replacing a sub-processor. Nexly reserves the right to veto any fourth-party entity that does not meet our security standards, so that Nexly data is never passed to a sub-processor that has not been assessed.

10. Continuous Monitoring & Sentiment Triage

We use automated security scorecards to continuously monitor the externally observable security posture of vendors (exposed services, certificate hygiene, DNS and email configuration, leaked credentials). Because these signals are external, a significant drop in a vendor's score is treated as a trigger for an Integrity Investigation, not as proof of compromise; where the investigation confirms a material weakness, the vendor's service may be suspended.

11. SLA Enforcement & Service Credits

Vendor performance is tracked against the service level agreements defined in the contract. Repeated violations of uptime, security, or support-response commitments result in contractual penalties (service credits) and, if uncorrected, termination of the relationship.

12. Termination & Secure Exit Strategy

Every vendor contract includes a Secure Exit Protocol. On termination, the vendor must return or securely erase all Nexly data and certify the erasure in writing, and all technical integrations (credentials, API keys, SSO and federation trust, network connections, and data feeds) are revoked or decommissioned so that no residual access to Nexly systems remains.

13. Vendor Integrity Command

To submit a Vendor Due Diligence questionnaire, report a third-party security anomaly, or inquire about our Tiering Matrix, please contact the Vendor Integrity Desk.

Third-Party Risk & Procurement Bureau

Response SLA: 48h Vendor Triage • Protocol v3.2
