2023-04-11 NOTICE: The following policy or plan is currently under internal review and may not be up-to-date or fully aligned with our organization's current practices or procedures. Please check back shortly, or contact us for more information.
3rd Party Policy
Fox and Geese makes every effort to assure all 3rd party organizations are
compliant and do not compromise the integrity, security, and privacy of Fox and
Geese or Fox and Geese Customer data. 3rd Parties include Customers, Partners,
Subcontractors, and Contracted Developers.
Applicable Standards from the HITRUST Common Security Framework
- 05.i - Identification of Risks Related to External Parties
- 05.k - Addressing Security in Third Party Agreements
- 09.e - Service Delivery
- 09.f - Monitoring and Review of Third Party Services
- 09.g - Managing Changes to Third Party Services
- 10.1 - Outsourced Software Development
Applicable Standards from the HIPAA Security Rule
- 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
Policies to Assure 3rd Parties Support Fox and Geese Compliance
- Fox and Geese does not allow 3rd party access to production systems
containing PHI or PII.
- All connections and data in transit between the Fox and Geese Platform and
3rd parties are encrypted end to end.
- A standard business associate agreement with Customers and Partners is
defined and includes the required security controls in accordance with the
organization's security policies. Additionally, responsibility is assigned in
- Fox and Geese has Service Level Agreements (SLAs) with Subcontractors with an
agreed service arrangement addressing liability, service definitions,
security controls, and aspects of services management.
- Subcontractors must coordinate, manage, and communicate any changes to
services provided to Fox and Geese.
- Changes to 3rd party services are classified as configuration management
changes and thus are subject to the policies and procedures described in
Configuration Management Policy;
substantial changes to services provided by 3rd parties will invoke a Risk
Assessment as described in
Risk Management Policies.
- Fox and Geese utilizes monitoring tools to regularly evaluate
Subcontractors against relevant SLAs.
- No Fox and Geese Customers or Partners have access outside of their own
environment, meaning they cannot access, modify, or delete anything related
to other 3rd parties.
- Fox and Geese does not outsource software development.
- Fox and Geese maintains and annually reviews a list all current Partners and
- The list of current Partners and Subcontractors is maintained by the Fox
and Geese Privacy Officer, includes details on all provided services (along
with contact information).
- The annual review of Partners and Subcontractors is conducted as a part of
the security, compliance, and SLA review referenced below.
- Fox and Geese assesses security, compliance, and SLA requirements and
considerations with all Partners and Subcontractors. This includes annual
assessment of SOC2 reports for all Fox and Geese infrastructure partners.
- Fox and Geese leverages recurring calendar invites to assure reviews of all
3rd party services are performed annually. These reviews are performed by
the Fox and Geese Security Officer and Privacy Officer. The process for
reviewing 3rd party services is outlined below:
- The Security Officer initiates the SLA review by creating an Issue in
the Fox and Geese Quality Management System.
- The Security Officer, or Privacy Officer, is assigned to review the SLA
and performance of 3rd parties. The list of current 3rd parties,
including contact information, is also reviewed to assure it is up to
date and complete.
- SLA, security, and compliance performance is documented in the Issue.
- Once the review is completed and documented, the Security Officer
approves or rejects the Issue. If the Issue is rejected, it goes back
for further review and documentation.
- Regular review is conducted as required by SLAs to assure security and
compliance. These reviews include reports, audit trails, security events,
operational issues, failures and disruptions, and identified issues are
investigated and resolved in a reasonable and timely manner.
- Any changes to Partner and Subcontractor services and systems are reviewed
- For all partners, Fox and Geese reviews activity annually to assure partners
are in line with SLAs in contracts with Fox and Geese.
- SLA review is monitored on a quarterly basis using the Quality Management
System reporting to assess compliance with above policy.
- The 3rd Party Assurance process is reviewed annually and updated to include
any necessary changes.
- Changes to the 3rd Party Assurance process will also be made on an ad-hoc
basis in cases where operational changes require it or if the process is