Policies
Map.ca policy

Vendor Security Policy

Security requirements Map.ca holds vendors to before, during, and after engagement.

Map.ca’s security posture is only as strong as its weakest vendor. The Vendor Security Policy defines the pre-engagement security review, the contractual security requirements, the ongoing monitoring expectations, the incident notification SLAs Map.ca requires from vendors, and the off-boarding process that ensures data is returned or destroyed at end of engagement.

It applies to the Map.ca procurement, security, legal, and engineering functions, and to every vendor with access to Map.ca production or personal data.

Requirements

  • Perform a documented security review before engagement.
  • Require contractual incident notification SLAs.

Prohibitions

  • Do not engage a vendor handling personal data without a security review.
  • Do not allow indefinite vendor data retention after off-boarding.

Related policies

Security PolicyHow Map.ca protects accounts, infrastructure, secrets, and operational data day to day.AI Vendor PolicyStandards that AI vendors must meet to handle Map.ca traffic — data handling, training restrictions, audit requirements.Access Control PolicyHow internal access to production systems, user data, and admin functions is granted, reviewed, and revoked.