
RPACT Third Party and Supplier Management Policy
RPACT GbR
POL-RPACT-006
Version 1.0.0
POL-RPACT-006_Third_Party_and_Supplier_Management_Policy.Rmd
RPACT GbR
Am Rodenkathen 11
23611 Sereetz
Germany
www.rpact.com
Copyright © 2025 RPACT GbR. All rights reserved.
| Field | Value |
|---|---|
| Policy ID | POL-RPACT-006 |
| Title | RPACT Third Party and Supplier Management Policy |
| Description | This policy defines how RPACT GbR manages third-party and supplier relationships, including the establishment of formal agreements and the enforcement of regulatory and client-specific compliance obligations. |
| Author | Friedrich Pahlke |
| Reviewer | Gernot Wassmer, Daniel Sabanés Bové |
| Creation date | 2025-03-26 |
| Version | 1.0.0 |
| Date of modification | 2025-03-31 |
| Effective date | 2025-03-31 |
Purpose
This policy defines how RPACT GbR manages third-party and supplier relationships, including the establishment of formal agreements and the enforcement of regulatory and client-specific compliance obligations.
Scope
This policy applies to all external individuals and organizations who provide services or access to systems, software, or information on behalf of RPACT GbR, particularly in relation to regulated software development or services involving client information.
Company Context
As of the effective date, RPACT operates as a small partnership of independent experts and does not rely on external vendors for critical IT or software development services.
Any collaboration with external contributors is done under formal agreements (e.g., Non-Disclosure Agreements, consulting contracts), and only with trusted professionals.
This policy is future-oriented and ensures readiness for structured third-party onboarding as the company grows.
Policy
Formal Agreements
- Any third party or supplier involved in service delivery or system access must operate under a formal written agreement.
- Agreements must define the scope of work, confidentiality obligations, ownership of deliverables, and responsibilities for compliance with regulatory requirements and client policies.
- For individual collaborators, this may take the form of an NDA or freelance service agreement.
Regulatory and Policy Compliance
- Third parties are required to adhere to all applicable regulatory requirements relevant to their work scope.
- Where client-specific policies apply (e.g., GxP, data privacy, information security), these are to be communicated to the third party and acknowledged in writing.
Information Protection
- All third parties must be informed of their responsibility to protect confidential information, including any client data they may access.
- RPACT ensures that information is only shared on a need-to-know basis, using secure, access-controlled environments.
Risk-Based Management and Periodic Evaluation
- RPACT applies proportional oversight based on the criticality of the third party’s role.
- All suppliers or collaborators involved in GxP-related work, security-relevant functions, or infrastructure components are subject to evaluation prior to engagement.
- The depth and frequency of evaluations are based on risk:
| Risk Level | Example Scenarios | Review Frequency |
|---|---|---|
| High Risk | External IT services or infrastructure tools | At least annually |
| Moderate Risk | Contract developers for internal tools | Every 1–2 years |
| Low Risk | Limited-scope contributors under NDA | Every 2–3 years |
- For high-risk suppliers, the evaluation includes the design and effectiveness of their internal controls and compliance mechanisms (e.g., with respect to the Sarbanes-Oxley Act (SOX), where applicable).
- Evaluations may include review of documentation (e.g., SOC 2 reports), performance history, and alignment with internal quality standards and regulatory expectations.
- External vendors (if introduced in the future) will be subject to formal onboarding and periodic review.
- As of the effective date of this policy, RPACT does not engage any suppliers that fall under the high-risk category as defined above. This policy will be updated accordingly should that change in the future.