An organization's security posture is only as strong as its weakest vendor. When a healthcare system entrusts Ariana Nexus with Protected Health Information, the system's CISO evaluates not only Ariana Nexus's controls but also the controls of every vendor, subcontractor, and platform that Ariana Nexus uses to process, store, or transmit that data. When a defense agency assesses Ariana Nexus for a CUI engagement, the contracting officer requires assurance that NIST SP 800-171 controls flow down to every entity in the supply chain.
Ariana Nexus governs its third-party relationships with the same rigor it applies to its own operations. Every vendor is assessed before onboarding. Every subcontractor is vetted before assignment. Every platform is evaluated for security, privacy, and regulatory compliance. Every contractual relationship is governed by agreements that impose obligations consistent with the commitments Ariana Nexus makes to its own clients.
Ariana Nexus classifies all third-party vendors into three tiers based on the nature and sensitivity of their access to Ariana Nexus data, client data, and operational systems:
Tier 1 — Critical Platform Vendors: Vendors that process, store, or transmit Ariana Nexus or client data as a core part of their service. Compromise or failure of a Tier 1 vendor would directly impact Ariana Nexus's ability to deliver services and protect data.
Tier 2 — Operational Vendors: Vendors that provide services supporting Ariana Nexus operations and may have limited or indirect access to organizational data, but do not process client PHI, CUI, or Restricted-tier data.
Tier 3 — Ancillary Vendors: Vendors that provide commoditized services with no access to sensitive organizational or client data.
Microsoft — Microsoft 365 Business Premium (Exchange, SharePoint, OneDrive, Teams, Entra ID, Defender, Purview, Intune). Tier 1 — Critical. Data access: All organizational and client data. Key agreement: Microsoft Business Associate Agreement (BAA) executed; Microsoft Online Services DPA. Certifications held: SOC 2 Type II, ISO 27001, ISO 27018, FedRAMP High, HIPAA, HITRUST, CSA STAR.
Cloudflare — CDN, DNS, SSL/TLS, DDoS protection for ariananexus.com. Tier 2 — Operational. Data access: Website traffic data, DNS records, IP addresses of website visitors. Key agreement: Cloudflare DPA (standard terms). Certifications held: SOC 2 Type II, ISO 27001, PCI DSS.
Webflow — Website hosting platform for ariananexus.com. Tier 2 — Operational. Data access: Website content, contact form submissions (no PHI, no CUI, no client data). Key agreement: Webflow Terms of Service and DPA. Certifications held: SOC 2 Type II.
Google — Google Analytics, Google Workspace (limited use), Google Search Console. Tier 2 — Operational. Data access: Website analytics data, search performance data. Key agreement: Google Data Processing Terms. Certifications held: SOC 2 Type II, ISO 27001, FedRAMP.
No client PHI, CUI, or Restricted-tier data is processed on any platform other than Microsoft 365 Business Premium, for which a BAA is executed. This is the single most important vendor governance control in the Ariana Nexus environment.
Ariana Nexus maintains a formal, documented vendor due diligence process that is applied before any new vendor is onboarded. The process evaluates vendors against the following criteria:
Security Assessment:
Privacy Assessment:
Regulatory Compliance Assessment:
Financial and Business Viability:
OFAC and Sanctions Screening:
The due diligence assessment is documented for each vendor and retained in the Ariana Nexus compliance records. Documentation includes the assessment date, criteria evaluated, findings, risk rating (Critical, Moderate, Low, Minimal), and the approval or rejection decision. Vendor due diligence records are available for client audit upon request.
Vendor governance does not end at onboarding. Ariana Nexus conducts ongoing monitoring of all Tier 1 and Tier 2 vendors:
Ariana Nexus uses subcontractors — contract interpreters, freelance translators, and subject-matter specialists — to deliver client services. These individuals are members of the Human Intelligence Collective, Ariana Nexus's curated network of Afghan-language professionals.
Subcontractors who access client data, attend client engagements, or perform work involving PHI, CUI, or Restricted-tier information are subject to the same security, privacy, and compliance controls that apply to Ariana Nexus employees.
Every subcontractor undergoes the same vetting process applied to employees:
All subcontractors execute the following agreements before accessing any Ariana Nexus system or client data:
Microsoft Entra ID Account — Required — every subcontractor receives a managed identity.
Multi-Factor Authentication — Enforced — no exceptions.
Conditional Access — Applied — location, device compliance, and risk-based policies.
Device Enrollment (Intune) — Required for subcontractors using Ariana Nexus-provisioned or BYOD devices accessing M365.
Sensitivity Labels — Required — subcontractors apply classification labels per the four-tier framework.
DLP Policies — Applied — same DLP enforcement as employees across all surfaces.
Audit Logging — Active — all subcontractor activity logged in M365 Unified Audit Log.
Access Scope — Restricted — subcontractors receive access only to the engagement-specific resources required for their assignment.
Access Duration — Time-bound — access expires at engagement completion; quarterly review for ongoing assignments.
Remote Wipe — Available — for devices accessing Ariana Nexus resources.
All subcontractors complete the following training before assignment:
Training completion records are maintained and available for client audit.
When a subcontractor's engagement ends:
For engagements involving personal data of EU or UK data subjects, Ariana Nexus executes DPAs with clients that include:
When Ariana Nexus engages sub-processors (including subcontractors who process personal data), Ariana Nexus ensures that the same data protection obligations flow down through back-to-back DPA provisions. Clients receive advance notice before Ariana Nexus engages a new sub-processor, with the right to object.
For healthcare engagements involving PHI:
For federal government engagements:
NDAs are executed with every vendor and subcontractor before access to Ariana Nexus systems or data. NDAs cover:
Ariana Nexus aligns its supply chain risk management practices with NIST SP 800-161 Rev. 1 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations):
When a Tier 1 or Tier 2 vendor experiences a security incident:
Under GDPR Article 28(2), Ariana Nexus maintains a registry of sub-processors engaged for personal data processing:
Microsoft Corporation — Cloud platform (M365), email, storage, collaboration, identity, security. Data processed: All engagement data including potential PHI and CUI. Location: United States (primary); global data centers per Microsoft geography. Agreement: Microsoft BAA; Microsoft Online Services DPA.
Cloudflare, Inc. — CDN, DNS, DDoS protection. Data processed: Website visitor IP addresses, traffic data. Location: United States; global edge network. Agreement: Cloudflare DPA.
Webflow, Inc. — Website hosting. Data processed: Contact form submissions, website content. Location: United States. Agreement: Webflow DPA.
Google LLC — Analytics, search tools. Data processed: Website analytics data, anonymized usage data. Location: United States. Agreement: Google Data Processing Terms.
Individual Subcontractors (HIC Members) — Interpretation, translation, annotation, content moderation. Data processed: Engagement-specific data per assignment (may include PHI, CUI, PII). Location: United States (primarily); international as engagement requires. Agreement: Subcontractor Agreement, NDA, BAA (where applicable), DPA flow-down.
Client notification: Clients are notified in advance before Ariana Nexus engages a new sub-processor for their engagement, consistent with GDPR Article 28(2) and the applicable DPA.
Ariana Nexus's third-party and vendor governance architecture is designed in alignment with the following recognized frameworks and standards:
NIST SP 800-161 Rev. 1 — Cybersecurity Supply Chain Risk Management. Aligned — vendor due diligence, tiering, monitoring, and incident coordination.
NIST SP 800-171 Rev. 2 — SA (Security Assessment) family — contractor systems. Aligned — vendor security assessment; flow-down for CUI engagements (monitors Rev. 3 transition).
ISO 27001:2022 — Annex A.5.19–A.5.23 — Supplier Relationships. Aligned — vendor governance framework addresses all supplier controls.
SOC 2 (TSC) — CC9.2 — Risk Mitigation through Vendor Management. Aligned — formal due diligence, contractual controls, ongoing monitoring.
HIPAA (45 CFR § 164.308(b)) — Business Associate contract requirements. Compliant — BAAs executed with Microsoft and healthcare clients.
HIPAA (45 CFR § 164.502(e)) — Business Associate provisions for subcontractors. Aligned — subcontractor BAA provisions for PHI engagements.
GDPR Article 28 — Processor and sub-processor obligations. Aligned — DPA template ready; sub-processor registry maintained.
GDPR Articles 44–49 — International data transfer safeguards. Aligned — SCCs and UK IDTA in DPA; TIAs conducted.
FAR 52.204-21 — Basic safeguarding flow-down to subcontractors. Aligned — flow-down provisions in subcontractor agreements.
DFARS 252.204-7012 — CUI protection flow-down. Aligned — NIST 800-171 requirements flow to subcontractors.
CMMC Level 2 — SA (Security Assessment) domain. Roadmap — formal flow-down documentation for CMMC certification.
CJIS Security Policy — Policy Area 1 — Information Exchange Agreements. Aligned — vendor agreements address data security; CJIS addendum planned.
EU AI Act (Article 10) — Data governance for AI training data (sub-processor quality). Aligned — subcontractor QA, annotation standards, data provenance.
NIST AI RMF — Govern function — third-party AI risk. Aligned — vendor and subcontractor governance for AI service delivery.
FCPA / UK Bribery Act — Anti-corruption in vendor relationships. Compliant — anti-corruption policy applied to vendor and subcontractor relationships.
OFAC — Sanctions screening of vendors and subcontractors. Compliant — screening at onboarding and periodically.
For procurement officers: Ariana Nexus maintains a formal vendor due diligence process with documented criteria, a three-tier vendor classification, and ongoing monitoring. Every subcontractor is vetted to the same standard as employees. BAAs, DPAs, NDAs, and FAR/DFARS flow-down provisions are in place. We can provide our vendor inventory, due diligence documentation, and sub-processor registry upon request.
For CISOs: Our Tier 1 vendor (Microsoft) holds SOC 2 Type II, ISO 27001, and FedRAMP High certifications. No client PHI, CUI, or Restricted data is processed on any platform other than the BAA-covered Microsoft 365 environment. Subcontractors are governed by the same MFA, Conditional Access, DLP, and audit logging controls as employees.
For compliance officers: Our DPA template is GDPR Article 28 compliant with SCCs and UK IDTA. Sub-processor changes require client notification. HIPAA BAA terms flow down to subcontractors. FAR/DFARS clauses flow down to government engagement subcontractors. OFAC screening covers all vendors and subcontractors.
For government contracting officers: NIST SP 800-171 and FAR 52.204-21 requirements flow down to all subcontractors accessing CUI or covered contractor information systems. DFARS 252.204-7012 cyber incident reporting applies to the subcontractor supply chain. OFAC compliance is enforced throughout the vendor and subcontractor ecosystem.
If your organization requires vendor governance documentation, sub-processor registry, or supply chain risk assessment evidence, contact trust@ariananexus.com or +1 (202) 771-0224.
Ariana Nexus views vendor governance as a multi-year discipline. The following roadmap reflects our planned maturation path:
Formal vendor due diligence process. Three-tier vendor classification. Four active vendors assessed and governed. Subcontractor vetting, NDAs, training, and technical controls. BAA executed with Microsoft. DPA template ready. OFAC screening for all vendors and subcontractors. Sub-processor registry maintained.
Automated vendor risk scoring. Standardized vendor security questionnaire. Annual Tier 1 vendor review cycle formalized. Subcontractor credentialing database. CJIS vendor agreement addendum.
SOC 2 Type II evidence for vendor management (CC9.2). ISO 27001 Annex A.5.19–A.5.23 certification. CMMC flow-down documentation for C3PAO assessment. Formal fourth-party risk assessment for Tier 1 vendors.
Vendor risk management platform evaluation. Automated sub-processor notification for GDPR. International subcontractor governance framework (EU, UK, Canada, Australia). Continuous vendor monitoring integration with Sentinel SIEM.
AI-assisted vendor risk assessment. Real-time supply chain threat intelligence. Automated regulatory flow-down configuration per engagement type. Multi-vendor redundancy evaluation for critical services.
Autonomous vendor governance engine. Blockchain-verified subcontractor credential management. Zero-trust supply chain architecture. Global vendor compliance dashboard for client visibility.
Third-Party Vendor Actions. Ariana Nexus conducts due diligence on its vendors and imposes contractual obligations through BAAs, DPAs, NDAs, and service agreements. However, Ariana Nexus does not control its vendors' operations, security practices, or personnel. Ariana Nexus disclaims liability for security incidents, data breaches, service disruptions, or compliance failures attributable to third-party vendor actions, except to the extent specified in the applicable Engagement Agreement.
Subcontractor Performance. Ariana Nexus vets, trains, and governs its subcontractors. However, subcontractors are independent contractors, not employees. Ariana Nexus's liability for subcontractor performance is limited to the terms of the applicable Engagement Agreement.
Vendor Certifications. Vendor certifications cited on this page (SOC 2, ISO 27001, FedRAMP, etc.) are maintained by the vendors themselves. Ariana Nexus does not guarantee the accuracy, currency, or continued validity of vendor certifications. Clients should independently verify vendor certifications as part of their own due diligence.
Roadmap Items. The maturity roadmap reflects current plans as of the Effective Date. Roadmap items are forward-looking statements, not binding commitments.
Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ARIANA NEXUS'S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIRD-PARTY VENDOR OR SUBCONTRACTOR GOVERNANCE SHALL NOT EXCEED THE AMOUNTS SET FORTH IN THE APPLICABLE ENGAGEMENT AGREEMENT, OR, WHERE NO ENGAGEMENT AGREEMENT EXISTS, ONE HUNDRED DOLLARS ($100). ARIANA NEXUS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING FROM OR RELATED TO VENDOR OR SUBCONTRACTOR ACTIONS, SECURITY INCIDENTS, OR COMPLIANCE FAILURES.
EEA and UK Users. For users located in the European Economic Area or the United Kingdom, nothing in this section limits or excludes liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) any liability that cannot be excluded under the Consumer Rights Act 2015 (UK) or Directive 2011/83/EU; or (iv) any other liability that cannot be limited or excluded by mandatory applicable law.
Dispute Resolution. Any dispute arising out of or relating to this page shall be subject to the dispute resolution provisions in the Terms of Use, Section 18.
This page is provided for informational purposes and does not constitute a warranty, guarantee, or binding commitment regarding Ariana Nexus's vendor governance practices. Vendor certifications and capabilities described herein are maintained by the vendors themselves and are subject to change. Nothing in this page shall be construed as a waiver of any right, defense, or immunity available to Ariana Nexus under applicable law.