Vendor Management
Objective
This page offers a thoughtful way to work with external providers. It covers the website partner, hosting services, and smaller internal application providers that support Cafh.
Why this matters
Vendors make important work possible for Cafh. They also introduce distance between the organization and the systems, accounts, data, and contracts that support daily life. A clear vendor practice helps Cafh receive outside help without losing direction or memory. It also helps the committee work with providers in a way that is respectful, steady, and well recorded.
Risks this page helps reduce
- Vendor lock-in
- Hidden costs or missed renewals
- Support paths that no one can find in an incident
- Broad vendor access that stays open too long
- Weak visibility into data handled by a provider
- Hard service transfer at the end of a contract
Core rules
These rules keep the relationship clear from the start. Vendors bring needed skill and speed. Cafh still needs to keep direction, ownership, and records in its own hands.
- The committee must approve all vendor work requests.
- Each vendor must have one named Cafh contact.
- Each critical service must have a current contract owner.
- Vendor work must be logged in the committee records.
New vendor checklist
The checklist turns a vendor choice into a documented decision. It helps the committee compare providers, spot gaps early, and avoid hidden obligations.
- Service description
- Vendor name and legal entity
- Data handled by the vendor
- Support path and support hours
- Contract start and renewal dates
- Access needed by the vendor
- Exit path and data return path
- Result of the Cafh tool and software review
Work request flow
One request path helps vendors and Cafh at the same time. It reduces side agreements and keeps cost, scope, risk, and deadlines visible.
- A member sends the request to the committee.
- The committee reviews need, cost, risk, and priority.
- The committee approves the request or returns it for more detail.
- The named Cafh contact opens the vendor request.
- The committee records status, deadlines, and decisions.
- The committee closes the request after confirmation.
Access and control
Access should match the task and nothing more. This reduces the effect of mistakes, shortens cleanup after a contract ends, and keeps Cafh in charge of the core service chain.
- Vendors must get the minimum access needed for the job.
- Cafh must own the main accounts for hosting, domains, and core services.
- Shared credentials must live in the Cafh password manager.
- Remove vendor access at once after contract end or role end.
Sample vendor register
Use one row per provider. Replace the sample names and contact paths with the current data used by Cafh.
High means the provider supports a critical service or handles restricted data. Medium means the provider supports important work but does not control the core platform. Low means the provider supports a limited area with lower direct impact.
| Provider type | Example provider | Main role | Criticality | Cafh owner | Key vendor contact | Contact path | Review note |
|---|---|---|---|---|---|---|---|
| Infrastructure provider | DigitalOcean | Hosting, compute, storage, and network services | High | Technology committee | Support desk or account manager | Control panel, support ticket, and billing email | Review admin access, backups, and billing owner |
| Website and application provider | Website partner | Website changes, bug fixes, and member area support | High | Website owner | Project lead | Shared email help@website-partner.example and ticket board | Review source access, deploy rights, and support hours |
| Software vendor | Member records platform | Internal records and member data workflows | High | Membership owner | Support lead | Support portal and email support@appvendor.example | Review export path, backups, and privacy terms |
| Platform provider | Zoom | Meetings, calls, and online events | Medium | Committee chair | Business support or account admin | Admin console and support case | Review host roles, recordings, and recovery settings |
| Graphic and content provider | Design studio or translation partner | Visual assets, editing, translation, or public content support | Medium | Communications owner | Project contact | Shared email studio@example.com | Review brand assets, file return path, and approval flow |
| Domain and DNS provider | Registrar or DNS host | Domain renewal, DNS, and SSL records | High | Technology committee | Domain support contact | Registrar portal and support case | Review renewal dates, MFA, and recovery path |
Review
Vendor management does not end after signature. Regular review shows whether the service still fits Cafh's needs, cost, support quality, and data duties.
- Review the vendor list every 6 months.
- Review support quality after major work or incidents.
- Keep a current list of services, costs, and renewal dates.