Rudrriv Trust Center

Accountable subcontractor management

Rudrriv uses a risk-based process to evaluate, approve, oversee and offboard subcontractors and subprocessors. Specialist capability is used where it adds value without reducing accountability for information, quality, continuity or contractual commitments.

  • Risk-based due diligence
  • Written flow-down obligations
  • Controlled access and data use
  • Accountable exit and deletion
Governance chain Accountability across the delivery lifecycle
Risk governed
Customer commitment Contract, scope, data and service expectations
Control source
Rudrriv accountability Approval, governance, oversight and escalation
Responsible party
Approved subcontractor Defined work, written duties and limited access
Controlled delivery
Review and evidence Performance, change, incidents and closure
Ongoing assurance
Before accessReview and approval
During serviceMonitor and escalate
At exitRemove and confirm
Direct answer

How Rudrriv manages subcontractors

Rudrriv manages subcontractors as an extension of its service-risk environment—not as an unmanaged handoff. Before material work or access begins, the need, role, data, systems, location, dependency and customer obligations are considered. Controls are then applied according to the risk and documented scope.

Rudrriv may use different types of third parties across professional services, technology, cloud infrastructure and operational support. The exact providers, safeguards, customer rights and processing locations depend on the contracted service and should be confirmed in the applicable agreement or due-diligence process.

Subcontractor

A third party engaged to perform part of a service, activity or contractual obligation.

Subprocessor

A processor engaged by another processor to process personal data on a controller’s behalf.

Governance principles

The rules that guide subcontractor decisions

These principles support consistent decision-making across professional-service providers, independent specialists, cloud platforms, technology vendors and other delivery partners.

Rudrriv remains accountable

Using a subcontractor does not remove Rudrriv’s responsibility for the services and obligations assigned to Rudrriv under the applicable customer agreement.

Risk determines the review

Review depth is based on the work performed, information involved, system access, delivery dependency, location, legal requirements and potential customer impact.

Obligations flow down

Relevant confidentiality, security, privacy, service, audit, incident, continuity and deletion requirements are addressed through appropriate written terms.

Access is minimised

Subcontractors should receive only the information, systems and permissions needed for an approved purpose and defined period.

Material dependencies are visible

Rudrriv seeks to understand who supports delivery, what they do, where material processing occurs and which risks require ongoing oversight.

Oversight continues through exit

Governance covers selection, onboarding, operation, change, incident response, renewal, access removal, return or deletion and transition.

Lifecycle governance

Control from initial need through final exit

The depth of each stage is proportionate to the subcontractor’s access, criticality and potential impact. Low-risk suppliers do not require the same review as a provider that handles sensitive data or supports a critical service.

Need and scope

Define the business need, service boundary, data involved, systems required, delivery location, criticality and customer commitments.

Expected output Documented requirement and initial risk classification

Due diligence

Assess capability, ownership, security, privacy, confidentiality, continuity, legal status, reputation and relevant assurance evidence.

Expected output Risk-informed suitability decision

Approval

Obtain the required business, delivery, security, privacy, legal or customer approval before access or material work begins.

Expected output Recorded approval, conditions and owner

Contract and onboarding

Set written obligations, permitted use, access boundaries, reporting duties, service expectations and onboarding controls.

Expected output Executed terms and controlled access

Operation and review

Track performance, material changes, access, issues, incidents, control evidence and renewal requirements proportionate to risk.

Expected output Ongoing oversight and corrective actions

Exit and transition

Remove access, recover assets, return or delete information, preserve required records and support an orderly handover.

Expected output Closure evidence and residual-risk review
Management controls

Controls applied according to service and risk

Not every control applies identically to every relationship. The applicable contract, customer requirements, access model, data sensitivity, jurisdiction and provider capability determine the final control set.

Named ownership

  • Business and delivery owner identified
  • Approval authority defined
  • Escalation route documented
  • Review responsibility assigned

Risk tiering

  • Criticality and dependency considered
  • Data and access sensitivity assessed
  • Location and concentration risk reviewed
  • Review depth matched to risk

Due diligence

  • Capability and experience evaluated
  • Security and privacy information reviewed
  • Continuity and financial considerations assessed
  • Material exceptions recorded

Contractual safeguards

  • Confidentiality and permitted-use terms
  • Security and privacy obligations
  • Incident and cooperation duties
  • Return, deletion and termination terms

Access governance

  • Named or attributable access where supported
  • Least-privilege permissions
  • Approved authentication and credential handling
  • Timely change and removal

Data controls

  • Data minimisation
  • Approved transfer and storage methods
  • Location and retention considerations
  • Deletion or return requirements

Service and quality oversight

  • Defined deliverables and acceptance criteria
  • Review and exception handling
  • Performance and issue tracking
  • Corrective-action follow-up

Incident coordination

  • Prompt reporting expectations
  • Containment and evidence cooperation
  • Customer escalation based on facts and obligations
  • Root-cause and remediation follow-up

Continuity and resilience

  • Critical dependency awareness
  • Backup or transition planning where appropriate
  • Concentration-risk consideration
  • Recovery priorities aligned to impact

Change management

  • Material scope changes reviewed
  • New locations or downstream providers assessed
  • Customer notice or approval where required
  • Contract and records updated

Ongoing monitoring

  • Risk-based review cadence
  • Evidence refreshed when material
  • Issues and commitments tracked
  • Renewal decision documented

Offboarding

  • Access and credentials removed
  • Customer information returned or deleted
  • Assets and documentation recovered
  • Open risks and transition actions closed

Control boundary: Customer-managed systems, customer-selected platforms and customer-mandated providers can create shared responsibilities. Those responsibilities should be documented so approval, configuration, monitoring, incident response and access removal are not assumed or duplicated.

Customer expectations

Clear commitments, clear boundaries

This table explains Rudrriv’s general approach. It is not a substitute for the service agreement, data processing agreement, statement of work or approved subprocessor schedule.

General subcontractor-management position
Topic Rudrriv approach What the customer should confirm
Use of subcontractors Rudrriv may use qualified subcontractors where appropriate for service delivery, subject to the applicable agreement, approved scope and risk. The customer agreement remains the controlling document for any restrictions, approval rights or service-specific commitments.
Responsibility Rudrriv does not treat subcontracting as a transfer of its contractual accountability. Customers continue to engage Rudrriv as the responsible contracting party unless the agreement expressly states otherwise.
Subprocessor authorisation Where Rudrriv acts as a processor and engages another processor, authorisation and notice are handled according to the applicable data processing terms and law. Service-specific subprocessor information can be addressed during contracting or a privacy and security review.
Material changes Changes that materially affect an agreed service, data flow, location, risk profile or customer right are reviewed before implementation. Notice, objection or approval mechanisms apply only where required by the contract or applicable law.
Evidence and assurance Rudrriv may request policies, questionnaires, reports, certifications, testing summaries or other evidence proportionate to the risk. Evidence availability can be limited by confidentiality, licensing, security and the scope of the supplier relationship.
Termination Access, information, assets and transition obligations are addressed when a subcontractor relationship ends. Return, deletion, retention and handover follow the applicable contract, legal requirements and technical capabilities.
Privacy and subprocessors

Additional controls when personal data is processed

Where Rudrriv acts as a processor, the use of subprocessors is governed by the applicable data processing terms, documented instructions and relevant privacy law. The objective is sufficient transparency, appropriate authorisation and protection that continues through the processing chain.

No universal subprocessor claim

This page does not state that every Rudrriv service uses the same providers, countries, data flows or transfer mechanisms. Those details must be confirmed for the service being purchased.

Processing-chain visibility

For relevant services, Rudrriv seeks sufficient information about the identity, role, location and processing activities of material subprocessors.

Purpose limitation

Personal data should be processed only for documented service purposes and according to the controller’s instructions as reflected in the applicable terms.

Equivalent protection

Data protection obligations appropriate to the processing are intended to flow down to subprocessors through written terms.

International-transfer review

Cross-border processing and transfer mechanisms are assessed where applicable to the service, data, countries and customer requirements.

Assistance and cooperation

Relevant subcontractors may be required to support requests, investigations, audits, incidents and regulatory obligations within their service boundary.

Return and deletion

Retention, return and deletion obligations are defined according to the contract, legal requirements, backup design and technical feasibility.

Change and incident handling

Material events are reviewed, not silently absorbed

Subcontractor governance must respond when the service, provider, location, risk or customer impact changes.

Material change review

  • Change in service scope, ownership, delivery model or critical dependency.
  • New processing location, data category, system access or downstream provider.
  • Control deterioration, unresolved finding or material assurance exception.
  • Customer notification, objection or approval where the agreement requires it.
  • Updated risk decision, contract, access and operating documentation.

Incident and issue escalation

  • Prompt reporting expectations based on the nature and potential impact.
  • Containment, investigation and preservation of relevant evidence.
  • Fact-based coordination with Rudrriv and affected customers.
  • Legal and contractual notification decisions by the responsible parties.
  • Corrective action, root-cause review and lessons incorporated into oversight.
Standards and guidance

Recognised references for supplier and processor oversight

Rudrriv’s approach is informed by widely recognised security, supply-chain and privacy guidance. These references help structure governance but do not create a certification claim.

Information-security reference

ISO/IEC 27001:2022

Provides a risk-based management-system reference that includes supplier relationships, supplier agreements and monitoring of supplier services.

Supplier-relationship reference

ISO/IEC 27036 series

Provides guidance for establishing, managing and improving information-security practices across supplier relationships.

Cyber supply-chain reference

NIST SP 800-161 Rev. 1

Supports identification, assessment and treatment of cybersecurity risks across products, services and supply-chain relationships.

Governance and outcome reference

NIST Cybersecurity Framework 2.0

Includes cybersecurity supply-chain risk management outcomes within the Govern function and supports repeatable risk oversight.

Practical oversight reference

NCSC Supply Chain Security Principles

Organises supply-chain security around understanding risks, establishing control, checking arrangements and continuous improvement.

Processor-chain reference

EDPB Opinion 22/2024

Provides European data-protection guidance on controller, processor and subprocessor obligations, transparency and sufficient guarantees.

Important: Framework alignment, use as a reference, certification, attestation and independent assurance are different statements. Rudrriv will only represent a certification or report when current evidence exists and the stated scope is accurate.
Procurement and privacy questions

Frequently asked questions

These answers provide general information. Service-specific commitments are defined by the applicable contract, statement of work, data processing terms and approved supporting documents.

Does Rudrriv use subcontractors?
Rudrriv may use subcontractors, specialist professionals, independent contractors, affiliates, cloud providers or other service providers where appropriate for an agreed service. Their involvement depends on the scope, capability required, customer agreement, information involved and assessed risk.
Is a subcontractor the same as a subprocessor?
No. A subcontractor is a broader commercial term for a third party supporting delivery. A subprocessor is a processor engaged by another processor to process personal data on behalf of a controller. A provider may be both, but the classification depends on its actual role and data-processing activity.
Does Rudrriv remain responsible for subcontracted work?
Yes, Rudrriv remains responsible for its obligations under the applicable customer agreement unless that agreement expressly provides otherwise. Contractual responsibility does not prevent customers from having direct rights or remedies where law or contract provides them.
How does Rudrriv assess a subcontractor?
Assessment is proportionate to risk and may cover capability, ownership, reputation, financial and operational stability, security, privacy, confidentiality, data location, continuity, insurance, legal requirements, conflicts, downstream dependencies and available assurance evidence.
Will customers be told about every subcontractor?
Notification depends on the applicable agreement, service scope and law. General business suppliers that do not access customer information or support the contracted service may not require customer notice. Material service subcontractors and subprocessors are handled according to relevant contractual and legal requirements.
Can a customer object to a new subprocessor?
Any notice and objection right is defined in the applicable data processing agreement or customer contract. Such rights normally apply to relevant subprocessors rather than every supplier used by Rudrriv, and the agreement may define the objection process, timing and available resolution options.
What security requirements apply to subcontractors?
Requirements depend on the service and risk. They may include confidentiality, least-privilege access, approved authentication, secure data handling, incident reporting, vulnerability management, continuity, personnel controls, audit cooperation, retention and deletion.
Can subcontractors use their own subcontractors?
Downstream engagement is controlled according to the applicable contract and risk. Where permitted, relevant obligations should continue through the processing or service chain, and material changes may require prior approval, notice or additional assessment.
Where are subcontractors located?
Location varies by service and provider. Rudrriv does not make a universal location commitment on this page. Service-specific delivery and processing locations should be confirmed during contracting, due diligence or a data-flow review.
How does Rudrriv monitor subcontractors?
Monitoring may include service reviews, issue tracking, access review, evidence refresh, questionnaire updates, assurance reports, incident follow-up, change notifications, performance measures and renewal assessments. Frequency and depth are based on risk and contractual requirements.
What happens when a subcontractor relationship ends?
Rudrriv coordinates offboarding based on the service and contract. Actions may include access removal, credential rotation, asset recovery, information return or deletion, documentation transfer, open-issue closure, continuity measures and confirmation of residual obligations.
Can customers request subcontractor-management information?
Yes. Customers may send a reasonable due-diligence request to support@rudrriv.com. Information provided will depend on the service scope, confidentiality commitments, security considerations, legal restrictions and whether a non-disclosure agreement is required.
Is Rudrriv certified to the frameworks listed on this page?
This page identifies recognised standards and guidance used as references. It does not represent certification, attestation or independent assurance unless Rudrriv separately provides a current certificate or report that expressly covers the relevant scope.

Last reviewed: July 2026

Review the delivery chain before service begins

Share your service scope, data categories, location restrictions, approval requirements and due-diligence process so subcontractor and subprocessor responsibilities can be defined early.

Start a governance discussion