Supplier Relationship and Procurement

Purpose

A supplier relationship is the interaction and collaboration between a company or organization and Rocket.Chat.

This includes various aspects of how our company manages and interacts with suppliers, such as procurement processes, due diligence, contract negotiation, quality management, communication, and collaboration on innovation and product development.

Maintaining a secure, compliant, ethical supply chain is crucial because supplier relationships can introduce vulnerabilities and risks.

This policy helps us avoid violating applicable laws and regulations, manage the risks involved, and ensure we contract suitable products and services for our needs.

Scope

This policy applies to all purchases made through Rocket.Chat and therefore is applicable to all vendors, third-party service providers, and Rocketeers who purchase any product or service (e.g. software, hardware, consulting services, goods, etc) through Rocket.Chat.

Roles and Responsibilities

• Rocket.Chat vendors/suppliers: shall be aware of this policy and fulfill its requirements.

• Internal Stakeholders: All Rocketeers involved in the hiring or purchase of services or tools must be aware of this policy and assist with fulfillment of the requirements.

• Contract Manager: They are responsible for identifying suitable suppliers, negotiating terms, ensuring compliance with budgetary constraints, managing license use, and triggering the procurement process. The Contract Manager is also responsible for submitting the purchase request to the Finance team, getting budget approval and triggering the Supplier Due Diligence process.

• Finance Team: responsible for verifying budget approval

• Legal team: responsible for ensuring this policy's contractual and legal requirements are acknowledged and met.

• GRC: responsible for ensuring security compliance and risk assessment are executed.

• DPO: responsible for ensuring this policy's privacy compliance requirements are met.

Supplier Selection

Contract Managers are tasked with identifying potential suppliers based on their respective needs and requirements and evaluate suppliers based on criteria such as quality, price, reliability, and compliance with security standards.

Licenses Quantity & Management

Rocket.Chat assigns the responsibility for license quantity and management to the contract manager. This approach is rooted in the principle of ownership, where managers take ownership of determining their needs and managing their licenses accordingly. It also emphasizes accountability, as contract managers are expected to understand and comply with licensing requirements. This model is designed to promote efficiency, enabling contract managers to make timely decisions that align with their specific project or departmental needs.

Procurement Process

• Once a suitable Supplier is identified, the Contract Manager initiates the procurement process.

• Negotiations are conducted with the Supplier to establish favorable terms and conditions.

• Finance must approve the budget allocation for the procurement before any agreements are finalized.

Principles

Throughout the entire procurement process, Rocket.Chat applies the following principles:

a. Efficient and effective resource utilization: We strive to utilize Rocket.Chat's resources responsibly and efficiently.

b. Non-discriminatory and fair competition: We promote an open and transparent competitive environment, ensuring equal opportunities for all suppliers.

c. Transparency: We maintain transparency in our procurement processes, providing clear and accessible information to all stakeholders.

d. Best value for money: We seek to obtain the best value for money in our procurement decisions, considering quality and cost-effectiveness.

e. Accountability: We hold ourselves accountable for our procurement actions, ensuring compliance with applicable laws, regulations, and internal policies.

f. Integrity: We conduct all procurement activities with the highest integrity, ethics, and professionalism standards.

g. Respect for Rocket.Chat Policies: We abide by our internal policies, ensuring compliance and adherence throughout the procurement process.

Gifts and hospitality

Rocket.Chat strictly prohibits staff involved in procurement activities from accepting gifts, favors, or hospitality in compliance with anti-bribery regulations. The company also expects suppliers to refrain from offering them.

Negotiating Terms

There are a few elements to be considered when purchasing on behalf of Rocket.Chat:

1. No automatic renewals: We do not engage in automatic renewals; all supplier contracts require formal review and authorization to extend contracts for future terms. If you encounter any such clauses, please request their removal. To expedite the process, ensure with the supplier that we explicitly do not accept automatic renewals.

2. Maximum contract length: Our standard contract term is one year. If you require a longer term, it must receive prior executive approval, as this is considered an exception process.

3. Security and privacy diligence: We always prioritize security and privacy. Therefore, we need to perform a thorough assessment. Kindly request suppliers to fill out the supplier questionnaire to provide the necessary information and a copy of their SOC 2 report, if applicable. See Vendor Risk Assessment for more information on how to fulfill this item.

4. Financial requirements: Please refer to the Accounts Payable Policy for detailed information on the financial requirements for making purchases on behalf of Rocket.Chat. The policy is available here: https://handbook.rocket.chat/departments-operations/finance/accounts-payable-policy

5. Purchase planning and timeline: It's important to be proactive in the procurement process, as the completion timeline can vary. While we strive to expedite the process, it typically takes at least between 1 to 3 weeks or more to complete, depending on the complexity of the purchase. We appreciate your understanding and cooperation in planning accordingly to ensure a smooth and timely procurement experience. If you have any urgent deadlines or specific time constraints, please start the process at the earliest opportunity so that we can streamline this process.

6. DO NOT SIGN ANY CONTRACTS. Only authorized individuals can execute contracts on behalf of Rocket.Chat. Please view the Signatory Matrix for who may sign.

By following these guidelines, we can ensure a smooth and compliant procurement process for Rocket.Chat.

Procurement Workflow

Please note that the procurement process workflow can be viewed at https://whimsical.com/procurement-process-guidelines-UEVWVA8iDc8MEVtSV UzpkW. This information is intended for internal use only.

Procurement Request

The procedure for submitting a procurement request is described at Procurement Request Process - Internal Handbook (gitbook.com) and shall be followed.

Contracts & Service levels:

1. Relationships with suppliers must be based on written agreements/contracts. Such contracts must include provisions on information security when necessary.

2. Service levels of suppliers must be agreed upon and monitored, e.g. by monitoring uptime reports quality of service, and in case the service does not meet the expected level, the supplier must be notified to remediate the issues.

3. Changes to the provision of services by vendors, including changes to agreements, must be recorded (e.g. a contract amendment).

Contract Review

• Contracts must be submitted to the legal team for review to ensure legal compliance and mitigate any potential risks.

• Legal team shall work with the supplier to address any concerns or discrepancies in the contract terms.

Security and Data Protection

1) Confidentiality

Suppliers accessing or processing Rocket.Chat data must be subject to an MNDA (Mutual Non- Non-Disclosure Agreement) or other confidentiality clauses. If you're unsure whether you need to sign an MNDA, ask yourself if any information that's not publicly available will be shared. If the answer is yes, then signing an MNDA is necessary.

Further details on how to submit an MNDA can be found at Mutual NDA - Internal Handbook (gitbook.com).

2) Risk Assessment & Compliance - Security and Privacy

Any supplier processing or having access to Rocket.Chat information (e.g: a vendor that stores, accesses, or process company data), shall be required to:

1. Fill out the Vendor Risk Assessment Questionnaire

2. Provide their latest SOC2 report, if applicable.

Through these, Rocket.Chat team can assess their controls and check compliance.

The provision of SOC 2 Type II reports by the vendors may exclude the need of filling out the Vendor Risk Assessment Questionnaire.

For instructions on how to submit the Vendor Risk Questionnaire and request the SOC 2 report, please refer to [Vendor Risk Assessment - internal playbook]

Supplier Monitoring:

Monitoring is ad hoc or whenever performance or security issues arise. For those cases, Rocket.Chat reserves the right to perform assessments and request clarifications.

Suppliers classified as critical within Rocket.Chat Asset Register, undergo an annual review of their certifications to verify if those remain valid and in accordance with Rocket.Chat expectations (e.g ISO or SOC2). If any red flags are identified, a follow-up is done.

Transitional Period (Prior to 2024):

For supplier relationships established prior to February 1, 2024, risk assessments may not have been conducted initially. However, such assessments will be prioritized during the renewal period of existing contracts.