Suppliers & Partners Policy
# Suppliers & Partners Policy – 2Zone Therapy v1.0

**Effective Date:** 23 October 2025
**Last Updated:** 23 October 2025

---

## 1. Purpose

This policy outlines how **2Zone Therapy**, including its associated platforms **HealthGPT** and **ERRIC**, selects, audits, and maintains relationships with suppliers, service providers, and technology partners.

Its purpose is to ensure that all third parties handling data or providing critical services meet the same standards of **security, privacy, ethics, and reliability** that we apply internally.

---

## 2. Scope

This policy applies to:

- Cloud hosting providers and data centers
- Payment processors and communication platforms
- AI and analytics technology vendors
- Translation, content, and voice partners
- Contractors or consultants with access to internal systems or data

---

## 3. Supplier Qualification

Before onboarding, all suppliers must:

- Demonstrate **GDPR compliance** or equivalent data protection standards
- Provide proof of **ISO 27001**, **SOC 2**, or equivalent certification
- Sign a **Data Processing Agreement (DPA)** where applicable
- Undergo a basic **security and reliability assessment**

No supplier will be granted production access without written approval from the **Data Protection Officer (DPO)** or designated compliance lead.

---

## 4. Annual Review & Compliance

Suppliers are **reviewed annually** to ensure continued compliance and performance. The review includes:

- Security and uptime reports
- Data-handling audits
- Incident and breach records
- Pricing and service-level evaluations

Suppliers failing to meet our standards may be suspended or terminated.

---

## 5. Data Transfers & International Partners

All data transfers outside the European Economic Area (EEA) must comply with:

- **EU Standard Contractual Clauses (SCCs)**, or
- Another approved legal mechanism under the GDPR.

Transfers must always be **minimized, encrypted, and logged**.

---

## 6. Confidentiality & Non-Disclosure

All partners are required to sign **Confidentiality and Non-Disclosure Agreements (NDAs)** covering:

- Client and health-related data
- AI models, prompts, and internal documentation
- Business plans, pricing, and research activities

Breach of confidentiality will result in **immediate contract termination** and may trigger legal action.

---

## 7. Sustainability & Ethics

We give preference to suppliers who:

- Operate responsibly and ethically
- Comply with environmental and labor laws
- Avoid the use of forced, child, or exploitative labor
- Maintain diversity and fair pay standards

Our partnerships reflect not only compliance but shared values.

---

## 8. Sub-Processors

Some suppliers may act as **approved sub-processors** for specific services (e.g., AI hosting, translation audio generation).

A public list of these sub-processors will be available on our website and updated periodically.

Clients and users are notified of any **material changes** to sub-processor lists.

---

## 9. Incident Management

In the event of a security incident or data breach involving a supplier:

- The supplier must notify 2Zone Therapy **within 24 hours** of detection.
- We will assess impact, contain exposure, and notify affected clients if required by law.
- Root cause and remediation details must be provided within **10 business days**.

---

## 10. Termination

2Zone Therapy reserves the right to **terminate any supplier agreement** if:

- The supplier fails to meet security or contractual obligations
- A breach or data misuse occurs
- Ethical or compliance standards are violated

All data must be returned or securely destroyed upon termination, with written certification.

---

## 11. Contact

**2Zone Therapy – Compliance & Procurement Division**
Email: **compliance@2zonetherapy.com**
Data Protection Officer (DPO): **privacy@2zonetherapy.com**

---