Vendor Risk Assessment (VRA) Policy Summary
Version: 1.0 | Effective Date: July 14, 2025 | Last Updated Date: July 14, 2025
At Solidus AI Tech Ltd (“AITECH”), we are committed to responsible vendor management and protecting our operations, customers, and data. Our Vendor Risk Assessment (VRA) Policy ensures that all third-party vendors and partners are assessed and monitored for legal, regulatory, operational, reputational, and security risks before engagement and throughout the business relationship.
What We Assess
We evaluate vendors across six key risk categories:
Regulatory & Compliance: Licensing, AML/CTF posture, sanctions exposure.
Operational: Service reliability, business continuity, and disaster recovery.
Legal: Contractual terms, liabilities, and IP rights.
Financial: Stability, transaction integrity, and transparency.
Reputational: Public image, ethics, and adverse media presence.
Information Security: Data protection, privacy, and breach history.
Risk Scoring Framework
Each vendor is assigned a quantitative risk score:
Low Risk (Score: 1): Fully compliant, minimal risk exposure.
Medium Risk (Score: 2): Some documentation gaps or moderate sector risk.
High Risk (Score: 3): Lacks compliance materials or operates in high-risk areas.
This scoring informs approval levels, onboarding decisions, and monitoring frequency.
Ongoing Monitoring & Review
High-risk vendors: Reviewed annually
Medium-risk vendors: Reviewed every 2 years
All vendors: Reviewed before renewal or after any major change or incident.
Misconduct & Termination
Vendors may be rejected or terminated for non-compliance, falsified documents, legal violations, or reputational harm. Serious breaches may result in permanent blacklisting.
Privacy & Transparency
All vendor data is processed securely in accordance with our Privacy Policy. We assess vendors fairly, without discrimination, and based on objective risk criteria.
For questions or inquiries, please email us at: [email protected].