Illuminate reviews all third-party vendors before engagement and on an ongoing basis to ensure they meet our standards for security, compliance, operational reliability, and alignment with our fiduciary obligations as an SEC-registered investment adviser.
Initial Review
Before onboarding a new vendor, Illuminate evaluates:
- Business purpose and necessity of the engagement
- Scope of data or systems the vendor will access, with particular attention to client PII, financial data, and account credentials
- Vendor's information security posture, including SOC 2 Type II reports, ISO 27001 certification, or equivalent documentation where applicable
- Regulatory and compliance standing, including any history of enforcement actions, breaches, or material litigation
- Financial stability and operational track record
- Business continuity and disaster recovery capabilities
- Subcontractor relationships and data handling practices
- Contractual terms covering confidentiality, data protection, breach notification, audit rights, and termination
Risk Tiering
Vendors are classified as high, medium, or low risk based on the sensitivity of data accessed, criticality to operations, and regulatory exposure. Higher-risk vendors receive deeper diligence and more frequent review.
Ongoing Monitoring
Illuminate reviews active vendors at least annually, or more frequently for high-risk relationships. Ongoing monitoring includes:
- Reconfirmation of security certifications and audit reports
- Review of any reported incidents, breaches, or service disruptions
- Assessment of continued business need and performance against SLAs
- Updates to contractual terms as needed
Documentation and Accountability
All vendor reviews, approvals, and supporting documentation are retained as part of Illuminate's compliance records. The CCO has final authority over vendor approval and offboarding decisions.