SafeLaw
TPSP-01 · PCI DSS reference: Req 12.8

Third-Party Service Providers Management

Register of TPSPs and requirements for selection, monitoring, and offboarding.

SELLAI LLC

SafeLaw Service (safelaw.ai)

TIN 312530703, Nukus, Republic of Karakalpakstan, Uzbekistan

THIRD-PARTY SERVICE PROVIDER MANAGEMENT POLICY

Document TPSP-01

Version 1.0

Effective date: 15 May 2026

Compliance: PCI DSS v4.0.1, SAQ A

Master language: Russian. In case of any discrepancy between the English translation and the Russian master, the Russian version shall prevail.

1. Purpose

This Third-Party Service Provider Management Policy (the «Policy») governs how SELLAI LLC (the «Company») selects, evaluates, contracts with, monitors and terminates relationships with third parties whose services may affect the security of user data, including payment cardholder data processed in connection with the SafeLaw service (safelaw.ai). The Policy is developed in accordance with PCI DSS v4.0.1 Requirement 12.8.

2. Scope

The Policy applies to all Third-Party Service Providers (TPSPs) that:

  • have access to payment cardholder data or may affect the security of the cardholder data environment (CDE);
  • process, store or transmit personal data of the Company's users;
  • provide infrastructure services supporting the Company's public services;
  • support or administer the Company's information systems.

3. Definitions

Third-Party Service Provider (TPSP) — a legal entity or individual, other than a Company employee, providing services as set out in Section 2 of this Policy.

Due Diligence — the process of evaluating a potential service provider's ability to safeguard data entrusted to them by the Company.

Attestation of Compliance (AoC) — a document evidencing the service provider's compliance with PCI DSS requirements.

DPA (Data Processing Agreement) — an agreement on the processing of personal data between the Company (controller) and a service provider (processor).

4. Service Provider Register

The Company maintains an up-to-date register of all service providers covered by this Policy. For each provider, the register includes:

  • name, country of registration, contact details;
  • type and description of services provided;
  • PCI DSS service category (payment, infrastructure, hosting, AI, other);
  • specific PCI DSS requirements performed by the provider on behalf of the Company;
  • contract date and term;
  • status and validity of the Attestation of Compliance (for payment and infrastructure TPSPs);
  • status of the DPA (for processors of personal data);
  • date of the most recent compliance review;
  • the Company's relationship manager for the provider.

The register is reviewed at least every 12 months and updated upon any change in the composition of providers.

4.1. Current Service Providers of the Company

As of 15 May 2026:

Provider | Jurisdiction | Service / role | PCI DSS category
Ipak Yuli Bank | Uzbekistan | Payment acquiring; processing of payment cardholder data via redirect flow | Payment service (PCI DSS-compliant acquirer)
Cloudflare, Inc. | USA | WAF, CDN, DDoS protection, DNS management | Infrastructure / security controls
Netcup GmbH | Germany | Hosting of production servers of the SafeLaw service | Infrastructure / hosting
Google LLC | USA | Corporate email and collaboration (Google Workspace); AI services (Vertex AI Gemini) | Corporate services and AI
Anthropic PBC | USA | Claude API AI service | AI service
OpenAI OpCo, LLC | USA | GPT API AI service | AI service
Namecheap, Inc. | USA | Domain registrar for safelaw.ai | Infrastructure

None of the listed providers (other than Ipak Yuli Bank as payment acquirer) has access to payment cardholder data, as the Company does not process, store or transmit PAN (primary account number) or SAD (sensitive authentication data) on its infrastructure: card details are entered on the acquirer's payment pages, to which users are redirected from safelaw.ai.

5. Provider Selection Procedure

5.1. Due Diligence

Before contracting with a potential service provider covered by this Policy, an assessment is performed against the following criteria:

  • required licences, authorisations and registrations;
  • compliance with applicable standards and certifications (PCI DSS, ISO 27001, SOC 2, depending on the type of service);
  • market reputation and information security incidents in public sources;
  • transparency of information security and data processing policies;
  • ability to enter into contractual obligations on data protection;
  • geographic location of the data processing infrastructure;
  • financial stability;
  • SLA and support arrangements.

For payment providers and any provider with access to payment cardholder data, current PCI DSS validation as a service provider is mandatory. A copy of the Attestation of Compliance (AoC) shall be obtained, and its date, validity period and the services it covers shall be recorded in the register.

5.2. Documentation of the Assessment

The results of the assessment are documented in a brief report containing: the provider's name, the proposed services, the criteria reviewed, identified risks and a recommendation to contract or decline. The report is retained for the term of the contract and for 3 years thereafter.

6. Contractual Requirements

A contract with a TPSP that has access to the Company's data or affects data security includes provisions on:

  • the provider's obligation to comply with applicable law and standards (including PCI DSS for payment and infrastructure providers; Law No. ZRU-547 «On Personal Data» for processors of personal data of Uzbek users);
  • a clear allocation of information security responsibilities between the Company and the provider;
  • the provider's obligation to notify the Company of information security incidents affecting the Company's data within a specified timeframe;
  • the Company's right to request evidence of the provider's compliance with security standards;
  • confidentiality of information received from the Company;
  • the procedure for returning or destroying the Company's data upon termination;
  • liability for breach of the security obligations.

Where specific provisions cannot be negotiated into the standard terms of international providers (Cloudflare, Google, Anthropic, OpenAI, Netcup and others), the Company relies on the providers' published terms of service, privacy policies and Data Processing Agreements and verifies that these are aligned with the Company's requirements. Entering into a DPA with such providers is mandatory.

7. Allocation of PCI DSS Responsibilities

Responsibilities for PCI DSS compliance are clearly allocated between the Company and its TPSPs. The allocation is documented in a Responsibility Matrix.

7.1. Acquiring Bank (Ipak Yuli Bank) Responsibilities

  • processing, storage and transmission of users' payment cardholder data;
  • security of the payment gateway and payment pages;
  • PCI DSS compliance at the level applicable to payment service providers;
  • notifying the Company of security incidents affecting payment operations.

7.2. Company Responsibilities

  • ensuring that payment cardholder data does not enter the Company's infrastructure;
  • secure integration with the payment gateway (proper redirect flow configuration, validation of returned parameters);
  • protecting safelaw.ai from tampering that could redirect users to fraudulent payment pages;
  • complying with the SAQ A requirements applicable to a merchant that has fully outsourced cardholder data (CHD) processing;
  • maintaining the TPSP register and monitoring TPSP PCI DSS compliance.

8. Monitoring of Provider Compliance

The Company monitors providers' compliance with applicable requirements on a regular basis:

  • an up-to-date Attestation of Compliance is requested from payment and infrastructure TPSPs at least every 12 months, and it is checked that the AoC is current and covers the services the Company actually consumes;
  • where a provider operates a public Trust Center or Compliance Page, the current status is verified through that official source;
  • the Company tracks providers' security incident disclosures, including official blogs, status pages and public reports;
  • if a material issue is identified at a provider (data breach, certification withdrawal, financial deterioration), a re-assessment is performed.

Monitoring outcomes are recorded in the TPSP register.

9. Change Management

A provider's status is reviewed upon any of the following events:

  • changes to the services provided;
  • changes to the volume or category of data transmitted to the provider;
  • expiration of the provider's certification/AoC;
  • public disclosure of a security incident at the provider;
  • changes in ownership, jurisdiction or material operating conditions of the provider.

10. Termination of Relations

Upon termination of a contract with a provider, the Company ensures:

  • prompt termination of all technical integrations (revocation of API keys, access tokens, removal of accounts at the provider and in the Company's systems);
  • return or destruction of the Company's data transmitted to the provider, with documentary confirmation;
  • removal of the provider from the active TPSP register (an archive record is retained for the required period);
  • notifying employees who used the provider's services of the migration plan to an alternative solution.

11. Accountable Person

Responsibility for the implementation of this Policy, maintenance of the TPSP register and monitoring of provider compliance is assigned to the Information Security Officer. Pending appointment of a dedicated Officer, the function is performed by the Director of the Company.

12. Policy Review

This Policy is reviewed at least every 12 months and also upon material changes to the composition of providers, the Company's business model or the applicable regulatory framework or standards (PCI DSS).

13. Document Information

Version | Date | Changes | Approved by
1.0 | 15 May 2026 | Initial approval of the document | R. Jumamuratov

Document Approval

This document is approved by the Director of SELLAI LLC and becomes effective from the signing date. All personnel, contractors, and other persons with access to SELLAI LLC information assets are required to familiarise themselves with this document.

Director of SELLAI LLC:

_________________________ / R. Jumamuratov

(signature) (name)

Date: «_____» _____________ 2026

Company seal.

Related policies

  • ISP-01: Information Security Policy
  • AUP-01: Acceptable Use Policy
  • IRP-01: Incident Response Plan

Report a vulnerability or incident, or contact us as an auditor: safelawinfo@gmail.com