Vendor risk · transparent process

Vendor risk management

8 scoring criteria · DPA mandatory before deployment · documented exit plan for every vendor · annual + event-driven re-evaluation · 8 current sub-processors publicly evaluated. Compliance + reliability + exit flexibility = mature vendor management.

8 vendor scoring criteria

Compliance posture (20%): GDPR · SOC2 · ISO 27001 certifications · DPA available · EU data residency · breach notification timeline · audit reports public
Security architecture (20%): Encryption at rest + in transit · key management · access control · MFA · network isolation · vulnerability disclosure program · penetration testing cadence
Reliability + SLA (15%): Historical uptime · SLA terms · backup strategy · disaster recovery RTO/RPO · status page · postmortems published · multi-region availability
Financial stability (10%): Revenue · funding stage · burn rate transparency · pricing predictability · M&A risk · public financials vs private startup
Geographic + legal jurisdiction (10%): Company HQ · data processing locations · sub-processor chain · government data requests transparency · Schrems II compliance · EU adequacy
Operational maturity (10%): Support SLA · response times · escalation paths · documentation quality · change management · onboarding rigor · ticket system access
Integration + interoperability (10%): API stability · webhook reliability · standard formats · export capabilities · vendor lock-in risk · open source alternatives
Roadmap alignment (5%): Product direction match · pricing roadmap · feature freezes · sunset policies · upgrade paths · customer feedback loop · community health

Total weights = 100%. Final score 0-100. Approval threshold: ≥75. Scores 60-74 require explicit CEO approval. Scores <60 are rejected.
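The weighted scoring and the three approval tiers described above, as an added example that is not the page's own tooling; the criterion keys and the sample ratings are constructed for illustration.

```python
# Added example (not the page's own code): 8-criterion weighted vendor score
# plus the approval tiers (>=75 approve, 60-74 CEO approval, <60 reject).
from typing import Dict

# Criterion weights as stated on the page; keys are hypothetical names.
WEIGHTS: Dict[str, int] = {
    "compliance_posture": 20,
    "security_architecture": 20,
    "reliability_sla": 15,
    "financial_stability": 10,
    "jurisdiction": 10,
    "operational_maturity": 10,
    "integration": 10,
    "roadmap_alignment": 5,
}


def vendor_score(ratings: Dict[str, float]) -> float:
    """Weighted 0-100 score; each criterion is rated 0-100 by the reviewer."""
    if sum(WEIGHTS.values()) != 100:
        raise ValueError("criterion weights must total 100%")
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated criteria: {sorted(missing)}")
    for name, value in ratings.items():
        if name not in WEIGHTS or not 0 <= value <= 100:
            raise ValueError(f"invalid rating for {name!r}: {value}")
    return round(sum(WEIGHTS[k] * ratings[k] for k in WEIGHTS) / 100, 1)


def approval_decision(score: float) -> str:
    """Map a final score to the page's approval tiers."""
    if score >= 75:
        return "approved"
    if score >= 60:
        return "requires explicit CEO approval"
    return "rejected"


# Constructed sample ratings for a hypothetical vendor (not the page's data).
SAMPLE_RATINGS = {
    "compliance_posture": 90,
    "security_architecture": 85,
    "reliability_sla": 80,
    "financial_stability": 60,
    "jurisdiction": 70,
    "operational_maturity": 75,
    "integration": 65,
    "roadmap_alignment": 50,
}

if __name__ == "__main__":
    s = vendor_score(SAMPLE_RATINGS)
    print(f"score={s} decision={approval_decision(s)}")
```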

8 current vendors · public evaluation

| Vendor | Category | Score | Risk | Last review | Evidence |
|---|---|---|---|---|---|
| Cloudflare (Workers + Pages) | Infrastructure · edge compute | 92/100 | Low | 2026-04-10 | SOC2 Type II · ISO 27001 · 99.99% historical uptime · EU data residency available · standard DPA available |
| Supabase (Postgres + Auth) | Database · backend | 88/100 | Low-Medium | 2026-03-22 | SOC2 Type II in progress · GDPR DPA signed · EU eu-west-1 region · Pro plan PITR · open source self-host option (exit plan) |
| Upstash (Redis + QStash) | Cache · queue | 76/100 | Medium | 2026-04-05 | DPA countersignature pending (escalated, 7-day deadline) · serverless model · eu-central-1 · standard open source Redis (portable exit plan) |
| OpenAI (LLM provider) | AI · inference | 78/100 | Medium | 2026-04-15 | US-based Data Processing Addendum · zero-retention API mode · SOC2 Type II · contingency: Anthropic + Mistral alternatives evaluated |
| Stripe (payments) | Payments processor | 95/100 | Low | 2026-03-30 | PCI-DSS Level 1 · SOC2 Type II · ISO 27001 · 99.999% uptime · EU entity Stripe Payments Europe, standard DPA |
| Meta (WhatsApp Cloud API) | Messaging channel | 65/100 | High | 2026-04-22 | Account ban history documented (account aiempire26 ban · migrated to joconar6) · single-vendor lock-in for WhatsApp · contingency: BSP fallback documented |
| Cal.com (booking) | Scheduling | 72/100 | Medium | 2026-04-08 | Open source self-host option · cloud SaaS DPA countersignature pending · MIT license self-host fallback ready |
| Sentry (error tracking) | Observability | 85/100 | Low-Medium | 2026-04-12 | EU region de.sentry.io · DPA signed · SOC2 Type II · standard PII scrubbing config · open source self-host alternative |

Documented exit plans · every vendor

No exit plan, no vendor approval. Lock-in risk is mitigated BEFORE adoption, not after a breach.

  • Cloudflare · Migrate Worker to the Hono.js framework on Deno Deploy/Bun · Pages to Vercel · DNS portable · estimated 2-3 weeks engineering effort
  • Supabase · Self-host Postgres + Auth via Supabase open source · or migrate to AWS RDS + Auth0 · DB dump portable · estimated 4-6 weeks effort
  • Upstash · Standard Redis protocol · migrate to AWS ElastiCache / Redis Cloud · QStash to AWS SQS + EventBridge · estimated 1-2 weeks effort
  • OpenAI · Switch to Anthropic Claude or Mistral via the vercel-ai SDK abstraction · model swap is a minimal code change · estimated 3-5 days effort + re-prompt tuning
  • Stripe · Critical infrastructure · migration not planned · contingency only: Adyen evaluated as secondary processor after 100 paying clients
  • Meta WhatsApp · BSP fallback (Twilio · 360dialog · MessageBird) · 24-72h migration window per number · backup playbook documented in `/runbooks-publicos`
  • Cal.com · Self-host under MIT license OR replace with Calendly/Acuity · webhook abstraction allows the swap · estimated 1 week
  • Sentry · Self-host open source OR Datadog/Honeycomb · SDK abstraction in `lib/sentry.ts` allows the swap · estimated 3-5 days

Review cadence · 5 rules

  • Annual · complete re-evaluation of all vendors in Q1 each year · score + risk update · evidence refresh
  • Event triggers · immediate re-evaluation if: breach reported · SLA violated · pricing increase of 30%+ · M&A acquisition · material regulatory change
  • New vendor onboarding · CEO approval + DPA + evidence pack mandatory BEFORE prod deployment · NO exceptions
  • Sunset/exit plan · every vendor MUST have a documented exit plan · quarterly refresh · viability validated every 6 months
  • Audit log · vendor changes versioned in git history `/subprocesadores` + `/changelog-arquitectura` · transparent and public

Known risks · transparent disclosure

Meta WhatsApp (score 65): single-vendor lock-in for the WhatsApp channel · account ban risk documented (real precedent: aiempire26 ban). Mitigation: BSP fallback runbook documented + migration plan A2 documented.

Upstash + Cal.com: DPA countersignature pending · escalated with a 7-day deadline and automatic fallback to a migration decision if there is no response. Published transparently at `/founder/MASTER_PENDING_JONATAN.md`.

OpenAI (US-based): data processing under US jurisdiction · zero-retention API mode mitigates this, but a Schrems II concern remains. Contingency: Anthropic + Mistral EU alternatives evaluated and SDK abstraction ready.

Does your procurement need a detailed vendor questionnaire?

For Enterprise clinics + DSOs · a detailed vendor questionnaire (SIG · CAIQ · SOC2 reports · pen test reports · architecture diagrams) is available under NDA. It speeds up your procurement security review.