Third-Party Risk Management Through Comprehensive Assessment
Demonstrating Supply Chain Security Excellence
📋 Document Owner: CEO | 📄 Version: 1.3 | 📅 Last Updated: 2026-01-25 (UTC)
🔄 Review Cycle: Quarterly | ⏰ Next Review: 2026-04-25
This document provides a comprehensive security posture assessment of all critical suppliers to Hack23 AB, demonstrating our commitment to supply chain security excellence. All active suppliers from our Asset Register are assessed and monitored.
See governance process: Third Party Management
Document Owner: CEO | Last Updated: 2026-01-25 09:00:00 UTC | Total Monthly Spend: $360 | Active Suppliers: 12 | Planned: 2
| Criteria | AWS | GitHub | SEB | Bokio | Google Identity | SonarSource | FOSSA | StepSecurity | Suno | ElevenLabs | Ludo.ai | Trygg Hansa | OpenAI | Stripe |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Criticality | 🔴 Critical | 🟠 High | 🟠 High | 🟡 Medium | 🟠 High | 🟡 Medium | 🟡 Medium | 🟡 Medium | 🟢 Low | 🟢 Low | 🟡 Medium | 🟠 High | 🟡 Medium | 🔴 Critical |
| Monthly Cost | $50 | $125 | $15 | $55 | Free | Free | Free | Free | $25 | $25 | ~$30 | ~$35 | Planned | Planned |
| Contract Type | Pay-as-go | Annual | Ongoing | Annual | Free Tier | OSS Free | OSS Free | OSS Free | Monthly | Monthly | Monthly | Annual | Usage | Usage |
| Lock-in Risk | ✅ Low | ✅ None | ✅ None | ✅ None | ✅ Very Low | ✅ Very Low | ✅ Low | ✅ Low | | | | | | |
| Alternative Options | 2-3 viable | 3-4 viable | 3-4 viable | 5+ viable | 3-4 viable | 5+ viable | 3-4 viable | 3-4 viable | 10+ viable | 10+ viable | 5+ viable | 3-4 viable | 5+ viable | 2-3 viable |
| Switching Cost | $50K+ | $20K+ | $5K | $1K | $5K | $0 | $0 | $0 | $500 | $500 | $500 | €1K | $2K | $10K |
| Switching Time | 3-6 months | 1-2 months | 1 month | 1 week | 2 weeks | Instant | Instant | Instant | 1 day | 1 day | 1 day | 2 weeks | 1 week | 2-4 weeks |
| SLA Guarantee | 99.99% | 99.9% | 99.5% | 99% | 99.9% | Best effort | Best effort | Best effort | None | None | Best effort | Policy terms | Best effort | 99.99% |
| Compliance Level | ✅ Full | ✅ Full | ✅ Full | ✅ Full | ✅ Full | ❌ Basic | ❌ Basic | ❌ Basic | ✅ Full | ✅ Full | | | | |
| Support Level | 24/7 | Business | 24/7 | Business | Community | Community | Community | Community | Community | Community | Business | Self-service | 24/7 | |
| Strategic Value | Exceptional | High | High | Moderate | High | High | High | High | Minimal | Minimal | Moderate | Moderate | Moderate | Exceptional |
```mermaid
mindmap
  root((🎯 Supplier Tiers))
    Tier 1 Mission Critical
      AWS
        RTO under 5 min
        RPO under 1 min
        99.99 pct SLA
        No viable alternative
        10K+ daily impact
      Stripe
        RTO under 5 min
        RPO under 1 min
        99.99 pct SLA
        Payment critical
        10K+ daily impact
    Tier 2 Business Essential
      GitHub
        RTO under 60 min
        RPO under 15 min
        99.9 pct SLA
        High switching cost
        5K+ daily impact
      SEB
        RTO under 4 hours
        RPO under 60 min
        Payment processing
        Payroll critical
        5 to 10K daily impact
    Tier 3 Operational Support
      Bokio
        RTO under 24 hours
        RPO under 4 hours
        Tax compliance critical
        Swedish regulations
        1 to 5K daily impact
      OpenAI
        RTO under 24 hours
        RPO under 4 hours
        Innovation driver
        Competitive advantage
        500 to 1K daily impact
      SonarSource
        RTO under 24 hours
        RPO under 4 hours
        Code quality assurance
        Security compliance
        500 daily impact
      FOSSA
        RTO under 24 hours
        RPO under 4 hours
        License compliance
        Legal risk mitigation
        500 daily impact
      StepSecurity
        RTO under 24 hours
        RPO under 12 hours
        Supply chain security
        CI and CD hardening
        100 daily impact
    Tier 4 Supporting Services
      Google Identity
        RTO under 60 min
        RPO under 15 min
        99.9 pct SLA
        Identity provider
        1 to 5K daily impact
      Trygg Hansa
        RTO under 24 hours
        RPO under 4 hours
        Policy terms SLA
        Insurance coverage
        1 to 5K daily impact
      Ludo.ai
        RTO 24 to 72 hours
        RPO 24 hours
        Game design AI
        Multiple alternatives
        Low impact
      Suno
        RTO 24 to 72 hours
        RPO 24 hours
        Content generation
        Easy replacement
        Minimal impact
      ElevenLabs
        RTO 24 to 72 hours
        RPO 24 hours
        Audio production
        Multiple alternatives
        Minimal impact
```
```mermaid
mindmap
  root((🔒 Security Posture))
    Enterprise Grade
      AWS
        ISO 27001 27017 27018
        SOC 1 2 3
        PCI DSS Level 1
        HIPAA HITECH
        FedRAMP High
        GDPR CCPA
        Multi region DR
        99.99 pct SLA
      GitHub
        SOC 2 Type II
        ISO 27001
        SLSA Level 3
        2FA SSO SAML
        IP allowlisting
        Audit logging
        Secret scanning
        SAST DAST tools
    Financial Compliance
      SEB Banking
        PSD2 compliant
        Swedish FSA
        SWIFT network
        AML KYC verified
        FATCA reporting
        Strong Customer Auth
      Stripe
        PCI DSS Level 1
        SOC 2 Type II
        3D Secure 2.0
        SCA ready
        Token vault
        Fraud detection
    Regulatory Compliance
      Bokio Accounting
        Swedish GAAP
        K2 K3 regelverket
        Skatteverket integration
        GDPR compliant
        Data residency Sweden
        Audit trail complete
    Security Tooling
      SonarSource
        SOC 2 Type II
        GDPR compliant
        SAST DAST tools
        Code quality gates
        Security hotspots
      FOSSA
        SOC 2 Type II
        GDPR compliant
        License compliance
        Vulnerability scanning
        Supply chain analysis
      StepSecurity
        GitHub native security
        SLSA compliance
        Workflow hardening
        Supply chain protection
        Open source transparency
    Insurance and Risk Transfer
      Trygg Hansa
        ISO 27001 aligned
        Swedish FSA regulated
        Cyber liability coverage
        Key person insurance
        Business interruption
    Basic Security
      Suno and ElevenLabs
        Terms of service
        IP protection
        Commercial license
        API security
      OpenAI
        SOC 2 Type II
        Data policies
        API security
        Rate limiting
      Ludo.ai
        Terms of service
        SaaS security
        API security
        Limited compliance
      Google Identity
        ISO 27001 SOC 2
        OAuth2 OIDC
        Strong authentication
        Data protection
```
```mermaid
mindmap
  root((📊 Market Forces))
    🔴 Extreme Supplier Power
      AWS
        Market dominance 33 pct
        Massive infrastructure
        High switching costs
        Technical lock in
        Proprietary services
        Network effects
      GitHub
        90 pct market share
        Microsoft backing
        Developer ecosystem
        Integration depth
        Community network
    🟠 High Supplier Power
      SEB Banking
        Swedish oligopoly
        Regulatory barriers
        Relationship banking
        Limited alternatives
        High switching friction
      Stripe
        Market leadership
        Developer friendly
        Global coverage
        Feature richness
        API excellence
      Google Identity
        Market dominance
        SSO integration
        Free tier strategy
        Data network effects
    🟡 Moderate Power Balance
      Bokio Accounting
        Competitive market
        Multiple alternatives
        Standard features
        Price competition
        Easy data export
      OpenAI
        First mover advantage
        But growing competition
        API standardization
        Price pressure
      Trygg Hansa
        Limited Swedish insurers
        Regulatory requirements
        Risk assessment
        Claims history
    🟢 Buyer Advantage
      SonarSource
        Free for OSS projects
        Competitive market
        Open source alternatives
        Multiple providers
        Easy switching
      FOSSA
        Free for OSS projects
        Growing competition
        Standard APIs
        Alternative tools
        Low lock in
      StepSecurity
        Free for OSS projects
        Emerging market
        GitHub native
        Easy replacement
        No lock in
      Suno Music
        Commoditized service
        Many competitors
        Low switching costs
        Standard outputs
        Monthly contracts
      ElevenLabs Voice
        Growing competition
        Improving alternatives
        API compatibility
        Price wars starting
        Feature parity
      Social Media Platforms
        Multiple free options
        Easy multi platform
        No lock in
        Content portability
      Analytics Tools
        Free alternatives
        Data exportability
        Standard metrics
        Multiple providers
```
```mermaid
mindmap
  root((⚠️ Risk Assessment))
    🔴 Critical Risks
      AWS Outage
        Full service stop
        Data unavailable
        Recovery Multi region
      GitHub Breach
        Code exposure
        CICD failure
        Recovery Local backup
    🟠 High Risks
      Bokio Failure
        Tax non compliance
        Financial penalties
        Recovery Manual backup
      SEB Issues
        Payment delays
        Cash flow impact
        Recovery Alt account
    🟡 Medium Risks
      Cost Overrun
        AWS usage spike
        GitHub seats
        Mitigation Alerts
      Security Tool Outage
        SonarSource down
        FOSSA unavailable
        StepSecurity issues
        Recovery Alternative tools
    🟢 Low Risks
      Suno and ElevenLabs
        Content delays
        Quality issues
        Recovery Alternatives
```
| Supplier | Contract Type | Term | Annual Value | Payment Terms | Renewal Date | Account Manager |
|---|---|---|---|---|---|---|
| AWS | Pay-as-you-go | Ongoing | ~$600 | Monthly invoice | N/A | AWS Support |
| GitHub | Enterprise Cloud | 12 months | ~$1,500 | Annual prepaid | 2026-07-01 | GitHub Sales Team |
| SEB | Corporate Banking | Ongoing | ~$180 fees | Monthly | Annual review | Business Support |
| Bokio | Business Plan | 12 months | ~$660 | Annual | 2026-01-01 | Customer Success |
| Google Identity | Free Tier | Ongoing | Free | N/A | N/A | Self-service |
| Suno | Pro Subscription | Monthly | $300 | Monthly card | Monthly auto-renew | Self-service |
| ElevenLabs | Creator Plan | Monthly | $300 | Monthly card | Monthly auto-renew | Self-service |
| Ludo.ai | SaaS Subscription | Monthly | ~$360 | Monthly card | Monthly auto-renew | Self-service |
| Trygg Hansa | Insurance Policy | Annual | ~$420 | Annual premium | 2026-12-31 | Insurance Agent |
| OpenAI | API Usage Based | Pay-as-you-go | Planned | Monthly usage | N/A | Self-service |
| Stripe | Platform Agreement | Ongoing | 2.9% + €0.25/txn | Per transaction | N/A | Partner Team |
| SonarSource | Open Source Plan | Ongoing | Free | N/A | N/A | Community Support |
| FOSSA | Open Source Plan | Ongoing | Free | N/A | N/A | Community Support |
| StepSecurity | Open Source Plan | Ongoing | Free | N/A | N/A | Community Support |
```mermaid
graph LR
    subgraph Strategic["🎯 Strategic Partners"]
        AWS[AWS<br/>Deep Integration]
        GitHub[GitHub<br/>Core Platform]
    end
    subgraph Operational["⚙️ Operational Suppliers"]
        SEB[SEB<br/>Banking]
        OpenAI[OpenAI<br/>AI Services]
        Stripe[Stripe<br/>Payments]
    end
    subgraph Security["🔒 Security Tools"]
        SonarSource[SonarSource<br/>Code Quality]
        FOSSA[FOSSA<br/>License Compliance]
        StepSecurity[StepSecurity<br/>Workflow Security]
    end
    subgraph Tactical["📦 Tactical Vendors"]
        Suno[Suno<br/>Content]
        ElevenLabs[ElevenLabs<br/>Audio]
        Bokio[Bokio<br/>Accounting]
        Ludo.ai[Ludo.ai<br/>Game Design]
    end
    subgraph Support["🛡️ Supporting Services"]
        Google[Google<br/>Identity]
        TryggHansa[Trygg Hansa<br/>Insurance]
    end
    Strategic -->|Quarterly Reviews| Executive[Executive Sponsor]
    Operational -->|Monthly Reviews| Management[Management Team]
    Security -->|Continuous Monitoring| DevSecOps[DevSecOps Team]
    Tactical -->|As Needed| Operational_Team[Operational Team]
    Support -->|Annual Reviews| Executive
    style AWS fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#ffffff
    style GitHub fill:#455A64,stroke:#455A64,stroke-width:2px,color:#ffffff
    style OpenAI fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#ffffff
    style SonarSource fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#ffffff
    style FOSSA fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#ffffff
    style StepSecurity fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#ffffff
```
| Primary Supplier | Alternative Options | Switching Cost | Switching Time | Feasibility |
|---|---|---|---|---|
| AWS | • Google Cloud • Azure • Digital Ocean | Very High ($50k+) | 3-6 months | Low - Major refactoring |
| GitHub | • GitLab • Bitbucket • Azure DevOps | High ($20k+) | 1-2 months | Medium - CI/CD migration |
| OpenAI | • Anthropic Claude • Google Gemini • Open source (Llama) | Low ($2k) | 1 week | High - API compatible |
| SEB | • Swedbank • Handelsbanken • Nordea | Medium ($5k) | 1 month | Medium - Swedish market |
| Suno | • Mubert • AIVA • Soundraw | Low ($500) | 1 day | High - Simple switch |
| ElevenLabs | • Play.ht • Murf AI • Resemble AI | Low ($500) | 1 day | High - Simple switch |
| Stripe | • Klarna Checkout • PayPal • Adyen | Medium ($10k) | 2-4 weeks | Medium - Integration work |
| Bokio | • Fortnox • Visma • Björn Lundén | Low ($1k) | 1 week | High - Data export |
| SonarSource | • CodeClimate • Veracode • Checkmarx | None ($0) | Instant | High - Multiple options |
| FOSSA | • WhiteSource • Snyk • Black Duck | None ($0) | Instant | High - Standard APIs |
| StepSecurity | • Socket Security • Dependabot • GitHub Advanced Security | None ($0) | Instant | High - GitHub native |
| Ludo.ai | • Machinations • GameMaker AI • Unity AI tools | Low ($500) | 1 day | High - Simple switch |
| Google Identity | • Auth0 • Okta • Azure AD | Medium ($5k) | 2 weeks | Medium - Identity migration |
| Trygg Hansa | • Länsförsäkringar • IF Skadeförsäkring • Folksam | Low (€1k) | 2 weeks | High - Policy transfer |
| Supplier | Data Types | Location | Retention | Deletion | Audit Rights |
|---|---|---|---|---|---|
| AWS | All company data | EU (Ireland/Frankfurt) | Per service config | On termination | Yes - Annual |
| GitHub | Source code, secrets | US/EU | Indefinite | 90 days after deletion | Yes - SOC2 |
| OpenAI | Prompts, outputs | US | 30 days | On request | Limited |
| SEB | Financial records | Sweden | 7 years | Per law | Yes - FSA |
| Suno | Generated music | US | Account lifetime | On deletion | No |
| ElevenLabs | Voice samples | US/EU | Account lifetime | On deletion | No |
| Stripe | Payment data | EU | 7 years | Per PCI | Yes - PCI DSS |
| Bokio | Accounting data | Sweden | 7 years | Per law | Yes |
| SonarSource | Code analysis data | EU/US | Project lifetime | On deletion | Limited |
| FOSSA | License scan data | US | Project lifetime | On deletion | Limited |
| StepSecurity | Workflow metadata | US | 90 days | On request | Limited |
| Ludo.ai | Game design data, sprites | US | Account lifetime | On deletion | No |
| Google Identity | Identity tokens, SSO data | US/EU | Account lifetime | On deletion | Yes - SOC2 |
| Trygg Hansa | Policy data, claims | Sweden | 10 years | Per law | Yes - FSA |
| Supplier | Documentation | Status Page | API Docs | Support Portal |
|---|---|---|---|---|
| AWS | docs.aws.amazon.com | status.aws.amazon.com | API Reference | Console |
| GitHub | docs.github.com | githubstatus.com | API v4 | Support |
| OpenAI | platform.openai.com/docs | status.openai.com | API Reference | Help |
| SEB | seb.se/foretag | N/A | Open Banking | Business Support |
| Stripe | stripe.com/docs | status.stripe.com | API Docs | Support |
| SonarSource | docs.sonarcloud.io | status.sonarcloud.io | Web API | Community |
| FOSSA | docs.fossa.com | status.fossa.com | API Docs | Support |
| StepSecurity | docs.stepsecurity.io | status.stepsecurity.io | API Reference | Support |
| Supplier | Power Level | Risk Mitigation Strategy | Hack23-Specific Actions |
|---|---|---|---|
| AWS | High | Multi-cloud strategy consideration, regular contract negotiations, maintain exit plan | Leverage AWS credits for startups, implement CloudFormation IaC for portability |
| GitHub | Moderate | Maintain local backups, consider GitLab as secondary option | Utilize GitHub Enterprise features, maintain self-hosted runners |
| Suno | Reduced | Multiple alternative AI music platforms available | Create proprietary music library as backup, explore Mubert/AIVA alternatives |
| ElevenLabs | Reduced | Multiple alternative voice synthesis providers available | Build sound effect library, consider PlayHT/Resemble AI as alternatives |
| SEB | High | Limited banking alternatives in Swedish market, maintain good relationship | Explore Swedbank/Handelsbanken for backup accounts |
| Bokio | Moderate | Alternative accounting solutions available (Fortnox, Visma) | Maintain export capabilities, document accounting processes |
| Stripe | High | Limited payment processor alternatives with same features, plan for redundancy | Consider Klarna Checkout for Swedish market, PayPal as backup |
| SonarSource | Very Low | Free for open source, multiple alternatives available | Leverage free tier for public repos, maintain alternative scanning tools |
| FOSSA | Very Low | Free for open source, competitive market with alternatives | Use free tier for public repos, consider WhiteSource/Snyk as alternatives |
| StepSecurity | Very Low | Free for open source, emerging market with growing alternatives | Leverage free security hardening, monitor for alternative solutions |
Critical suppliers (AWS, SEB, Stripe) have very high entry barriers, providing stability but also creating dependency risks. Lower barrier suppliers (Suno, ElevenLabs, security tools) offer more flexibility for switching.
| Service Category | Substitute Risk | Mitigation | Hack23 Strategy |
|---|---|---|---|
| Cloud Infrastructure | Low | Few viable alternatives to AWS at scale | Maintain infrastructure as code for potential migration |
| Version Control | Moderate | GitLab, Bitbucket available as alternatives | Regular repository backups, maintain platform-agnostic CI/CD |
| Music Generation | High | Many AI music platforms emerging | Diversify audio content sources, build proprietary library |
| Voice Synthesis | High | Rapidly evolving market with new entrants | Create voice presets library, maintain multiple provider accounts |
| Banking | Low | Limited options in Swedish market | Maintain strong relationship with SEB |
| Accounting | Moderate | Several established competitors | Ensure data portability, maintain accounting documentation |
| Payment Processing | Low | Few processors with Stripe's global reach | Plan for multi-provider payment strategy |
| Code Quality | High | Multiple SAST/DAST tools available | Leverage free OSS tools, maintain multiple scanning approaches |
| License Compliance | High | Growing market with multiple providers | Use multiple scanning tools, maintain internal license database |
| Workflow Security | High | Emerging market with rapid innovation | Monitor security tool landscape, adopt best practices |
- AWS: Complete service outage affecting Black Trigram game servers and Citizen Intelligence Agency
- Stripe (planned): Payment processing halt, direct revenue impact
- GitHub: Development and deployment delays, affecting all projects
- SEB: Financial transaction delays, payroll impact
- Bokio (planned): Accounting process delays, compliance reporting delays
- SonarSource: Code quality analysis delays, potential security vulnerabilities undetected
- FOSSA: License compliance delays, legal risk exposure
- StepSecurity: CI/CD security gaps, supply chain vulnerability exposure
- Suno: Marketing content delays, game soundtrack updates
- ElevenLabs: Content production delays, voice asset generation
- 🎯 Information Security Strategy - AI-first operations, Pentagon framework, and strategic supplier direction
- 🔐 Information Security Policy - Overall security governance framework with AI-First Operations Governance
- 🤖 AI Policy - AI-assisted supplier assessment and risk analysis
- 🏷️ Classification Framework - Business impact and supplier criticality methodology
- 📉 Risk Register - Supplier-related risk identification and treatment
- 🤝 Third Party Management - Supplier risk assessment and governance framework
- 📝 Change Management - Supplier integration change control
- 💻 Asset Register - Supplier services and platform inventory
- 🔄 Business Continuity Plan - Supplier dependency and continuity planning
- 🚨 Incident Response Plan - Supplier incident coordination procedures
📋 Document Control:
✅ Approved by: James Pether Sörling, CEO
📤 Distribution: CEO, Insurance Company, Legal Counsel
🏷️ Classification: Confidential - Internal Use Only
📅 Effective Date: 2026-01-25
⏰ Next Review: 2026-04-25
🎯 Framework Compliance: