
SC.12 — IT Supplier Controls

System: AI Connectors Platform
Last updated: 2026-04-29

This document describes how the AI Connectors platform fulfils the SC.12 control category.


Control Attestation Table

Control: CTRL0537478 — SC.12.01
Description: Ensure that risks to Novo Nordisk from suppliers are assessed
Status: Compliant
Evidence: privacy-gdpr.md §3 (DPA table); AWS DPA and Microsoft DPA in place for all critical suppliers

Control: CTRL0537519 — SC.12.02
Description: Ask the supplier to account for their security controls
Status: Compliant
Evidence: AWS and Microsoft security controls documented via SOC 2 Type II, ISO 27001, and service-specific documentation; Snyk maintains EU infrastructure with DPA

Control: CTRL0537497 — SC.12.03
Description: Ensure that an assessment is performed for third-party access
Status: Compliant
Evidence: All suppliers assessed for data processing risk; DPAs signed; cross-border transfers documented in privacy-gdpr.md §4

Control: CTRL0537533 — SC.12.04
Description: Ensure that third parties with access are managed
Status: Compliant
Evidence: AWS Customer Agreement and Microsoft Product Terms include right to audit; all suppliers operate under contractual security obligations

Security Controls Reference

CTRL0537478 — SC.12.01: Ensure that risks to Novo Nordisk from suppliers are assessed

Control Text: Ensure that the risks to Novo Nordisk IT Solution are appropriately mitigated and that the control environment in any outsourcing situation is comparable to internal control environments. This includes cloud solutions.

Applicability: The IT Solution is relying on IT supplier(s).

Additional Description

The control environment established with an external supplier (including cloud providers) should be comparable to the internal control environment that would be required if the solution were hosted and managed internally.

See the General Guidance section of the SC.12 page on IT Security Central for a more in-depth explanation of how to manage security when working with external suppliers.

Detailed Description

The AI Connectors platform fulfils this control by relying exclusively on enterprise-tier suppliers (AWS, Microsoft, GitHub, Snyk) that operate under Novo Nordisk enterprise agreements with contractual security and data protection obligations. All suppliers maintain enterprise-grade certifications (SOC 2 Type II, ISO 27001) demonstrating control environments comparable to or exceeding internal Novo Nordisk IT security standards. Data Processing Agreements are signed with all suppliers, and all data processing occurs within the EU (AWS eu-central-1, Microsoft EU tenant, Snyk EU API), eliminating cross-border transfer risk. Supplier risk assessments are managed centrally by Novo Nordisk supplier management processes, with compliance evidence continuously available via AWS Artifact and Microsoft Service Trust Portal.

Implementation Considerations

  • privacy-gdpr.md §3 — DPA table for all suppliers (AWS, Microsoft, Snyk)
  • privacy-gdpr.md §4 — cross-border transfer mechanisms and EU data residency

CTRL0537519 — SC.12.02: Ask the supplier to account for their security controls

Control Text: Ask the supplier to account for how their controls are equal to the controls defined in this IT Risk Assessment.

Applicability: The IT Solution is relying on IT supplier(s).

Additional Description

Use the example Request for Information (RFI) questionnaire (available on the SC.12 guidance page) when asking suppliers to document how their controls are equivalent to those required in the IT Risk Assessment tool.

Detailed Description

The platform fulfils this control by verifying that all suppliers maintain security controls equivalent to IT Risk Assessment requirements through published SOC 2 Type II and ISO 27001 certifications. AWS Artifact and Microsoft Service Trust Portal provide continuous access to detailed security control documentation, demonstrating supplier accountability for infrastructure security. The AI Connectors team implements all required customer-side controls on top of supplier infrastructure (IAM least privilege, encryption at rest and in transit, audit logging, network isolation) to meet the shared responsibility model obligations. All suppliers operate under enterprise agreements requiring maintenance of certifications and ongoing compliance evidence.

Implementation Considerations


CTRL0537497 — SC.12.03: Ensure that an assessment is performed for third-party access

Control Text: Ensure that an assessment is performed in order to ensure that supplier risks are documented and addressed appropriately.

Applicability: The IT Solution is relying on IT supplier(s).

Additional Description

For information on how to assess suppliers, see "Assessment and evaluation of IT suppliers - Guideline" on the Manage Suppliers section of the IT&Q Portal.

Detailed Description

The platform fulfils this control by conducting comprehensive third-party access assessments for all suppliers that process platform data (AWS, Microsoft) or code artifacts (Snyk, GitHub). All data processing occurs under signed Data Processing Agreements with EU data residency enforced (AWS eu-central-1, Microsoft EU tenant with EU Data Boundary, Snyk EU API). Each supplier has been assessed for GDPR compliance covering lawful basis, data minimization, purpose limitation, and storage limitation. No cross-border transfers outside the EEA occur for any platform data, eliminating international transfer risk.

Implementation Considerations

  • privacy-gdpr.md §3 — DPA table documenting all supplier assessments and data processing activities
  • privacy-gdpr.md §4 — cross-border transfer mechanisms (all EU-based, no international transfers)

CTRL0537533 — SC.12.04: Ensure that third parties with access are managed

Control Text: Ensure that third parties with access to the Novo Nordisk IT Solution follow Novo Nordisk IT security requirements, including requirements defined by this document. Include a right to audit in the contracts.

Applicability: The IT Solution is relying on IT supplier(s).

Additional Description

For information on how to assess suppliers, see "Assessment and evaluation of IT suppliers - Guideline" on the Manage Suppliers section of the IT&Q Portal.

Relevant example documents available on the SC.12 guidance page:

  • IT security requirements specification for external IT suppliers
  • Contract appendix for non-Tier 1 IT solutions hosted/managed by IT suppliers
  • Contract appendix (Tier 1) for IT solutions with Tier 1 physical security requirements

Note: These example documents are based on a completely filled-out IT risk assessment and best practice. Not all controls in those example documents will be suitable or required for every outsourced cloud IT solution.

Detailed Description

The platform fulfils this control by ensuring all supplier contracts include right-to-audit clauses and contractual security obligations aligned with Novo Nordisk IT security requirements. AWS Customer Agreement and Microsoft Product Terms include audit rights, with continuous compliance evidence provided via AWS Artifact and Microsoft Service Trust Portal (SOC 2 Type II, ISO 27001 reports published annually). The AI Connectors team monitors supplier security posture via AWS Security Hub (configuration compliance, threat detection, vulnerability scanning) and Azure AD audit logs (authentication anomaly detection). All suppliers operate under contractual obligations to maintain enterprise-grade certifications and follow security incident notification procedures.

Implementation Considerations

  • operation-maintenance.md §4.1 — monitoring and logging architecture covering supplier compliance monitoring
  • privacy-gdpr.md §3 — DPA table documenting right-to-audit clauses and security obligations