R-010-001 Suppliers evaluation
- Governed by GP-010 Purchases and suppliers evaluation
Supplier verification
The editable spreadsheet is here: https://docs.google.com/spreadsheets/d/1AKpRbAkVn3I-mxIFqwcx2FjB27jla2kTschyCZXjeQk/edit?usp=sharing
| # | Code | Provider Name | Type | Score | Required score | Approve |
|---|---|---|---|---|---|---|
| 1 | S-AMA | Amazon Web Services, Inc | Controlled Impact Vendor (CIV) | 13 | 8 | TRUE |
| 2 | S-ATL | Atlassian Corporation | Controlled Impact Vendor (CIV) | 11 | 8 | TRUE |
| 3 | S-GOO | Google LLC | Non-Impact Vendor (NIV) | 12 | 6 | TRUE |
| 4 | S-PSC | PS Consulting | Non-Impact Vendor (NIV) | 8 | 6 | TRUE |
| 5 | S-AUD | Audens | Non-Impact Vendor (NIV) | 8 | 6 | TRUE |
| 6 | S-STR | Stripe, Inc | Non-Impact Vendor (NIV) | 12 | 6 | TRUE |
| 7 | S-IDI | iDISC Information Technologies, S.L. | Non-Impact Vendor (NIV) | 13 | 6 | TRUE |
| 8 | S-LAW | Lawesome | Non-Impact Vendor (NIV) | 8 | 6 | TRUE |
| 9 | S-HUB | HubSpot, Inc. | Non-Impact Vendor (NIV) | 12 | 6 | TRUE |
| 10 | S-HOL | Holded Technologies | Non-Impact Vendor (NIV) | 9 | 6 | TRUE |
| 11 | S-FAC | Factorial | Non-Impact Vendor (NIV) | 11 | 6 | TRUE |
| 12 | S-SLA | Slack Technologies, Salesforce Inc | Non-Impact Vendor (NIV) | 12 | 6 | TRUE |
| 13 | S-APO | Apotech Consulting | Non-Impact Vendor (NIV) | 10 | 6 | TRUE |
| 14 | S-BSI | BSI | Non-Impact Vendor (NIV) | 10 | 6 | TRUE |
| 15 | S-MIC | Microsoft | Controlled Impact Vendor (CIV) | 13 | 8 | TRUE |
| 16 | S-GLA | GL AI INVESTMENT | Controlled Impact Vendor (CIV) | 10 | 8 | TRUE |
| 17 | S-DOC | Docker, Inc. | Controlled Impact Vendor (CIV) | 12 | 8 | TRUE |
| 18 | S-CMG | CMG MedDev | Non-Impact Vendor (NIV) | 8 | 6 | TRUE |
| 19 | S-DME | Dmed software | Controlled Impact Vendor (CIV) | 11 | 8 | TRUE |
| 20 | S-DES | Design science | Controlled Impact Vendor (CIV) | 10 | 8 | TRUE |
| 21 | S-BRA | Brazil Import Healthcare Solutions | Non-Impact Vendor (NIV) | 10 | 6 | TRUE |
Security evaluation for IT suppliers (ENS op.pl.3, op.ext.2/3)
The following IT suppliers undergo an annual security evaluation as required by ENS. Evaluation date: 2026-02-26. Scoring criteria are defined in GP-010 section 5c (5 criteria, 1-3 points each, threshold >=12/15).
| # | Code | Provider Name | Security Score | Required | Approved | Certifications | RSEG Approval |
|---|---|---|---|---|---|---|---|
| 1 | S-AMA | Amazon Web Services, Inc | 15 | 12 | TRUE | ENS ALTA, ISO 27001, SOC 2 Type II | Required |
| 2 | S-ATL | Atlassian Corporation | 12 | 12 | TRUE | ISO 27001, SOC 2 | — |
| 3 | S-GOO | Google LLC | 14 | 12 | TRUE | ISO 27001, SOC 2 Type II | — |
| 12 | S-SLA | Slack Technologies, Salesforce Inc | 14 | 12 | TRUE | ISO 27001, SOC 2 | — |
| 15 | S-MIC | Microsoft | 13 | 12 | TRUE | ISO 27001, SOC 2 Type II | Required |
S-AMA
- Name: Amazon Web Services, Inc
- Service/Product provided: Cloud services
- Type: Controlled Impact Vendor (CIV)
- Final score: 13
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 7 | 1 | Prior experience with this supplier shows a high degree of quality of the supplier. However, the supplier has a poor rating on Trustpilot. Still, AWS is the leading cloud supplier worldwide and it is trusted by the majority of consumers. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The presence of a certified quality management system is evidenced on the supplier's website and also in the contract of license of use in force between. |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The vendor provided an ISO 27001 certificate, which is attached as evidence to this record as S-AMA-ISMS Certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 9 | 2 | It's quite affordable by all standards, plus they offer free credits for being an innovative startup |
| Technical capacity | Capability to provide the services | 8 | 2 | They have a wide range of services, including elastic balancing, as well as instances for different processing activities. |
| Experience | Knowledge and domain on their activity | 10 | 2 | They practically invented modern cloud infrastructure services. |
| International | Presence in the whole world | 10 | 2 | They operate in all continents. |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 3 | Proactive communication via AWS Health Dashboard; detailed post-incident analyses published for major events |
| Contractual compliance | 3 | Full SLA compliance throughout our relationship; no breaches observed in eu-west-1 services |
| Technical expertise | 3 | Industry leader; proactive security recommendations via AWS Trusted Advisor and Security Hub |
| Security issues | 3 | No security incidents affecting our organization; holds ENS ALTA certification, ISO 27001, SOC 2 Type II |
| Service availability | 3 | Availability consistently exceeds the 99.99% SLA commitment for our services in eu-west-1 |
- Security score: 15/15 — Approved
- Certifications: ENS ALTA, ISO 27001, SOC 2 Type II
- RSEG approval: Required and granted — infrastructure provider classified as high-risk component
S-ATL
- Name: Atlassian corporate
- Service/Product provided: Project management software, code collaboration software
- Type: Controlled Impact Vendor (CIV)
- Final score: 11
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 5 | 1 | Prior experience with this supplier shows a high degree of quality of the supplier. However, the supplier has a very bad rating on Trustpilot. Still, Atlassian is one of the major project management software products. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an ISO 27001 certification that is attached as evidence to this record as S-ATL-ISMS Certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 10 | 2 | We are using the free version and it's enough. When scaling to the paid version, it is still affordable. |
| Technical capacity | Capability to provide the services | 10 | 2 | Atlassian is the only one providing, in the same ecosystem, a task manager, a knowledgebase and a git code repository. This makes it perfect to manage all the lifecycle: requirements (in Confluence), activities (in Jira) and deliverables (in Bitbucket). |
| Experience | Knowledge and domain on their activity | 10 | 2 | The supplier is a long-lived company, one of the longest-lived in this space. |
| International | Presence in the whole world | 10 | 2 | The supplier operates in all continents. |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 2 | Adequate response times; status page provides updates during incidents |
| Contractual compliance | 2 | Generally compliant; occasional notification delays during degraded service periods |
| Technical expertise | 3 | Expert-level project management and collaboration tools with comprehensive security features (Atlassian Guard) |
| Security issues | 2 | Historical service disruptions documented publicly; current track record is clean; holds ISO 27001 and SOC 2 |
| Service availability | 3 | Recent availability has been consistent, meeting or exceeding SLA commitments |
- Security score: 12/15 — Approved (meets threshold)
- Certifications: ISO 27001, SOC 2
S-GOO
- Name: Google LLC
- Service/Product provided: Google Workspace
- Type: Non-Impact Vendor (NIV)
- Final score: 12
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 7 | 1 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier has an average rating on Trustpilot. It is a well-established company and it is trusted by the majority of consumers. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | Google Cloud Platform is certified as ISO 9001 compliant after undergoing an audit by an independent third party. |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 7 | 1 | It's not expensive and it includes services that, if hired separately from different companies, would add up to triple the price. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier has a wide range of services. |
| Experience | Knowledge and domain on their activity | 10 | 2 | Well-established company with a significant number of years of experience. |
| International | Presence in the whole world | 10 | 2 | The supplier operates worldwide. |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 3 | Fast communication via Google Workspace Status Dashboard and admin console alerts; responsive support for Workspace customers |
| Contractual compliance | 3 | Full SLA compliance; no breaches observed for our Workspace subscription |
| Technical expertise | 3 | Expert-level platform with comprehensive security admin controls, DLP, and audit logging |
| Security issues | 3 | No security incidents affecting our organization; holds ISO 27001, SOC 2 Type II |
| Service availability | 2 | Meets the 99.9% SLA commitment; occasional brief service degradations observed in Gmail and Drive, all within SLA |
- Security score: 14/15 — Approved
- Certifications: ISO 27001, SOC 2 Type II
S-PSC
- Name: PS Consulting
- Service/Product provided: Regulatory and Quality services
- Type: Non-Impact Vendor (NIV)
- Final score: 8
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier does not have reviews in Trustpilot, but the reviews from companies we know were good. The supplier does not have a huge market penetration, which is expected. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have an ISO 13485 certification; however, the supplier implemented a quality management system compliant with ISO 13485. |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 6 | 1 | It's not expensive and it includes services that, if hired from different companies, would increase the price. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier has employees with the technical capacities required to provide the services. |
| Experience | Knowledge and domain on their activity | 9 | 2 | They have demonstrated the required knowledge and experience to provide the services |
| International | Presence in the whole world | 5 | 1 | The supplier operates in Spain only, but they provide services for the European CE Marking |
S-AUD
- Name: Audens
- Service/Product provided: Legal services
- Type: Non-Impact Vendor (NIV)
- Final score: 8
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier does not have reviews in Trustpilot, but the reviews from companies we know were good. The supplier does not have a huge market penetration, which is expected. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 6 | 1 | It's not expensive and it includes services that, if hired separately from different companies, would increase the price. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier has significant experience in the field. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier is specialised in new technologies, both for GDPR and also other contractual matters. |
| International | Presence in the whole world | 5 | 1 | The supplier operates in Spain only, but most of it applies to the whole EU. |
S-STR
- Name: Stripe, Inc
- Service/Product provided: Financial services
- Type: Non-Impact Vendor (NIV)
- Final score: 12
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier has an average score in Trustpilot, plus the reviews from companies we know were good. The supplier has a strong market penetration. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an equivalent to ISO 27001 certification, called Payment Card Industry (PCI) Data Security Standard. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | It's one of the most affordable solutions, much more than PayPal. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier has a wide range of services, including the possibility to allow care providers to charge patients through us. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier is specialised in the field and has years of experience. |
| International | Presence in the whole world | 10 | 2 | The supplier is the payment processor with the largest geographic coverage. |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 3 | Excellent incident communication via status.stripe.com; responsive developer support |
| Contractual compliance | 3 | Full SLA compliance; consistent service delivery |
| Technical expertise | 3 | Industry-leading payment platform with proactive security features (Radar for fraud detection, real-time webhook notifications) |
| Security issues | 3 | No security incidents affecting our organization; PCI DSS Level 1 certified, SOC 2 Type II |
| Service availability | 3 | Consistently exceeds SLA availability targets |
- Security score: 15/15 — Approved
- Certifications: PCI DSS Level 1, SOC 2 Type II
S-IDI
- Name: iDISC Information Technologies, S.L.
- Service/Product provided: Translation services
- Type: Non-Impact Vendor (NIV)
- Final score: 13
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. They don't have reviews in Trustpilot, but the reviews from companies we know were good. The supplier exhibits significant market penetration, as evidenced by its headquarters in Spain, the USA, and Brazil. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an ISO 9001 certification. Other relevant certifications for the services provided: ISO 17100 (Translation services) certification, ISO 18587 (Translation services - Post-editing of machine translation output) certification. |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 6 | 1 | Good standard prices for the services provided. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier has a wide range of services. In addition to translation, the supplier offers comprehensive services in writing, proofreading, content management, subtitling, dubbing, interpreting (both in-person and online), voice-over, multilingual DTP and SEO optimization of translations. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier has highly qualified translators who are fluent in both the source and target languages. |
| International | Presence in the whole world | 8 | 2 | The supplier offers translation in more than 56 languages; the supplier has headquarters in Spain, the USA and Brazil. |
S-LAW
- Name: Lawesome
- Service/Product provided: Legal services
- Type: Non-Impact Vendor (NIV)
- Final score: 8
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier does not have reviews in Trustpilot, but the reviews from companies we know were good. The supplier does not have a huge market penetration, which is expected. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 7 | 1 | The supplier has experts in big companies and startups and applies a special price for small companies; considering the expertise and quality, they are one of the most affordable solutions. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier has a wide range of services, including financing rounds consultancy, corporate venturing, protection and exploitation of innovation. |
| Experience | Knowledge and domain on their activity | 8 | 2 | The supplier is specialised in the field and has years of experience. |
| International | Presence in the whole world | 5 | 1 | The supplier operates in Spain only, but most of it applies to the whole EU. |
S-HUB
- Name: HubSpot, Inc
- Service/Product provided: Customer Relationship Management software
- Type: Non-Impact Vendor (NIV)
- Final score: 12
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 9 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier is rated above average on Trustpilot and our experience working with it is satisfactory. They have a huge market penetration |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier does not have ISO 27001 certification, but they are SOC-2 certified, which is the equivalent in the US. The SOC-3 public report of internal controls over security, availability, processing integrity, and confidentiality is archived as evidence. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | We are using the free version and it's enough. When scaling to the paid version, it is still affordable. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier connects everything scaling companies need to deliver a best-in-class customer experience into one place. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier has more than 15 years of experience |
| International | Presence in the whole world | 10 | 2 | The supplier operates worldwide. |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 2 | Adequate response via ticket-based support and status page |
| Contractual compliance | 3 | Full SLA compliance |
| Technical expertise | 3 | Comprehensive CRM platform with role-based access control and audit logging |
| Security issues | 3 | No security incidents affecting our organization; SOC 2 Type II certified |
| Service availability | 3 | Consistently available, exceeding SLA commitments |
- Security score: 14/15 — Approved
- Certifications: SOC 2 Type II
S-HOL
- Name: Holded Technologies
- Service/Product provided: Software for invoicing and accounting
- Type: Non-Impact Vendor (NIV)
- Final score: 9
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. They don't have reviews in Trustpilot, but the reviews from companies we know were good. The supplier is increasing its market penetration. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | Best solution for startups and it is one of the most affordable. |
| Technical capacity | Capability to provide the services | 8 | 2 | The solution the supplier offers allows us to automate tasks and streamline our accounting and invoicing |
| Experience | Knowledge and domain on their activity | 7 | 1 | The supplier has more than 5 years of experience helping SMEs be more efficient and have more information about their businesses to make better decisions. |
| International | Presence in the whole world | 10 | 2 | The supplier operates worldwide |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 2 | Adequate ticket-based support; smaller platform with less formal incident communication |
| Contractual compliance | 2 | Generally compliant; occasional minor delays during maintenance windows |
| Technical expertise | 2 | Adequate invoicing and accounting platform with standard security controls |
| Security issues | 3 | No security incidents affecting our organization |
| Service availability | 3 | Service availability has been consistent and meets contractual expectations |
- Security score: 12/15 — Approved (meets threshold)
- Certifications: None — INCIBE security questionnaire sent per GP-010 section 5c
S-FAC
- Name: Factorial
- Service/Product provided: Human Resources management software
- Type: Non-Impact Vendor (NIV)
- Final score: 11
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 9 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier is rated above average on Trustpilot and our experience working with it is satisfactory. The supplier has a strong market penetration. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 7 | 1 | Best solution for startups and it's one of the most affordable. |
| Technical capacity | Capability to provide the services | 8 | 2 | In addition to automating processes, Factorial provides us with data with which to grow our company's talent. |
| Experience | Knowledge and domain on their activity | 8 | 2 | More than 5 years of experience |
| International | Presence in the whole world | 9 | 2 | The supplier operates in more than 12 countries |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 2 | Adequate ticket-based support; status page available |
| Contractual compliance | 3 | Full compliance with subscription terms |
| Technical expertise | 3 | Comprehensive HR platform with role-based access control and GDPR-compliant data handling |
| Security issues | 3 | No security incidents affecting our organization; ISO 27001 certified |
| Service availability | 2 | Meets SLA; occasional performance degradations observed during peak periods |
- Security score: 13/15 — Approved
- Certifications: ISO 27001
S-SLA
- Name: Slack Technologies, Salesforce Inc
- Service/Product provided: Cloud-based team communication platform
- Type: Non-Impact Vendor (NIV)
- Final score: 12
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 9 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. The supplier has a good rating on Trustpilot, and the reviews from companies we know were good. The supplier has a huge market penetration. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | We are using the free version and it's enough. When scaling to the paid version, it is still affordable. |
| Technical capacity | Capability to provide the services | 9 | 2 | It offers a wide range of features and benefits that are useful for us, such as real-time messaging, channels to organize conversations based on projects, teams or departments, integration with a wide range of other tools, search functionality and mobile access. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier has demonstrated the required knowledge and experience to provide the services |
| International | Presence in the whole world | 10 | 2 | The supplier operates worldwide |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 3 | Good incident communication via status.slack.com and in-app notifications |
| Contractual compliance | 3 | Full SLA compliance |
| Technical expertise | 3 | Enterprise-grade messaging platform with comprehensive security features (Enterprise Key Management, DLP integrations) |
| Security issues | 3 | No security incidents affecting our organization; ISO 27001 and SOC 2 certified |
| Service availability | 2 | Meets SLA; occasional brief degraded performance observed |
- Security score: 14/15 — Approved
- Certifications: ISO 27001, SOC 2
S-APO
- Name: Apotech Consulting
- Service/Product provided: Regulatory services
- Type: Non-Impact Vendor (NIV)
- Final score: 10
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. They don't have reviews in Trustpilot, but our experience working with them was good. The supplier shows an increasing market penetration. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | The supplier offers an international portfolio of consultancy, in some cases cheaper than the equivalents from other suppliers, in other cases more expensive. |
| Technical capacity | Capability to provide the services | 9 | 2 | The supplier demonstrated their capability of providing us with high-quality services. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier has a large number of consultants with demonstrated experience in the different consultancy projects they offer. |
| International | Presence in the whole world | 9 | 2 | The supplier is UK-based but offers services around the world, such as in Mexico and the USA. |
S-BSI
- Name: BSI
- Service/Product provided: Notified Body services
- Type: Non-Impact Vendor (NIV)
- Final score: 10
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier; Customer reviews in Trustpilot.com; Market penetration | 8 | 2 | Although the supplier has a poor rating on Trustpilot, it is recognized worldwide. They have a huge market penetration and we are satisfied with the services |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | They do not have ISO 13485 certification |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has ISO 27001 certification |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 4 | 0 | The price is the most expensive in comparison with their competitors, but they offer faster terms. |
| Technical capacity | Capability to provide the services | 8 | 2 | The European Commission has notified that BSI, Notified Body number: 2797, has the technical capacity to provide the services that we require. |
| Experience | Knowledge and domain on their activity | 10 | 2 | The supplier is accredited by different international bodies such as: American National Standards Institute - American Society for Quality National Accreditation Board LLC (ANAB); China National Accreditation Service for Conformity Assessment (CNAS); Raad voor Accreditatie (RvA) in the Netherlands; United Kingdom Accreditation Service (UKAS). |
| International | Presence in the whole world | 9 | 2 | The supplier is recognized as Notified Body worldwide |
S-MIC
- Name: Microsoft
- Service/Product provided: Code repository
- Type: Controlled Impact Vendor (CIV)
- Final score: 13
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 6 | 1 | We do not have previous experience with this supplier yet. Although the supplier has a poor rating on Trustpilot, it is recognized worldwide. The supplier has a huge market penetration. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has ISO 9001 certification |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has ISO 27001 and ISO 27018 certifications, and the supplier is SOC 1, SOC 2 and SOC 3 compliant |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 9 | 2 | We are using the free version and it's enough. When scaling to the paid version, we will review this section. |
| Technical capacity | Capability to provide the services | 9 | 2 | Microsoft GitHub is the only provider offering a git code repository that includes a verified-signature option for commits, compliant with 21 CFR Part 11. This makes it perfect to manage the QMS documents and records. |
| Experience | Knowledge and domain on their activity | 10 | 2 | The supplier is a well-established company in the field |
| International | Presence in the whole world | 9 | 2 | The supplier operates worldwide |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 3 | Proactive incident communication via githubstatus.com; detailed post-incident reports |
| Contractual compliance | 3 | Full SLA compliance for GitHub services |
| Technical expertise | 3 | Industry-leading code hosting and CI/CD platform with comprehensive security features (Dependabot, code scanning, secret scanning) |
| Security issues | 2 | Occasional supply chain security incidents reported in the npm ecosystem (public disclosures); GitHub platform itself maintains strong security posture; ISO 27001 and SOC 2 certified |
| Service availability | 2 | Meets SLA; occasional degraded performance in GitHub Actions observed |
- Security score: 13/15 — Approved
- Certifications: ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3
- RSEG approval: Required and granted — code repository containing all source code classified as high-risk component
S-GLA
- Name: GL AI INVESTMENT
- Service/Product provided: Servers
- Type: Controlled Impact Vendor (CIV)
- Final score: 10
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 7 | 1 | We do not have previous experience with this supplier yet; however, the references we got from very reliable sources are very encouraging. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | It is subject to periodic external audits and third-party evaluations in accordance with international quality management regulations (ISO9001, ISO17025, 17065, EFQM), as well as periodic customer audits. |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | We could not find ISO 27001 certification or equivalent. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 9 | 2 | We have closed a long-term contract, with a lower price than other providers such as AWS for better service (more computing capacity). |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier provides servers dedicated exclusively to us with plenty of power, plus dedicated support staff. |
| Experience | Knowledge and domain on their activity | 8 | 2 | They are suppliers of Skymedic, an aesthetic medicine company, providing them the same services that we have contracted. |
| International | Presence in the whole world | 6 | 1 | The supplier does not have international presence yet, but their supplier Leitat also collaborates with the globally recognized company HP |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 3 | Direct and immediate communication as related entity; issues escalated without delay |
| Contractual compliance | 3 | Full compliance under intercompany service agreement |
| Technical expertise | 2 | Adequate server management and infrastructure capabilities for dedicated hosting |
| Security issues | 3 | No security incidents affecting our services; servers dedicated exclusively to our organization |
| Service availability | 2 | Meets contractual expectations; occasional planned maintenance windows |
- Security score: 13/15 — Approved
- Certifications: None — INCIBE security questionnaire sent per GP-010 section 5c
- RSEG approval: Required and granted — infrastructure provider classified as high-risk component
S-DOC
- Name: Docker, Inc
- Service/Product provided: Platform-as-a-service (PaaS) products
- Type: Controlled Impact Vendor (CIV)
- Final score: 12
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 8 | 2 | The references we got from very reliable sources are very encouraging. We are satisfied with their services. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has ISO 27001 certification and SOC2. The supplier also complies with leading privacy regulations like GDPR, CCPA, CPA, CTDPA, VCDPA, UCPA, and the APEC Privacy Framework |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 10 | 2 | It is open source |
| Technical capacity | Capability to provide the services | 10 | 2 | Docker excels in containerization technology, offering a powerful Docker Engine and a cloud-based registry service, Docker Hub. It supports cross-platform compatibility and integrates seamlessly with orchestration tools like Kubernetes for high availability and scalability. |
| Experience | Knowledge and domain on their activity | 9 | 2 | Established in 2013, it has a strong market presence and significantly influenced the containerization field, with wide adoption by major corporations. It boasts a large, active community and a history of continuous innovation. |
| International | Presence in the whole world | 10 | 2 | The supplier operates worldwide |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 2 | Adequate incident communication via status.docker.com; community-driven support model |
| Contractual compliance | 3 | Full compliance with subscription terms and licensing |
| Technical expertise | 3 | Industry standard for containerization; comprehensive documentation and security scanning (Docker Scout) |
| Security issues | 2 | Occasional vulnerabilities reported in Docker Hub community images; Docker platform itself maintains security through regular patching; ISO 27001 and SOC 2 certified |
| Service availability | 3 | Docker Hub and Docker Desktop consistently available, exceeding SLA commitments |
- Security score: 13/15 — Approved
- Certifications: ISO 27001, SOC 2
S-CMG
- Name: CMG MedDev
- Service/Product provided: Regulatory and Quality services
- Type: Non-Impact Vendor (NIV)
- Final score: 8
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 8 | 2 | Prior experience with this supplier shows a high degree of quality of the supplier. They don't have reviews on Trustpilot, but the reviews from companies we know were good. They don't have a huge market penetration, which is expected. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 7 | 1 | The pricing of the selected supplier is comparable to that of its competitors, yet remains the most economical option. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier's employees have relevant expertise required to provide the services. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier demonstrated the required knowledge and experience to provide the services |
| International | Presence in the whole world | 5 | 1 | The supplier operates in Spain, although the supplier provides services to comply with FDA medical device regulation |
S-DME
- Name: Dmed software
- Service/Product provided: Cybersecurity testing
- Type: Controlled Impact Vendor (CIV)
- Final score: 11
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 8 | 2 | The supplier has been recommended to us because of the quality of its services. The supplier is present in Europe. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | TRUE | 2 | The supplier has an ISO 13485 certificate |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | The pricing of the selected supplier is comparable to that of its competitors, yet remains the most economical option. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier can count on knowledgeable personnel with extensive experience in cybersecurity topics for medical device requirements in Europe and the USA. |
| Experience | Knowledge and domain on their activity | 8 | 2 | The supplier has extensive experience in cybersecurity testing according to FDA requirements. |
| International | Presence in the whole world | 7 | 1 | The supplier is based in Europe, although the supplier provides services to comply with FDA medical device regulation |
Security evaluation (ENS)
| Criterion | Score | Comments |
|---|---|---|
| Incident resolution | 2 | Adequate communication for project-based engagements; responsive to queries during testing periods |
| Contractual compliance | 3 | Full compliance with agreed testing scope, timelines, and deliverables |
| Technical expertise | 3 | Expert-level cybersecurity testing capabilities; DEKRA CASA Tier 3 certified methodology; specialized in medical device cybersecurity |
| Security issues | 2 | No direct security incidents; limited formal security certifications visible for the organization itself (no ISO 27001) |
| Service availability | 2 | Project-based delivery; meets agreed timelines and milestones |
- Security score: 12/15 — Approved (meets threshold)
- Certifications: None — INCIBE security questionnaire sent per GP-010 section 5c
S-DES
- Name: Design science
- Service/Product provided: Human factors testing
- Type: Controlled Impact Vendor (CIV)
- Final score: 10
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 8 | 2 | The supplier has been recommended to us because of the quality of its services. The supplier is present in the US and Europe (Germany). |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | The price of this supplier, compared to the price for the same service of other companies based in the US, is affordable. |
| Technical capacity | Capability to provide the services | 8 | 2 | The supplier can count on knowledgeable personnel with extensive experience in planning and conducting human factors testing according to FDA requirements. |
| Experience | Knowledge and domain on their activity | 8 | 2 | The supplier has extensive experience in human factors testing according to FDA requirements. |
| International | Presence in the whole world | 8 | 2 | The supplier has offices in the US and in Europe (Germany). |
S-BRA
- Name: Brazil Import Healthcare Solutions
- Service/Product provided: Regulatory services in Brazil
- Type: Non-Impact Vendor (NIV)
- Final score: 10
| Criteria | Parameters | Value | Score | Comments |
|---|---|---|---|---|
| Quality of services | Prior experience with this supplier Customer reviews in Trustpilot.com Market penetration | 8 | 2 | One employee had prior experience with this supplier and reported a high degree of quality and satisfaction. There are no reviews on Trustpilot; however, previous experience with this supplier was satisfactory. The supplier is specialised in the Brazilian market; however, the supplier has headquarters in the USA and UK and has 30 years of experience. |
| QMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have a QMS certification (ISO 9001 / ISO 13485) |
| ISMS Certification | Observed by looking at the supplier's claims and the mention of the QMS in the license of use. | FALSE | 0 | The supplier does not have ISO 27001 certification. |
| Affordable price | Compared to competitors and considering special discounts we may enjoy | 8 | 2 | The supplier offers regulatory services with comparable costs to other competitors. |
| Technical capacity | Capability to provide the services | 9 | 2 | The supplier has the adequate resources to provide us with the required regulatory services. |
| Experience | Knowledge and domain on their activity | 9 | 2 | The supplier has 30 years' experience in regulatory and quality matters and counts on specialised consultants. |
| International | Presence in the whole world | 9 | 2 | The supplier is based in Brazil and their core business is the Brazilian market. The supplier has headquarters in the USA and UK. |
Record signature meaning
- Author: JD-004
- Reviewer: JD-005
- Approver: JD-001