Vendor Onboarding

Last updated: April 10, 2026

Payward uses Zip as our vendor intake platform. If your services have been requested by Payward, you’ll receive a system-generated invitation to complete onboarding from <[email protected]> with the subject line “[Action Required] You’ve been invited to complete tasks for Payward, Inc.”

You’ll be asked to submit the following via the secure Zip Vendor Portal:

  • Basic Company Information

  • Tax Documents as needed (e.g., W-9, W-8)

  • Bank Details (including proof such as a voided check or letter from your bank)

These items are required for:

  • Payment readiness

  • Regulatory compliance

  • Financial audit preparation

  • IRS and global tax reporting obligations

If you need to update your company information (e.g., address, tax ID, banking), please email your main point of contact at Payward and Payward's Accounts Payable (A/P) team. A/P will initiate a re-validation and a new portal invite.

Vendor Risk Management & Due Diligence

  • Information Security – network/application security, access control, encryption, vulnerability/patch management, incident response.

  • Privacy & Data Protection – GDPR/UK GDPR, state privacy laws, data residency, DPA terms, data subject rights.

  • Anti-Bribery & Corruption (FCPA/ABC) – policies, training, third-party oversight, gifts & entertainment controls.

  • Regulatory & Compliance Fit – sector rules applicable to the service (e.g., DORA/MiCA for EU crypto/ops resiliency; SEC/FINRA where relevant).

  • Financial Viability – going-concern indicators, adverse media/litigation, insurance coverage.

  • Business Continuity / Disaster Recovery (BC/DR) – RTO/RPO, test cadence and results, dependency mapping.

  • Workforce Integrity (as applicable) – background checks for staff in scope (esp. temp labor/staff aug).

Provide the following via Payward’s Vendor Risk System; if your policy prohibits uploads, share via secure links or your trust portal.

  • Security Assurance: SOC 2 Type II (or ISO/IEC 27001 certificate + SoA), recent pen-test summary & remediation status, vulnerability management policy, incident response plan.

  • Privacy & Data: Privacy Notice, DPA, subprocessors list, data-flow diagrams (collection → processing → storage → transfer → deletion), data residency statement, retention schedule.

  • Technical Controls: encryption at rest/in transit details, key management, access control/SSO/MFA, logging/monitoring, SDLC/secure coding, change management.

  • BC/DR: BCP/DRP summary, most recent BC/DR test report with outcomes/RTO/RPO, dependency mapping (cloud/third parties).

  • Regulatory Artifacts (as applicable): PCI AoC (if cardholder data), HIPAA/BAA (if PHI), DORA operational resilience attestation (if service supports EU operations), export control/sanctions screening posture.

  • Financial & Corporate: latest financials or credit report, insurance (Cyber/Tech E&O/GL; limits & carriers), legal entity details, ultimate parent/ownership.

  • People & ABC: ABC/anti-corruption policy & training overview; background-check attestations where persons access Payward sensitive data or facilities.

Vendors will receive a welcome email from Payward’s Vendor Risk System ([email protected]) containing their login credentials (example shown below). Shortly after, a second email will provide access to their assigned due diligence questionnaires (DDQs).

These questionnaires are tailored to the nature and risk level of the services being provided. Vendors can add additional contacts within Payward’s Vendor Risk System to assist with completion, or contact <[email protected]> for support with the tool.

Data Handling and Security Within Payward's Vendor Risk System

  1. Data Access

    Data submitted is accessible only to authorized Payward personnel. Payward’s Vendor Risk System’s personnel do not access customer environments in the ordinary course of business. Any limited access for technical support is performed under strict confidentiality and data-protection controls defined in Payward’s Vendor Risk System’s DPA.

  2. Data Storage

    Payward’s Vendor Risk System is a cloud-based SaaS platform hosted on Amazon Web Services (AWS). Data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256) using AWS Key Management Service (KMS). No vendor data is stored on Payward premises.

  3. Data Retention

    Data retention is governed by Payward’s internal policy settings. Payward’s Vendor Risk System retains data only as long as required to provide contracted services or to meet legal and regulatory obligations, then deletes or anonymizes it in accordance with its retention policy and DPA.

  4. Attachments

    Uploading documents to Payward’s Vendor Risk System is supported but not mandatory. Vendors may instead provide secure links to their trust portals or complete the Excel DDQ offline if preferred.

  5. Platform Certifications

    Payward’s Vendor Risk System has undergone Payward's third-party risk review and maintains ISO/IEC 27001 certification, SOC 2 Type II reporting, and annual independent penetration testing.

Please respond to these requests promptly. These evaluations are essential to ensure business continuity, mitigate third-party risk, and satisfy regulatory requirements.

Contracting Process

  • Complete the onboarding process via the Zip Vendor Portal

  • Undergo required due diligence reviews (as assigned by Payward’s Vendor Risk System)

  • Have a fully executed contract in place (e.g., MSA, SOW, Order Form)

Payward’s Procurement and Legal teams will initiate the appropriate agreement based on the engagement type. All contracts must:

  • Be reviewed and approved by Payward’s Procurement and Legal teams

  • Be executed via DocuSign with valid signature authority

Once the agreement is signed and onboarding is complete, a Purchase Order (PO) will be issued.

For any contract questions, contact your Payward business sponsor.

Languages & Localization

The Zip Vendor Portal is localized and available in:

  • English

  • Chinese

  • French

  • German

  • Japanese

  • Portuguese

  • Spanish

You can change the language via the dropdown menu at the top of the portal.

Signing Into Zip

Zip requires multi-factor authentication (MFA) to keep your account secure. When signing in, you'll need to provide both your password and a verification code sent to your phone or authenticator app.

Note: MFA is only required for users who do not log in via Single Sign-On (SSO).

If your email is associated with more than one organization, Zip will prompt you to select which organization you'd like to access after entering your login email. Once selected, you'll be directed to that organization's unique sign-in page.

If you haven't set up MFA yet, Zip will prompt you to do so immediately after your first login. You can choose to receive authentication codes via:

  • Phone call or text message

  • An authenticator app (e.g., Google Authenticator, Microsoft Authenticator, or Okta Verify)

The method you choose will be tied to your email address for all future logins. To switch methods later, you'll need to reset your MFA credentials.

Using a Phone Number: Enter your phone number when prompted and click Send by text or Get a phone call. Zip will immediately send your 6-digit code and direct you to the verification screen.

Using an Authenticator App: Click Use authenticator app instead. Zip will display a QR code — open your authenticator app, scan the code, then click Enter code and enter the 6-digit code shown in your app. If you have trouble scanning, click Trouble scanning? to get a manual entry code instead.

Each time you sign in, Zip will prompt you to verify your identity using whichever MFA method you set up. Enter your 6-digit code and click Verify to complete sign-in.

Didn't receive a code?

  • Click Resend code to try again

  • If more than 5 minutes have passed, click Request a new code

Forgot your password?

  • Click Forgot your password? on the login page and Zip will email you a reset link.

If you lose access to your phone or need to change your authentication method:

  1. Click Reset your multi-factor authentication on any page during the Zip login process

  2. Click Confirm and Submit

  3. Zip will send a confirmation to the email and phone number associated with your account

  4. Once an admin approves the request, you'll be able to set up new MFA credentials on your next login

Next Steps After Onboarding

Once you’ve completed your vendor onboarding and registration in Zip, the next step is to familiarize yourself with Payward's Purchase Order (PO) and Invoice Submission process. This ensures your work begins only after proper approvals and that your invoices are submitted correctly for timely payment. You can find the full guide here: PO & Invoice Submission Guide.
