Hello,

Thank you for your inquiry. The Apache Software Foundation is a non-commercial, open source organization that relies on a large community of volunteers and companies to maintain its software. It provides this software free (and gratis) 'as is' - as per its license[0].

As such we are not a 'vendor'. You may wish to read some information on how the ASF works[2] and look at our general compliance statement[3]. If you would like to engage with the project community you can do so through their public channels, such as the project's mailing lists.

If you do require a commercial supplier there may be companies that offer commercial products or repackaged versions of our open source releases; and often pair this with various certifications and compliance statements (such as CC, STIG, CJIS, USGBC, 508, Army NW, etc) and commercial support. I can't make any particular recommendation, but if that is relevant to you that might be something to seek out.

Kind regards,

Arnout Engelen
ASF Security

[0] https://www.apache.org/licenses/LICENSE-2.0
[1] http://www.apache.org/security/
[2] http://apache.org/foundation/how-it-works.html
[3] https://security.apache.org/blog/data-processing-compliance-statements-and-sla/

On Fri, Aug 29, 2025 at 1:19 PM Vendor Governance <[email protected]> wrote:

> Hello,
>
> I hope this email finds you well!
>
> We are excited to work with you and look forward to our continued
> partnership.
>
> Xome’s Vendor Risk Governance Team received a notification that we are in
> the early stages of the onboarding process with Xome Holdings, LLC.
>
> As part of the Third-Party Management process, all Service Providers
> *must* complete an onboard and periodic due diligence process to become a
> certified vendor. Please review and complete the attached documents as
> part of this certification. Additionally, provide the required documents
> as outlined in the Xome Required Document Checklist. For any questions
> that do not apply, please enter N/A and explain why the question is not
> applicable.
>
> So you are aware, there are three (3) primary steps to Xome’s vendor
> engagement approval and on-boarding process:
>
> - Procurement spends approval process for services.
> - Negotiation and execution of the contractual agreements.
> - Due diligence review by the Vendor Risk Governance Team.
>
> Description of Service: INC3020258 - $0 REQ to get VRG approval on:
> Framework - Apache Maven
>
> Please see the attached Xome required documents for a list of documents
> needed.
>
> *We look forward to receiving your response. Please confirm receipt of
> this email as soon as possible and return the certification package on or
> before 09/10/2025.*
>
> If you have any questions, please don’t hesitate to reach out by replying
> to all on this email chain.
>
> Thanks & Regards,
>
> Kavitha. V
>
> Vendor Risk Governance (Analyst II) – Xome
>
> This e-mail communication and any attachments may contain confidential,
> copyrighted, and legally privileged information for use solely by the
> designated recipients to which this e-mail is addressed. If you are not the
> intended recipient, you are hereby notified that you have received this
> communication in error, and that any review, disclosure, dissemination,
> distribution, or copying of this message or its contents is prohibited and
> may be subject to governing laws protecting its disclosure. If you have
> received this communication in error, please destroy all copies of this
> communication and any attachments.
