> I, as the company paying for your service, have no direct ability to influence the policy that you apply to the tokens you issue

a) why would you want that burden b) you're never gonna get it

Ask before you spend the money, stick it in the contract. If you don't like the answer don't sign the contract.

There's no universe where a typical tiny customer is going to be able to impose policy on a large vendor, and there's just not that many vendors in this space. So, yes, I could go with "We're not going to use Github or Gitlab or any similar vendor because they don't meet our needs in this respect" but then I'm probably going to spend a bunch of time explaining to my board why we're reimplementing issue tracking and CI and that's likely to be some rough chuckles.

Either github's systems are good enough for you to use, or they aren't.

If they aren't, you need to find or implement something that is good enough.

That is, in fact, what I'm trying to do - this is the explanation for why I'm doing so.