A client signed a contract with a data analytics vendor without a security review. Six months later, they learned the vendor was storing their customer data on a shared infrastructure with no encryption at rest, no access logging, and a breach notification timeline of “as soon as practicable” — which legally could mean months. The client had SOC 2 Type II. Their vendor didn’t. Their auditor flagged it. Their customers asked about it. They spent four months migrating to a different vendor.

Every vendor you add to your stack is a node in your attack surface. A breach at your analytics provider is your breach — your customers’ data was exposed, and they don’t care whose server it was on. Vendor security review isn’t bureaucratic overhead. It’s risk management.

The Tiered Approach

Not every vendor needs the same level of scrutiny. Tier your reviews based on what data the vendor accesses:

Tier 1 — Critical (full review). Vendors that access, process, or store sensitive data: customer PII, financial data, health information, authentication credentials, or source code. Examples: cloud providers, databases, customer support platforms, payment processors, identity providers. These vendors get the full review.

Tier 2 — Standard (moderate review). Vendors that access internal data but not customer-sensitive data: project management tools, communication platforms, internal analytics. These get a streamlined review focused on access controls and data handling.

Tier 3 — Low risk (basic check). Vendors that don’t access sensitive data: design tools, documentation platforms, internal wikis. Verify they have basic security practices (SOC 2 or equivalent) and move on.

The Full Review Process (Tier 1)

Step 1: Request the SOC 2 Type II report. Not the marketing page that says “SOC 2 compliant.” The actual audit report. SOC 2 reports are confidential but vendors share them under NDA with prospective customers. If a vendor won’t share their SOC 2 report, that’s a red flag. If they don’t have SOC 2, that’s a bigger red flag for any vendor handling customer data.

What to look for in the report: The scope — does it cover the product you’re using? The opinion — any qualified opinions or exceptions? The control descriptions — do they match what you need? Any findings or exceptions noted by the auditor.

Step 2: Review data handling practices. Ask specific questions: Where is data stored (region, cloud provider)? Is data encrypted at rest and in transit? Who at the vendor can access your data, and under what circumstances? What’s their data retention policy? Can you export and delete your data when the contract ends? Do they use subprocessors, and if so, who?

Step 3: Check their incident response. What’s their breach notification timeline? (72 hours or less is the standard you should require.) How will they notify you? What information will the notification include? Have they had any breaches in the past, and what did they do about them?

Step 4: Review the contract terms. Security terms should be in the contract, not just on the vendor’s website. Key clauses: data processing agreement (DPA) if you’re subject to GDPR, Business Associate Agreement (BAA) if PHI is involved, right to audit (or at minimum, right to receive updated SOC 2 reports), breach notification timeline, data deletion obligations on contract termination, and limitation of liability for security incidents.

Step 5: Evaluate the subprocessor chain. Your vendor likely uses other vendors. If you share customer data with Vendor A and Vendor A shares it with Vendors B, C, and D for processing, you need to know who B, C, and D are and whether they meet your security standards. Most SOC 2 reports address subprocessor management, but ask for the subprocessor list explicitly.

The Questions That Matter

When I conduct vendor security reviews, these are the questions that reveal the most:

“Can you walk me through what happens when an employee leaves your company?” This reveals their offboarding and access revocation process. Vague answers (“we revoke access”) are a red flag. Specific answers (“access is revoked from all systems within 24 hours via automated deprovisioning through Okta, and we verify revocation as part of our quarterly access review”) indicate maturity.

“Where does my data live at rest, and can you guarantee it stays in that region?” This reveals data residency practices and whether they have controls to prevent data from moving to jurisdictions you haven’t approved.

“What was your last security incident, and what did you change as a result?” Every company has incidents. The answer reveals their transparency and their ability to learn. “We’ve never had an incident” is either dishonest or indicates they don’t have sufficient monitoring to detect them.

“If I send you a data deletion request today, what’s the process and timeline?” This tests their operational readiness for data subject rights requests. If they can’t answer specifically, they haven’t built the process.

Red Flags

Walk away — or negotiate much harder — if you see:

No SOC 2 or equivalent certification for a vendor handling sensitive data.
A breach notification timeline longer than 72 hours (or “as soon as practicable” without a defined timeframe).
No encryption at rest.
Inability to provide a subprocessor list.
No DPA available for a vendor processing personal data.
Contract terms that exclude liability for security incidents.
Reluctance to share security documentation under NDA.

Building the Process

For companies conducting regular vendor reviews, systematize it. Build a vendor inventory spreadsheet: vendor name, data classification tier, SOC 2 status, DPA/BAA status, last review date, contract renewal date. Review Tier 1 vendors annually. Review Tier 2 vendors every two years. Trigger a review for any vendor when their contract renews or when you plan to expand their data access.

This doesn’t need to be a full-time job. For a company with 20-50 vendors, the initial inventory takes a day. Ongoing reviews take 2-4 hours per Tier 1 vendor and 30 minutes per Tier 2 vendor.
