Service 05
Vendor & Third-Party Risk Review.
Many data breaches originate with vendors rather than internal systems. This review audits your full vendor stack, identifies missing Data Processing Agreements, and builds a risk-scored register of your third-party exposure.
What's Included
Your Full Vendor Stack.
Audited and Scored.
Many data breaches originate with vendors, not internal systems. This review audits your full vendor stack, identifies missing Data Processing Agreements, and flags where your sub-processor exposure creates real liability. Your liability does not stop at your front door.
Under US state privacy laws, when you share personal data with a vendor who processes it on your behalf, you remain responsible for what that vendor does with it. If the vendor suffers a breach or misuses the data, the enforcement action may come to you, not to them.
Engagement Summary
Vendor Data Inventory
A complete list of vendors with access to personal data, categorized by data type, processing purpose, and storage location. Most SMBs discover 10 to 40 vendors touching personal data in some form, many they had not thought of as data processors.
DPA Gap Analysis
Review of your existing vendor contracts against the DPA requirements of the state laws that apply to you. This flags every vendor that is missing a compliant DPA, and every contract whose existing clauses fall short of the statutory requirements.
Risk-Scored Vendor Register
Each vendor is scored by risk level based on the sensitivity of the data it handles, the scope of its processing, and the status of its current contract. The register tells you exactly where to focus first and where your exposure is highest.
DPA Templates
Ready-to-use Data Processing Agreement templates for standard vendor categories: SaaS processors, analytics vendors, marketing platforms, and payment processors. Adapted for compliance with applicable state laws.
Remediation Priority List
A sequenced list of which vendors to address first, with guidance on whether to execute a DPA, renegotiate terms, or end the relationship. Clear decisions, not vague recommendations.
Sub-Processor Register
Documentation of your vendors' vendors: the sub-processors who may also touch your data. Several state laws expect you to account for the full processing chain, not just the first hop, so this register is what lets you demonstrate that accountability.
Who This Is For
Built for companies that share data with vendors.
- You use SaaS tools for CRM, email marketing, analytics, or customer support
- You have never reviewed your vendor contracts for DPA language
- A partner, client, or enterprise customer has asked about your vendor risk management
- You are preparing for a SOC 2 audit or similar compliance review
- You are in M&A due diligence and need to document your third-party data exposure
- You share customer data with marketing or advertising platforms
- You have vendors in other countries who process your customers' personal data
Common Questions
FAQ
What if a vendor refuses to sign a DPA?
This happens, particularly with large platforms that offer standard terms only. In those cases, we assess whether the vendor's existing terms are sufficient (many large platforms build DPA-equivalent language into their standard terms) and, if they are not, advise on whether the risk justifies continuing the relationship.
How many vendors does this typically cover?
Most SMB engagements cover 15 to 40 vendors. The scope depends on the complexity of your tech stack. We discuss this during the discovery call and scope accordingly.
Do I need to have DPAs with all of my vendors?
Not necessarily all of them. DPA requirements apply to vendors who process personal data on your behalf. A vendor who provides you a service without ever touching your customers' personal data may not require one. The review determines which vendors fall into which category.
Can this be done as part of a broader engagement?
Yes. The Vendor Risk Review is often combined with the Gap Analysis or the Foundational Privacy Setup. We can scope a combined engagement that covers multiple service areas at a reduced total cost.
Ready to know your vendor risk?
Book a free 30-minute discovery call to scope the engagement based on your vendor stack.