
Service 05

Vendor & Third-Party Risk Review.

Most data breaches originate with vendors. This review audits your full vendor stack, identifies missing Data Processing Agreements, and builds a risk-scored register of your third-party exposure.

Starting From

$1,500

Typical Timeline

2–3 weeks

Engagement Type

Project-based

What's Included

Your Full Vendor Stack. Audited and Scored.

Most data breaches originate with vendors — not internal systems. This review audits your full vendor stack, identifies missing Data Processing Agreements, and flags where your sub-processor exposure creates real liability. Your liability does not stop at your front door.

Under US state privacy laws, when you share personal data with a vendor who processes it on your behalf, you are responsible for what that vendor does with it. If they suffer a breach or misuse the data, the enforcement action may come to you — not them.

Engagement Summary

Starting from: $1,500
Timeline: 2–3 weeks
Type: Project-based
Output: Risk register + templates

01

Vendor Data Inventory

A complete list of vendors with access to personal data, categorized by data type, processing purpose, and storage location. Most SMBs discover 10–40 vendors touching personal data in some form — many they had not thought of as data processors.

02

DPA Gap Analysis

Review of existing vendor contracts against DPA requirements under applicable state laws. Flags every vendor missing a compliant DPA or where existing clauses fall short of legal requirements.

03

Risk-Scored Vendor Register

Each vendor scored by risk level based on data sensitivity, processing scope, and current contract status. Tells you exactly where to focus first and where the exposure is highest.

04

DPA Templates

Ready-to-use Data Processing Agreement templates for standard vendor categories: SaaS processors, analytics vendors, marketing platforms, and payment processors. Adapted for compliance with applicable state laws.

05

Remediation Priority List

A sequenced list of which vendors to address first, with guidance on whether to execute a DPA, renegotiate terms, or end the relationship. Clear decisions, not vague recommendations.

06

Sub-Processor Register

Documentation of your vendors' vendors — the sub-processors who may also touch your data. Required under several state laws for full chain-of-custody accountability.

Who This Is For

Built for companies that share data with vendors.

Common Questions

FAQ

What if a vendor refuses to sign a DPA?

This happens, particularly with large platforms that have standard terms only. In those cases, we identify whether the vendor's existing terms are sufficient — some large platforms have DPA-equivalent language built in — and if not, we advise on whether the risk justifies continuing the relationship.

How many vendors does this typically cover?

Most SMB engagements cover 15–40 vendors. The scope depends on the complexity of your tech stack. We discuss this during the discovery call and scope accordingly.

Do I need to have DPAs with all of my vendors?

Not necessarily all of them. DPA requirements apply to vendors who process personal data on your behalf. A vendor who only provides you a service without touching your customer data may not require one. The review determines which vendors fall into which category.

Can this be done as part of a broader engagement?

Yes. The Vendor Risk Review is often combined with the Gap Analysis or the Foundational Privacy Setup. We can scope a combined engagement that covers multiple service areas at a reduced total cost.

Ready to know your vendor risk?

Book a free 30-minute discovery call to scope the engagement based on your vendor stack.
