Vendor Security
Third parties held to a clear standard
Vendors that handle customer data or support critical systems are reviewed against documented criteria before and during the relationship.
Evaluation
What we look for
- Security and privacy posture appropriate to scope
- Compliance attestations where applicable
- Documented data handling and retention
- Encryption and access control standards
- Operational reliability and support practices
- Sub-processor transparency
Expectations
Contractual safeguards
- Data processing terms with named purposes
- Confidentiality and security obligations
- Breach notification commitments
- Limits on data use beyond the agreed purpose
- Termination and data return or deletion rights
- Right to assess controls when warranted
Lifecycle
Ongoing oversight
- Risk-tiered review cadence
- Monitoring for material changes in vendor posture
- Tracking of issues and remediation
- Periodic reassessment of high-impact vendors
- Documented offboarding for ended relationships
- Central inventory of in-scope vendors