Vendor Risk Assessment Checklist (2026)
April 17, 2026
This is the vendor risk assessment checklist your team can use immediately. It covers five risk categories (security, compliance, financial, operational, and reputational) with specific verification items for each. Unlike generic checklists that list vague requirements, each item here maps to evidence you can actually obtain and verify. For context on how these items fit into a broader third-party risk management (TPRM) program, see our [TPRM fundamentals guide](/learn/what-is-tprm).
Security risk assessment
Encryption. Verify TLS 1.2+ for data in transit, with TLS 1.0 and 1.1 disabled and, on TLS 1.2, only forward-secret AEAD cipher suites offered; TLS 1.3 is preferable. Confirm AES-256 or equivalent for data at rest, and ask who controls the keys: provider-managed disk encryption protects against lost or decommissioned media, while customer-managed keys in a KMS give you a revocation path if the relationship ends badly. Check the TLS configuration of the endpoints your users and integrations actually connect to, not only the marketing site, using public scanning tools such as Qualys SSL Labs or testssl.sh. ThirdProof checks this automatically.
Access controls. Does the vendor support SSO (SAML/OIDC), and on which pricing tier? Is MFA enforced for administrative access, and is a phishing-resistant method (FIDO2/WebAuthn) available? Are role-based access controls (RBAC) available, with roles granular enough to give your staff least privilege? Does the vendor support SCIM or another automated deprovisioning path, so that a departed employee loses access when your identity provider says so? Can you configure IP allowlisting?
Security headers. Check HTTP security headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options. Check them on the application origin your users log into, not only the marketing site, and look at the values rather than just presence: an HSTS max-age of a few seconds, or a CSP that allows 'unsafe-inline' for scripts, offers little. Header configuration is a cheap but telling signal of security engineering maturity. ThirdProof's web infrastructure analysis scores this automatically.
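As an added example (not ThirdProof's scanner or any code from this page), the script below parses a raw HTTP response and grades the four headers named above, flagging weak values as well as missing ones. The sample response is constructed for the example, and the thresholds it applies (a one-year HSTS max-age with includeSubDomains, no 'unsafe-inline', 'unsafe-eval' or wildcard in the effective script sources, DENY/SAMEORIGIN or a CSP frame-ancestors directive for framing) are a reviewer's choices, not a standard the page cites.

```python
"""Grade the HTTP security headers of a vendor's web front end.

Added example, not ThirdProof's scanner: parse a raw HTTP response and flag
missing or weak values for the four headers the checklist names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; the HSTS max-age the preload list requires


@dataclass(frozen=True)
class Finding:
    header: str
    status: str  # "ok", "weak" or "missing"
    detail: str


def parse_response_headers(raw: bytes) -> dict[str, str]:
    """Map lower-cased header names to values; repeated headers are joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _csp_directive(csp: str | None, name: str) -> str | None:
    """Return the source list of one CSP directive, or None if it is not set."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return " ".join(parts[1:])
    return None


def evaluate_security_headers(headers: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []

    # HSTS: present, max-age of at least a year, and covering subdomains.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("Strict-Transport-Security", "missing", "header absent"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(Finding("Strict-Transport-Security", "weak", f"max-age={max_age} is under one year"))
        elif "includesubdomains" not in hsts.lower():
            findings.append(Finding("Strict-Transport-Security", "weak", "includeSubDomains not set"))
        else:
            findings.append(Finding("Strict-Transport-Security", "ok", hsts))

    # CSP: present, and the effective script source list is not wide open.
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append(Finding("Content-Security-Policy", "missing", "header absent"))
    else:
        script_src = _csp_directive(csp, "script-src")
        if script_src is None:  # script-src falls back to default-src
            script_src = _csp_directive(csp, "default-src") or ""
        weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'", "*") if t in script_src.split()]
        if weak:
            findings.append(Finding("Content-Security-Policy", "weak", "script sources allow " + " ".join(weak)))
        else:
            findings.append(Finding("Content-Security-Policy", "ok", csp))

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or its CSP replacement frame-ancestors.
    xfo = headers.get("x-frame-options", "").strip().upper()
    frame_ancestors = _csp_directive(csp, "frame-ancestors")
    if xfo in ("DENY", "SAMEORIGIN") or frame_ancestors is not None:
        findings.append(Finding("X-Frame-Options", "ok", xfo or f"frame-ancestors {frame_ancestors}"))
    elif xfo:
        findings.append(Finding("X-Frame-Options", "weak", f"unrecognised value {xfo!r}"))
    else:
        findings.append(Finding("X-Frame-Options", "missing", "neither X-Frame-Options nor frame-ancestors set"))

    # MIME sniffing: the only meaningful value is nosniff.
    xcto = headers.get("x-content-type-options", "").strip().lower()
    if xcto == "nosniff":
        findings.append(Finding("X-Content-Type-Options", "ok", xcto))
    elif xcto:
        findings.append(Finding("X-Content-Type-Options", "weak", f"unexpected value {xcto!r}"))
    else:
        findings.append(Finding("X-Content-Type-Options", "missing", "header absent"))
    return findings


def assess(raw: bytes) -> dict[str, str]:
    """Header name -> status for a raw HTTP response."""
    return {f.header: f.status for f in evaluate_security_headers(parse_response_headers(raw))}


# Constructed sample: short HSTS, inline scripts allowed, frame-ancestors and nosniff fine.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n<html></html>"
)

for finding in evaluate_security_headers(parse_response_headers(SAMPLE_RESPONSE)):
    print(f"{finding.status:8} {finding.header}: {finding.detail}")
```

To run it against a live vendor endpoint, feed the raw bytes of a response captured with curl -si (or the header dict from your HTTP client) into the same functions; grading the response rather than a screenshot of a trust page is the point.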
Vulnerability management. Does the vendor have a vulnerability disclosure program (a published reporting address and a security.txt file are the usual evidence)? Do they perform regular penetration testing, and will they share the most recent report's date, scope, and remediation status rather than just an attestation letter? Is there a bug bounty program? What is the documented patch SLA for critical vulnerabilities, and can they show evidence of meeting it?
Incident response. What is the vendor's incident response plan, and when was it last exercised? What are the contractual breach notification timelines, stated in hours or days, and do they leave you enough time to meet your own obligations (for example, the 72-hour supervisory authority notification under GDPR)? Who is the security contact? How will they communicate during an active incident, and through which channel if their primary systems are down?
Infrastructure security. Where is data hosted, and in which regions? What cloud provider(s)? Are environments isolated between customers (single-tenant vs. multi-tenant), and for multi-tenant services, how is tenant isolation enforced (separate databases, per-tenant encryption keys, or only application-level scoping of queries)? Is there a disaster recovery plan with documented RTOs and RPOs, and when was it last tested?
Compliance risk assessment
Certifications. Which compliance certifications does the vendor hold? SOC 2 Type II, ISO 27001, HITRUST, PCI DSS, FedRAMP? Can these be independently verified or are they self-attested? Request actual reports, not just trust page claims, and read them: check the audit period and report date, the scope (which systems and which trust services criteria are covered), the auditor, and any noted exceptions. ThirdProof's trust page scanner distinguishes between independently verified and vendor-attested certifications across 27 intelligence sources.
Data processing agreements. Is there a DPA in place? Does it address data classification, processing purposes, retention periods, deletion procedures, and subprocessor management? For GDPR-subject data transferred outside the EEA, does the DPA include Standard Contractual Clauses or another valid transfer mechanism?
Regulatory alignment. Does the vendor's compliance program align with your regulatory requirements? Healthcare organizations need vendors that will sign a Business Associate Agreement (BAA) before handling PHI, as HIPAA requires. Financial institutions need vendors meeting OCC/FFIEC third-party risk standards. US federal agencies need FedRAMP-authorized vendors.
Privacy practices. Does the vendor have a published privacy policy? Does it align with the data handling described in sales materials and contracts? Does the vendor collect telemetry, analytics, or usage data beyond what is necessary for service delivery?
Audit rights. Does the contract include right-to-audit provisions? Can you request and review SOC 2 reports, penetration test results, or other security documentation?
Financial risk assessment
Financial stability. Is the vendor financially stable? Publicly traded companies have audited financials available through SEC EDGAR. For private companies, request financial statements, check for recent funding rounds, and review business registration status. ThirdProof checks GLEIF (Legal Entity Identifier), SEC filings, and business registration automatically.
Insurance. Does the vendor carry cyber liability insurance? What are the coverage limits? Is there errors and omissions (E&O) coverage? Insurance coverage indicates both financial protection and underwriter confidence in the vendor's security program.
Business continuity. What happens if the vendor goes bankrupt or is acquired? Are there data escrow provisions? Can you export your data in a standard format? What are the contractual obligations regarding service continuity during transitions?
Pricing stability. Does the contract include rate lock provisions? Are there caps on annual price increases? What happens to your data if you stop paying — is there a grace period?
Operational risk assessment
Service availability. What are the vendor's uptime SLAs? What is the historical uptime track record? Are there public status pages? What are the remedies for SLA violations — credits, termination rights, or neither?
Subprocessor management. Does the vendor publish a subprocessor list? How many subprocessors handle your data? Does the vendor notify you of subprocessor changes? Can you object to new subprocessors?
Change management. How does the vendor handle product updates? Are there breaking changes to APIs? Is there a deprecation policy with adequate notice periods? Can you control update timing for critical systems?
Support and responsiveness. What support tiers are available? What are response time commitments for critical issues? Is there 24/7 support for production incidents? Who is your escalation contact?
Data portability. Can you export your data in standard formats (CSV, JSON, API)? What is the export process? Is there a cost for data export? How long does the vendor retain your data after contract termination?
Reputational risk assessment
Breach history. Has the vendor experienced data breaches? Check the HHS Breach Portal (healthcare), state attorney general breach notifications, and adverse media. A history of breaches does not automatically disqualify a vendor, but it should be documented and factored into your risk assessment.
Sanctions and watchlist screening. Is the vendor or any of its officers on OFAC, EU, or UN sanctions lists? Are there any PEP (Politically Exposed Person) associations? Sanctions exposure creates legal liability for your organization.
Litigation and regulatory actions. Are there pending lawsuits, regulatory investigations, or consent orders involving the vendor? Court filings and regulatory actions are public record — ThirdProof checks these as part of the standard assessment.
Media and reputation. What does recent media coverage reveal about the vendor? Are there reports of data mishandling, employee complaints, executive departures, or customer disputes? Adverse media signals may precede formal regulatory or legal actions.
Ownership and governance. Who owns the vendor? Are there foreign ownership considerations relevant to data sovereignty? Has the vendor been recently acquired, and if so, how might the acquisition affect data handling and service continuity?
Frequently asked questions
How many items should a vendor risk assessment checklist include?
Can I automate this checklist?
How often should I run this checklist for existing vendors?
What should I do if a vendor fails multiple checklist items?