What this template is for
Use these questions when a vendor will process personal data, support production systems, or introduce transfer risk. The goal is not to run a legal review in isolation. The goal is to understand what data the vendor receives, how it is protected, whether the contract supports your obligations, and whether your records need to be updated.
Core questions
Add these questions for higher-risk vendors:
How to use responses
Answers should inform both procurement approval and your RoPA or vendor inventory updates. If the review lives only in an email thread, the organization loses that context later.
Turn responses into a short decision:
- Approved
- Approved with conditions
- More information needed
- Legal or privacy review required
- Rejected or alternative needed
Review evidence to request
Depending on the vendor tier, request:
- DPA or data processing terms
- Subprocessor list
- Security report or certification
- Privacy policy
- Data retention documentation
- Incident notification terms
- Transfer impact documentation or standard contractual clauses where relevant
Update internal records
After approval, update:
- Vendor inventory
- RoPA
- Subprocessor list, if customer-facing
- Data map or system inventory
- Renewal review date
- Security questionnaire answer bank, if buyers ask about the vendor