GDPR vendor review questions for SaaS teams

A practical set of privacy-focused questions to ask subprocessors before approving them.

By Maria Rodriguez

Data Privacy & Legal Compliance Writer

What this template is for

Use these questions when a vendor will process personal data, support production systems, or introduce transfer risk. The goal is not to run a legal review in isolation. The goal is to understand what data the vendor receives, how it is protected, whether the contract supports your obligations, and whether your records need to be updated.

Core questions

  • What categories of personal data will you process for us?
  • In which regions will that data be stored or accessed?
  • Which subprocessors support this service?
  • What retention and deletion controls are available?
  • How are security incidents communicated to customers?
  • Can you support data subject request workflows if needed?

Add these questions for higher-risk vendors:

  • What security certifications or audit reports are available?
  • How do you restrict employee access to customer data?
  • Do you use customer data for product analytics, model training, or benchmarking?
  • How do you notify customers about subprocessor changes?
  • What technical controls protect data in transit and at rest?
  • Can customer data be exported or deleted on request?
  • What is your backup retention period?
  • What contractual terms govern international transfers?
  • Who is the privacy or security contact for escalations?

How to use responses

Answers should inform both procurement approval and your RoPA or vendor inventory updates. If the review ends in an email thread, the organization loses that context later.

Turn responses into a short decision:

  • Approved
  • Approved with conditions
  • More information needed
  • Legal or privacy review required
  • Rejected or alternative needed

For conditions, record the owner and due date. For example, a vendor may be approved only after a DPA is signed, a region setting is configured, or a subprocessor list is reviewed.

Review evidence to request

Depending on the vendor tier, request:

  • DPA or data processing terms
  • Subprocessor list
  • Security report or certification
  • Privacy policy
  • Data retention documentation
  • Incident notification terms
  • Transfer impact documentation or standard contractual clauses where relevant

Do not ask for every artifact from every vendor. Match the evidence request to the sensitivity of the data and the role the vendor plays.

Update internal records

After approval, update:

  • Vendor inventory
  • RoPA
  • Subprocessor list, if customer-facing
  • Data map or system inventory
  • Renewal review date
  • Security questionnaire answer bank, if buyers ask about the vendor

This keeps privacy review connected to ongoing operations instead of becoming a one-time procurement checkpoint.
