Vendor Risk Assessment
Contract Clauses
Align security exhibits and DPAs with vendor risk tier so legal negotiations stay proportional and audit-ready.
Security addendum essentials
- Breach notification timelines and required detail.
- Access control expectations (SSO, MFA, logging).
- Change management and incident response contacts.
- Right to request evidence by tier (SOC, pentest, diagrams).
Data Processing Agreement (if PII/PHI)
- Lawful basis, purpose limitation, and data minimization.
- Subprocessor approval and notification requirements.
- Data residency/transfer terms and encryption standards.
- Retention and deletion SLAs, including backups.
For high-risk vendors
- Audit/assessment rights scoped to security and privacy controls.
- Penetration test or independent assessment cadence.
- Business continuity and disaster recovery testing expectations.
- Stronger liability caps or carve-outs tied to data sensitivity.
Negotiation tips
- Scale requests to the tier; avoid slowing low-risk deals with heavy exhibits.
- Accept equivalent evidence (e.g., ISO + bridge letter) when SOC timing is tight.
- Clarify who must approve subprocessor additions and how notice is delivered.
