Valydex
Vendor Security Assessment Checklist
Privacy-first vendor due diligence for SMB procurement teams
Vendor Information & Data Flow
Page 1
Valydex · 2026
Purpose
Use this checklist before approving security vendors and tools. Defer procurement if vendors cannot provide precise, documented answers.
Vendor Information
Vendor Name
Product/Service
Assessment Date
Assessed By
Risk Rating
Low / Medium / High
Approval Decision
Approved / Conditional / Rejected
Next Review Date
Quick Risk Rating
Check all that apply before detailed review
  • Handles regulated data (PII, PHI, financial)
  • Requires admin/privileged access
  • Processes customer data
  • Stores data outside approved regions
  • Involves AI/ML data processing
Data Flow & Scope Validation
  • Vendor has provided a current data flow diagram showing collection points, processing systems, storage locations, and outbound transfers
  • Field-level export of all collected data elements (including optional telemetry) has been reviewed
  • Data scope is clearly documented and limited to operational requirements
  • Personal data categories (PII, financial, health, etc.) are explicitly listed
Source: valydex.com/guides/privacy-first-cybersecurity-guide
For internal use only · Not for distribution
Storage, Access, & Security Controls
Storage & Retention Requirements
  • Primary data processing location is documented (country/region)
  • Data storage locations are documented (cloud provider, region)
  • Data retention policy is clearly defined with specific timeframes
  • Retention periods can be shortened contractually if needed
  • Data deletion procedures are documented and executable without support escalation
Access Controls & Security Posture
  • Privileged vendor access is logged and limited to specific roles
  • Vendor holds a current SOC 2 Type II report or ISO/IEC 27001 certificate (issued within the last 12 months) whose scope covers the product or service being assessed
  • Audit reports and compliance attestations are available for review
  • Subprocessors are disclosed with names, locations, and data access scope
  • Subprocessor change notification process is documented and contractually binding
Incident Response & AI Governance
Incident Response & Breach Procedures
  • Breach notification window is defined in contract (recommended: within 72 hours, and shorter where possible, since the customer's own GDPR Article 33 notification to the supervisory authority is due within 72 hours of the customer becoming aware)
  • Vendor has documented incident response procedures
  • Breach cooperation obligations include forensics support and customer notification assistance
  • Recent security incidents (last 24 months) have been disclosed and remediated
AI Model Training & Data Use Restrictions
Critical for vendors offering AI-powered features or analytics
  • Vendor has confirmed whether customer data is used for model training
  • AI training data use is disabled by default (opt-in only)
  • Customer prompts, logs, and metadata are excluded from training datasets
  • Data use limitations prohibit secondary commercial reuse without explicit approval
  • Vendor provides transparency report on AI/ML processing activities
Contractual Requirements & Escalation
Contract & Legal Requirements
  • Right to audit or receive independent third-party assurance artifacts is included
  • Data processing agreement (DPA) is signed and aligns with GDPR Article 28 requirements
  • Service level agreements (SLAs) for security controls are clearly defined
  • Termination and data return procedures are documented with specific timelines
  • Liability and indemnification terms cover data breach scenarios
Escalation Criteria & Required Actions
If any of these criteria are met, follow the escalation action before approval
Criteria | Required Action
Vendor cannot provide data flow diagram | Defer procurement until available
Data stored outside approved regions | Escalate to Legal/Compliance
No SOC 2 Type II report or ISO 27001 certificate within last 12 months | Request compensating controls or defer
Breach notification window > 72 hours | Negotiate contractual amendment
Customer data used for AI training by default | Require contractual confirmation that training on customer data is disabled unless explicitly opted in
Subprocessors undisclosed or undefined | Reject until disclosure provided