Vendor Risk Assessment — Template
Use this template for every new sub-processor before production data touches them, and re-run annually.
1. Vendor identity
- Name:
- Website / product:
- Service provided to EcoService Pro:
- Data classes shared: ☐ Public ☐ Internal ☐ Confidential (PII) ☐ Restricted (secrets)
- Data residency:
- Sub-processor list URL:
2. Contract & legal
- ☐ Master Services Agreement / ToS on file
- ☐ Data Processing Agreement (DPA) signed
- ☐ Standard Contractual Clauses (SCCs) if EU/UK data leaves EEA
- ☐ Business Associate Agreement (if PHI — N/A for EcoService Pro today)
- Renewal date:
3. Security posture
- ☐ SOC 2 Type II report reviewed (date: )
- ☐ ISO 27001 certificate reviewed
- ☐ PCI DSS AoC (if payments)
- ☐ Public security page / trust portal URL:
- ☐ Encryption at rest (algorithm):
- ☐ Encryption in transit (TLS version):
- ☐ MFA available and enforced on our tenant
- ☐ Audit log / access log accessible to us
4. Operational
- Uptime SLA:
- Historical uptime (last 12 mo):
- Incident notification SLA:
- Support tier & response time:
- Data export / portability:
5. Data lifecycle
- What we send:
- What we retrieve:
- Retention on vendor side:
- Deletion process on termination:
6. Risk scoring (reuse register: L × I)
| Aspect | L | I | Score | | --- | :-: | :-: | :-: | | Data exposure | | | | | Availability | | | | | Lock-in | | | | | Compliance | | | | | Overall | | | |
7. Decision
☐ Approved ☐ Approved with compensating control ☐ Rejected
- Compensating controls:
- Reviewer:
- Approver (CEO / Security Lead):
- Approval date:
- Next review date:
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.