Operations

Vendor and Processor Checklist

Audience: founders, ops, procurement-adjacent teams · Last reviewed: March 2026

See also: Compliance portal · Official resources · Guides index

If vendors or service providers touch personal data, they are part of your operational privacy picture whether or not the business has formally documented that relationship.

The biggest risk is usually not the existence of vendors. It is that nobody can clearly explain which vendors access what data, why they need it, and what would happen during a request, incident, or workflow change.

Checklist

  1. Build a vendor matrix. Rows = vendors; columns = data categories, processing purposes, lawful role (fiduciary/processor), geography, and criticality.
  2. Validate access scope. Compare contract exhibits to actual SSO roles, API scopes, and exported datasets—shadow access is common.
  3. Subprocessors. Capture onward transfers, change-notification clauses, and whether you must publish names (subprocessor page).
  4. Security & confidentiality baseline. Document minimum technical controls (encryption, logging, MFA) you expect and verify during onboarding.
  5. Incident cooperation. Confirm timelines for breach assistance, data location disclosure, and regulator communication support.
  6. Deletion & return. Define how the vendor deletes or returns personal data on exit; rehearse a termination once a year.
  7. Data location & transfers. Note residency promises versus actual regions; map cross-border transfer posture as India notifications evolve.
  8. Instruction flow. For processors, retain written instructions or ticket trails showing you control purpose changes (processor primer).
  9. DPAs / schedules. Check auditing rights, insurance, liability caps, and whether marketing-friendly “we comply with all laws” language is backed by specifics.
  10. Shadow IT sweep. Hunt for unsanctioned CRMs, chatbots, or AI assistants that ingest customer data without procurement review.
  11. Rights propagation. Tabulate how access, correction, erasure, withdrawal, or grievance requests flow to each vendor, including timeouts.
  12. Renewal trigger. Add vendor privacy review to renewal calendars, not only security scans.
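Items 1, 2, 10 and 11 are easiest to keep honest when the vendor matrix is data you can diff against an access export. The script below is an added example, not part of this checklist, and every vendor name, data category and scope in it is constructed sample data; in practice the observed-access dictionary would be built from your SSO role export or API-scope audit.

```python
# Added example: reconcile the vendor matrix (item 1) against observed access
# (items 2 and 10) and check rights-request routes per vendor (item 11).
# All vendor names, data categories and rights routes are constructed samples.
from dataclasses import dataclass, field


@dataclass
class VendorEntry:
    name: str
    role: str                       # "fiduciary" or "processor"
    data_categories: set            # categories the contract exhibit permits
    rights_routes: set = field(default_factory=set)  # requests the vendor can action


# Constructed vendor matrix (item 1): only these two vendors went through procurement.
VENDOR_MATRIX = {
    "crm-vendor": VendorEntry("crm-vendor", "processor",
                              {"contact", "purchase_history"},
                              {"access", "correction", "erasure"}),
    "support-chat": VendorEntry("support-chat", "processor",
                                {"contact"}, {"access"}),
}

# Constructed observed access, as an SSO role export or API-scope audit would show it.
OBSERVED_ACCESS = {
    "crm-vendor": {"contact", "purchase_history", "payment_card"},
    "support-chat": {"contact", "chat_transcripts"},
    "ai-notetaker": {"chat_transcripts"},  # absent from the matrix: shadow IT (item 10)
}

# Requests every vendor holding personal data must have a documented route for.
REQUIRED_RIGHTS = {"access", "correction", "erasure"}


def find_shadow_access(matrix, observed):
    """Return {vendor: categories accessed but not contracted}.

    A vendor missing from the matrix has no contracted categories, so all of
    its observed access is reported."""
    findings = {}
    for vendor, categories in observed.items():
        contracted = matrix[vendor].data_categories if vendor in matrix else set()
        extra = categories - contracted
        if extra:
            findings[vendor] = extra
    return findings


def find_rights_gaps(matrix, required=REQUIRED_RIGHTS):
    """Return {vendor: required requests with no documented route to that vendor}."""
    return {name: required - entry.rights_routes
            for name, entry in matrix.items() if required - entry.rights_routes}
```

Run both functions at every renewal (item 12), not only at onboarding; a non-empty result is the input to the contract or access-scope conversation, not the end of the review.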

Common blind spots

What a good review produces

A good vendor review leaves the team with a clearer inventory, better ownership, and a more defensible answer to simple questions like: who can see this data, what are they doing with it, and what happens when the user or workflow changes?