1. Does the vendor have a current SOC 2 Type II report?

Yes No / Not sure

Non-negotiable for anyone handling your data.

2. Do they sign a Data Processing Agreement (DPA)?

Yes No / Not sure

GDPR/CCPA compliance relies on this.

3. Is data encrypted at rest and in transit?

Yes No / Not sure

TLS in transit + AES-256 at rest is table stakes.

4. Are breach notifications contractually required within 72 hours?

Yes No / Not sure

GDPR requirement; asks whether they will tell you fast.

5. Do they have MFA enforced on admin accounts?

Yes No / Not sure

Asks whether YOUR data sits behind their MFA.

6. Is sensitive data stored in the jurisdiction you require?

Yes No / Not sure

EU customers need EU data residency typically.

7. Are sub-processors disclosed and contractually constrained?

Yes No / Not sure

Their vendors are your vendors too.

8. Do they have cyber insurance?

Yes No / Not sure

Signals they take breach risk seriously financially.

9. Is there an incident response plan they will share?

Yes No / Not sure

Reassurance they plan for the bad days.

10. Can you export / delete your data easily?

Yes No / Not sure

Data portability = escape hatch if things go wrong.

11. Are they on any regulator blocklist or in active litigation?

Yes No / Not sure

Google them; check FTC complaints and court records.

12. Have they had a breach in the last 3 years?

Yes No / Not sure

A past breach isn't automatically disqualifying but demands extra care.

Vendor Risk Analyzer