Vendor Assessment Checklist Template
Vendor evaluation: security, privacy, business viability, risk summary, and approval.
| Field | Details |
|---|---|
| Vendor | Company name |
| Service | What we're buying |
| Business Owner | Internal person requesting this vendor |
| Assessor | |
| Date | |
| Next Review | |
| Overall Risk | Medium |

What We're Buying & Why

What does this vendor do for us, and what happens if they disappear tomorrow?

| Question | Answer |
|---|---|
| What service/product? | |
| Why this vendor over alternatives? | |
| What data do they access or store? | PII, financial, health, proprietary, none |
| How critical is this vendor? | Can we operate without them for a day? A week? Ever? |
| Contract value | $XX,XXX / year |

Security

| Control | Status | Evidence | Notes |
|---|---|---|---|
| SOC 2 Type II or equivalent certification | Yes | Link to report | |
| Data encrypted at rest and in transit | Yes | | |
| Access controls and least privilege | Yes | | |
| Incident response plan | Yes | | |
| Regular penetration testing | Review | How often? By whom? | |
| Data retention and deletion policy | Yes | | |
| Sub-processor disclosure | Yes | Where is data processed? | |

Compliance & Privacy

| Item | Status | Notes |
|---|---|---|
| GDPR / privacy compliance | Yes | |
| DPA available and reviewed | Yes | Link to DPA review |
| Data processing locations | Countries | |
| Industry-specific compliance (HIPAA, PCI, etc.) | N/A | |

Business Viability

| Factor | Assessment | Notes |
|---|---|---|
| Financial stability | Stable | Public company / funded startup / profitable? |
| Customer base | How many customers? Any similar to us? | |
| Support quality | Response times, dedicated account manager? | |
| Lock-in risk | Low | Can we export our data? Open standards? Migration path? |

Risk Summary

| Category | Risk Level | Key Concern |
|---|---|---|
| Security | Low | |
| Privacy / data protection | Medium | |
| Business continuity | Low | |
| Financial / vendor viability | Low | |
| Overall | Medium | |

Recommendation

| Question | Answer |
|---|---|
| Approve this vendor? | Yes / Yes with conditions / No |
| Conditions (if any) | Specific items that must be resolved before onboarding |
| Ongoing monitoring | What we'll check at the next review |

Approval

| Role | Name | Decision | Date |
|---|---|---|---|
| Assessor | | Recommends | |
| Business owner | | Pending | |
| Security / IT | | Pending | |
| Legal | | Pending | |