Vendor Contract Checklist

Don’t forget to include a review of your contracts with vendors when reviewing your own security compliance. Here is the short version of my checklist for vendor contracts:

  • Confidential Information – How can the vendor use confidential information?
  • Safeguarding Information – Do you require the vendor to meet specific standards, have specific controls, keep data within the borders of the U.S.?
  • Oversight – Who audits the vendor, and when?
  • Data Breach Procedures – How, and how quickly, must the vendor notify you of a breach involving your data?
  • Compelled Disclosures – Must the vendor notify you of subpoenas and similar demands in time for you to mount a legal response?
  • Termination Procedures – What do they do with information when the contract ends?
  • Subcontractors – Are subcontractors of the vendor required to meet the same standards?
  • Employee training – Are the vendor’s employees who handle your information trained on these obligations?
  • Insurance and Indemnity requirements – What coverage must the vendor carry, and what will they indemnify you for?
  • Definitions – Do you have definitions that match your requirements? For example, does your insurance definition of breach match your contract definition?