Why vendor risk management matters for SaaS
Your security posture is only as strong as your weakest vendor. For SaaS companies, a third-party breach is not just an operational problem; it can be a regulatory one too. Under GDPR Article 28, you (the controller) may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, and responsibility for the data stays with you. Under SOC 2 CC9.2, assessing and managing the risks associated with vendors and business partners is part of the Trust Services Criteria. And when an enterprise buyer does due diligence on your product, one of the first questions will be: "How do you manage your vendors?"
This guide walks you through a practical vendor risk management (VRM) process you can implement without a dedicated security team.
Step 1: Build your vendor inventory
You cannot manage what you cannot see. Start by listing every third-party tool your company uses — not just obvious ones like AWS and Stripe, but also:
- Customer support platforms (Intercom, Zendesk, Freshdesk)
- Error tracking and monitoring (Sentry, Datadog, New Relic)
- AI / ML APIs (OpenAI, Anthropic, Cohere)
- Analytics (Mixpanel, Amplitude, PostHog)
- Authentication (Auth0, Clerk, Cognito)
- Email delivery (SendGrid, Postmark, Resend)
- CRM and sales tools (HubSpot, Salesforce, Pipedrive)
- HR and payroll systems (Personio, Deel, Rippling)
- Productivity tools (Google Workspace, Notion, Slack)
For each vendor, document: what data they access, what service they provide, which team owns the relationship, contract/renewal date, and whether a Data Processing Agreement (DPA) is in place.
Step 2: Tier your vendors by risk
Not every vendor deserves the same level of scrutiny. A tiering model lets you focus your effort where it matters most.
| Tier | Definition | Examples | Assessment Depth |
|---|---|---|---|
| Critical | Core infrastructure; processes PHI, financial data, or large volumes of personal data | AWS/GCP/Azure, Stripe, primary database, auth provider | Full questionnaire + SOC 2 report + DPA required |
| High | Processes personal data; customer-facing; significant operational dependency | Intercom, SendGrid, Sentry, Datadog, OpenAI | Security questionnaire + DPA required |
| Medium | Limited personal data; internal tools; no direct customer data access | HubSpot (internal CRM), Notion, Linear, Figma | Self-attestation questionnaire + DPA if personal data |
| Low | No personal data; operational/productivity tools | Canva, Loom, Calendly (no customer data) | Standard contract review; no formal assessment |
Assign each vendor a tier based on the data they touch and their operational criticality. A simple formula: Risk Tier = Data Sensitivity × Operational Dependency, with each factor scored on a short scale. One caveat: a product under-tiers a vendor that is easy to replace but holds highly sensitive data, so let data sensitivity override upward (a niche tool that receives PHI is Critical however small your dependency on it).
Step 3: Send a security questionnaire
For Critical and High tier vendors, send a security questionnaire before onboarding. This does three things: it surfaces hidden risks, creates a paper trail for auditors, and signals to the vendor that you take security seriously.
A good vendor security questionnaire covers:
- Information security controls — Do they have a documented security policy? Who owns security?
- Access control — Is MFA enforced? Do they use the principle of least privilege? How is offboarding handled?
- Encryption — What encryption is used at rest and in transit? What key management approach?
- Business continuity — What are their RTO/RPO commitments? When did they last test their DR plan?
- Incident response — How quickly will they notify you of a breach? Do they have a 24/7 security contact?
- Sub-processors — Do they publish a sub-processor list? How do they notify you of changes?
- Compliance certifications — SOC 2 Type 2? ISO 27001? When was the last pen test?
- Legal — Will they sign your DPA? What is their data deletion timeline on contract termination?
Use ComplyKit's Vendor Risk Assessment Generator to create a tailored questionnaire in minutes — configurable by risk tier and data category.
Step 4: Review responses and evidence
Questionnaire responses without evidence are just self-attestation. For Critical tier vendors, require supporting documentation:
- SOC 2 Type 2 report — ask for the full report (under NDA) or at minimum the executive summary with the independent auditor's opinion. Check the report period and which Trust Services Criteria are in scope, read the testing exceptions and the complementary user entity controls (the things the vendor expects you to do), and ask for a bridge letter if the period ended more than a few months ago
- ISO 27001 certificate — verify that the certificate's scope statement covers the service and locations you use, that it has not expired, and that it was issued by an accredited certification body
- Pen test executive summary — should be less than 12 months old; check that the scope covered the product you use and that critical/high findings have been remediated or have a dated remediation plan
- DPA / BAA — execute before any personal data flows to the vendor
- Sub-processor list — verify the vendor publishes this publicly or will provide it on request
For vendors that cannot provide any of these, require a remediation plan with a timeline before full onboarding, limit what data they receive in the meantime, or escalate the risk acceptance decision to your CISO or board and record the accepted risk in writing.
Step 5: Execute the right contracts
Security questionnaires are operational. Contracts are legal. Both are required.
- Data Processing Agreement (DPA) — mandatory under GDPR Art. 28(3) for any processor handling personal data of individuals in the EU/EEA. Your GDPR DPA should cover: processing purposes and duration, technical and organisational measures, sub-processor obligations, breach notification timeline, data deletion or return on termination, and audit rights.
- HIPAA Business Associate Agreement (BAA) — mandatory if you are a HIPAA covered entity or business associate and the vendor creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf. See our HIPAA BAA Generator.
- NDA — required before sharing your security questionnaire responses or reviewing the vendor's SOC 2 report. Use our NDA Generator.
- SLA — ensure uptime commitments, support response times, and incident notification obligations are contractually binding, not just marketing copy.
Step 6: Ongoing monitoring
Vendor risk is not a one-time check. Establish a monitoring cycle:
- Annual re-assessment — for Critical and High tier vendors, repeat the full questionnaire annually or after any major security incident
- Certification expiry tracking — track SOC 2 report dates and ISO 27001 certificate expiry; require updated reports as they become available
- Sub-processor change notifications — GDPR Art. 28(2) requires the vendor to inform you of intended sub-processor changes and give you the opportunity to object; the notice period itself is contractual, so make sure your DPA sets one (30 days in advance is common)
- Security news monitoring — subscribe to vendor security bulletins; set up Google Alerts for "[vendor name] breach" or "[vendor name] vulnerability"
- Contract renewal review — at each renewal, verify DPA terms are still current and request updated evidence documents
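As an added example covering Steps 1 through 6 (not part of the original guide and not ComplyKit's tooling), the script below keeps the Step 1 inventory as records, applies the Step 2 product formula with the PHI override, turns Steps 3 to 5 into an onboarding gate that lists what is missing, and runs the Step 6 refresh check. The numeric scales, the 365-day thresholds, the evidence labels, and the vendors and dates are constructed assumptions.

```python
"""Vendor risk register covering Steps 1-6: inventory, tiering, onboarding gate,
monitoring. Added example; the scoring scales, thresholds, evidence names and the
sample vendors are constructed assumptions, not ComplyKit tooling."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Data sensitivity 1-4 (assumed): 1 none, 2 limited internal personal data,
# 3 customer personal data, 4 PHI / financial / bulk personal data.
# Operational dependency 1-3: 1 replaceable in days, 2 significant, 3 core.
TIER_THRESHOLDS = [(9, "Critical"), (6, "High"), (3, "Medium"), (0, "Low")]
# Evidence each tier needs before onboarding; DPA/BAA are gated on data type.
REQUIRED_EVIDENCE = {"Critical": {"questionnaire", "soc2_type2"},
                     "High": {"questionnaire"}, "Medium": {"self_attestation"},
                     "Low": set()}
PENTEST_MAX_AGE = timedelta(days=365)   # Step 4: summary under 12 months old
REFRESH_CYCLE = timedelta(days=365)     # Step 6: annual re-assessment


@dataclass
class Vendor:  # the Step 1 inventory record
    name: str
    owner: str
    data_sensitivity: int
    operational_dependency: int
    processes_personal_data: bool
    processes_phi: bool = False
    renewal_date: Optional[date] = None
    evidence: Dict[str, date] = field(default_factory=dict)  # kind -> date issued


def tier(v: Vendor) -> str:
    score = v.data_sensitivity * v.operational_dependency
    t = next(name for threshold, name in TIER_THRESHOLDS if score >= threshold)
    # The product under-tiers a replaceable vendor that holds highly sensitive
    # data, so sensitivity alone forces Critical (the table's PHI rule).
    return "Critical" if v.data_sensitivity == 4 else t


def onboarding_gate(v: Vendor, today: date) -> List[str]:
    """Steps 3-5 as a gate: returns blocking findings; empty means cleared."""
    t = tier(v)
    findings = []
    for kind in sorted(REQUIRED_EVIDENCE[t] - set(v.evidence)):
        msg = f"{t} tier requires {kind}"
        if kind == "soc2_type2" and "soc2_type1" in v.evidence:
            msg += " (Type 1 on file is not a substitute)"
        findings.append(msg)
    if v.processes_personal_data and "dpa" not in v.evidence:
        findings.append("personal data flows without a DPA")
    if v.processes_phi and "baa" not in v.evidence:
        findings.append("PHI flows without a BAA")
    if t in ("Critical", "High"):
        pentest = v.evidence.get("pentest")
        if pentest is None:
            findings.append("no pen test summary on file")
        elif today - pentest > PENTEST_MAX_AGE:
            findings.append("pen test summary older than 12 months")
    return findings


def monitoring_due(vendors: List[Vendor], today: date,
                   horizon_days: int = 60) -> List[Tuple[str, str]]:
    """Step 6: Critical/High evidence due for refresh and renewals in the horizon."""
    horizon = timedelta(days=horizon_days)
    due = []
    for v in vendors:
        if tier(v) not in ("Critical", "High"):
            continue
        for kind, issued in sorted(v.evidence.items()):
            if kind in ("dpa", "baa"):
                continue  # contracts are reviewed at renewal instead
            if issued + REFRESH_CYCLE - today <= horizon:
                due.append((v.name, f"refresh {kind}"))
        if v.renewal_date and v.renewal_date - today <= horizon:
            due.append((v.name, "renewal review: re-check DPA, request updated evidence"))
    return due


# Constructed sample inventory; names, scores and dates are illustrative.
TODAY = date(2025, 3, 1)
VENDORS = [
    Vendor("Cloud host", "platform", 4, 3, True, renewal_date=date(2025, 4, 15),
           evidence={"questionnaire": date(2024, 4, 20), "soc2_type2": date(2024, 6, 30),
                     "dpa": date(2024, 4, 1), "pentest": date(2024, 9, 1)}),
    Vendor("Support desk", "support", 3, 2, True,
           evidence={"questionnaire": date(2025, 1, 10), "pentest": date(2023, 12, 1)}),
    Vendor("Design tool", "product", 2, 2, False),
    Vendor("Transcription API", "clinical", 4, 1, True, processes_phi=True,
           evidence={"questionnaire": date(2025, 2, 1), "dpa": date(2025, 2, 1),
                     "soc2_type1": date(2024, 11, 1), "pentest": date(2025, 1, 15)}),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name}: {tier(v)} -> {onboarding_gate(v, TODAY) or 'cleared'}")
    for name, action in monitoring_due(VENDORS, TODAY):
        print(f"due: {name}: {action}")
```

Run it directly to print each vendor's tier, its blocking findings, and the items due in the next 60 days. The transcription vendor shows why the override matters: a 4 × 1 score would land it in Medium, but because it receives PHI it is held to the Critical evidence list and blocked until a BAA and a Type 2 report are on file. In practice the register lives in a spreadsheet or ticketing system and the gate runs when procurement opens a new vendor request.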
Common vendor risk management mistakes
- Onboarding first, assessing later — the questionnaire should gate access, not follow it. Once a vendor has access to customer data, leverage is lost.
- Treating all vendors equally — low-tier operational tools don't need the same rigor as your database provider. Tiering saves time without sacrificing coverage.
- Accepting SOC 2 Type 1 as equivalent to Type 2 — Type 1 is an opinion on control design at a point in time. Type 2 tests whether the controls operated effectively over an observation period (commonly 6 to 12 months). For Critical vendors, require Type 2.
- Onboarding without a DPA — many small SaaS vendors don't proactively offer DPAs. Ask. If they refuse to sign one, that is a red flag for GDPR compliance, and personal data should not flow to them until one is in place.
- Forgetting about AI sub-processors — if your vendor uses OpenAI, Anthropic, or another AI API, your customer data may be passing through that provider. Require the vendor to list it as a sub-processor, and confirm in writing whether the provider retains the data or uses it for training and that the vendor's terms with that provider cover your use case.
What enterprise buyers expect to see
When you go upmarket, your customers will conduct vendor risk assessments on you. The best preparation is running a rigorous VRM process yourself — it forces you to have the answers ready. Enterprise buyers typically ask:
- Do you have a formal vendor risk management policy?
- How do you assess your critical sub-processors?
- Do you have DPAs with all vendors processing personal data?
- Can you provide your sub-processor list?
- What is your vendor notification and approval process for sub-processor changes?
Having documented answers — ideally backed by your own completed vendor questionnaire process — significantly accelerates enterprise sales cycles.
Build your vendor risk stack with ComplyKit
ComplyKit's free generators cover the document side of vendor risk management:
- Vendor Risk Assessment Questionnaire Generator — configurable by risk tier, data category, and compliance framework
- GDPR DPA Generator — send to any vendor processing EU personal data
- HIPAA BAA Generator — for US healthcare vendors
- NDA Generator — before sharing sensitive security information with vendors
- Sub-Processor List Generator — publish your own sub-processor list to help your customers do their vendor due diligence on you
- Information Security Policy Generator — the policy framework that governs your entire vendor risk programme