Supplier Risk Assessment

Vendor details

Information security

Contractual agreements

Data retention

UK GDPR

Evaluation

Vendor details

Vendor name

Date services commenced

Date services due to expire

Date last review performed

Reviewer

Nature of service

Key criteria for selection

Business criticality level

Rationale:

Type of information shared

1

Customer personal data
2

Sensitive staff personal data
3

Basic staff personal data
4

Sensitive commercial information
5

Third-party personal data

Information security

Relevant information security links:

Does the vendor have any of the following accreditations?

1

ISO 27001
2

ISO 27018
3

SOC 1 / ISAE 3402
4

SOC 2
5

SOC 3
6

Other relevant accreditation/s

If selected 'Other relevant accreditation' above, please list below:

What encryption methods are used by the vendor for data at rest?

1

AES-256
2

AES-192
3

AES-128
4

Other
5

None

Notes

What encryption methods are used by the vendor for data in transit?

1

TLS 1.3
2

TLS 1.2
3

TLS 1.1
4

TLS 1.0
5

Managed SSL certificates
6

IPSec tunnels
7

Istio
8

Other
9

None

Notes

Contractual agreements

What agreements does Yobota have in place to provide safeguards around the transfer of information between parties?

1

NDA
2

Contractual agreement with IP / Confidentiality clauses
3

Data Processing Addendum
4

Standard Contractual Clauses
5

General Terms of Business

All agreements should be saved down in the 'Management' Team Drive within the associated 'Suppliers' folder

In the opinion of the reviewer, is there adequate cover in place within the agreements to protect Yobota based upon the type of information that is being transferred?

Rationale:

Data retention

How long does the vendor retain Yobota's information for?

What is the basis for retaining Yobota's data for that period of time?

What is the process for returning / erasing the data at the end of the retention period?

Evaluation

Based on the risk assessment performed, vendors controls around Yobota's information has been determined as:

Rationale:

Follow-up actions required:

1

Due Diligence Questionnaire
2

GDPR Statement
3

NDA
4

Confidentiality Clauses
5

Data Processing Addendum
6

Standard Contractual Clauses

Notes

Browse all templates Edit in Process Street

Stay updated—subscribe to our blog!

More templates like this

Payroll Processing – User Guide

PROCEDURE PAYROLL PROCESSING-TSHEETS &QB-Payroll Processing

How to Build a Process from Resources (Copy)

2. Entrega de proyecto

12 Month Maintenance Schedule

Resource Based Economy Transition Team Support

View all Uncategorized templates