Key Security Questions Every Vendor Needs to Answer

Selecting the right vendors is a critical decision for any organization, but the risks multiply when that vendor will have access to your sensitive data or systems. In today’s landscape of increasing cyber threats and data breaches, a thorough security assessment isn’t just a best practice—it’s essential risk management.

This guide walks you through the key security questions that can prevent costly mistakes and protect your organization’s data integrity. By systematically evaluating vendors using these criteria, you’ll not only reduce security risks but also identify partners who share your commitment to data protection and privacy.

Before you start, consider who will need to be part of the decision-making team that reviews these assessments and ultimately decides whether your organization will move forward with a vendor. Security concerns are often balanced against business utility and needs, so aligning ahead of time about which security items are required for your organization and for the specific project the vendor is working on can be a useful exercise.

Note that if a vendor is not hosting your data on their servers, or if they are not using a custom developed software product, some of these questions will not be relevant.

1. About the Vendor

Is the Vendor a US-Based Corporation?

Depending on where the vendor is incorporated, they will be required to comply with different cybersecurity and privacy standards. If the company is not based in the US, you want to make sure they are incorporated in a locality with stricter security and privacy standards, not looser ones (or none at all). 

For sensitive political data, we recommend choosing US-based corporations only.

2. How Will the Vendor Handle Our Organization’s Data?

Where will our user data be hosted?

This question tells you what kind of system will house your data. Ideally, the company will be using a secure cloud server, but you want to know if they are using dedicated servers, on-premises servers, etc.

Decide ahead of time whether there are any locations that would be required, or alternatively any locations that would be off-limits. We recommend that sensitive political data be hosted in the US.

If the Vendor uses AWS, GCP, or Azure for hosting your user data, what zone will it be hosted in?

This tells you the physical location where your data is hosted. As noted above, sensitive political data should be hosted in the US.

Occasionally, only one zone of these cloud platforms will experience issues, and it’s nice to know where your data is hosted in those cases. 

Are there any scenarios where your data will leave the US (via third-party vendors, etc.)?

Figuring out what third-party companies the vendor will share your data with is important to being able to determine data security. We particularly highlight data leaving the US because of our recommendation that sensitive political data stay within the United States.

Upon cancellation, how long will data be stored in their systems before it is fully purged (including purged from their backup systems)?

Ideally, data is purged right away after deletion. You should be able to control your data footprint, and if the vendor can delete your data quickly, that is a good sign that they manage your data well. 

Depending on your company’s data retention policies, being unable to delete your own data could disqualify a vendor. 

Is there a way to delete your data without deleting your entire account?

If you would like to implement a retention policy for data housed in this vendor’s system, knowing that you can truly delete data from their platform is important. 

Depending on your company’s data retention policies, being unable to delete your own data could disqualify a vendor.

Is there a Data Loss Prevention system in place for client data?

While you want to guarantee that you can delete data, you also want to ensure that data is not accidentally deleted or lost forever. The vendor should have a data loss prevention system, which can include cloud or offline backups as well as monitoring alerts for activities like mass deletions. 

3. Vendor Product Security Features

Does their system support 2-factor authentication for our user accounts? What methods of 2FA are supported?

Supporting 2-factor authentication (2FA) is a critical account security minimum. Ideally the platform should support authenticator apps and/or security keys, not just SMS 2FA. 

4. Vendor IT security practices

Does the vendor have any independent Information Security Management certifications? 

If so, are they able to share a copy of these results? Examples include SOC2 Type 2, ISO27110, etc. 

SOC2 and ISO27110 are two very common cybersecurity standards. If a company has achieved compliance with one of these standards, it indicates that they have dedicated significant resources towards security compliance. They should be able to provide a public-facing report proving their compliance. 

For Personified, this is a minimum requirement if a vendor would be hosting data on their own infrastructure. 

Does the vendor comply with all legal and regulatory requirements they are subject to (e.g., HIPAA, SOX, PCI)?

You can adjust this question depending on relevant compliance and regulatory requirements that you or the vendor need to comply with. 

Does their organization maintain an Information Security Policy? 

Is this policy approved by leadership and reviewed annually? Does this apply to both contractors and employees?

Digital security policies should apply to anyone who might interact with your data through this vendor, including contractors. Leadership should be invested in this policy and review it regularly. 

How does the vendor describe its Access Control policy for its IT systems? 

The items listed here are minimum security requirements to be able to work with a vendor. Make sure you have answers to the following: 

  • Is access to IT systems regularly reviewed? 
  • Is there a password policy? 
  • Is 2-factor authentication enforced on all systems containing customer data? If so, which methods are approved?

Does the vendor have controls in place to limit access to data to only that which is necessary to perform job functions?

This question checks for the vendor’s compliance with the principle of least privilege: each person should have the minimum permissions and access necessary to do their job. This ensures that as few people as possible have access to your company’s data. 

Principle of least privilege is a foundational digital security concept that the vendor should be familiar with. 

What are the vendor’s internal system hardening standards?

Sometimes vendors will not be able to perform penetration tests because they use infrastructure owned by other vendors. If they cannot do a full penetration test, they should conduct vulnerability assessments or audits. Ideally, a results document should be available to share with you.

The vendor should be able to answer “yes” to the following. These are the minimum security requirements you should have to be able to work with any vendor.

  • Is full-disk encryption enforced on all workstations? 
  • Is customer data encrypted in transit and at rest? 
  • Are external vulnerability tests performed? 

Is a formal risk assessment performed annually?

Are identified risks remediated? Are there employees or an internal team dedicated to remediating these risks?

This question may overlap with the one about external vulnerability tests, but it gets at internal review processes rather than just external or third-party audits.

Are the vendor’s technology assets inventoried and tracked?

Making sure that the vendor’s staff use tracked, managed devices is an important insight into their security practices.

Are assets protected with EDR (anti-malware) software?

If one of the vendor’s devices is compromised, anti-malware/EDR software would notify them and prompt the beginning of an incident response plan. Without EDR, there may be malware on a laptop that could compromise your data despite the vendor’s account security procedures.

Does the organization maintain a Business Continuity Plan that fulfills contractual obligations to their clients? 

Is this BCP tested annually? A Business Continuity Plan ensures that the vendor can still communicate with you (and ideally that their product continues to operate for you) even in cases of incidents, including security incidents, natural disasters, and other disruptions. 

Is there a documented and annually reviewed Incident Management Policy? 

If there are incidents impacting your organization, will they be communicated to you within 24 hours of the incident?

An Incident Response Plan specifically addresses security incidents. Open and clear communication about security incidents is essential. Having an incident response plan or incident management policy is critical. 

Has the company/organization had a data breach in the past 5 years?

The biggest predictor of a future breach is a past breach. However, if the vendor was breached in the last 5 years, pay attention to their response. Many companies are breached, but few respond well. If a company responded well, protected their users, and shared openly about their improvements to prevent a breach from happening again, then a past breach shouldn’t rule out working with them.

5. Vendor Operational Security Practices

How does the vendor describe their HR security measures?

Are background checks performed on employees? Are employees required to sign an NDA? Are sufficient processes around offboarding in place to ensure client security and continuity?

All companies should have HR processes in place to protect against insider threats. Ideally, employees should be invested in protecting your data. Background checks, NDAs, and strong offboarding procedures play a role in data security along with strong access controls and the principle of least privilege. 

What is the vendor’s change management policy? 

A defined change management process means that all employees are educated about and compliant with changes, including those related to security or privacy policies.

What is the vendor’s Physical Security Plan?

If the organization has an office or has physical servers, you want to ensure those are protected.

Make Vendor Selection a Security Priority 

Putting any vendor through this questionnaire and getting the answers you need is absolutely critical to ensuring your organization’s ongoing security. Personified understands the specific challenges and risks associated with nonprofit cybersecurity. Learn more about how we can help you to start securing your organization.