Vendor/Supplier Security Questionnaire – Document Builder 👷♂️ Please enable JavaScript in your browser to complete this form.Please enable JavaScript in your browser to complete this form.Generator Prompt 🌍 Jurisdiction & Basics Country, language, and the governing region for this questionnaire. Country *Select your countryUnited StatesAustraliaBrazilCanadaChinaFranceGermanyIndiaItalyJapanMexicoNetherlandsNew ZealandNigeriaRussiaSingaporeSouth AfricaSouth KoreaSpainUnited Arab EmiratesUnited KingdomLanguage of the completed document *Select languageEnglishAfrikaansArabicDutchFrenchGermanHindiItalianJapaneseKoreanMandarin ChineseRussianSpanishZuluGoverning State/Province/Region *E.g., California, Gauteng, OntarioVendor Legal Name / Company *Primary Contact Email *Primary Contact Name *Primary Contact Title/RoleQuestionnaire Date *DateTimeDocument TypeSource URL 🏢 Vendor Overview Basic company details, services provided, and delivery model. Business Registration / Company NumberTax/VAT Number (if applicable)Head Office Address *Countries/Regions Where Services Are DeliveredList countries/regions where systems or staff operate.Service Type *SelectSaaS / Cloud softwareProfessional services / ConsultingManaged servicesHosting / InfrastructurePayment/Financial servicesOtherIf 'Other', describeDelivery Model *SelectVendor-hosted (multi-tenant)Vendor-hosted (single-tenant)Customer-hosted / On-premHybridService Description / Scope *Briefly describe what you provide and what systems/processes are in scope. 🔐 Data Handling & Privacy Personal data, sensitive data, retention, and privacy obligations. Will you process personal data on behalf of the customer? *NoYesPersonal Data Categories (select all that apply)Identification data (name, ID, address)Contact data (email, phone)Account/login dataFinancial/payment dataUsage/analytics dataEmployee/HR dataChildren’s dataSpecial categories (health, biometrics, etc.)OtherIf 'Other', describeData Flow SummaryWhere data comes from, where it goes, and what systems store/process it.Do you transfer/store customer data outside the customer's country/region? *NoYesIf yes, list countries/regions and safeguards (e.g., SCCs)Do you have a Data Processing Addendum (DPA) available? *NoYesUpload DPA (optional) Drag & Drop Files, Choose Files to Upload 🛡️ Security Controls Access control, encryption, monitoring, and secure development practices. Authentication & Access (select) *MFA enforced for admin accessRole-based access control (RBAC)Least privilege / access reviewsSSO/SAML availablePrivileged access management (PAM)Encryption (select) *Encryption in transit (TLS)Encryption at restKey management (KMS/HSM)Customer-managed keys supportedMonitoring & Vulnerability Management (select) *Centralized logging and monitoringSecurity alerts/incident triage processRegular vulnerability scanningPatch management SLAsAnnual penetration testingDo you have security certifications / audit reports? *NoYesCertifications/Reports (select all that apply)ISO 27001SOC 2 Type IIPCI DSSCSA STAROtherIf 'Other', describeUpload evidence (optional) Drag & Drop Files, Choose Files to Upload 🚨 Incident Response & Continuity Incident handling, breach notification, and business continuity. Do you have a documented incident response plan? *NoYesUpload incident response plan (optional) Drag & Drop Files, Choose Files to Upload Breach notification timeline you can meet (choose best fit) *Within 24 hoursWithin 48 hoursWithin 72 hoursWithin 5 business daysOtherIf 'Other', specifyDo you have a Business Continuity / Disaster Recovery (BC/DR) plan? *NoYesLast BC/DR Test Date (optional)DateTimeRTO (Recovery Time Objective) (optional)RPO (Recovery Point Objective) (optional) 🤝 Subprocessors & Supply Chain Third parties, flow-down obligations, and change notification. Do you use subprocessors/third parties to deliver the service? *NoYesList subprocessors (name, service, country, purpose)Do you have a subprocessor change notification process? *NoYesNotification period (days) (optional)Flow-down Controls (select)Contracts require equivalent security/privacyDue diligence performed before onboardingOngoing monitoring/auditsRight to terminate for subprocessor breach ⚖️ Compliance & Assurance Regulatory alignment, insurance, and internal assurance controls. Compliance Frameworks (select all that apply)GDPRUK GDPR / Data Protection ActCCPA/CPRAHIPAA (health data)OtherIf 'Other', describeIf HIPAA applies: Will you sign a Business Associate Agreement (BAA)?NoYesDo you carry cyber liability insurance? *NoYesInsurance provider and coverage limits (optional)Upload insurance certificate (optional) Drag & Drop Files, Choose Files to Upload Background/Access Controls (select)Employee background checks (where legal)Security awareness trainingConfidentiality agreements in placeSegregation of duties ✍️ Acknowledgements & Signatures Confirm accuracy and provide a typed signature. Acknowledgements (must check all) *Information provided is accurate to the best of my knowledgeWe will notify customers of material security incidents per agreed timelinesWe will maintain appropriate security controls for the term of servicesAuthorized Signatory Name (type) *Authorized Signatory Title *Sign Date *DateTimeUpload supporting documents (optional) Drag & Drop Files, Choose Files to Upload PhoneGenerate Questionnaire
