Your nonprofit uses cloud services, payment processors, email providers, website hosting, and many other vendors who access or store your data. Each vendor represents a potential security risk. If a vendor is breached, your data could be exposed. If a vendor has weak security, attackers might breach you through them. Vendor risk management—assessing and managing the security of vendors who touch your data—is an increasingly important part of nonprofit cybersecurity. This article addresses how to evaluate vendors, contract with them responsibly, and maintain oversight to ensure they protect your data.
Vendor risk doesn't require paranoia or treating all vendors as threats. It requires reasonable assessment of risk based on the sensitivity of data they handle and their security practices. A vendor storing your email has access to sensitive information; evaluate them carefully. A vendor providing general website hosting has less access to sensitive data; evaluate them appropriately. Risk assessment allows you to focus effort on vendors handling your most sensitive information.
Assessing Vendor Security: Questions to Ask
Before using a vendor, assess their security practices. This doesn't require becoming a security expert. Ask vendors directly about their practices. Many vendors providing services to organizations publish security documentation (for example, SOC 2 reports) summarizing their security practices. Request this if available. Ask direct questions: How do they protect data, for example with encryption in transit and at rest? What security certifications do they have? How do they handle data breaches? What's their incident response process?
Look for security certifications and standards. A SOC 2 Type II report demonstrates that an independent auditor has assessed the vendor's security controls over a period of time. ISO 27001 certification shows compliance with an information security management standard. These aren't perfect guarantees of security, but they show vendors invest in security practices. Don't require certifications from small vendors, but expect them from major vendors handling sensitive data.
Ask about data residency and jurisdiction. Where is your data stored? Is it in the US, EU, or elsewhere? Where can law enforcement access it? This matters for compliance with data protection laws. If you have EU data, understand where it's stored and whether it complies with GDPR requirements.
Ask about data retention. When you delete data, when does the vendor delete it? Some vendors keep copies for their backups longer than you'd like. Clarify expectations before using the vendor. This is especially important for sensitive data like donor information.
Evaluate vendor reviews and incidents. Search for security incidents involving vendors. Have they been breached? How did they respond? What public complaints exist about their security? Recent security incidents don't automatically disqualify a vendor, but how they respond matters. Did they disclose quickly? Did they remediate quickly? Did they take responsibility?
Contracting and Agreements: Protecting Your Data Legally
Once you decide to use a vendor, your contract should address security and data protection. Most vendors provide standard terms of service. These often favor the vendor, limiting their liability. You should negotiate data processing agreements (DPAs) or addendums specifically addressing how they handle your data.
Key contract elements include: a definition of what data they'll process and how; a requirement that they use data only for specified purposes; a requirement that they implement reasonable security measures; a requirement that they notify you of breaches; a requirement that they cooperate with incident investigation; a requirement that they delete or return data when the contract ends; and a requirement that they maintain privacy and won't share data with unauthorized parties.
For vendors handling sensitive data (payment processors, email, donor databases), insist on a data processing agreement if the vendor will provide one. Don't accept vendor agreements that say they're not responsible for security or not liable if your data is breached. Negotiate language that makes them responsible for reasonable security and requires them to notify you of breaches. Many vendors will negotiate if you ask.
Review who has access to your data. Can the vendor's employees access it? For what purposes? Do they need unlimited access or should access be restricted? Different vendors provide different levels of transparency. Understand what access exists and whether it's necessary.
Ongoing Oversight: Monitoring Vendors After Signing
Vendor assessment doesn't end at signing the contract. Maintain ongoing oversight to ensure vendors continue protecting your data. This doesn't require constant auditing; reasonable oversight is enough. Stay aware of vendor incidents, review their security practices periodically, and ensure they comply with your contracts.
Subscribe to vendor security announcements. Major vendors publish security advisories when they have vulnerabilities. Subscribe to these so you're aware of issues. If a vendor you use has a major breach, you'll see it in the news, but other issues might be less obvious. Staying informed helps you evaluate whether to continue using the vendor.
Maintain a vendor inventory. Document which vendors access or store your data, what data they have access to, when your contract ends, and whether you've reviewed their security practices. This inventory helps you remember which vendors matter most for security. Review your inventory annually. Are there vendors you no longer use? Can you reduce data access?
Exit plans: Before signing with a vendor, clarify how you'll get your data back if you stop using them. Can you export your data? How long will they provide access after your contract ends? What format will data be in? This matters when switching vendors or ending a relationship.
Frequently Asked Questions
Should we use cloud services or keep data on our own servers?
Cloud services are often more secure for nonprofits than on-premises servers. Cloud providers invest heavily in security that most nonprofits can't match. They handle updates, backups, and security monitoring. On-premises servers require you to do all this yourself, which is harder. Unless you have IT expertise and budget, cloud services (Gmail, Salesforce, DonorPerfect) are typically better. Evaluate vendors carefully, but don't avoid cloud just because you lose direct control. Cloud vendors with good security are better than on-premises systems you manage yourself and misconfigure.
What if a vendor won't sign a data processing agreement?
Ask again, emphasizing that your organization needs basic protections. Many vendors will negotiate. If they refuse, evaluate whether to use them. If they're handling sensitive data and won't agree to standard data protection terms, they're likely not a trustworthy vendor. If they're a minor service with limited data access, you might accept their terms. Be strategic; some negotiations are worth having, others aren't.
How do we respond if a vendor is breached?
First, notify your incident response team. What data was exposed? Were donors or constituents affected? Did it involve payment information? Second, contact the vendor to understand details. Third, assess whether breach notification is required. If sensitive personal information was exposed, you likely must notify affected parties even if your organization wasn't directly hacked. Fourth, consider whether to continue using the vendor. If they have a serious unpatched vulnerability, leaving makes sense. If they got breached but responded well, you might continue using them.
Vendor risk management requires assessing vendor security, negotiating contracts that protect your data, and maintaining ongoing oversight. You don't need to be paranoid about every vendor, but you do need to be thoughtful about vendors handling sensitive information. Your nonprofit's security extends to vendors who access your data.