Your data doesn't live only with you. It lives with your CRM vendor, email vendor, payment processor, accounting software, backup service, and a dozen other vendors. If any of them get breached, your data might leak.

You can't control what vendors do. But you can assess them before hiring them, contractually require them to protect data, and audit them periodically. This lecture teaches you how.

The Vendor Risk Assessment

Before signing with a vendor, assess their security maturity. Create a simple questionnaire:

Basic Questions (ask all vendors)

  • Where do you store data (which country/data center)?
  • Is data encrypted in transit (HTTPS) and at rest?
  • What's your data retention policy if we leave?
  • How do you handle customer data if you get breached?
  • Do you have cybersecurity insurance?
  • Can we audit your security practices?
  • Do you have SOC 2 or ISO 27001 certification?

Advanced Questions (for vendors with sensitive data)

  • What's your incident response process?
  • Do you have a bug bounty program?
  • How do you vet your own vendors (does your vendor have vendors)?
  • What's your employee security training?
  • Do you have a security officer/team?

Red flags: vendor is evasive, claims "we're secure" without evidence, says encryption is optional, doesn't have insurance, never had a security audit.

The Data Processing Agreement

Your contract with the vendor should specify how they handle data. Most vendors have a DPA (Data Processing Agreement) you can review.

Key terms:

  • Vendor must implement reasonable security
  • Vendor must notify you immediately if breached
  • Vendor must not use your data for their own purposes
  • Vendor must delete or return data when you leave
  • You have right to audit their security practices
  • Vendor has cyber liability insurance

Don't sign contracts that allow vendors to sell your data, use it for marketing, or share it with anyone. If they push back, consider a different vendor.

Vendor Audit Checklist

For your most critical vendors (CRM, payment processor, accounting), conduct an audit annually:

  • Review their latest security audit report (SOC 2 or equivalent)
  • Confirm they're following your DPA terms (data encryption, retention, deletion)
  • Check if they've had breaches (search news, monitor their status page)
  • Request proof of cyber liability insurance (check amount and coverage)
  • Verify they've disclosed any subcontractors (vendors they use)

Document this annually. If a vendor fails audit, escalate: can they remediate? If not, plan to migrate to a different vendor.

Managing Multiple Vendors

Create a vendor inventory: what data does each vendor hold? How sensitive? How critical?

Vendor Data Held Sensitivity Critical?
HubSpot Donor names, emails, giving history High Yes
Stripe Payment info Very High Yes
Google Drive Documents (some confidential) Medium Yes

Audit critical vendors annually. Medium sensitivity vendors every 2 years. Low sensitivity vendors as needed.

Vendor Exit Plan

What happens if a vendor goes out of business or you need to switch?

  • Can you export all your data in standard format (CSV, JSON)?
  • How long does vendor keep data after you leave?
  • Is there a data deletion request process?
  • What's the transition timeline (90 days, 6 months)?

Get answers before you need them. A vendor going dark with your data is a nightmare.

Red Flag Vendors

Avoid or scrutinize closely:

  • No security certifications: SOC 2/ISO 27001 are standard. If they don't have it, why not?
  • Unclear data practices: "We're secure" without specifics means they probably aren't.
  • No cyber insurance: If they're not insured, they're not serious about security.
  • Refuses DPA: Legitimate vendors will sign a Data Processing Agreement. If they refuse, walk away.
  • Overseas data storage: Some countries have weak data protection. Ask where data is stored.

Incident: Vendor Gets Breached

A vendor notifies you that they were breached and your data might have leaked. Here's what you do:

  1. Get details: what data? How many people? When did they discover it?
  2. Review DPA: did they follow their obligations to notify you, investigate, etc.?
  3. Assess impact: is this a breach of your donors? If yes, you likely have to notify.
  4. Contact insurance: let them know.
  5. Plan notification: if your donor data was exposed, you notify your donors (not just the vendor notifies theirs).
  6. Consider vendor change: if this is the second breach, or if it was preventable negligence, evaluate moving to a different vendor.

You're liable to your donors even if the breach was a vendor's fault. This is why vendor choice and auditing matter.

Key Takeaway

Your vendors are extensions of your security posture. Assess them before hiring. Require contractual commitments to protect data. Audit them periodically. And have an exit plan. Your data is only as secure as your weakest vendor.

Frequently Asked Questions

Is SOC 2 certification required?

Not required, but it's the gold standard. SOC 2 Type II (not just Type I) means an independent auditor verified their security for at least 6 months. Most vendors you'd want to work with have it. If a vendor doesn't, ask why. They might be a startup (new vendors sometimes don't have it yet), which is okay if they have cyber insurance and a DPA.

Can we demand encryption before vendor signs with us?

You can ask, but don't make it a blocker. Most modern vendors encrypt. If a vendor specifically refuses encryption, that's suspicious. But don't reject a vendor because they don't offer end-to-end encryption (where even they can't see data). That sometimes breaks their ability to serve you. Data encrypted in transit and at rest is standard.

Should we pay more for a vendor with better security?

Yes, usually. A vendor charging $20/month with weak security is more expensive than a vendor charging $50/month with strong security. You're factoring in breach risk. That said, major vendors (Salesforce, Google, Stripe) have excellent security at reasonable prices. You don't need to overpay.

What if a vendor has had a breach in the past?

Not disqualifying. Everyone gets hacked eventually. What matters is how they responded: did they notify customers quickly? Did they fix the vulnerability? Did they improve security? A vendor that had one breach and fixed it is less risky than a vendor that's never been hacked (maybe just never been tested). Look at their incident response, not just the breach itself.

Do we need to conduct security assessments ourselves or hire someone?

For major vendors with SOC 2 certification, review their certificate and DPA. That's sufficient. For smaller vendors or vendors with sensitive data access, hire a third party (security consultant) to assess. Cost: $2K-5K, but worth it for critical vendors.