Third-party risk assessment (TPRA) template — SaaS vendor evaluation

TPRA template for evaluating SaaS vendors before signing. Required by most SOC 2 / ISO 27001 audits and for GDPR sub-processor due diligence. Re-evaluate quarterly.

How to use

Run before contracting any vendor that handles customer data; re-evaluate every vendor in the vendor inventory quarterly.

Template (markdown)

Copy-paste and replace the {{PLACEHOLDERS}}:

# Third-Party Risk Assessment — {{VENDOR_NAME}}
**Assessor:** {{NAME}} · **Date:** {{DATE}} · **Re-evaluation:** Quarterly

## 1. Vendor profile
- **Name:** {{VENDOR_NAME}}
- **Service provided:** {{SERVICE_DESCRIPTION}}
- **Data categories shared:** {{DATA_CATEGORIES}}
- **Sub-processor (per GDPR)?:** {{YES_NO}}
- **Annual spend:** USD {{ANNUAL_SPEND}}
- **Contract type:** {{ANNUAL_OR_MONTHLY}}

## 2. Compliance + certifications
- [ ] SOC 2 Type 2 — date: {{DATE_OR_NA}}
- [ ] ISO 27001 — date: {{DATE_OR_NA}}
- [ ] HIPAA BAA — applicable: {{YES_NO}}; signed: {{DATE_OR_NA}}
- [ ] PCI-DSS — applicable: {{YES_NO}}; SAQ level: {{LEVEL_OR_NA}}
- [ ] GDPR DPA — signed: {{DATE_OR_NA}}
- [ ] FedRAMP — level: {{LEVEL_OR_NA}}

## 3. Security posture review
| Control | Vendor's stance | Source | Risk |
|---|---|---|---|
| Encryption at rest | {{YES_NO_HOW}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Encryption in transit | {{YES_NO_HOW}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Access control + MFA | {{DETAIL}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Vulnerability management | {{DETAIL}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Incident response | {{DETAIL}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Backup + DR | {{DETAIL}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Change management | {{DETAIL}} | {{SOURCE}} | {{LOW_MED_HIGH}} |
| Secure SDLC | {{DETAIL}} | {{SOURCE}} | {{LOW_MED_HIGH}} |

## 4. Data flow
- **Direction:** {{INBOUND_OR_OUTBOUND_OR_BOTH}}
- **Data categories transferred:** {{LIST}}
- **Transfer mechanism:** {{API_SDK_S3_ETC}}
- **Storage region(s):** {{REGIONS}}
- **Encryption in transit:** {{TLS_VERSION}}

## 5. Operational risk
- **Critical to operations?** {{YES_NO}} (if yes — what's the BCP / fallback?)
- **Single point of failure?** {{YES_NO}}
- **Vendor's own security incidents in past 12 months:** {{LIST_OR_NONE}}
- **Public reports of vendor stability issues:** {{LIST_OR_NONE}}

## 6. Sub-processor risk
- **Vendor uses sub-processors?** {{YES_NO}} — list at {{URL}}
- **Sub-processor change-notification policy:** {{DETAIL}}
- **High-risk sub-processors (e.g., outside EU/US, no SOC 2):** {{LIST_OR_NONE}}

## 7. Exit + continuity
- **Data portability — what export formats?** {{FORMATS}}
- **Data destruction on contract end — within how many days?** {{DAYS}}
- **Vendor's BCP / DR posture (if vendor goes down):** {{DETAIL}}

## 8. AI / ML specific (if vendor uses AI)
- [ ] Vendor publishes model card / AIBOM
- [ ] Vendor's training-data sources disclosed
- [ ] Vendor's prompt-injection defense disclosed
- [ ] Vendor processes customer data without using it for model training by default (no opt-out required)
- [ ] EU AI Act high-risk classification — applicable: {{YES_NO}}

## 9. Risk score
**Total risk:** ☐ Low  ☐ Medium  ☐ High

(Assign the highest tier whose criteria apply.
Low: SOC 2 + GDPR DPA + clear sub-processor disclosure + no incidents.
Medium: missing one of the above, OR a sub-processor with a weaker posture.
High: missing SOC 2, OR the vendor has had a security incident in the past 12 months.)
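Added example, not part of the template: a small Python evaluator for the section 9 rubric that makes the tier precedence explicit (High overrides Medium, since a missing SOC 2 report matches both rules) and returns the reasons a tier was assigned. The field names and the sample vendor records are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class VendorAssessment:
    """Answers lifted from template sections 2, 5 and 6 (field names are assumed)."""
    name: str
    soc2_type2: bool                 # section 2: SOC 2 Type 2 report on file
    gdpr_dpa_signed: bool            # section 2: GDPR DPA signed
    subprocessors_disclosed: bool    # section 6: sub-processor list published
    incidents_last_12m: list[str] = field(default_factory=list)   # section 5
    weak_subprocessors: list[str] = field(default_factory=list)   # section 6


def risk_tier(a: VendorAssessment) -> tuple[str, list[str]]:
    """Apply the section 9 rubric; the highest matching tier wins (High > Medium > Low)."""
    reasons: list[str] = []
    # High: missing SOC 2 OR a security incident in the past 12 months.
    if not a.soc2_type2:
        reasons.append("no SOC 2 Type 2 report")
    if a.incidents_last_12m:
        reasons.append("incident(s) in last 12 months: " + ", ".join(a.incidents_last_12m))
    if reasons:
        return "High", reasons
    # Medium: one of the remaining Low criteria missing, or a weaker-posture sub-processor.
    if not a.gdpr_dpa_signed:
        reasons.append("GDPR DPA not signed")
    if not a.subprocessors_disclosed:
        reasons.append("sub-processor list not disclosed")
    if a.weak_subprocessors:
        reasons.append("weaker-posture sub-processor(s): " + ", ".join(a.weak_subprocessors))
    if reasons:
        return "Medium", reasons
    return "Low", ["SOC 2 + DPA + sub-processor disclosure present, no incidents"]


def tier_inventory(assessments: list[VendorAssessment]) -> dict[str, str]:
    """Tier every vendor in the inventory, e.g. for the quarterly re-evaluation pass."""
    return {a.name: risk_tier(a)[0] for a in assessments}


# Constructed sample inventory (hypothetical vendors, not real assessments).
SAMPLE_VENDORS = [
    VendorAssessment("ExampleCRM", True, True, True),
    VendorAssessment("ExampleAnalytics", True, False, True),
    VendorAssessment("ExampleSupport", True, True, True,
                     incidents_last_12m=["constructed: vendor-disclosed token leak"]),
    VendorAssessment("ExampleMailer", False, False, False),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        tier, why = risk_tier(v)
        print(f"{v.name}: {tier} ({'; '.join(why)})")
```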

## 10. Approval + actions
- ☐ Approved as-is
- ☐ Approved with conditions: {{CONDITIONS}}
- ☐ Decision pending required actions: {{REQUIRED_ACTIONS_BEFORE_APPROVAL}}
- ☐ Rejected — alternative recommendation: {{ALTERNATIVE_VENDOR}}

**Approver:** {{NAME}}, {{ROLE}}, signed {{DATE}}

**Next review date:** {{REVIEW_DATE}} (quarterly cadence)