Vendor Security Best Practices

In security, asking the right questions matters more than checking boxes. This guide covers what to look for when evaluating a vendor's security and how to have meaningful conversations.

Written by Giuseppe Morgana
Updated over 2 weeks ago

A note on using this guide: These best practices are meant to help your organization ask the right questions, not to serve as a rigid checklist. Security is not one-size-fits-all. A well-run vendor may address a given risk in a way that looks different from what's listed here, and that's okay. What matters is whether they've thoughtfully identified their risks and put reasonable controls in place to manage them. Use this as a starting point for conversation, not a pass/fail scorecard. The goal is to find partners who take security seriously and can demonstrate it rather than ones who know how to fill out a form.

A thoughtful question, such as asking a potential partner to share a recent incident and how they responded to it, will go much further toward helping you understand and build trust in an organization than having them check boxes.

1. Access & Authentication

  • Multi-factor authentication (MFA) required for all accounts

  • Individual (non-shared) credentials for each team member

  • Role-based access controls (with minimum necessary access)

  • Regular access reviews and audit logs

  • Additional security measures to mitigate cases of elevated risk, such as hardware security keys

2. Personnel Security

  • Background checks for all staff with data access

  • Clear documentation of who has access to client data

  • Employee security training and awareness programs

  • NDA and confidentiality agreements

  • Onboarding and offboarding procedures

3. Data Protection

  • Inventory of systems with access to sensitive data

  • End-to-end encryption for data in transit and at rest

  • Geographic restrictions if needed

  • Clear data retention and deletion policies

  • Clear data ownership with process for data access and verified deletion upon contract termination

  • Clear terms describing how data is used for any purposes beyond serving your organization (e.g., model training)

4. Physical Security

  • Devices have encryption enabled with password protection

  • Devices are kept up-to-date

  • Documented approach to managing and protecting physical hardware, including BYOD

5. Operational Security

  • A pragmatic understanding of the most significant risks and plans to mitigate them

  • Integrated and, where feasible, automated security operations and assessments

  • Secure development practices and vulnerability management (for technology platforms)

  • Enablement of security features such as single sign-on (for technology platforms)

  • A clear approach to vetting the security of subprocessors

  • Business continuity and disaster recovery plans

  • Incident response and breach notification procedures

6. Compliance & Certifications (dependent on nature of service)

  • Evidence of a structured security program (such as SOC 2 Type II, ISO 27001, or a documented, thoughtful internal security framework)

  • GDPR/privacy law and other legal compliance

  • Independent reviews or third-party audits

  • Cyber insurance coverage

7. Vendor Transparency

  • Clear information about subcontractors and data locations

  • Willingness to answer security questions

  • Open communication about incidents and how they learned from them

  • Clear process for communicating material changes to their security

8. Track Record & Referrals

  • Verifiable client references, particularly from organizations with comparable security requirements

  • Demonstrated experience handling sensitive data

  • Any history of data breaches or security incidents with clear evidence of responsible responses