VND-002 Security Requirements in Vendor Contracts
Description
Contracts with all vendors who access, process, store or transmit organisational data include binding security and privacy requirements. These requirements address: information security obligations, incident notification timelines, audit rights, data handling and deletion, right to subcontract, applicable law, and exit provisions.
Rationale
Contractual requirements are the primary enforcement mechanism for vendor security obligations. Without written requirements, the organisation has no recourse if a vendor causes a breach.
Framework Mappings (7)
| Control ID | Framework Control | Mapping |
|---|---|---|
| STA-11 | Primary Service and Contractual Agreement | full |
| STA-12 | Supply Chain Agreement Review | partial |
| EU-AI-Art.25.2 | Value Chain Responsibilities — Supply Chain Agreements | partial |
| GDPR-Art.28.3 | Data Processing Agreement (DPA) Requirements | full |
| 5.20 | Addressing information security within supplier agreements | full |
| SR-3 | Supply Chain Controls and Processes | partial |
| P6.4 | Third-Party Agreements | full |
Evidence (2)
Executed vendor contracts or Master Services Agreements containing binding security, privacy and incident notification requirements.
Example: Executed MSA with a key SaaS vendor (e.g. Salesforce, Zendesk, AWS) — containing: information security obligations clause, data handling and deletion requirements, incident notification SLA (e.g. 24/48 hours), audit rights clause, sub-processor approval requirement, and exit/termination data return provisions
Test: Request contracts for 5 vendors with access to organisational or customer data. Verify each contract contains: (1) a binding information security obligations clause, (2) a defined incident notification timeline (acceptable: ≤72 hours), (3) a data handling and deletion clause specifying obligations on termination, (4) an audit right (direct audit or third-party certification acceptance), (5) a sub-processor approval clause, (6) applicable law and jurisdiction.
Executed Data Processing Agreements (DPAs) with all vendors who process personal data, satisfying GDPR Art.28.3 requirements.
Example: Executed DPAs (standalone documents or DPA appendices within MSAs) with all personal data processors — each covering the GDPR Art.28.3 mandatory clauses: processing only on instructions, confidentiality, security measures, sub-processing controls, data subject rights assistance, deletion/return of data, and audit cooperation
Test: Request DPAs for all vendors identified in the RoPA as processors. Verify: (1) a DPA is in place for every vendor that processes personal data, (2) each DPA includes all GDPR Art.28.3 mandatory clauses, (3) DPAs are signed by authorised representatives of both parties, (4) DPAs reference or annex appropriate technical and organisational measures.
Questions (2)
Do contracts with all vendors who access, process, store or transmit organisational data include binding security and privacy obligations?
Contracts should include at minimum: information security obligations, incident notification timelines (72 hours or less), audit rights, data handling and deletion requirements, sub-processor controls, and exit provisions.
Which of the following clauses are included as standard in your vendor contracts?
All eight clauses are expected in contracts with vendors processing personal or sensitive data. Absence of a DPA for any personal data processor is a direct GDPR compliance gap.