Under GDPR Article 28, you are responsible for every third-party processor that handles personal data on your behalf. If a vendor you use suffers a data breach, you must notify the supervisory authority and affected individuals. A proper vendor risk assessment isn't optional: it's a core GDPR requirement.
What Is a Vendor Risk Assessment?
A vendor risk assessment evaluates the data protection practices of third-party services that process personal data on your behalf. This includes your hosting provider, analytics service, CRM, email platform, payment processor, chat widget, and any other service that touches user data.
Which Vendors Need Assessment?
Any third party that processes personal data from your users needs evaluation. Common categories:
| Category | Examples | Data Processed |
|---|---|---|
| Hosting | AWS, Vercel, Cloudflare | IP addresses, access logs, all site data |
| Analytics | Google Analytics, Mixpanel, Hotjar | Page views, behavior, demographics |
| Email | SendGrid, Mailchimp, Postmark | Email addresses, engagement data |
| Payments | Stripe, PayPal, Adyen | Payment details, billing addresses |
| Chat | Intercom, Crisp, Zendesk | Names, emails, conversation content |
| Advertising | Google Ads, Meta Pixel, LinkedIn | Browsing behavior, conversion events |
| CDN | Cloudflare, Fastly, Akamai | IP addresses, geo-location data |
| CRM | HubSpot, Salesforce, Pipedrive | Contact info, interaction history |
The Assessment Framework
For each vendor, evaluate the following areas:
1. Data Processing Agreement (DPA)
- Does the vendor provide a GDPR-compliant DPA?
- Does it specify processing purposes and duration?
- Does it list sub-processors and require notification of changes?
- Does it include breach notification obligations (within 72 hours)?
2. Data Location and Transfers
- Where is data stored? (EU, US, other)
- If outside the EU, what transfer mechanisms are used? (Standard Contractual Clauses, adequacy decision)
- Post-Schrems II: Are supplementary measures in place for US transfers?
3. Security Measures
- Is data encrypted at rest and in transit?
- Does the vendor have SOC 2, ISO 27001, or equivalent certification?
- What access controls are in place?
- How are security incidents handled?
4. Data Retention and Deletion
- How long does the vendor retain data after contract termination?
- Can you request data deletion, and how quickly is it executed?
- Are backups also purged?
5. Sub-Processors
- Does the vendor use sub-processors?
- Is there a list of current sub-processors?
- Are you notified when sub-processors change?
- Do sub-processors have their own DPAs?
Risk Scoring Matrix
| Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Data type | Anonymized, aggregated | Pseudonymized personal data | Directly identifiable, sensitive data |
| Data location | EU/EEA only | Adequacy countries | US or non-adequate countries |
| Certifications | SOC 2 + ISO 27001 | One certification | No certifications |
| DPA quality | Comprehensive, customizable | Standard but adequate | Missing or incomplete |
| Breach history | No known breaches | Minor breaches, well-handled | Major breaches or poor response |
Automated Vendor Discovery
You don't always know which vendors are on your website. Marketing teams add tracking pixels, developers add libraries, CMS plugins load external scripts, all without a central inventory.
PrivacyChecker automatically discovers all third-party services on your website, identifies the vendors behind them, and flags those processing personal data without proper security measures.
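As an added illustration (not PrivacyChecker's code), the following pass over a page's HTML records every external host loaded by script, iframe, img and link tags and maps it to the vendor categories from the table above. The KNOWN_VENDORS lookup and the sample page are assumptions constructed for this example; unknown hosts are kept so nothing silently drops out of the inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical hostname-to-vendor lookup, using the categories of the vendor
# table above; extend it with the services your own site actually loads.
KNOWN_VENDORS = {
    "googletagmanager.com": ("Google Analytics", "Analytics"),
    "static.hotjar.com": ("Hotjar", "Analytics"),
    "js.stripe.com": ("Stripe", "Payments"),
    "widget.intercom.io": ("Intercom", "Chat"),
}

class ThirdPartyCollector(HTMLParser):
    """Collects hosts that script/iframe/img/link tags load from outside the site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("href") if tag == "link" else attrs.get("src")
        if tag not in ("script", "iframe", "img", "link") or not url:
            return
        host = urlparse(url).netloc.lower()  # also handles //host/... URLs
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            self.hosts.add(host)

def discover_vendors(html, site_host):
    """Return {host: (vendor, category)}; unmatched hosts become 'Unclassified'."""
    collector = ThirdPartyCollector(site_host)
    collector.feed(html)
    inventory = {}
    for host in sorted(collector.hosts):
        match = next((v for k, v in KNOWN_VENDORS.items()
                      if host == k or host.endswith("." + k)), None)
        inventory[host] = match or ("unknown", "Unclassified")
    return inventory

# Constructed sample page: first-party assets plus several third-party loads.
SAMPLE_HTML = """<html><head>
<script src="https://www.example.com/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://js.stripe.com/v3/"></script>
</head><body>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<img src="//px.unknown-tracker.test/pixel.gif">
<iframe src="https://widget.intercom.io/widget/abc"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, (vendor, category) in discover_vendors(SAMPLE_HTML, "example.com").items():
        print(f"{host:28} {vendor:18} {category}")
```

The resulting inventory is the input to step 1 of the checklist below; every host tagged Unclassified is a vendor you have not yet assessed.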
Vendor Assessment Checklist
| Step | Action | Document |
|---|---|---|
| 1 | Scan website for all third-party services | Vendor inventory |
| 2 | Request DPA from each vendor | DPA register |
| 3 | Verify data transfer mechanisms | Transfer impact assessment |
| 4 | Check security certifications | Risk assessment |
| 5 | Review sub-processor lists | Sub-processor register |
| 6 | Document findings and risk level | Vendor risk register |
| 7 | Schedule annual reassessment | Review calendar |
Start with a free scan to discover all third-party vendors on your website. Pro+ includes a Vendor Risk module that automatically assesses the privacy and security posture of detected third-party services.