# Vendor Due Diligence Documents & Security Questionnaires

Most SaaS companies rely on several vendors, such as AWS, Zoom, and Slack, for their day-to-day downstream activities.

When you use services from other vendors, you also share some critical customer data with them. It is therefore important that these vendors maintain a good security posture to protect your data.

As per most compliance frameworks, you would need to review and upload your vendors' most recent due diligence document at least once yearly, especially for high-risk vendors. A high-risk vendor can be classified based on two parameters:

1. If you share critical customer data with them.
2. If their services go down, so will yours.

The due diligence documents for some of the most common high-risk vendors can be found using the links provided below:

**Index:**

* [1. Amazon Web Services](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#1.-Amazon-Web-Services%3A-For-AWS-GovCloud,-AWS-CodeCommit,-and-AWS.)
* [2. GCP](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#2.-GCP)
* [3. Microsoft: For Azure and Azure DevOps](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#3.-Microsoft%3A-For-Azure-and-Azure-DevOps)
* [4. Heroku](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#4.-Heroku)
* [5. Mongo Atlas](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#5.-Mongo-Atlas)
* [6. Data Processing Addendum](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#%C2%A06.-Data-Processing-Addendum)
* [7. Security Questionnaire](https://sprinto.freshdesk.com/support/solutions/articles/72000593486#7.-Security-Questionnaire)

#### **1. Amazon Web Services: For AWS GovCloud, AWS CodeCommit, and AWS.** <a href="#id-1.-amazon-web-services-for-aws-govcloud-aws-codecommit-and-aws" id="id-1.-amazon-web-services-for-aws-govcloud-aws-codecommit-and-aws"></a>

1. **SOC 2 Type 1:** [**https://aws.amazon.com/artifact/getting-started/**](https://aws.amazon.com/artifact/getting-started/)
2. **SOC 2 Type 2:** [**https://aws.amazon.com/artifact/getting-started/**](https://aws.amazon.com/artifact/getting-started/)

#### **2. GCP** <a href="#id-2.-gcp" id="id-2.-gcp"></a>

* **SOC 2 Type 1:** [**https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit\_Report,Vendor\_Risk\_Assessment**](https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit_Report,Vendor_Risk_Assessment)
* **SOC 2 Type 2:** [**https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit\_Report,Vendor\_Risk\_Assessment**](https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit_Report,Vendor_Risk_Assessment)
* **ISO:** [**https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Certificate**](https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Certificate)
* **GDPR:** [**https://cloud.google.com/privacy/gdpr**](https://cloud.google.com/privacy/gdpr)
* **HIPAA:** [**https://cloud.google.com/security/compliance/hipaa**](https://cloud.google.com/security/compliance/hipaa)
* **PCI DSS:** [**https://cloud.google.com/security/compliance/pci-dss**](https://cloud.google.com/security/compliance/pci-dss)
* **Security Paper:** [**https://cloud.google.com/docs/security**](https://cloud.google.com/docs/security)

#### **3. Microsoft: For Azure and Azure DevOps** <a href="#id-3.-microsoft-for-azure-and-azure-devops" id="id-3.-microsoft-for-azure-and-azure-devops"></a>

* **SOC 2 Type 2:** [**https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2**](https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2)
* **ISO:** [**https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27001**](https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27001)
* **GDPR:** [**https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted**](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted)
* **HIPAA:** [**https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us**](https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us)
* **PCI DSS:** [**https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-pci-dss**](https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-pci-dss)
* **Security Paper:** [**https://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf**](https://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf)

#### **4. Heroku** <a href="#id-4.-heroku" id="id-4.-heroku"></a>

* **SOC 2 Type 1:** [**https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK**](https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK)
* **SOC 2 Type 2:** [**https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK**](https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK)
* **GDPR:** [**https://devcenter.heroku.com/articles/gdpr**](https://devcenter.heroku.com/articles/gdpr)

#### **5. Mongo Atlas** <a href="#id-5.-mongo-atlas" id="id-5.-mongo-atlas"></a>

* **SOC 2 Type 1:** [**https://www.mongodb.com/cloud/trust/compliance/soc**](https://www.mongodb.com/cloud/trust/compliance/soc)
* **SOC 2 Type 2:** [**https://www.mongodb.com/cloud/trust/compliance/soc**](https://www.mongodb.com/cloud/trust/compliance/soc)
* **GDPR:** [**https://www.mongodb.com/cloud/trust/compliance/gdpr**](https://www.mongodb.com/cloud/trust/compliance/gdpr)
* **HIPAA:** [**https://www.mongodb.com/cloud/trust/compliance/hipaa**](https://www.mongodb.com/cloud/trust/compliance/hipaa)
* **PCI DSS:** [**https://www.mongodb.com/cloud/trust/compliance/pci-dss**](https://www.mongodb.com/cloud/trust/compliance/pci-dss)

#### **6. Data Processing Addendum** <a href="#id-6.-data-processing-addendum" id="id-6.-data-processing-addendum"></a>

* **AWS DPA:** [**https://d1.awsstatic.com/legal/aws-gdpr/AWS\_GDPR\_DPA.pdf**](https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf)
* **GCP DPA:** [**https://cloud.google.com/terms/data-processing-addendum**](https://cloud.google.com/terms/data-processing-addendum)
* **GitHub DPA:** [**https://github.com/customer-terms/github-data-protection-agreement**](https://github.com/customer-terms/github-data-protection-agreement)
* **Google Workspace DPA:** [**https://cloud.google.com/terms/data-processing-addendum**](https://cloud.google.com/terms/data-processing-addendum)
* **Office365/Microsoft DPA:** [**https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA**](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA)
* **GitLab DPA:** [**https://gitlab.com/gitlab-com/legal-and-compliance/-/raw/master/Customer\_DPA\_\_3.1.23\_.pdf**](https://gitlab.com/gitlab-com/legal-and-compliance/-/raw/master/Customer_DPA__3.1.23_.pdf)
* **Bitbucket DPA:** [**https://www.atlassian.com/legal/data-processing-addendum**](https://www.atlassian.com/legal/data-processing-addendum)
* **Salesforce DPA:** [**https://www.salesforce.com/content/dam/web/en\_us/www/documents/legal/Agreements/data-processing-addendum.pdf**](https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf)
* **GoDaddy DPA:** [**https://www.godaddy.com/en-in/legal/agreements/data-processing-addendum**](https://www.godaddy.com/en-in/legal/agreements/data-processing-addendum)

#### **7. Security Questionnaire**

* [**Security Questionnaire (Large)**](https://docs.google.com/spreadsheets/d/1WsmX2Evsbm7QRMk4SrUatfDdNlnV-XWzCVxeBhdMS9g/edit#gid=0)
* [**Security Questionnaire Generic (Basic)**](https://docs.google.com/spreadsheets/d/1IuXg5SwuZpo357VWvfYWcTBV2GJwTbH-/edit#gid=1123335616)
* [**Security Questionnaire (Basic)**](https://docs.google.com/spreadsheets/d/1JXqUjYIBdaG4XTEJqCCoQ0X3oReHizsk/edit#gid=1123335616)

