Vendor Due Diligence Documents & Security Questionnaires

Most SaaS companies work with several vendors for their day-to-day downstream activities, such as AWS, Zoom, Slack, etc.

While using services from other vendors, you would also share some critical customer data with them. It is then very important that these vendors also have a good security posture to protect your data.

As per most compliance frameworks, you would need to review and upload your vendors' most recent due diligence document at least once yearly, especially for high-risk vendors. A high-risk vendor can be classified based on two parameters:

1. If you share critical customer data with them.

2. If their services go down, so will yours.

The due diligence documents for some of the most common high-risk vendors can be found using the links provided below:

Index:

• 1. Amazon Web Services

• 2. GCP

• 3. Microsoft: For Azure and Azure DevOps

• 4. Heroku

• 5. Mongo Atlas

• 6. Data Processing Addendum

• 7. Security Questionnaire

1. Amazon Web Services: For AWS GovCloud, AWS CodeCommit, and AWS.

1. Soc 2 Type 1: https://aws.amazon.com/artifact/getting-started/

2. Soc 2 Type 2: https://aws.amazon.com/artifact/getting-started/

2. GCP

• Soc 2 Type 1: https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit_Report,Vendor_Risk_Assessment

• Soc 2 Type 2: https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Audit_Report,Vendor_Risk_Assessment

• ISO: https://cloud.google.com/security/compliance/compliance-reports-manager#/ReportType=Certificate

• GDPR: https://cloud.google.com/privacy/gdpr

• HIPAA: https://cloud.google.com/security/compliance/hipaa

• PCI DSS: https://cloud.google.com/security/compliance/pci-dss

• Security Paper: https://cloud.google.com/docs/security

3. Microsoft: For Azure and Azure DevOps

• Soc 2 Type 2: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-soc-2

• ISO: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-iso-27001

• GDPR: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted

• HIPAA: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us

• PCI DSS: https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-pci-dss

• Security Paper: https://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf

4. Heroku

• Soc 2 Type 1: https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK

• Soc 2 Type 2: https://compliance.salesforce.com/en/documents/a005A00000kFeKeQAK

• GDPR: https://devcenter.heroku.com/articles/gdpr

5. Mongo Atlas

• Soc 2 Type 1: https://www.mongodb.com/cloud/trust/compliance/soc

• Soc 2 Type 2: https://www.mongodb.com/cloud/trust/compliance/soc

• GDPR: https://www.mongodb.com/cloud/trust/compliance/gdpr

• HIPAA: https://www.mongodb.com/cloud/trust/compliance/hipaa

• PCI DSS: https://www.mongodb.com/cloud/trust/compliance/pci-dss

6. Data Processing Addendum

• AWS DPA: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

• GCP DPA: https://cloud.google.com/terms/data-processing-addendum

• Github DPA: https://github.com/customer-terms/github-data-protection-agreement

• Google Workspace DPA: https://cloud.google.com/terms/data-processing-addendum

• Office365/Microsoft DPA: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

• Gitlab DPA: https://gitlab.com/gitlab-com/legal-and-compliance/-/raw/master/Customer_DPA__3.1.23_.pdf

• Bitbucket DPA: https://www.atlassian.com/legal/data-processing-addendum

• SalesforceDPA: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

• GoDaddy DPA: https://www.godaddy.com/en-in/legal/agreements/data-processing-addendum

7. Security Questionnaire

• Security Questionnaire (Large)

• Security Questionnaire Generic (Basic)

• Security Questionnaire (Basic)