# Vendor risk template

1. Vendor profile: category, owner, business purpose, and renewal date.
2. Data processed: customer data, employee data, financial data, secrets, or production access.
3. Evidence required: DPA, SOC 2 report, ISO 27001 certificate, subprocessor list, privacy policy, and incident contact.
4. Risk review: inherent risk, mitigations, residual risk, and approval owner.
5. Cadence: initial review, annual review, expiry, and reassessment triggers.

Generated by PrivaBase. This template is educational and not legal advice.
