Vendor and Processor Checklist

Audience: founders, ops, product, compliance-minded teams · Last reviewed: March 2026

If third parties touch personal data, they should not be treated as a procurement footnote. Vendor review is part of competent operational privacy hygiene.

What to review

• Which vendors touch personal data at all
• What categories of data they can access
• Why they need that access
• Whether internal teams actually understand the workflow

Practical checklist

1. List core vendors touching user/customer data
2. Check whether access scope is clear and still justified
3. Review contracts, handoffs, and operational ownership
4. Flag high-risk tools or shadow usage patterns