# Vendor Security Review

> Use this template to conduct a security and privacy review of third-party vendors.

## Template Metadata

| Field | Details |
|-------|---------|
| Category | Cybersecurity & Privacy |
| Owner | [Team or owner] |
| Version | [Version number] |
| Effective Date | [Date] |
| Review Cycle | [Monthly / Quarterly / Annual / Event-based] |
| Status | [Draft / In Review / Approved] |

## Vendor Overview

Describe the service, business owner, use case, and contract status.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Data Processed

Identify data categories, sensitivity, residency, retention, and subprocessors.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Security Controls

Assess authentication, encryption, logging, vulnerability management, and access control.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Compliance

Summarize SOC 2, ISO 27001, GDPR, HIPAA, or other relevant attestations.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Risks

List security, privacy, operational, and contractual risks with severity.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Approval Decision

State the decision (approved, conditionally approved, or rejected) with any required actions. Use concise, evidence-based findings and note missing documentation clearly.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]
