
GDPR Vendor Due Diligence Checklist

7 min read. Updated 13 May 2026

Every vendor you use who processes personal data on your behalf is a data processor under GDPR. As the controller, you are responsible for ensuring your processors provide sufficient guarantees — and that means conducting due diligence before you onboard a vendor and maintaining oversight throughout the relationship.

This checklist covers what to check, what to ask, and what documentation to require.


Why Vendor Due Diligence Is a Legal Obligation

Article 28(1) states that controllers "shall only use processors providing sufficient guarantees to implement appropriate technical and organisational measures." This is not a discretionary best practice — it is a mandatory obligation.

The CJEU has confirmed that a controller cannot escape liability simply by using a processor. If your processor suffers a breach or processes data unlawfully, you share accountability. Conducting documented due diligence is both a compliance requirement and a risk management tool.


Step 1: Identify Which Vendors Are Processors

Not every vendor relationship involves personal data processing. A processor is a vendor who processes personal data on your instructions and on your behalf.

Processors (require full due diligence + DPA):

  • Cloud hosting and infrastructure (AWS, GCP, Azure)
  • CRM and sales tools (Salesforce, HubSpot)
  • Email delivery (Postmark, Mailchimp, SendGrid)
  • Analytics (Mixpanel, Amplitude)
  • Support tools (Intercom, Zendesk)
  • Error monitoring (Sentry, Datadog)
  • HR and payroll platforms
  • Document management tools

Controllers in their own right (not your processors — different relationship):

  • Payment processors (Stripe, Mollie — they have their own compliance obligations for payment data)
  • LinkedIn, Google (for advertising — they are controllers for their own platforms)

When in doubt, ask: is this vendor processing personal data under my instruction, or are they operating as an independent controller? If the former, they are your processor.


Step 2: Pre-Onboarding Due Diligence Checklist

Before signing a contract with a new processor:

Security and Compliance

  • Do they hold a relevant security certification? (ISO 27001, SOC 2 Type II, CSA STAR)
  • Is their ISO/SOC certification current and in scope for the services you are using?
  • Have they had any significant data breaches in the past 3 years? If yes, how were they handled?
  • Do they conduct regular penetration testing? Are reports available on request?
  • What encryption standards do they apply at rest and in transit?
  • Do they have a documented vulnerability management programme?

Data Location and Transfers

  • Where is data stored? Which countries? Which data centres?
  • Do they store or process data outside the EU/EEA?
  • If yes, what transfer mechanism do they rely on? (Adequacy, DPF, SCCs)
  • Are their SCCs executed and current, or is their DPF certification current?

Sub-processors

  • Do they use sub-processors? Who are they?
  • Is their sub-processor list publicly available?
  • Are all sub-processors bound by equivalent data protection obligations?

Incident Response

  • What is their breach notification commitment? (Standard GDPR is 72 hours for the controller to notify the supervisory authority; many enterprise contracts require the processor to notify the controller within 24 hours)
  • Do they have a documented incident response plan?
  • How do they communicate incidents to customers?

Contractual

  • Do they offer a GDPR-compliant DPA?
  • Does the DPA meet Article 28(3) requirements?
  • Do they grant you audit rights over their processing?
  • What are the data deletion/return commitments on contract termination?

Step 3: Required Documentation

Before processing begins, obtain and file:

  • Signed DPA — executed copy in your records (not just a link to their terms page)
  • Security certification — current certificate (ISO 27001, SOC 2)
  • Sub-processor list — their current list
  • Transfer mechanism documentation — SCCs (executed), DPF certification record, or adequacy country confirmation
  • Privacy policy / data handling documentation — their published policy
  • TOMs annex — technical and organisational security measures (usually part of the DPA)

Step 4: Ongoing Monitoring

Due diligence is not a one-time exercise. Maintain ongoing oversight:

Annually:

  • Verify security certifications are renewed and in scope
  • Review sub-processor lists for changes (you should be notified per your DPA, but verify)
  • Confirm transfer mechanisms are still valid
  • Review any published security incident disclosures

On vendor notification:

  • Review and approve (or object to) sub-processor additions within the notice period specified in your DPA
  • Review security incident notifications and assess whether your breach notification obligations are triggered

On contract renewal:

  • Re-run the pre-onboarding checklist — circumstances change
  • Verify the DPA is still current and appropriate

Vendor Assessment Template

For each processor, maintain a record:

Vendor: [name]
Service: [what they do for us]
Data processed: [categories]
Data location: [countries/regions]
Transfer mechanism: [adequacy / DPF / SCCs — and date executed]

Security certifications:
- [ ] ISO 27001 — Expiry: [date]
- [ ] SOC 2 Type II — Report date: [date]
- [ ] Other: [specify]

DPA:
- Status: Signed / Not required / Outstanding
- Date signed: [date]
- Version: [version or date of their DPA terms]

Sub-processors:
- List location: [URL or document]
- Last reviewed: [date]
- Any concerns: [notes]

Breach notification commitment: [hours]

Last reviewed: [date]
Next review: [date]
Notes: [any concerns or outstanding items]

Red Flags During Vendor Assessment

Treat these as blockers unless resolved:

Red flag (and why it matters):

  • No DPA available or refuses to sign: Article 28 makes a DPA mandatory — no DPA = unlawful processing
  • Security certification expired or out of scope: a lapsed cert provides no assurance — request current documentation
  • Data stored in non-adequate, non-SCC country without transfer mechanism: unlawful transfer
  • Breach history with poor handling: indicates systemic security culture issues
  • No sub-processor list available: you cannot audit sub-processing without knowing who sub-processes
  • Unlimited sub-processor changes without notice: your DPA should give you advance notice rights
  • No audit rights: Article 28(3)(h) requires audit rights — a vendor who refuses has a problem

SaaS-Specific Note: Your Sub-Processor Due Diligence Affects Your Customers

When you conduct due diligence on your processors, you are also protecting your customers. If one of your sub-processors suffers a breach affecting your customers' user data, you are liable — and your customers will look to you.

Publishing a transparent sub-processor list, maintaining current DPAs with all processors, and conducting documented due diligence are increasingly a competitive differentiator in enterprise sales — not just a compliance obligation.
