Vendor Security Review Process
New vendor adoption: security review.
Checklist
Every third-party vendor with access to your data, your infrastructure, or your customers introduces risk. Vendor security review is the discipline that evaluates that risk before the vendor is onboarded and continues evaluating it through the relationship. Done well, the review catches the integrations that should not happen and structures the ones that do. Done poorly, vendors get added without scrutiny and the supply-chain attack surface grows silently.
What every vendor security checklist must cover:
- SOC 2 Type 2 attestation: The vendor has been audited against SOC 2 controls over a period (Type 2 covers a window, typically 6 to 12 months, demonstrating sustained control operation). A current SOC 2 Type 2 report is the baseline evidence of operational security maturity. Vendors without one are either small or unserious; either is a flag.
- BAA if PHI is involved: Healthcare data triggers HIPAA. The vendor must sign a Business Associate Agreement and demonstrate HIPAA compliance. Without a BAA, sharing PHI with the vendor is a regulatory violation. The legal team handles the BAA; the security review confirms the vendor can comply.
- Encryption posture: Data at rest encrypted with strong algorithms (AES-256 typical). Data in transit over TLS 1.2+ with strong cipher suites. Encryption keys managed in a way that the vendor's own staff cannot trivially decrypt customer data. The encryption story is documented and verifiable.
- Sub-processor list: The vendor's own vendors. SaaS vendors typically use 5 to 50 sub-processors (analytics, email, hosting, support tooling). Each sub-processor has access to some slice of customer data; each sub-processor expands the trust perimeter. The list is reviewed at onboarding, and the vendor notifies you when sub-processors are added.
- Incident notification SLA: The vendor commits to notifying you of security incidents that affect your data within a defined window (typically 72 hours, sometimes 24 for high-sensitivity contexts). The commitment is in writing in the contract; without it, the vendor can quietly handle breaches that affect you.
- Standard items: The checklist is consistent across vendors. Inconsistency means some vendors get reviewed against a higher bar than others, which is a fairness problem and an audit issue. The bar is the same; the answers vary; the checklist makes the comparison visible.
The checklist is the structure that makes vendor reviews repeatable. Without it, each review is a custom exercise; with it, the review is a process that scales across the vendor portfolio.
Approval
The output of the review is an approval (or rejection). The approval is documented, audit-trailed, and tied to specific controls. The vendor that was approved has documented evidence that the approval was deliberate and informed.
- Security signs off explicitly: The security team is the gate. Sales, procurement, or engineering cannot bypass the security review by going around the team. The vendor cannot be onboarded until security approves; the approval is recorded.
- Documented in writing: The approval document captures: what was reviewed, what was found, what conditions apply (encryption requirements, data scope limits, contract clauses required), who approved, when. The document goes in the vendor folder; auditors find it later.
- Conditional approvals: Sometimes a vendor is approved with conditions: "must rotate keys within 90 days of provisioning," "must restrict access to specific data shapes," "must use SSO for all admin access." The conditions are tracked; compliance with them is verified periodically.
- Audit trail for compliance: SOC 2 and similar frameworks specifically ask "how do you evaluate vendors before onboarding." The approval documents are the literal answer. Auditors sample the documents; the program survives the audit when the documents exist.
- Rejection paths defined: Sometimes a vendor fails review. The rejection is documented with the reason. The team that requested the vendor can either find an alternative or appeal with additional information. Rejection is rare but it has to be possible; otherwise the review is theatrical.
The approval discipline is what gives the review its weight. A review without approval consequences is a checkbox; a review where security can actually block onboarding is a real control.
Renewal
Vendor security postures change. The vendor that was solid two years ago might have changed leadership, consolidated infrastructure, deprioritized security investment. The renewal review re-examines the vendor against the current standard and against any specific concerns that have emerged.
- Annual re-review: Every vendor with active production access is re-reviewed annually. The review covers the same checklist as the original plus any changes in the vendor's posture, the platform's posture, or the regulatory landscape. New requirements emerge; the renewal is when they get applied.
- Vendor posture changes: The vendor may have lost their SOC 2 attestation, changed their sub-processor list, suffered a publicized security incident, or had a leadership change that affects the security function. Each of these warrants reassessment.
- Catch drift between renewals: The renewal is the formal review point, but security incidents involving the vendor or industry-wide threat shifts can trigger ad-hoc reassessment between annual reviews. The annual review is the default; events trigger exceptions.
- Termination paths defined: Sometimes the renewal review concludes that the vendor should not continue. The termination path is defined: notice period, data-return process, transition to alternative vendor. Doing this on schedule is much cleaner than doing it after a vendor security incident forces it.
- Renewal review documented same as initial: The output is another approval document with the same structure as the initial. The audit trail extends; the historical view of the vendor relationship is reconstructable.
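The renewal items above, together with the tracked conditions under Approval, amount to a small set of date-driven checks over the vendor inventory: is the annual review due, is the SOC 2 Type 2 report still current, is a BAA on file where PHI is in scope, is an incident notification SLA in the contract, and has every approval condition been verified by its due date. The script below is an added example, not code from the original page and not Nova AI Ops code. The record layout, the thresholds (365-day review interval, 30-day warning window, 12-month maximum SOC 2 report age, 72-hour SLA ceiling) and the four vendor entries are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical inventory record layout, assumed for this example only.
@dataclass
class Condition:
    text: str                        # condition wording from the approval document
    due: date                        # date by which the condition must be met
    verified_on: Optional[date] = None  # date security verified it, None if not yet

@dataclass
class Vendor:
    name: str
    approved_on: date                # date of the last security approval (initial or renewal)
    soc2_period_end: Optional[date]  # end of the audit window in the latest SOC 2 Type 2 report
    handles_phi: bool
    baa_signed: bool
    incident_sla_hours: Optional[int]  # contractual notification window, None if absent
    conditions: List[Condition] = field(default_factory=list)

# Policy thresholds; constructed values mirroring the figures in the text.
RENEWAL_INTERVAL = timedelta(days=365)
RENEWAL_WARNING = timedelta(days=30)
SOC2_MAX_AGE = timedelta(days=365)
MAX_SLA_HOURS = 72


def findings_for(vendor: Vendor, today: date) -> List[str]:
    """Return the list of review findings for one vendor as of `today`."""
    out: List[str] = []
    next_review = vendor.approved_on + RENEWAL_INTERVAL
    if today >= next_review:
        out.append(f"renewal overdue since {next_review}")
    elif today >= next_review - RENEWAL_WARNING:
        out.append(f"renewal due {next_review}")
    if vendor.soc2_period_end is None:
        out.append("no SOC 2 Type 2 report on file")
    elif today - vendor.soc2_period_end > SOC2_MAX_AGE:
        out.append(f"SOC 2 report stale (period ended {vendor.soc2_period_end})")
    if vendor.handles_phi and not vendor.baa_signed:
        out.append("PHI in scope but no BAA signed")
    if vendor.incident_sla_hours is None:
        out.append("no incident notification SLA in contract")
    elif vendor.incident_sla_hours > MAX_SLA_HOURS:
        out.append(f"incident SLA {vendor.incident_sla_hours}h exceeds {MAX_SLA_HOURS}h")
    for c in vendor.conditions:
        if c.verified_on is None and today > c.due:
            out.append(f"condition unverified past due: {c.text}")
    return out


def review_queue(vendors: List[Vendor], today: date) -> dict:
    """Map vendor name -> findings, omitting vendors with nothing to act on."""
    return {v.name: f for v in vendors if (f := findings_for(v, today))}


# Constructed sample inventory; names and dates are fictional.
SAMPLE_VENDORS = [
    Vendor("Acme Analytics", date(2023, 5, 15), date(2023, 3, 31), False, False, 72,
           [Condition("rotate keys within 90 days of provisioning", date(2023, 8, 13),
                      verified_on=date(2023, 8, 1))]),
    Vendor("HealthChart", date(2024, 1, 10), date(2023, 12, 31), True, False, 24,
           [Condition("use SSO for all admin access", date(2024, 4, 9))]),
    Vendor("MailBlast", date(2023, 6, 20), date(2024, 2, 28), False, False, None),
    Vendor("CleanVendor", date(2024, 3, 1), date(2024, 1, 31), False, False, 48),
]
AS_OF = date(2024, 6, 1)  # constructed "today" so the run is reproducible


def sample_queue() -> dict:
    return review_queue(SAMPLE_VENDORS, AS_OF)


if __name__ == "__main__":
    for name, findings in sample_queue().items():
        print(name)
        for f in findings:
            print(f"  - {f}")
```

Running it lists three vendors: Acme Analytics (renewal overdue, stale SOC 2 report), HealthChart (PHI without a BAA, an unverified condition past its due date) and MailBlast (renewal approaching, no incident SLA). CleanVendor produces no findings and is left out of the queue. The same function run against the real inventory is what turns the "annual by default, events trigger exceptions" rule into something that can be scheduled rather than remembered.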
Vendor security review is one of those programs that requires sustained discipline rather than heroic effort. Nova AI Ops integrates with the vendor inventory, tracks renewal dates per vendor, surfaces the vendors approaching renewal or with stale attestations, and produces the audit-ready documentation that makes the program defensible to auditors and stakeholders.