Vendor Due Diligence Questionnaire - Alabama

VENDOR DUE DILIGENCE QUESTIONNAIRE — ALABAMA

Issuing Organization: [________________________________]
Date Issued: [__/__/____]
Due Date for Completion: [__/__/____]
Vendor Risk Tier: ☐ Critical | ☐ High | ☐ Medium | ☐ Low


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions, PEP, and Adverse Media Screening
  4. Services, Data, and Locations
  5. Information Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications, Audits, and Testing
  11. Insurance Coverage
  12. Legal and Regulatory Matters
  13. Financial Viability
  14. ESG, Ethics, and Anti-Corruption
  15. Alabama-Specific Compliance Requirements
  16. Required Artifacts Checklist
  17. Attestation and Signoff

1. INSTRUCTIONS AND SCOPE

1.1 Purpose

This Vendor Due Diligence Questionnaire ("VDQ") is designed to evaluate the risk posture of prospective and existing vendors, service providers, and third parties operating in or handling data of Alabama residents. This questionnaire addresses obligations under the Alabama Data Breach Notification Act (Ala. Code § 8-38-1 et seq.), including the requirement to implement and maintain reasonable security measures under Ala. Code § 8-38-3 and the 45-day breach notification timeline under Ala. Code § 8-38-5.

1.2 Completion Instructions

  • Complete all sections; enter "N/A" with a brief explanation where not applicable.
  • Attach all requested evidence and supporting documentation.
  • Responses must reflect the vendor's actual, current controls and practices.
  • Critical-tier and High-tier vendors must provide independent evidence (e.g., SOC 2 reports, penetration test summaries).

1.3 Confidentiality

All information provided will be treated as confidential and used solely for due diligence and risk management purposes.


2. VENDOR PROFILE AND OWNERSHIP

2.1 Corporate Information

Field | Response
Legal Entity Name | [________________________________]
Doing Business As (DBA) | [________________________________]
Date of Incorporation/Formation | [__/__/____]
Jurisdiction of Incorporation | [________________________________]
Principal Business Address | [________________________________]
Alabama Business Address (if any) | [________________________________]
Website | [________________________________]
Tax Identification Number (EIN) | [________________________________]
Alabama Business License No. | [________________________________]
Entity Type | ☐ Corporation ☐ LLC ☐ Partnership ☐ Sole Proprietorship ☐ Other: [____]

2.2 Ownership Structure

Field | Response
Ultimate Parent Company | [________________________________]
Parent Company Jurisdiction | [________________________________]
Is the vendor publicly traded? | ☐ Yes ☐ No
If yes, stock exchange and ticker | [________________________________]

Beneficial Owners (10% or greater ownership interest):

Name | Title/Role | Ownership % | Country of Residence
[________________________________] | [________________] | [____]% | [________________]
[________________________________] | [________________] | [____]% | [________________]

2.3 Key Contacts

Role | Name | Email | Phone
Primary Business Contact | [________________] | [________________] | [________________]
Information Security Lead | [________________] | [________________] | [________________]
Privacy Officer | [________________] | [________________] | [________________]
Incident Response Contact | [________________] | [________________] | [________________]
Billing/Finance Contact | [________________] | [________________] | [________________]

3. SANCTIONS, PEP, AND ADVERSE MEDIA SCREENING

3.1 Sanctions Screening

☐ Vendor confirms screening against OFAC SDN, UN, EU, and UK sanctions lists.

Sanctions List | Screened | Match Found
OFAC Specially Designated Nationals (SDN) | ☐ Yes ☐ No | ☐ Yes ☐ No
OFAC Consolidated Sanctions List | ☐ Yes ☐ No | ☐ Yes ☐ No
UN Security Council Consolidated List | ☐ Yes ☐ No | ☐ Yes ☐ No
EU Consolidated Financial Sanctions List | ☐ Yes ☐ No | ☐ Yes ☐ No
UK HM Treasury Sanctions List | ☐ Yes ☐ No | ☐ Yes ☐ No

3.2 Politically Exposed Persons (PEP)

Do any beneficial owners, officers, or directors qualify as a PEP? ☐ Yes ☐ No

If yes, provide details: [________________________________]

3.3 Adverse Media

Has the vendor been the subject of adverse media, enforcement actions, or litigation in the past five years? ☐ Yes ☐ No

If yes, provide details: [________________________________]


4. SERVICES, DATA, AND LOCATIONS

4.1 Services Description

Field | Response
Description of services to be provided | [________________________________]
Criticality to our operations | ☐ Critical ☐ High ☐ Medium ☐ Low
Will the vendor interact with our customers? | ☐ Yes ☐ No
Will the vendor have access to our systems? | ☐ Yes ☐ No

4.2 Data Categories Handled

☐ Sensitive Personally Identifying Information (as defined in Ala. Code § 8-38-2(6))
☐ Social Security Numbers
☐ Financial account numbers (with access codes/PINs)
☐ Driver's license / state ID numbers
☐ Medical/health information
☐ Tax identification numbers
☐ Other PII
☐ Payment Card Industry Data (PCI)
☐ Trade secrets or confidential business information
☐ Other: [________________________________]

Estimated volume of records: ☐ <1,000 ☐ 1,000–10,000 ☐ 10,000–100,000 ☐ 100,000–1M ☐ >1M

4.3 Data Processing and Storage Locations

Location | Type of Activity | Data Categories
[________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________]
[________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________]

4.4 Cross-Border Transfers

Will data be transferred outside the United States? ☐ Yes ☐ No

If yes, describe transfer mechanisms: [________________________________]


5. INFORMATION SECURITY CONTROLS

5.1 Access Controls

# | Control Area | Response | Details
5.1.1 | Is MFA required for remote access? | ☐ Yes ☐ No | [________________]
5.1.2 | Is MFA required for access to systems processing our data? | ☐ Yes ☐ No | [________________]
5.1.3 | Is RBAC implemented? | ☐ Yes ☐ No | [________________]
5.1.4 | Is least privilege enforced? | ☐ Yes ☐ No ☐ Partial | [________________]
5.1.5 | Are access rights reviewed periodically? | ☐ Yes ☐ No | Frequency: [____]
5.1.6 | Is access terminated within 24 hours of departure? | ☐ Yes ☐ No | SLA: [____]

5.2 Encryption and Key Management

# | Control Area | Response | Details
5.2.1 | Is data encrypted at rest? | ☐ Yes ☐ No | Algorithm: [____]
5.2.2 | Is data encrypted in transit? | ☐ Yes ☐ No | Protocol: [____]
5.2.3 | Are encryption keys managed separately from data? | ☐ Yes ☐ No | [________________]

5.3 Network and Infrastructure Security

# | Control Area | Response | Details
5.3.1 | Are firewalls deployed? | ☐ Yes ☐ No | [________________]
5.3.2 | Is IDS/IPS deployed? | ☐ Yes ☐ No | [________________]
5.3.3 | Is network segmentation implemented? | ☐ Yes ☐ No | [________________]
5.3.4 | Is there a patch management program? | ☐ Yes ☐ No | SLA: [____]
5.3.5 | Are vulnerability scans conducted regularly? | ☐ Yes ☐ No | Frequency: [____]

5.4 Endpoint and Physical Security

# | Control Area | Response | Details
5.4.1 | Is EDR deployed? | ☐ Yes ☐ No | Product: [____]
5.4.2 | Are endpoints encrypted? | ☐ Yes ☐ No | [________________]
5.4.3 | Are physical access controls in place at data centers? | ☐ Yes ☐ No | [________________]

5.5 Logging and Monitoring

# | Control Area | Response | Details
5.5.1 | Are security events centrally logged? | ☐ Yes ☐ No | SIEM: [____]
5.5.2 | Minimum log retention period | [____] months | [________________]
5.5.3 | Is a SOC maintained? | ☐ Yes ☐ No | ☐ In-house ☐ MSSP

6. PRIVACY AND DATA SUBJECT RIGHTS

6.1 Privacy Program

# | Control Area | Response
6.1.1 | Is there a designated privacy officer? | ☐ Yes ☐ No
6.1.2 | Is there a written privacy policy? | ☐ Yes ☐ No
6.1.3 | Is privacy training provided? | ☐ Yes ☐ No

6.2 Data Handling

# | Control Area | Response
6.2.1 | Are data retention schedules documented? | ☐ Yes ☐ No
6.2.2 | Are secure deletion procedures in place? | ☐ Yes ☐ No
6.2.3 | Will the vendor certify deletion in writing upon termination? | ☐ Yes ☐ No

7. SUBPROCESSORS AND FOURTH PARTIES

Does the vendor use subprocessors? ☐ Yes ☐ No

Subprocessor Name | Services | Location | Data Types
[________________________________] | [________________] | [________________] | [________________]
[________________________________] | [________________] | [________________] | [________________]

# | Control Area | Response
7.1 | Are subprocessors subject to due diligence? | ☐ Yes ☐ No
7.2 | Are subprocessor agreements with equivalent terms in place? | ☐ Yes ☐ No
7.3 | Will we be notified of new subprocessors? | ☐ Yes ☐ No
7.4 | Advance notice period for subprocessor changes | [____] days

8. INCIDENT RESPONSE AND BREACH HISTORY

8.1 Incident Response

# | Control Area | Response | Details
8.1.1 | Is there a documented incident response plan? | ☐ Yes ☐ No | [________________]
8.1.2 | Is 24/7 incident response maintained? | ☐ Yes ☐ No | [________________]
8.1.3 | Customer breach notification SLA | [____] hours | [________________]
8.1.4 | Is the IRP tested annually? | ☐ Yes ☐ No | Last test: [__/__/____]

8.2 Breach History (Last 3 Years)

Has the vendor experienced breaches or security incidents? ☐ Yes ☐ No

Date | Nature | Data Impacted | Remediation
[__/__/____] | [________________] | [________________] | [________________]

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

# | Control Area | Response | Details
9.1 | Documented BCP? | ☐ Yes ☐ No | [________________]
9.2 | Documented DRP? | ☐ Yes ☐ No | [________________]
9.3 | RTO | [____] hours | [________________]
9.4 | RPO | [____] hours | [________________]
9.5 | Regular backups? | ☐ Yes ☐ No | Frequency: [____]
9.6 | Backups offsite? | ☐ Yes ☐ No | [________________]
9.7 | DRP tested annually? | ☐ Yes ☐ No | Last test: [__/__/____]

10. CERTIFICATIONS, AUDITS, AND TESTING

Certification | Maintained | Covers Our Services | Expiration
SOC 2 Type II | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]
ISO 27001 | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]
PCI DSS | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]
HITRUST | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]
Other: [____] | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]

Penetration Testing:

Field | Response
Frequency | ☐ Annual ☐ Semi-Annual ☐ Other: [____]
Last test date | [__/__/____]
Critical/high findings remediated? | ☐ Yes ☐ No ☐ In Progress

11. INSURANCE COVERAGE

Coverage Type | Carrier | Limit | Expiration
Cyber/Technology E&O | [________________] | $[________________] | [__/__/____]
General Liability | [________________] | $[________________] | [__/__/____]
Professional Liability | [________________] | $[________________] | [__/__/____]

12. LEGAL AND REGULATORY MATTERS

# | Question | Response
12.1 | Does the vendor hold all required licenses? | ☐ Yes ☐ No ☐ N/A
12.2 | Regulatory examinations in the past 3 years? | ☐ Yes ☐ No
12.3 | Pending or resolved enforcement actions? | ☐ Yes ☐ No
12.4 | Pending litigation related to services? | ☐ Yes ☐ No
12.5 | M&A activity in the past 24 months? | ☐ Yes ☐ No

13. FINANCIAL VIABILITY

# | Question | Response
13.1 | Willing to provide financial statements? | ☐ Yes ☐ No
13.2 | Material adverse changes in past 12 months? | ☐ Yes ☐ No
13.3 | Any single client >25% of revenue? | ☐ Yes ☐ No

14. ESG, ETHICS, AND ANTI-CORRUPTION

# | Control Area | Response
14.1 | Written code of conduct? | ☐ Yes ☐ No
14.2 | Anti-corruption/anti-bribery program? | ☐ Yes ☐ No
14.3 | Whistleblower hotline? | ☐ Yes ☐ No
14.4 | Modern slavery/forced labor policy? | ☐ Yes ☐ No

15. ALABAMA-SPECIFIC COMPLIANCE REQUIREMENTS

This section addresses obligations specific to vendors handling sensitive personally identifying information of Alabama residents under the Alabama Data Breach Notification Act (Ala. Code § 8-38-1 et seq.), effective June 1, 2018.

15.1 Reasonable Security Measures (Ala. Code § 8-38-3)

The Alabama Data Breach Notification Act requires entities that acquire or use sensitive personally identifying information to implement and maintain "reasonable security measures" to protect such information. These measures must be appropriate to the nature of the data and the size/complexity of the vendor's operations.

# | Requirement | Response | Details
15.1.1 | Has the vendor implemented reasonable security measures to protect sensitive personally identifying information as defined under Ala. Code § 8-38-2(6)? | ☐ Yes ☐ No | [________________]
15.1.2 | Does the vendor maintain administrative safeguards (policies, training, access controls)? | ☐ Yes ☐ No | [________________]
15.1.3 | Does the vendor maintain technical safeguards (encryption, firewalls, monitoring)? | ☐ Yes ☐ No | [________________]
15.1.4 | Does the vendor maintain physical safeguards (facility security, media disposal)? | ☐ Yes ☐ No | [________________]
15.1.5 | Are security measures reviewed and updated at least annually? | ☐ Yes ☐ No | Last review: [__/__/____]

15.2 Breach Notification Compliance (Ala. Code § 8-38-5)

Under the Alabama Data Breach Notification Act, covered entities must provide notification to affected Alabama residents within 45 days of the determination that a breach has occurred. The Alabama Attorney General must be notified if the breach affects more than 1,000 Alabama residents.

# | Requirement | Response | Details
15.2.1 | Can the vendor notify our organization of a breach involving Alabama resident data within the contractually agreed timeframe? | ☐ Yes ☐ No | SLA: [____] hours
15.2.2 | Does the vendor understand the 45-day notification deadline to affected individuals under Alabama law? | ☐ Yes ☐ No | [________________]
15.2.3 | Can the vendor support identification of affected Alabama residents? | ☐ Yes ☐ No | [________________]
15.2.4 | Can the vendor support notification to the Alabama Attorney General when >1,000 residents are affected (Ala. Code § 8-38-5(c))? | ☐ Yes ☐ No | [________________]
15.2.5 | Can the vendor provide required breach notification content, including: (a) date of breach, (b) description of information compromised, (c) contact information, (d) toll-free numbers for credit reporting agencies? | ☐ Yes ☐ No | [________________]
15.2.6 | Does the vendor have procedures for substitute notice (publication plus website posting) if direct notice is not feasible? | ☐ Yes ☐ No | [________________]

15.3 Sensitive Personally Identifying Information (Ala. Code § 8-38-2(6))

Alabama law defines "sensitive personally identifying information" as a person's first name or initial and last name in combination with one or more of the following: Social Security number, driver's license or state ID number, financial account number with access codes, medical/health information, health insurance information, or a username/email with a password or security question answer.

# | Requirement | Response | Details
15.3.1 | Does the vendor process any data elements defined as sensitive personally identifying information under Alabama law? | ☐ Yes ☐ No | Types: [________________]
15.3.2 | If yes, are enhanced controls applied to such data? | ☐ Yes ☐ No ☐ N/A | [________________]
15.3.3 | Is access to sensitive personally identifying information restricted to authorized personnel only? | ☐ Yes ☐ No | [________________]

15.4 Third-Party Service Provider Obligations (Ala. Code § 8-38-8)

Under Ala. Code § 8-38-8, a third-party agent that maintains, stores, or processes sensitive personally identifying information on behalf of a covered entity must notify that entity of a breach within 10 days of discovery.

# | Requirement | Response | Details
15.4.1 | Does the vendor acknowledge its obligation to notify us within 10 days of discovering a breach under Ala. Code § 8-38-8? | ☐ Yes ☐ No | [________________]
15.4.2 | Will the vendor cooperate with breach investigation and remediation? | ☐ Yes ☐ No | [________________]
15.4.3 | Will the vendor provide reasonable assistance with consumer notifications? | ☐ Yes ☐ No | [________________]

15.5 Data Retention and Disposal

# | Requirement | Response | Details
15.5.1 | Does the vendor have data retention schedules for Alabama resident data? | ☐ Yes ☐ No | Period: [________________]
15.5.2 | Does the vendor have secure disposal procedures for sensitive information? | ☐ Yes ☐ No | Method: [________________]
15.5.3 | Will the vendor provide written certification of destruction upon termination? | ☐ Yes ☐ No | [________________]

16. REQUIRED ARTIFACTS CHECKLIST

# | Document | Provided | N/A
16.1 | Information Security Policy | ☐ | ☐
16.2 | Privacy Policy | ☐ | ☐
16.3 | Incident Response Plan (summary) | ☐ | ☐
16.4 | Business Continuity/DR Plan (summary) | ☐ | ☐
16.5 | SOC 2 Type II Report (or bridge letter) | ☐ | ☐
16.6 | ISO 27001 Certificate | ☐ | ☐
16.7 | Penetration Test Summary | ☐ | ☐
16.8 | Subprocessor List | ☐ | ☐
16.9 | Data Flow Diagram | ☐ | ☐
16.10 | Insurance Certificate(s) | ☐ | ☐
16.11 | Sample DPA / Security Addendum | ☐ | ☐
16.12 | Alabama Breach Notification Procedures | ☐ | ☐

17. ATTESTATION AND SIGNOFF

I, the undersigned, certify that the information provided in this questionnaire is true, complete, and accurate as of the date below. I commit to notifying the issuing organization within ten (10) business days of any material changes.

Field | Information
Name | [________________________________]
Title | [________________________________]
Email | [________________________________]
Phone | [________________________________]
Signature | [________________________________]
Date | [__/__/____]

SOURCES AND REFERENCES

  • Alabama Data Breach Notification Act, Ala. Code § 8-38-1 et seq. (2018)
  • Ala. Code § 8-38-2(6) (Definition of Sensitive Personally Identifying Information)
  • Ala. Code § 8-38-5 (Individual Notification Within 45 Days)
  • Ala. Code § 8-38-5(c) (AG Notification When >1,000 Affected)
  • Ala. Code § 8-38-3 (Reasonable Security Measures)
  • Ala. Code § 8-38-7 (Notice to Consumer Reporting Agencies)
  • Ala. Code § 8-38-8 (Third-Party Agent Notification Within 10 Days)
  • Ala. Code § 8-38-10 (Disposal of Records)
  • OCC Bulletin 2023-17, "Third-Party Relationships: Risk Management Guidance" (June 6, 2023)
  • FFIEC IT Examination Handbook, "Outsourcing Technology Services"
  • NIST SP 800-161 Rev. 1, "Cybersecurity Supply Chain Risk Management Practices" (May 2022)

This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.


About This Template

Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: May 2026