Vendor Due Diligence Questionnaire - Alabama

VENDOR DUE DILIGENCE QUESTIONNAIRE


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions/PEP/Adverse Media
  4. Services, Data, and Locations
  5. Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications and Testing
  11. Insurance
  12. Legal/Regulatory Matters
  13. Financial Viability
  14. ESG and Ethics
  15. Required Artifacts Checklist
  16. Attestations and Signoff
  17. Alabama Data Security Supplement

1. INSTRUCTIONS AND SCOPE

  • Complete all sections; mark "N/A" where an item genuinely does not apply and state why.
  • Attach the evidence requested; answers must describe controls as actually implemented today, not as planned.
  • Vendors rated critical or high-risk must provide the supporting artifacts listed in Section 15.

2. VENDOR PROFILE AND OWNERSHIP

  • Legal name, address, formation jurisdiction, registration numbers.
  • Ultimate parent, subsidiaries involved, beneficial owners >=10%, board/officers.
  • Contacts: business, security, privacy, incident, billing.

3. SANCTIONS/PEP/ADVERSE MEDIA

  • Confirm screening against major lists (OFAC, UN, EU, UK, local).
  • PEP status of owners/officers; adverse media findings; remediation steps if any.

4. SERVICES, DATA, AND LOCATIONS

  • Services provided; criticality to our operations.
  • Data types handled (PII, PHI, cardholder data in PCI DSS scope, trade secrets); approximate volume; data residency and each storage/processing location.
  • Cross-border transfers and the transfer mechanism relied on for each (SCCs, UK IDTA/Addendum, or other).

5. SECURITY CONTROLS

  • Access controls (MFA for privileged and remote access, RBAC, periodic access reviews); encryption in transit and at rest; key management (custody, rotation, HSM/KMS use).
  • Network security, vulnerability management and patching cadence by severity, secure SDLC, logging/monitoring and log retention, segregation of duties.
  • Physical security for data centers/offices.
  • Endpoint protection, mobile/BYOD controls.
  • Penetration testing frequency, scope, and remediation approach (SLAs by finding severity).

6. PRIVACY AND DATA SUBJECT RIGHTS

  • Lawful bases (where applicable), notices, consents, and purpose limitation.
  • Data minimization, retention periods, deletion procedures, return/transfer on termination.
  • DSR handling (access, deletion, correction, portability), timelines, and verification steps.

7. SUBPROCESSORS AND FOURTH PARTIES

  • List subprocessors; services provided; locations; data types; onboarding diligence.
  • Change notification process and approval rights.

8. INCIDENT RESPONSE AND BREACH HISTORY

  • Incident response plan, escalation timelines, and contractual notification commitments to us.
  • Breach history (last 3 years): dates, nature, data impacted, root cause, remediation.
  • Forensic/retained incident response partners and playbooks.

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

  • RTO/RPO targets; DR testing frequency and results; backup strategy and media; single points of failure; pandemic/geo disruption planning.

10. CERTIFICATIONS AND TESTING

  • Current certifications: SOC 2 (Type I/II), ISO 27001, HITRUST, PCI DSS, others.
  • Last audit dates and exceptions; penetration test reports (summary) and remediation status.

11. INSURANCE

  • Coverage types/limits: cyber, E&O, GL, professional, crime; expiration dates; carriers.

12. LEGAL/REGULATORY MATTERS

  • Required licenses/registrations; regulatory exams; consent decrees/settlements; pending litigation related to services.
  • Export controls classification and licensing (if applicable).

13. FINANCIAL VIABILITY

  • Provide recent audited financial statements (including any going-concern qualification in the auditor's opinion); key revenue concentration risks; material adverse changes.

14. ESG AND ETHICS

  • Code of conduct/ethics; anti-corruption program; whistleblower channel; modern slavery/forced labor policies; environmental commitments (if applicable).

15. REQUIRED ARTIFACTS CHECKLIST

  • Policies: security, privacy, incident response, business continuity.
  • Certifications/reports: SOC/ISO/PCI; recent pen test summary.
  • Subprocessor list; data flow diagram; DPIA (if available); insurance certificates.
  • Sample contract terms (DPA, security addendum), breach notification commitments.

16. ATTESTATIONS AND SIGNOFF

  • Authorized representative attests accuracy as of [DATE].
  • Name, title, signature, contact; date signed.

17. ALABAMA DATA SECURITY SUPPLEMENT

  • Confirm ability to comply with Alabama's Data Breach Notification Act (Ala. Code Section 8-38-1 et seq.), including the 45-day timeline for notifying affected Alabama residents.
  • Describe the process for notifying our company of any breach affecting Alabama residents. As a third-party agent under the Act, the vendor must notify the covered entity no later than 10 days after determining that a breach occurred; confirm that your procedures and contractual commitments meet or exceed this.
  • Confirm implementation of reasonable security measures for sensitive personally identifying information, as that term is defined in the Act.
  • Provide data retention schedules and a deletion certification process for sensitive personally identifying information upon termination.
  • Confirm that your breach notification procedures document the Alabama notice timelines above and how they are tracked.