
VENDOR DUE DILIGENCE QUESTIONNAIRE — CALIFORNIA

Issuing Organization: [________________________________]
Date Issued: [__/__/____]
Due Date for Completion: [__/__/____]
Vendor Risk Tier: ☐ Critical | ☐ High | ☐ Medium | ☐ Low


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions, PEP, and Adverse Media
  4. Services, Data, and Locations
  5. Information Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications, Audits, and Testing
  11. Insurance Coverage
  12. Legal and Regulatory Matters
  13. Financial Viability
  14. ESG, Ethics, and Anti-Corruption
  15. California-Specific Compliance Requirements
  16. Required Artifacts Checklist
  17. Attestation and Signoff

1. INSTRUCTIONS AND SCOPE

1.1 Purpose

This Vendor Due Diligence Questionnaire (VDQ) evaluates vendor risk with specific attention to California's comprehensive privacy framework under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) (Cal. Civ. Code § 1798.100 et seq.), including service provider and contractor obligations, the California data breach notification statute (Cal. Civ. Code § 1798.82), and the CPPA's final implementing regulations (11 CCR § 7050 et seq.). The CPRA strengthened the requirements imposed on service providers and contractors, including restrictions on the use, retention, and disclosure of personal information.

1.2 Completion Instructions

  • Complete all sections; enter "N/A" where not applicable.
  • Attach all requested evidence. Critical/High-tier vendors must provide independent evidence.

2. VENDOR PROFILE AND OWNERSHIP

Field | Response
Legal Entity Name | [________________________________]
DBA | [________________________________]
Date of Incorporation | [__/__/____]
Jurisdiction | [________________________________]
Principal Address | [________________________________]
California Office (if any) | [________________________________]
Website | [________________________________]
EIN | [________________________________]
CA SOS Entity No. | [________________________________]
Entity Type | ☐ Corporation ☐ LLC ☐ Partnership ☐ Other: [____]

Beneficial Owners (10%+):

Name | Title | Ownership % | Residence
[________________________________] | [________________] | [____]% | [________________]

Key Contacts:

Role | Name | Email | Phone
Primary Business | [________________] | [________________] | [________________]
Security Lead | [________________] | [________________] | [________________]
Privacy Officer | [________________] | [________________] | [________________]
Incident Response | [________________] | [________________] | [________________]

3. SANCTIONS, PEP, AND ADVERSE MEDIA

List | Screened | Match
OFAC SDN | ☐ Yes ☐ No | ☐ Yes ☐ No
UN Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No
EU Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No

PEP among owners/officers? ☐ Yes ☐ No

Adverse media in past 5 years? ☐ Yes ☐ No


4. SERVICES, DATA, AND LOCATIONS

Field | Response
Services description | [________________________________]
Criticality | ☐ Critical ☐ High ☐ Medium ☐ Low
System access | ☐ Yes ☐ No
Access type | ☐ Read-only ☐ Read/Write ☐ Admin ☐ N/A

Data Categories:

☐ Personal information (as defined in Cal. Civ. Code § 1798.140(v))
☐ Sensitive personal information (§ 1798.140(ae))
☐ SSN / government identifiers
☐ Financial account information
☐ Precise geolocation
☐ Racial/ethnic origin
☐ Religious/philosophical beliefs
☐ Union membership
☐ Genetic data
☐ Biometric data for identification
☐ Health information
☐ Sex life / sexual orientation
☐ Contents of mail, email, or text messages (where the business is not the intended recipient)
☐ Children's data (under 16)
☐ PCI data
☐ PHI
☐ Other: [________________________________]

Volume: ☐ <1,000 ☐ 1,000–10,000 ☐ 10,000–100,000 ☐ 100,000–1M ☐ >1M

Locations:

Location | Activity | Data Types
[________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________]

5. INFORMATION SECURITY CONTROLS

5.1 Access Controls

# | Control | Response | Details
5.1.1 | MFA for remote access? | ☐ Yes ☐ No | [________________]
5.1.2 | MFA for data access? | ☐ Yes ☐ No | [________________]
5.1.3 | RBAC? | ☐ Yes ☐ No | [________________]
5.1.4 | Least privilege? | ☐ Yes ☐ No ☐ Partial | [________________]
5.1.5 | Access reviews? | ☐ Yes ☐ No | Frequency: [____]

5.2 Encryption

# | Control | Response | Details
5.2.1 | At rest? | ☐ Yes ☐ No | Algorithm: [____]
5.2.2 | In transit? | ☐ Yes ☐ No | Protocol: [____]

5.3 Network and Infrastructure

# | Control | Response | Details
5.3.1 | Firewalls? | ☐ Yes ☐ No | [________________]
5.3.2 | IDS/IPS? | ☐ Yes ☐ No | [________________]
5.3.3 | Patch management? | ☐ Yes ☐ No | SLA: [____]
5.3.4 | Vulnerability scanning? | ☐ Yes ☐ No | Frequency: [____]

5.4 Endpoint, Physical, Logging

# | Control | Response | Details
5.4.1 | EDR? | ☐ Yes ☐ No | [________________]
5.4.2 | Centralized logging/SIEM? | ☐ Yes ☐ No | [________________]
5.4.3 | Physical security? | ☐ Yes ☐ No | [________________]

6. PRIVACY AND DATA SUBJECT RIGHTS

# | Control | Response
6.1 | Privacy officer? | ☐ Yes ☐ No
6.2 | Privacy policy? | ☐ Yes ☐ No
6.3 | Data retention schedules? | ☐ Yes ☐ No
6.4 | Secure deletion? | ☐ Yes ☐ No
6.5 | Deletion certification? | ☐ Yes ☐ No

7. SUBPROCESSORS AND FOURTH PARTIES

Uses subprocessors? ☐ Yes ☐ No

Subprocessor | Services | Location | Data Types
[________________________________] | [________________] | [________________] | [________________]

# | Control | Response
7.1 | Due diligence? | ☐ Yes ☐ No
7.2 | Equivalent terms? | ☐ Yes ☐ No
7.3 | Change notification? | ☐ Yes ☐ No

8. INCIDENT RESPONSE AND BREACH HISTORY

# | Control | Response | Details
8.1 | Documented IRP? | ☐ Yes ☐ No | [________________]
8.2 | 24/7 response? | ☐ Yes ☐ No | [________________]
8.3 | Customer notification SLA | [____] hours | [________________]

Breaches in past 3 years? ☐ Yes ☐ No


9. BUSINESS CONTINUITY AND DISASTER RECOVERY

# | Control | Response
9.1 | BCP? | ☐ Yes ☐ No
9.2 | DRP? | ☐ Yes ☐ No
9.3 | RTO | [____] hours
9.4 | RPO | [____] hours

10. CERTIFICATIONS, AUDITS, AND TESTING

Certification | Maintained | Covers Services | Expiration
SOC 2 Type II | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]
ISO 27001 | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]
PCI DSS | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____]

11. INSURANCE COVERAGE

Coverage | Carrier | Limit | Expiration
Cyber/Tech E&O | [________________] | $[________________] | [__/__/____]
General Liability | [________________] | $[________________] | [__/__/____]

12. LEGAL AND REGULATORY MATTERS

# | Question | Response
12.1 | Required licenses? | ☐ Yes ☐ No
12.2 | Regulatory exams? | ☐ Yes ☐ No
12.3 | Enforcement actions? | ☐ Yes ☐ No
12.4 | Pending litigation? | ☐ Yes ☐ No

13. FINANCIAL VIABILITY

# | Question | Response
13.1 | Provide financials? | ☐ Yes ☐ No
13.2 | Material adverse changes? | ☐ Yes ☐ No

14. ESG, ETHICS, AND ANTI-CORRUPTION

# | Control | Response
14.1 | Code of conduct? | ☐ Yes ☐ No
14.2 | Anti-corruption? | ☐ Yes ☐ No
14.3 | Whistleblower channel? | ☐ Yes ☐ No

15. CALIFORNIA-SPECIFIC COMPLIANCE REQUIREMENTS

15.1 CCPA/CPRA Service Provider and Contractor Obligations

Under the CPRA (Cal. Civ. Code § 1798.100(d)), a "service provider" or "contractor" receiving personal information from a business must: (1) not retain, use, or disclose personal information for purposes other than performing the contracted services; (2) not sell or share personal information; (3) not combine personal information with data from other sources except as permitted; (4) comply with CCPA obligations and allow audits; and (5) notify the business if it can no longer meet CCPA obligations.

# | Requirement | Response | Details
15.1.1 | Will the vendor enter into a CPRA-compliant service provider or contractor agreement (§ 1798.100(d))? | ☐ Yes ☐ No | [________________]
15.1.2 | Does the vendor certify it will not retain, use, or disclose personal information for any purpose other than the contracted services (§ 1798.140(ag)(1)(A))? | ☐ Yes ☐ No | [________________]
15.1.3 | Does the vendor certify it will not sell or share personal information (§ 1798.140(ag)(1)(B))? | ☐ Yes ☐ No | [________________]
15.1.4 | Does the vendor certify it will not combine personal information from multiple businesses without authorization (§ 1798.140(ag)(1)(D))? | ☐ Yes ☐ No | [________________]
15.1.5 | Will the vendor notify the business if it determines it can no longer meet CCPA obligations (§ 1798.100(d)(3))? | ☐ Yes ☐ No | [________________]
15.1.6 | Will the vendor allow the business to take reasonable steps to ensure the vendor uses personal information consistently with CCPA, including audits (§ 1798.100(d)(1))? | ☐ Yes ☐ No | [________________]
15.1.7 | Does the vendor flow down equivalent service provider/contractor restrictions to its subcontractors? | ☐ Yes ☐ No | [________________]

15.2 Consumer Rights Support

# | Requirement | Response | Details
15.2.1 | Can the vendor support Right to Know / Access requests (§ 1798.100)? | ☐ Yes ☐ No | Timeline: [____] days
15.2.2 | Can the vendor support Right to Delete requests (§ 1798.105)? | ☐ Yes ☐ No | Timeline: [____] days
15.2.3 | Can the vendor support Right to Correct requests (§ 1798.106)? | ☐ Yes ☐ No | Timeline: [____] days
15.2.4 | Can the vendor support Right to Portability (§ 1798.100(d))? | ☐ Yes ☐ No | [________________]
15.2.5 | Can the vendor support Opt-Out of Sale/Sharing (§ 1798.120)? | ☐ Yes ☐ No | [________________]
15.2.6 | Can the vendor support Right to Limit Use of Sensitive PI (§ 1798.121)? | ☐ Yes ☐ No | [________________]
15.2.7 | Can the vendor respond to verified consumer requests within 45 days (extendable by 45 days) (11 CCR § 7024)? | ☐ Yes ☐ No | [________________]
15.2.8 | Does the vendor recognize Global Privacy Control (GPC) as a valid opt-out signal per § 1798.135 and 11 CCR § 7025? | ☐ Yes ☐ No | [________________]

15.3 Sensitive Personal Information (§ 1798.140(ae))

# | Requirement | Response | Details
15.3.1 | Does the vendor process sensitive personal information of California consumers? | ☐ Yes ☐ No | Types: [________________]
15.3.2 | If yes, is processing limited to what is necessary and proportionate (§ 1798.121(a))? | ☐ Yes ☐ No ☐ N/A | [________________]
15.3.3 | Does the vendor support the "Limit the Use of My Sensitive Personal Information" mechanism? | ☐ Yes ☐ No ☐ N/A | [________________]

15.4 Automated Decision-Making Technology (ADMT)

Per the CPPA's ADMT regulations (11 CCR § 7030 et seq., as adopted), businesses using ADMT for significant decisions must provide notice, access, and opt-out rights.

# | Requirement | Response | Details
15.4.1 | Does the vendor use automated decision-making technology in processing our data? | ☐ Yes ☐ No | [________________]
15.4.2 | If yes, does the vendor support ADMT transparency, access, and opt-out obligations? | ☐ Yes ☐ No ☐ N/A | [________________]
15.4.3 | Can the vendor support risk assessments for ADMT processing? | ☐ Yes ☐ No ☐ N/A | [________________]

15.5 Breach Notification (Cal. Civ. Code § 1798.82)

California requires notification "in the most expedient time possible and without unreasonable delay" to residents whose unencrypted personal information was acquired by an unauthorized person. If more than 500 California residents are affected, a sample copy of the notification must be submitted to the California Attorney General.

# | Requirement | Response | Details
15.5.1 | Can the vendor notify us promptly to allow compliance with California's breach notification requirement? | ☐ Yes ☐ No | SLA: [____] hours
15.5.2 | Can the vendor support AG notification when more than 500 CA residents are affected (§ 1798.82(f))? | ☐ Yes ☐ No | [________________]
15.5.3 | Can the vendor provide the notification content required under § 1798.82(d)? | ☐ Yes ☐ No | [________________]

15.6 Data Retention and Disposal

# | Requirement | Response | Details
15.6.1 | Are retention periods limited to what is reasonably necessary for the disclosed purpose (§ 1798.100(a)(3))? | ☐ Yes ☐ No | Period: [________________]
15.6.2 | Will the vendor certify deletion of PI upon contract termination? | ☐ Yes ☐ No | [________________]

16. REQUIRED ARTIFACTS CHECKLIST

# | Document | Provided | N/A
16.1 | Information Security Policy | ☐ | ☐
16.2 | Privacy Policy | ☐ | ☐
16.3 | Incident Response Plan | ☐ | ☐
16.4 | BC/DR Plan | ☐ | ☐
16.5 | SOC 2 Report | ☐ | ☐
16.6 | Pen Test Summary | ☐ | ☐
16.7 | Subprocessor List | ☐ | ☐
16.8 | Insurance Certificate(s) | ☐ | ☐
16.9 | CPRA Service Provider/Contractor Agreement | ☐ | ☐
16.10 | DPA / Security Addendum | ☐ | ☐

17. ATTESTATION AND SIGNOFF

I certify that the information provided is true, complete, and accurate. I commit to notifying the issuing organization within ten (10) business days of material changes.

Field | Information
Name | [________________________________]
Title | [________________________________]
Signature | [________________________________]
Date | [__/__/____]

SOURCES AND REFERENCES

  • California Consumer Privacy Act / CPRA, Cal. Civ. Code § 1798.100 et seq.
  • Cal. Civ. Code § 1798.140(ag) (Service Provider Definition)
  • Cal. Civ. Code § 1798.140(ae) (Sensitive Personal Information)
  • Cal. Civ. Code § 1798.82 (Breach Notification)
  • CPPA Final Regulations, 11 CCR § 7050 et seq.
  • 11 CCR § 7025 (Opt-Out Preference Signals, Including GPC)
  • 11 CCR § 7030 et seq. (ADMT Regulations)
  • OCC Bulletin 2023-17, "Third-Party Relationships"

This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.


Last updated: April 2026