
VENDOR DUE DILIGENCE QUESTIONNAIRE


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions/PEP/Adverse Media
  4. Services, Data, and Locations
  5. Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications and Testing
  11. Insurance
  12. Legal/Regulatory Matters
  13. Financial Viability
  14. ESG and Ethics
  15. Required Artifacts Checklist
  16. Attestations and Signoff
  17. California Privacy (CPRA) Supplement

1. INSTRUCTIONS AND SCOPE

  • Complete all sections; note "N/A" where not applicable.
  • Attach evidence requested; ensure answers reflect actual controls.
  • Critical/high-risk vendors must provide supporting artifacts.

2. VENDOR PROFILE AND OWNERSHIP

  • Legal name, address, formation jurisdiction, registration numbers.
  • Ultimate parent, subsidiaries involved in delivering the services, beneficial owners holding 10% or more, board/officers.
  • Contacts: business, security, privacy, incident, billing.

3. SANCTIONS/PEP/ADVERSE MEDIA

  • Confirm screening against major lists (OFAC, UN, EU, UK, local).
  • PEP status of owners/officers; adverse media findings; remediation steps if any.

4. SERVICES, DATA, AND LOCATIONS

  • Services provided; criticality to our operations.
  • Data types handled (PII, PHI, payment card data in PCI DSS scope, trade secrets); volume; data residency and storage/processing locations.
  • Cross-border transfers and transfer mechanisms (SCCs/IDTA/other).

5. SECURITY CONTROLS

  • Access controls (MFA for privileged and remote access, RBAC/least privilege, periodic access reviews, timely deprovisioning); encryption in transit and at rest; key management (custody, rotation, HSM/KMS use, customer-managed keys if offered).
  • Network security and segmentation; vulnerability management and patching cadence (remediation SLAs by severity); secure SDLC (code review, dependency management); logging/monitoring and log retention; segregation of duties.
  • Physical security for data centers/offices.
  • Endpoint protection (EDR, disk encryption), mobile/BYOD controls.
  • Penetration testing: frequency, scope (external, internal, application), independence of the tester, and remediation approach and timelines.

6. PRIVACY AND DATA SUBJECT RIGHTS

  • Lawful bases (where applicable), notices, consents, and purpose limitation.
  • Data minimization, retention periods, deletion procedures, return/transfer on termination.
  • DSR handling (access, deletion, correction, portability), timelines, and verification steps.

7. SUBPROCESSORS AND FOURTH PARTIES

  • List subprocessors; services provided; locations; data types; onboarding diligence.
  • Change notification process and approval rights.

8. INCIDENT RESPONSE AND BREACH HISTORY

  • Incident response plan, timelines, and notification commitments.
  • Breach history (last 3 years): dates, nature, data impacted, root cause, remediation, and whether regulators or affected individuals were notified.
  • Forensic partners and playbooks.

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

  • RTO/RPO targets for the services provided to us.
  • DR testing frequency and most recent results.
  • Backup strategy (frequency, encryption, offsite or immutable copies, restore testing).
  • Single points of failure (personnel, sites, suppliers, systems).
  • Pandemic and geographic disruption planning.

10. CERTIFICATIONS AND TESTING

  • Current certifications and attestation reports: SOC 2 (Type I/II), ISO 27001, HITRUST, PCI DSS, others, with scope covering the services provided to us.
  • Last audit dates and exceptions/qualified opinions; penetration test reports (summary) and remediation status of open findings.

11. INSURANCE

  • Coverage types/limits: cyber, E&O, GL, professional, crime; expiration dates; carriers.

12. LEGAL/REGULATORY MATTERS

  • Required licenses/registrations; regulatory exams; consent decrees/settlements; pending litigation related to services.
  • Export controls classification and licensing (if applicable).

13. FINANCIAL VIABILITY

  • Provide recent audited financial statements (note any going-concern qualification in the auditor's opinion); key revenue concentration risks; material adverse changes.

14. ESG AND ETHICS

  • Code of conduct/ethics; anti-corruption program; whistleblower channel; modern slavery/forced labor policies; environmental commitments (if applicable).

15. REQUIRED ARTIFACTS CHECKLIST

  • Policies: security, privacy, incident response, business continuity.
  • Certifications/reports: SOC/ISO/PCI; recent pen test summary.
  • Subprocessor list; data flow diagram; DPIA (if available); insurance certificates.
  • Sample contract terms (DPA, security addendum), breach notification commitments.

16. ATTESTATIONS AND SIGNOFF

  • Authorized representative attests accuracy as of [DATE].
  • Name, title, signature, contact; date signed.

17. CALIFORNIA PRIVACY (CPRA) SUPPLEMENT

  • Confirm ability to act as a CPRA service provider or contractor, accept the contractual terms CPRA requires, and comply with restrictions on use, retention, and disclosure of personal information outside the specified business purpose.
  • Identify any sale or sharing of personal information; confirm ability to support "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" requests, including opt-out preference signals such as Global Privacy Control, if applicable.
  • Describe processes for CPRA consumer requests (access, deletion, correction) received directly or forwarded by us, and how you meet the 45-day response window and any extension.
  • Provide data retention schedules and a written deletion certification upon termination of services.
  • Confirm breach notification procedures align with California law (Cal. Civ. Code §1798.82), including notifying us immediately following discovery of a breach of personal information maintained on our behalf, and state the committed notice timelines.