Vendor Due Diligence Questionnaire - Florida

VENDOR DUE DILIGENCE QUESTIONNAIRE — FLORIDA

Issuing Organization: [________________________________]
Date Issued: [__/__/____]
Due Date for Completion: [__/__/____]
Vendor Risk Tier: ☐ Critical | ☐ High | ☐ Medium | ☐ Low


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions, PEP, and Adverse Media Screening
  4. Services, Data, and Locations
  5. Information Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications, Audits, and Testing
  11. Insurance Coverage
  12. Legal and Regulatory Matters
  13. Financial Viability
  14. ESG, Ethics, and Anti-Corruption
  15. Florida-Specific Compliance Requirements
  16. Required Artifacts Checklist
  17. Attestation and Signoff

1. INSTRUCTIONS AND SCOPE

1.1 Purpose

This Vendor Due Diligence Questionnaire (VDQ) evaluates a vendor's risk posture with specific attention to Florida's privacy and data security framework, including the Florida Information Protection Act (FIPA) (Fla. Stat. § 501.171) and the Florida Digital Bill of Rights (FDBR) (Fla. Stat. § 501.701 et seq., effective July 1, 2024). FIPA imposes a 30-day breach notification deadline and requires reasonable security measures for personal information. The FDBR establishes consumer privacy rights for organizations that meet specified revenue and data processing thresholds.

1.2 Completion Instructions

  • Complete all sections; enter "N/A" with an explanation where not applicable.
  • Attach all requested evidence. Critical/High-tier vendors must provide independent evidence.
  • Responses must reflect actual, current controls.

2. VENDOR PROFILE AND OWNERSHIP

2.1 Corporate Information

| Field | Response |
|---|---|
| Legal Entity Name | [________________________________] |
| DBA | [________________________________] |
| Date of Incorporation | [__/__/____] |
| Jurisdiction of Incorporation | [________________________________] |
| Principal Business Address | [________________________________] |
| Florida Office Address (if any) | [________________________________] |
| Website | [________________________________] |
| EIN | [________________________________] |
| Florida Sunbiz Registration No. | [________________________________] |
| Entity Type | ☐ Corporation ☐ LLC ☐ Partnership ☐ Sole Proprietorship ☐ Other: [____] |

2.2 Ownership Structure

| Field | Response |
|---|---|
| Ultimate Parent Company | [________________________________] |
| Is vendor publicly traded? | ☐ Yes ☐ No |

Beneficial Owners (10%+ interest):

| Name | Title | Ownership % | Residence |
|---|---|---|---|
| [________________________________] | [________________] | [____]% | [________________] |
| [________________________________] | [________________] | [____]% | [________________] |

2.3 Key Contacts

| Role | Name | Email | Phone |
|---|---|---|---|
| Primary Business Contact | [________________] | [________________] | [________________] |
| Information Security Lead | [________________] | [________________] | [________________] |
| Privacy Officer | [________________] | [________________] | [________________] |
| Incident Response Contact | [________________] | [________________] | [________________] |

3. SANCTIONS, PEP, AND ADVERSE MEDIA SCREENING

| Sanctions List | Screened | Match |
|---|---|---|
| OFAC SDN | ☐ Yes ☐ No | ☐ Yes ☐ No |
| OFAC Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No |
| UN Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No |
| EU Consolidated | ☐ Yes ☐ No | ☐ Yes ☐ No |
| UK HM Treasury | ☐ Yes ☐ No | ☐ Yes ☐ No |

PEP status among owners/officers? ☐ Yes ☐ No — If yes: [________________________________]

Adverse media in past 5 years? ☐ Yes ☐ No — If yes: [________________________________]


4. SERVICES, DATA, AND LOCATIONS

4.1 Services

| Field | Response |
|---|---|
| Services description | [________________________________] |
| Criticality | ☐ Critical ☐ High ☐ Medium ☐ Low |
| Customer interaction | ☐ Yes ☐ No |
| System access | ☐ Yes ☐ No |
| Access type | ☐ Read-only ☐ Read/Write ☐ Administrative ☐ N/A |

4.2 Data Categories

☐ Personal information (as defined under FIPA, Fla. Stat. § 501.171(1)(g))
☐ Social Security Numbers
☐ Financial account numbers with access codes
☐ Driver's license / FL ID numbers
☐ Medical/health information
☐ Health insurance information
☐ Email with password/security answers
☐ Sensitive data (as defined under FDBR, Fla. Stat. § 501.702)
☐ Children's data (under 13)
☐ Biometric data
☐ PCI data
☐ Other: [________________________________]

Estimated volume: ☐ <1,000 ☐ 1,000–10,000 ☐ 10,000–100,000 ☐ 100,000–1M ☐ >1M

4.3 Data Locations

| Location | Activity | Data Types |
|---|---|---|
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |
| [________________________________] | ☐ Processing ☐ Storage ☐ Both | [________________] |

5. INFORMATION SECURITY CONTROLS

5.1 Access Controls

| # | Control | Response | Details |
|---|---|---|---|
| 5.1.1 | MFA for remote access? | ☐ Yes ☐ No | [________________] |
| 5.1.2 | MFA for data access? | ☐ Yes ☐ No | [________________] |
| 5.1.3 | RBAC implemented? | ☐ Yes ☐ No | [________________] |
| 5.1.4 | Least privilege enforced? | ☐ Yes ☐ No ☐ Partial | [________________] |
| 5.1.5 | Access reviews? | ☐ Yes ☐ No | Frequency: [____] |
| 5.1.6 | Timely termination of access? | ☐ Yes ☐ No | SLA: [____] |

5.2 Encryption

| # | Control | Response | Details |
|---|---|---|---|
| 5.2.1 | Data encrypted at rest? | ☐ Yes ☐ No | Algorithm: [____] |
| 5.2.2 | Data encrypted in transit? | ☐ Yes ☐ No | Protocol: [____] |
| 5.2.3 | Separate key management? | ☐ Yes ☐ No | [________________] |

5.3 Network Security

| # | Control | Response | Details |
|---|---|---|---|
| 5.3.1 | Firewalls? | ☐ Yes ☐ No | [________________] |
| 5.3.2 | IDS/IPS? | ☐ Yes ☐ No | [________________] |
| 5.3.3 | Network segmentation? | ☐ Yes ☐ No | [________________] |
| 5.3.4 | Patch management? | ☐ Yes ☐ No | SLA: [____] |
| 5.3.5 | Vulnerability scanning? | ☐ Yes ☐ No | Frequency: [____] |

5.4 Endpoint and Physical

| # | Control | Response | Details |
|---|---|---|---|
| 5.4.1 | EDR deployed? | ☐ Yes ☐ No | Product: [____] |
| 5.4.2 | Endpoints encrypted? | ☐ Yes ☐ No | [________________] |
| 5.4.3 | Physical data center security? | ☐ Yes ☐ No | [________________] |

5.5 Logging

| # | Control | Response | Details |
|---|---|---|---|
| 5.5.1 | Centralized logging? | ☐ Yes ☐ No | SIEM: [____] |
| 5.5.2 | Log retention ≥12 months? | ☐ Yes ☐ No | Period: [____] |

6. PRIVACY AND DATA SUBJECT RIGHTS

| # | Control | Response |
|---|---|---|
| 6.1 | Designated privacy officer? | ☐ Yes ☐ No |
| 6.2 | Written privacy policy? | ☐ Yes ☐ No |
| 6.3 | PIAs conducted for high-risk processing? | ☐ Yes ☐ No |
| 6.4 | Data retention schedules documented? | ☐ Yes ☐ No |
| 6.5 | Secure deletion procedures? | ☐ Yes ☐ No |
| 6.6 | Written deletion certification on termination? | ☐ Yes ☐ No |

7. SUBPROCESSORS AND FOURTH PARTIES

Uses subprocessors? ☐ Yes ☐ No

| Subprocessor | Services | Location | Data Types |
|---|---|---|---|
| [________________________________] | [________________] | [________________] | [________________] |

| # | Control | Response |
|---|---|---|
| 7.1 | Subprocessor due diligence? | ☐ Yes ☐ No |
| 7.2 | Equivalent contractual terms? | ☐ Yes ☐ No |
| 7.3 | Notification of changes? | ☐ Yes ☐ No |
| 7.4 | Advance notice period | [____] days |

8. INCIDENT RESPONSE AND BREACH HISTORY

| # | Control | Response | Details |
|---|---|---|---|
| 8.1 | Documented IRP? | ☐ Yes ☐ No | [________________] |
| 8.2 | 24/7 response capability? | ☐ Yes ☐ No | [________________] |
| 8.3 | Customer notification SLA | [____] hours | [________________] |
| 8.4 | IRP tested annually? | ☐ Yes ☐ No | Last: [__/__/____] |

Breaches in past 3 years? ☐ Yes ☐ No

| Date | Nature | Data Impacted | Remediation |
|---|---|---|---|
| [__/__/____] | [________________] | [________________] | [________________] |

9. BUSINESS CONTINUITY AND DISASTER RECOVERY

| # | Control | Response | Details |
|---|---|---|---|
| 9.1 | Documented BCP? | ☐ Yes ☐ No | [________________] |
| 9.2 | Documented DRP? | ☐ Yes ☐ No | [________________] |
| 9.3 | RTO | [____] hours | |
| 9.4 | RPO | [____] hours | |
| 9.5 | DRP tested annually? | ☐ Yes ☐ No | Last: [__/__/____] |

10. CERTIFICATIONS, AUDITS, AND TESTING

| Certification | Maintained | Covers Services | Expiration |
|---|---|---|---|
| SOC 2 Type II | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| ISO 27001 | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| PCI DSS | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |
| Other: [____] | ☐ Yes ☐ No | ☐ Yes ☐ No | [__/__/____] |

Pen test frequency: ☐ Annual ☐ Semi-Annual ☐ Other: [____]
Last pen test: [__/__/____] | Critical findings remediated? ☐ Yes ☐ No ☐ In Progress


11. INSURANCE COVERAGE

| Coverage | Carrier | Limit | Expiration |
|---|---|---|---|
| Cyber/Tech E&O | [________________] | $[________________] | [__/__/____] |
| General Liability | [________________] | $[________________] | [__/__/____] |
| Professional Liability | [________________] | $[________________] | [__/__/____] |

12. LEGAL AND REGULATORY MATTERS

| # | Question | Response |
|---|---|---|
| 12.1 | All required licenses held? | ☐ Yes ☐ No ☐ N/A |
| 12.2 | Regulatory examinations in past 3 years? | ☐ Yes ☐ No |
| 12.3 | Enforcement actions or settlements? | ☐ Yes ☐ No |
| 12.4 | Pending litigation? | ☐ Yes ☐ No |

13. FINANCIAL VIABILITY

| # | Question | Response |
|---|---|---|
| 13.1 | Willing to provide financials? | ☐ Yes ☐ No |
| 13.2 | Material adverse changes? | ☐ Yes ☐ No |
| 13.3 | Revenue concentration >25%? | ☐ Yes ☐ No |

14. ESG, ETHICS, AND ANTI-CORRUPTION

| # | Control | Response |
|---|---|---|
| 14.1 | Code of conduct? | ☐ Yes ☐ No |
| 14.2 | Anti-corruption program? | ☐ Yes ☐ No |
| 14.3 | Whistleblower channel? | ☐ Yes ☐ No |

15. FLORIDA-SPECIFIC COMPLIANCE REQUIREMENTS

15.1 Florida Information Protection Act (FIPA) — Fla. Stat. § 501.171

FIPA requires entities maintaining personal information of Florida residents to implement reasonable security measures and notify affected individuals within 30 days of a breach determination. The Florida Department of Legal Affairs must be notified if a breach affects 500 or more Floridians.

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.1.1 | Has the vendor implemented reasonable measures to protect and secure personal information in electronic form as required by Fla. Stat. § 501.171(2)? | ☐ Yes ☐ No | [________________] |
| 15.1.2 | Can the vendor notify us of a breach within the contractually agreed timeframe to allow compliance with FIPA's 30-day notification window? | ☐ Yes ☐ No | SLA: [____] hours |
| 15.1.3 | Does the vendor understand the requirement to notify the Florida Department of Legal Affairs when >500 residents are affected (Fla. Stat. § 501.171(3))? | ☐ Yes ☐ No | [________________] |
| 15.1.4 | Can the vendor provide breach notification content as required by Fla. Stat. § 501.171(4)(e), including date, description, and contact information? | ☐ Yes ☐ No | [________________] |
| 15.1.5 | Does the vendor maintain records of breaches for inspection as required under FIPA? | ☐ Yes ☐ No | [________________] |
| 15.1.6 | Can the vendor support substitute notice procedures if direct notice is not feasible (Fla. Stat. § 501.171(4)(f))? | ☐ Yes ☐ No | [________________] |

15.2 Florida Digital Bill of Rights (FDBR) — Fla. Stat. § 501.701 et seq.

The FDBR, effective July 1, 2024, establishes consumer data rights for organizations that (a) conduct business in Florida, (b) have gross annual revenues exceeding $1 billion, and (c) meet one of three data-related thresholds. Note that the FDBR's applicability thresholds are higher than those of most state privacy laws, so many vendors will fall outside its scope.

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.2.1 | Does the vendor meet FDBR applicability thresholds (Fla. Stat. § 501.702)? | ☐ Yes ☐ No ☐ Unknown | [________________] |
| 15.2.2 | If applicable, can the vendor support FDBR consumer rights (access, deletion, correction, portability, opt-out of targeted advertising, opt-out of sale of personal data, opt-out of profiling)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.3 | Can the vendor support data protection assessments for high-risk processing activities (Fla. Stat. § 501.715)? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.4 | Does the vendor have mechanisms to obtain consent before processing sensitive data of Florida consumers (Fla. Stat. § 501.711(2))? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.5 | For children's data: does the vendor comply with parental consent requirements under FDBR and COPPA for children under 13? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.2.6 | Does the vendor recognize and honor universal opt-out mechanisms (Fla. Stat. § 501.711(5))? | ☐ Yes ☐ No ☐ N/A | [________________] |

15.3 Sensitive Data Protections

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.3.1 | Does the vendor process sensitive personal data of Florida residents (racial/ethnic origin, health data, biometric data, precise geolocation, children's data)? | ☐ Yes ☐ No | Types: [________________] |
| 15.3.2 | If yes, are heightened controls applied? | ☐ Yes ☐ No ☐ N/A | [________________] |
| 15.3.3 | Is consent obtained before processing sensitive data? | ☐ Yes ☐ No ☐ N/A | [________________] |

15.4 Data Retention and Disposal

| # | Requirement | Response | Details |
|---|---|---|---|
| 15.4.1 | Data retention schedule for Florida resident data? | ☐ Yes ☐ No | Period: [________________] |
| 15.4.2 | Secure disposal procedures? | ☐ Yes ☐ No | Method: [________________] |
| 15.4.3 | Written destruction certification on termination? | ☐ Yes ☐ No | [________________] |

16. REQUIRED ARTIFACTS CHECKLIST

| # | Document | Provided | N/A |
|---|---|---|---|
| 16.1 | Information Security Policy | ☐ | ☐ |
| 16.2 | Privacy Policy | ☐ | ☐ |
| 16.3 | Incident Response Plan | ☐ | ☐ |
| 16.4 | BC/DR Plan | ☐ | ☐ |
| 16.5 | SOC 2 Report (or bridge letter) | ☐ | ☐ |
| 16.6 | Pen Test Summary | ☐ | ☐ |
| 16.7 | Subprocessor List | ☐ | ☐ |
| 16.8 | Insurance Certificate(s) | ☐ | ☐ |
| 16.9 | Sample DPA | ☐ | ☐ |
| 16.10 | FIPA Breach Notification Procedures | ☐ | ☐ |

17. ATTESTATION AND SIGNOFF

I certify that the information provided is true, complete, and accurate. I commit to notifying the issuing organization within ten (10) business days of material changes.

| Field | Information |
|---|---|
| Name | [________________________________] |
| Title | [________________________________] |
| Signature | [________________________________] |
| Date | [__/__/____] |

SOURCES AND REFERENCES

  • Florida Information Protection Act (FIPA), Fla. Stat. § 501.171 (2014, as amended)
  • Florida Digital Bill of Rights (FDBR), Fla. Stat. § 501.701 et seq. (eff. July 1, 2024)
  • Fla. Stat. § 501.171(2) (Reasonable Security Measures)
  • Fla. Stat. § 501.171(3) (30-Day Notification; AG Notice for >500)
  • Fla. Stat. § 501.711 (FDBR Consumer Rights and Consent)
  • Fla. Stat. § 501.715 (Data Protection Assessments)
  • OCC Bulletin 2023-17, "Third-Party Relationships: Risk Management Guidance"
  • FFIEC IT Examination Handbook

This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.

Last updated: April 2026