
VENDOR DUE DILIGENCE QUESTIONNAIRE — TEXAS

Issuing Organization: [________________________________]
Date Issued: [__/__/____]
Due Date for Completion: [__/__/____]
Vendor Risk Tier: ☐ Critical | ☐ High | ☐ Medium | ☐ Low


TABLE OF CONTENTS

  1. Instructions and Scope
  2. Vendor Profile and Ownership
  3. Sanctions, PEP, and Adverse Media
  4. Services, Data, and Locations
  5. Information Security Controls
  6. Privacy and Data Subject Rights
  7. Subprocessors and Fourth Parties
  8. Incident Response and Breach History
  9. Business Continuity and Disaster Recovery
  10. Certifications, Audits, and Testing
  11. Insurance Coverage
  12. Legal and Regulatory Matters
  13. Financial Viability
  14. ESG, Ethics, and Anti-Corruption
  15. Texas-Specific Compliance Requirements
  16. Required Artifacts Checklist
  17. Attestation and Signoff

1. INSTRUCTIONS AND SCOPE

1.1 Purpose

This VDQ evaluates vendor risk with attention to Texas's privacy and data security framework, including the Texas Data Privacy and Security Act (TDPSA) (Tex. Bus. & Com. Code Ch. 541, effective July 1, 2024), the breach notification provisions of the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Ch. 521, § 521.053), and the Capture or Use of Biometric Identifier Act (CUBI) (Tex. Bus. & Com. Code § 503.001). The TDPSA establishes consumer privacy rights and controller and processor obligations. The breach notification statute requires notice to affected Texas residents as quickly as possible and without unreasonable delay, and no later than 60 days after the breach is determined; if at least 250 Texas residents are affected, the Texas Attorney General must also be notified, and since September 1, 2023 that notice is due within 30 days.

1.2 Completion Instructions

  • Complete all sections; enter "N/A" with an explanation where a question does not apply.
  • Attach the requested evidence. Critical/High-tier vendors must provide independent evidence (e.g., a SOC 2 report or penetration test summary) rather than self-attestation alone.

2. VENDOR PROFILE AND OWNERSHIP

Field Response
Legal Entity Name [________________________________]
DBA [________________________________]
Date of Incorporation [__/__/____]
Jurisdiction [________________________________]
Principal Address [________________________________]
Texas Office (if any) [________________________________]
Website [________________________________]
EIN [________________________________]
TX SOS Filing No. [________________________________]
Entity Type ☐ Corporation ☐ LLC ☐ Partnership ☐ Other: [____]

Beneficial Owners (10%+):

Name Title Ownership % Residence
[________________________________] [________________] [____]% [________________]

Key Contacts:

Role Name Email Phone
Primary Business [________________] [________________] [________________]
Security Lead [________________] [________________] [________________]
Privacy Officer [________________] [________________] [________________]
Incident Response [________________] [________________] [________________]

3. SANCTIONS, PEP, AND ADVERSE MEDIA

List Screened Match
OFAC SDN ☐ Yes ☐ No ☐ Yes ☐ No
UN Consolidated ☐ Yes ☐ No ☐ Yes ☐ No
EU Consolidated ☐ Yes ☐ No ☐ Yes ☐ No

PEP among owners/officers? ☐ Yes ☐ No

Adverse media in past 5 years? ☐ Yes ☐ No


4. SERVICES, DATA, AND LOCATIONS

Field Response
Services description [________________________________]
Criticality ☐ Critical ☐ High ☐ Medium ☐ Low
Access to our systems or networks? ☐ Yes ☐ No
Access type ☐ Read-only ☐ Read/Write ☐ Admin ☐ N/A

Data Categories:

☐ Personal data (as defined under TDPSA, Tex. Bus. & Com. Code § 541.001)
☐ Sensitive data (TDPSA: racial/ethnic origin, religious beliefs, health/mental health, sexuality, citizenship, genetic/biometric, children's data, precise geolocation)
☐ SSN
☐ Financial account numbers
☐ Driver's license numbers
☐ Biometric identifiers (CUBI, § 503.001)
☐ PCI data
☐ PHI
☐ Other: [________________________________]

Volume: ☐ <1,000 ☐ 1,000–10,000 ☐ 10,000–100,000 ☐ 100,000–1M ☐ >1M

Locations:

Location Activity Data Types
[________________________________] ☐ Processing ☐ Storage ☐ Both [________________]

5. INFORMATION SECURITY CONTROLS

5.1 Access Controls

# Control Response Details
5.1.1 MFA for remote access? ☐ Yes ☐ No [________________]
5.1.2 MFA for privileged and administrative access? ☐ Yes ☐ No [________________]
5.1.3 RBAC? ☐ Yes ☐ No [________________]
5.1.4 Least privilege? ☐ Yes ☐ No ☐ Partial [________________]
5.1.5 Access reviews? ☐ Yes ☐ No Frequency: [____]

5.2 Encryption

# Control Response Details
5.2.1 At rest? ☐ Yes ☐ No Algorithm: [____]
5.2.2 In transit? ☐ Yes ☐ No Protocol / minimum version (e.g., TLS 1.2 or higher): [____]
5.2.3 Key management (KMS/HSM, rotation, keys stored separately from data)? ☐ Yes ☐ No [________________]

5.3 Network and Infrastructure

# Control Response Details
5.3.1 Firewalls? ☐ Yes ☐ No [________________]
5.3.2 IDS/IPS? ☐ Yes ☐ No [________________]
5.3.3 Patch management? ☐ Yes ☐ No Remediation SLA by severity: [____]
5.3.4 Vulnerability scanning? ☐ Yes ☐ No Frequency: [____]
5.3.5 Third-party component / dependency vulnerability monitoring (SBOM) for software delivered to us? ☐ Yes ☐ No [________________]

5.4 Endpoint, Physical, Logging

# Control Response Details
5.4.1 EDR? ☐ Yes ☐ No [________________]
5.4.2 Centralized logging with defined retention? ☐ Yes ☐ No Retention: [____]
5.4.3 Physical security? ☐ Yes ☐ No [________________]

6. PRIVACY AND DATA SUBJECT RIGHTS

# Control Response
6.1 Privacy officer? ☐ Yes ☐ No
6.2 Privacy policy? ☐ Yes ☐ No
6.3 Data retention schedules? ☐ Yes ☐ No
6.4 Secure deletion? ☐ Yes ☐ No
6.5 Deletion certification? ☐ Yes ☐ No
6.6 Process to fulfil consumer rights requests relayed by the controller (see 15.1.3)? ☐ Yes ☐ No

7. SUBPROCESSORS AND FOURTH PARTIES

Uses subprocessors? ☐ Yes ☐ No

Subprocessor Services Location Data Types
[________________________________] [________________] [________________] [________________]

# Control Response
7.1 Due diligence on subprocessors? ☐ Yes ☐ No
7.2 Equivalent contractual terms? ☐ Yes ☐ No
7.3 Change notification? ☐ Yes ☐ No

8. INCIDENT RESPONSE AND BREACH HISTORY

# Control Response Details
8.1 Documented IRP? ☐ Yes ☐ No [________________]
8.2 24/7 response? ☐ Yes ☐ No [________________]
8.3 Customer notification SLA after a confirmed incident affecting our data [____] hours
8.4 IRP tested annually? ☐ Yes ☐ No Last: [__/__/____]

Breaches in past 3 years? ☐ Yes ☐ No If yes, date, scope, and whether Texas residents were notified: [________________]


9. BUSINESS CONTINUITY AND DISASTER RECOVERY

# Control Response
9.1 BCP? ☐ Yes ☐ No
9.2 DRP? ☐ Yes ☐ No
9.3 RTO [____] hours
9.4 RPO [____] hours
9.5 DRP tested annually? ☐ Yes ☐ No

10. CERTIFICATIONS, AUDITS, AND TESTING

Certification Maintained Covers Services Expiration
SOC 2 Type II ☐ Yes ☐ No ☐ Yes ☐ No [__/__/____]
ISO 27001 ☐ Yes ☐ No ☐ Yes ☐ No [__/__/____]
PCI DSS ☐ Yes ☐ No ☐ Yes ☐ No [__/__/____]

Independent penetration test in past 12 months? ☐ Yes ☐ No Date: [__/__/____] Critical/High findings still open: [____]

11. INSURANCE COVERAGE

Coverage Carrier Limit Expiration
Cyber/Tech E&O [________________] $[________________] [__/__/____]
General Liability [________________] $[________________] [__/__/____]

12. LEGAL AND REGULATORY MATTERS

# Question Response
12.1 Required licenses held? ☐ Yes ☐ No
12.2 Subject to regulatory examination or supervision? ☐ Yes ☐ No Regulator(s): [____]
12.3 Enforcement actions in past 5 years? ☐ Yes ☐ No
12.4 Pending litigation material to the services? ☐ Yes ☐ No

13. FINANCIAL VIABILITY

# Question Response
13.1 Will the vendor provide financial statements (audited if available) for the past 2 fiscal years? ☐ Yes ☐ No
13.2 Material adverse changes in financial condition in past 12 months? ☐ Yes ☐ No

14. ESG, ETHICS, AND ANTI-CORRUPTION

# Control Response
14.1 Code of conduct? ☐ Yes ☐ No
14.2 Anti-corruption program? ☐ Yes ☐ No
14.3 Whistleblower channel? ☐ Yes ☐ No

15. TEXAS-SPECIFIC COMPLIANCE REQUIREMENTS

15.1 Texas Data Privacy and Security Act (TDPSA) — Tex. Bus. & Com. Code Ch. 541

The TDPSA, effective July 1, 2024, applies to persons conducting business in Texas or producing products or services consumed by Texas residents. Small businesses as defined by the U.S. Small Business Administration are exempt, except that they may not sell sensitive data without consumer consent. The TDPSA establishes consumer rights and controller and processor obligations.

# Requirement Response Details
15.1.1 Does the vendor process personal data of Texas consumers as a "processor" under the TDPSA (§ 541.001(24))? ☐ Yes ☐ No [________________]
15.1.2 Does the vendor process personal data only on the controller's documented instructions, as required by the processor duties in § 541.104? ☐ Yes ☐ No [________________]
15.1.3 Can the vendor support the following Texas consumer rights requests: access, correction, deletion, data portability, opt-out of targeted advertising, opt-out of sale of personal data, opt-out of profiling (§ 541.051)? ☐ Yes ☐ No [________________]
15.1.4 Can the vendor respond to consumer rights requests within 45 days (extendable by 45 days with notice) (§ 541.055)? ☐ Yes ☐ No [________________]
15.1.5 Does the vendor recognize and honor universal opt-out mechanisms (e.g., Global Privacy Control) as required by § 541.055(e), effective January 1, 2025? ☐ Yes ☐ No [________________]
15.1.6 Can the vendor support the controller's data protection assessments for high-risk processing (targeted advertising, profiling, sale of personal data, sensitive data processing) (§ 541.105)? ☐ Yes ☐ No [________________]
15.1.7 Does the vendor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (§ 541.104)? ☐ Yes ☐ No [________________]
15.1.8 Will the vendor delete or return personal data at the controller's direction upon contract termination (§ 541.104)? ☐ Yes ☐ No [________________]
15.1.9 Will the vendor allow and cooperate with reasonable assessments or audits by the controller (§ 541.104)? ☐ Yes ☐ No [________________]

15.2 Sensitive Data Under TDPSA (§ 541.001(29))

# Requirement Response Details
15.2.1 Does the vendor process sensitive data of Texas consumers? ☐ Yes ☐ No Types: [________________]
15.2.2 If yes, does the vendor obtain consent before processing sensitive data (§ 541.101(b))? ☐ Yes ☐ No ☐ N/A [________________]
15.2.3 For children's data (<13): does the vendor comply with COPPA consent requirements (§ 541.101(b)(2))? ☐ Yes ☐ No ☐ N/A [________________]

15.3 Biometric Data — CUBI (Tex. Bus. & Com. Code § 503.001)

The Texas Capture or Use of Biometric Identifier Act (CUBI) requires informed consent before a biometric identifier (retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) is captured for a commercial purpose. Biometric identifiers must be destroyed within a reasonable time and no later than one year after the purpose for collection expires, must be protected with reasonable care and at least as well as the holder's other confidential information, and may not be sold, leased, or otherwise disclosed except as § 503.001(c)(1) permits (for example, with the individual's consent or as required by law).

# Requirement Response Details
15.3.1 Does the vendor capture, use, or possess biometric identifiers of Texas residents? ☐ Yes ☐ No Types: [________________]
15.3.2 If yes, does the vendor obtain informed consent before collection (§ 503.001(b))? ☐ Yes ☐ No ☐ N/A Method: [________________]
15.3.3 Does the vendor destroy biometric identifiers within one year of the purpose ceasing (§ 503.001(c)(3))? ☐ Yes ☐ No ☐ N/A [________________]
15.3.4 Does the vendor ensure biometric data is not sold, leased, or disclosed except as permitted by § 503.001(c)(1)? ☐ Yes ☐ No ☐ N/A [________________]
15.3.5 Does the vendor store, transmit, and protect biometric identifiers using reasonable care and at least the same standard as other confidential information (§ 503.001(c)(2))? ☐ Yes ☐ No ☐ N/A [________________]

15.4 Breach Notification — Tex. Bus. & Com. Code § 521.053

Texas requires notification to affected individuals as quickly as possible and not later than 60 days after determination of a breach. If at least 250 Texas residents are affected, notice must also be given to the Texas Attorney General; since September 1, 2023 (SB 768, 88th Legislature), that notice is due as soon as practicable and not later than 30 days after the breach is determined, and is submitted through the Attorney General's online form.

# Requirement Response Details
15.4.1 Can the vendor notify us within a contractual SLA that allows us to meet the 60-day individual and 30-day Attorney General deadlines? ☐ Yes ☐ No SLA: [____] hours
15.4.2 Can the vendor support Attorney General notification when 250 or more Texas residents are affected (affected counts, nature of the breach, measures taken)? ☐ Yes ☐ No [________________]
15.4.3 Can the vendor provide the breach notification content required under § 521.053? ☐ Yes ☐ No [________________]

16. REQUIRED ARTIFACTS CHECKLIST

# Document Provided N/A
16.1 Information Security Policy ☐ ☐
16.2 Privacy Policy ☐ ☐
16.3 Incident Response Plan ☐ ☐
16.4 BC/DR Plan ☐ ☐
16.5 SOC 2 Report ☐ ☐
16.6 Pen Test Summary ☐ ☐
16.7 Subprocessor List ☐ ☐
16.8 Insurance Certificate(s) ☐ ☐
16.9 CUBI Consent Procedures (if biometrics) ☐ ☐
16.10 DPA / Security Addendum ☐ ☐

17. ATTESTATION AND SIGNOFF

I certify that the information provided is true, complete, and accurate. I commit to notifying the issuing organization within ten (10) business days of material changes.

Field Information
Name [________________________________]
Title [________________________________]
Signature [________________________________]
Date [__/__/____]

SOURCES AND REFERENCES

  • Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code Ch. 541 (eff. July 1, 2024)
  • Tex. Bus. & Com. Code § 521.053 (Breach Notification; 60-day individual deadline, 30-day Attorney General deadline)
  • Tex. Bus. & Com. Code § 503.001 (Capture or Use of Biometric Identifier Act — CUBI)
  • HB 4 (88th Legislature, 2023), enacting the TDPSA
  • SB 768 (88th Legislature, 2023), amending § 521.053 to require Attorney General notification within 30 days (eff. September 1, 2023)
  • OCC Bulletin 2023-17, "Third-Party Relationships: Interagency Guidance on Risk Management"
  • FFIEC IT Examination Handbook

This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.

Last updated: April 2026