Checklist

This is a draft outlining what we can consider from a third-party vendor. A complete, detailed policy will need to be designed around this, and it will need to be proven to the auditor by actually providing them with evidence. Rolling out a super strict policy is also not advised, as it could make us reject cost-friendly options purely because of our strict compliance requirements and push us toward an expensive option.


1. Certifications & Compliance
  • SOC 2 Type 2 / ISO 27001 / GDPR / CCPA compliance (as applicable)
  • PCI DSS (if payment data handled)
2. Data Handling
  • Data Processing Agreement (DPA) signed (just like what PostHog does)
  • Data residency/location disclosed
  • Data deletion/export supported
  • No data resale/misuse policy
3. Access & Authentication
  • SSO/SAML/SCIM supported
  • Role-based access control (RBAC) support in the system
  • Access logs & monitoring available for the system
  • Easy access revocation
4. Incident Response
  • Documented incident response plan
  • Breach notification SLA (≤72 hrs)
  • Uptime/security status page
  • Right-to-audit or compliance reports shared
  • Sub-processor list disclosed
  • Data return/deletion on termination
6. Integrations & Technical
  • Secure APIs (OAuth2, TLS)
  • Clear API/SDK documentation
  • Alerts for integration failures
7. Ongoing Monitoring
  • Annual vendor risk review scheduled (on their end)
  • Continuous monitoring (if possible)
  • Quarterly access reviews (if possible)