Supplier due diligence

Vendor risk assessment questionnaire

Use this questionnaire before vendor approval, renewal, or AI rollout to request the evidence your team needs for security, privacy, subprocessors, integrations, and risk decisions.

Best use: before approval

Ask for evidence first, then score the vendor. Do not approve AI vendors, broad integrations, or regulated data processors from a short yes/no form.

Questionnaire sections

Use these sections to keep supplier review focused on evidence, not generic assurances.

Company and service scope: legal entity, service description, business owner, data processing role, support model, and renewal or onboarding context.
Data access: customer data, employee data, PHI, credentials, logs, source code, payment data, or confidential business data handled by the vendor.
Security controls: SSO, MFA, RBAC, encryption, vulnerability management, incident response, backups, secure SDLC, and audit logging.
Privacy and subprocessors: DPA, BAA, retention, deletion, data residency, subprocessors, model providers, support access, and change notification.
AI and automation: AI features, model providers, customer-data training posture, human review, MCP/tool access, OAuth scopes, and audit trail evidence.
Risk decision: risk tier, missing evidence, compensating controls, approval owner, exception expiration, mitigation owner, and next review date.

Supplier questions and evidence to request

Each question should result in proof a reviewer can open, inspect, and reuse.

Question: What data will the vendor access, store, process, or only view?
Evidence to request: data inventory, data flow summary, environment scope, data residency note, and retention statement.

Question: Which subprocessors or fourth parties can touch the data?
Evidence to request: public subprocessor list, DPA, region, purpose, criticality tier, and change-notification process.

Question: What security evidence can the vendor provide?
Evidence to request: SOC 2, ISO 27001, CAIQ, SIG, penetration test summary, security overview, access control policy, and incident response summary.

Question: How are privileged actions and support access controlled?
Evidence to request: SSO/MFA proof, RBAC model, admin access procedure, support access logging, offboarding process, and access review evidence.

Question: What integrations, OAuth scopes, or API permissions are requested?
Evidence to request: scope list, minimum-scope justification, token storage, token revocation runbook, and scope-change approval owner.

Question: Does the vendor use AI, agents, MCP servers, or automated decisions?
Evidence to request: model provider list, data-use terms, training/retention posture, prompt injection controls, human review, audit log sample, and disable path.

Question: How does the vendor handle incidents and customer notification?
Evidence to request: incident response policy, notification timeline, escalation contacts, customer communication process, and evidence retention process.

Risk tier after the questionnaire

Use the answers to decide review depth instead of treating every vendor as the same risk.

Low

Public or low-sensitivity data, no production access, current evidence available, standard review cadence.

Medium

Business data or limited personal data, narrow integration scopes, partial evidence, or moderate operational dependency.

High

Customer data, confidential data, broad read/write access, AI processing, stale evidence, or contractual commitments.

Critical

Regulated data, production admin access, mission-critical operations, missing evidence, or high-impact automated decisions.

Extra AI vendor questions

Ask these when the vendor uses AI, agents, MCP, browser automation, or broad integrations.

  1. Which model providers, gateways, or AI subprocessors process prompts, outputs, embeddings, logs, or evaluation traces?
  2. Can customer data be used for model training, fine-tuning, evaluation, or human review?
  3. What data is retained, where is it stored, and how can it be deleted or excluded from processing?
  4. Which tools, MCP servers, browser extensions, or integrations can the vendor call on behalf of users?
  5. What per-request audit trail exists for model calls, tool calls, denied actions, reviewers, and admin policy changes?
  6. Who can revoke tokens, disable the AI workflow, reduce scopes, or pause vendor use after an incident?

Next steps

Turn questionnaire answers into scored risk decisions and reusable evidence.

Download the vendor risk template

Use the spreadsheet structure when the supplier questionnaire produces enough evidence to score.

Map evidence to customer answers

Reuse approved vendor evidence in customer security questionnaires and answer libraries.

Add privacy review fields

Use privacy fields when vendors process personal data, PHI, sensitive data, or AI prompts.

Review MCP and tool access

Use the MCP gateway checklist when vendors connect agents, tools, OAuth scopes, or token passthrough.

Vendor risk questionnaire FAQ

Short answers for teams designing supplier intake and evidence review.

What is a vendor risk assessment questionnaire?

It is a supplier due diligence questionnaire that collects security, privacy, data access, AI use, evidence, and mitigation details before a vendor is approved, renewed, or escalated.

Is a vendor risk assessment questionnaire the same as a vendor risk assessment template?

No. The questionnaire asks the supplier for answers and proof. The template scores those answers, records the decision, assigns owners, and tracks mitigation.

What should an AI vendor questionnaire include?

It should include model providers, customer-data use, training posture, retention, deletion, subprocessors, OAuth scopes, tool permissions, human review, audit logs, and emergency disablement.

Should every vendor answer the same questionnaire?

No. Low-risk vendors can use a short questionnaire, while vendors with customer data, regulated data, AI processing, broad integrations, or production access need deeper evidence.

Need a shortlist for your workflow?

Send the formats you receive, your current answer-library setup, and whether you need portal support. We will use those signals to prioritize the next comparison updates.
