Jan 16, 2026

Questions to Ask Vendors About Data Security


When working with third-party vendors, safeguarding sensitive donor information is critical. A single breach can damage trust and lead to legal consequences. To ensure your vendor prioritizes security, focus on these key areas:

  • Certifications and Compliance: Verify adherence to standards like SOC 2, ISO 27001, GDPR, HIPAA, or PCI DSS. Request audit reports and confirm ongoing compliance.
  • Data Protection: Ask about encryption methods, storage practices, and access controls. Ensure they use tools like two-factor authentication and follow the principle of least privilege.
  • Risk Management: Evaluate their security testing, vulnerability assessments, and incident response plans. Confirm they handle breaches transparently and quickly.
  • Access Policies: Ensure strict controls over who can access data, with regular reviews and updates. Check for device encryption and secure asset management.

Essential Questions to Ask Vendors About Data Security

Compliance and Certifications

Before finalizing any agreement with a vendor, ensure they adhere to established security standards. Certifications are a key indicator that a vendor's security practices have been independently audited. Common frameworks include SOC 2 (Type 1 and 2), ISO/IEC 27001, GDPR, HIPAA (for healthcare data), PCI DSS (for payment processing), and CCPA. Each framework focuses on different aspects of data security, and the right mix will depend on your nonprofit's needs.

"Compliance frameworks like ISO/IEC 27001, SOC 2, and GDPR show a vendor is in line with a common security standard." – Shannon DeLange, Vanta

It's important to understand the distinctions between these standards. For instance, SOC 2 is a voluntary assessment widely recognized in the United States, focusing on how organizations manage personally identifiable information (PII). In contrast, GDPR is a legally binding regulation that governs data from EU citizens. Noncompliance with GDPR can result in fines of up to €20 million or 4% of annual global revenue, whichever is higher. These differences are especially critical if you're processing international donations or handling sensitive health data. Below are some key questions to help evaluate a vendor's certifications and compliance practices.

Questions About Certifications and Standards

Start by directly asking vendors: "What certifications and compliance standards does your organization adhere to, and how are they maintained?" Request specifics. Vendors should clarify if they hold credentials like SOC 2 Type 2 or ISO 27001, and explain how often they undergo audits to maintain compliance. If they handle credit card transactions, they must meet PCI DSS standards. Similarly, for health-related data, HIPAA compliance is non-negotiable.

Beyond certifications, dig deeper into their practices. Ask: "How do you stay updated with changes in data security regulations and ensure ongoing compliance?" Vendors that prioritize security will often use real-time monitoring to address issues as they arise. Some even offer tools like a "Trust Portal", where you can access SOC 2 reports, ISO documents, and compliance updates without having to fill out lengthy questionnaires. Be cautious if a vendor relies solely on manual processes or struggles to explain their compliance strategy - this could be a red flag.

How to Verify Certification Documents

Verification is just as important as asking about certifications. Request documentation by asking: "Can you provide evidence of your compliance, including audit reports or third-party assessments?" A trustworthy vendor will willingly share their most recent SOC 2 report, ISO 27001 certificate, or at least an executive summary of their audit findings. If a vendor hesitates or avoids providing this information, it’s a clear warning sign.

"If the company can't or won't answer these questions, they are asking you to trust them based on very little evidence: this is not a good sign." – Cooper Quintin and Soraya Okuda, Electronic Frontier Foundation

Don't just take their word for it - verify the details. Check the audit date and confirm the assessment was conducted by an independent, external firm. Also, ask how frequently they undergo re-audits; annual reviews are generally expected. For nonprofits with specific legal requirements - like HIPAA or FERPA - ask how often they reassess compliance with those standards. Finally, ensure your contract includes clauses requiring the vendor to maintain their certifications throughout your partnership and allows you to request updated documentation as needed.

Data Privacy and Protection

After verifying a vendor's certifications, the next step is understanding how they protect your data on a daily basis. Encryption and storage practices play a significant role in determining whether donor information is secure or vulnerable. Nonprofits often handle sensitive details - credit card numbers, home addresses, and donation histories - so it's essential that vendors demonstrate robust safeguards at every stage.

Encryption and Privacy Settings

Once certifications are confirmed, dig deeper into the vendor's day-to-day data protection measures. Start with the basics: "What encryption methods do you use to secure donor and organizational data, both in transit and at rest?" Ensure that data in transit is protected via HTTPS and that stored data is encrypted. Additionally, confirm whether all employee devices have full-disk encryption enabled.

Be cautious of vague or exaggerated claims, such as "NSA-Proof" encryption. As Cooper Quintin and Soraya Okuda from the Electronic Frontier Foundation caution:

"If a vendor makes claims like 'NSA-Proof' or 'Military Grade Encryption' without stating what the security limitations of the product are, this can be a sign that the vendor is overconfident in the security of their product".

Reputable vendors are transparent about what their encryption can’t protect against.

You should also assess account security features. Confirm whether the vendor supports two-factor authentication (2FA) for user accounts, with a preference for authenticator apps or security keys over SMS-based methods. Request audit summaries to validate their encryption claims and ensure they’ve undergone recent independent security assessments.

Data Storage and Handling Practices

Ask direct questions like: "Where is donor data stored, and who maintains ownership of it?" If your organization raises funds from EU citizens or serves them, compliance with GDPR is required, even if you're based in the U.S. Similarly, if you handle health-related data, HIPAA compliance is necessary.

Verify that the vendor adheres to U.S. privacy laws, including breach notification requirements and data disposal rules, as well as regulatory standards like the FTC Safeguards Rule. Don’t rely on verbal assurances - ask for written documentation of their security practices and review their most recent audit reports.

Inquire whether the vendor operates under a written Information Security Policy that governs administrative, technical, and physical safeguards. Ensure they manage data in line with legal and contractual obligations. Another critical question: "Will the vendor notify us of any legal demands for our data before complying?" It's also important to understand how long your data, including backups, will remain in the vendor's system after you terminate the contract.

Lastly, confirm access restrictions. Vendors should follow the principle of least privilege, ensuring that only staff members who need access to specific data for their job functions can access it. For temporary projects, access should be granted on a "need-to-know" basis and only for the necessary duration. The National Cybersecurity Alliance emphasizes:

"If you partner with a third party that takes a lax approach to cybersecurity, it puts the data of your company, and your customers, at risk".

Up next, take a closer look at the vendor's testing protocols and risk management strategies.

Security Testing and Risk Management

Strong certifications and encryption practices are essential, but they’re just the beginning. A vendor's commitment to regular security testing and proactive risk management is what truly sets them apart. Vendors who consistently monitor and test their systems can stay ahead of potential threats, while others may only act after damage has already occurred.

Questions About Vulnerability Assessments

When evaluating a vendor, ask, "What types of security testing do you perform regularly, such as penetration testing or vulnerability scans, and how often are these conducted?" Both internal and external vulnerability tests are crucial to uncover system weaknesses. Jim Searl, Manager of Product Solutions at AuditBoard, explains:

"Penetration testing involves simulated cyberattacks on the vendor's systems to identify vulnerabilities".

Advanced vendors often utilize methods like SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and dependency scanning. Additionally, formal risk assessments should be carried out annually to address emerging vulnerabilities.

You can request documentation by asking, "Can you provide a copy of your most recent security audit results or an executive summary?" Vendors using third-party infrastructure, such as AWS or Google Cloud Platform, may conduct vulnerability assessments or audits instead of full penetration tests. Be prepared to sign a Non-Disclosure Agreement if you wish to review sensitive reports like SOC 2 documentation.

Another key indicator of a vendor’s security posture is whether they have a bug bounty program. Vendors with such programs actively encourage external security researchers to report vulnerabilities, demonstrating a proactive approach to security. On the other hand, the Electronic Frontier Foundation warns that vendors who are hostile toward independent researchers might be a cause for concern.

Once vulnerabilities are identified, ensure the vendor has a strong risk management process in place to address them effectively.

Questions About Risk Management Practices

While testing is critical, it's only part of the equation. Continuous risk management is equally important for maintaining long-term security. Ask questions like, "Can you provide details about your risk management process, including how you identify, assess, and mitigate potential security risks?" Look for vendors who follow standardized frameworks like the Consensus Assessments Initiative Questionnaire (CAIQ) or the Standardized Information Gathering (SIG) questionnaire to ensure thorough coverage.

Timely patch management is another key factor. The best vendors deploy critical updates within 48 hours and high-severity patches within five business days. You can ask, "How often do you scan for out-of-date software, and what's your timeline for deploying patches based on severity levels?"
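If a vendor answers that question with a remediation log, you can check it against the two targets above rather than taking the answer on trust. The script below is an added example written for this article, not code from any vendor or from Share Services; the log entries, the `VULN-` identifiers and the 20 March 2025 "as of" date are constructed, and it assumes weekends are the only non-business days.

```python
"""Check a vendor's patch log against the deployment targets quoted in the
article: critical fixes within 48 hours, high-severity fixes within five
business days. Example code with constructed data; not a vendor's tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

CRITICAL_MAX_HOURS = 48          # target quoted in the article
HIGH_MAX_BUSINESS_DAYS = 5       # target quoted in the article


@dataclass
class PatchRecord:
    finding_id: str               # placeholder id, not a real advisory number
    severity: str                 # "critical", "high", "medium" or "low"
    fix_available: datetime       # when a fix became available to the vendor
    deployed: Optional[datetime]  # None while the finding is still open


def business_days_between(start: datetime, end: datetime) -> int:
    """Weekdays strictly after start's date, up to and including end's date.
    Only weekends are skipped; public holidays are not modelled (assumption)."""
    if end < start:
        raise ValueError("end precedes start")
    count = 0
    day = start.date() + timedelta(days=1)
    while day <= end.date():
        if day.weekday() < 5:      # Monday..Friday
            count += 1
        day += timedelta(days=1)
    return count


def evaluate(record: PatchRecord, as_of: datetime) -> str:
    """Classify one record as met / missed (deployed late) / pending (still
    open but inside the window) / overdue (open and past it) / untracked."""
    end = record.deployed or as_of
    if record.severity == "critical":
        elapsed_hours = (end - record.fix_available).total_seconds() / 3600
        within = elapsed_hours <= CRITICAL_MAX_HOURS
    elif record.severity == "high":
        within = business_days_between(record.fix_available, end) <= HIGH_MAX_BUSINESS_DAYS
    else:
        return "untracked"         # the article states no target for lower severities
    if record.deployed is not None:
        return "met" if within else "missed"
    return "pending" if within else "overdue"


def evaluate_log(records: List[PatchRecord], as_of: datetime) -> Dict[str, str]:
    """Map each finding id to its status; the result is what a reviewer reads."""
    return {r.finding_id: evaluate(r, as_of) for r in records}


# Constructed sample log; dates were chosen so that a weekend falls inside
# the high-severity window (3 March 2025 is a Monday).
AS_OF = datetime(2025, 3, 20, 9, 0)
SAMPLE_LOG = [
    PatchRecord("VULN-001", "critical", datetime(2025, 3, 3, 9, 0), datetime(2025, 3, 4, 15, 0)),   # 30 h
    PatchRecord("VULN-002", "critical", datetime(2025, 3, 5, 10, 0), datetime(2025, 3, 8, 10, 0)),  # 72 h
    PatchRecord("VULN-003", "high", datetime(2025, 3, 7, 16, 0), datetime(2025, 3, 14, 12, 0)),     # Fri to Fri: 5 business days
    PatchRecord("VULN-004", "high", datetime(2025, 3, 10, 9, 0), None),                             # open for 8 business days
    PatchRecord("VULN-005", "medium", datetime(2025, 3, 11, 9, 0), None),                           # no target stated
]

if __name__ == "__main__":
    for finding, status in evaluate_log(SAMPLE_LOG, AS_OF).items():
        print(f"{finding}: {status}")
```

Running it prints one line per finding; in the sample, VULN-002 is reported as missed and VULN-004 as overdue. Measuring critical fixes in wall-clock hours but high-severity fixes in business days mirrors the way the two targets are phrased, and an "overdue" result for an open finding is the one worth raising with the vendor before signing.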

Continuous monitoring tools like SIEM (Security Information and Event Management) and IDS/IPS (Intrusion Detection/Prevention Systems) are also essential for identifying and addressing threats in real time.

Supply chain attacks are on the rise, with projections estimating a 15% annual increase through 2031. The SolarWinds cyberattack serves as a cautionary tale - it took the company 14 months to discover that malicious code had been added to their platform. A strong vendor risk management strategy not only protects your data but also reinforces trust and strengthens business relationships.

Finally, confirm whether the vendor has a dedicated internal security team or relies on an external audit firm for compliance reviews. It’s also worth asking about their incident response plans and business continuity testing. Effective risk management doesn’t stop at prevention - it should include robust recovery strategies for addressing incidents after they occur.

Access Control and Internal Security Measures

Once external vulnerabilities are addressed, it's crucial to focus on internal controls that restrict data access to only those who are authorized. Even the strongest risk management strategies fall short if a vendor doesn't have strict measures in place to control who can access your sensitive information. Internal security measures ensure that only the right people - those with proper permissions - can view or handle your data, preventing unauthorized access by anyone on the vendor's team.

Questions About Access Policies

Start by asking: "What access control measures do you have in place to ensure that only authorized personnel can access sensitive data?" The Federal Trade Commission (FTC) advises limiting access based on the "need-to-know" principle. This means employees should only have the minimum permissions necessary to perform their specific tasks. This approach, known as the principle of least privilege, is a core security standard that every trustworthy vendor should adhere to.

Another layer of protection is multi-factor authentication (MFA), which is essential for systems containing customer data. MFA methods that rely on authenticator apps or physical security keys are preferred over SMS-based codes, which are less secure. The FTC also suggests that passwords should be at least 12 characters long and include a mix of numbers, symbols, and both uppercase and lowercase letters. Additionally, check whether the vendor has safeguards like limiting unsuccessful login attempts to defend against brute-force attacks.
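To make the two controls in that paragraph concrete, here is an added example (written for this article, not a vendor's code) of a password-length-and-mix check and a failed-login limiter that locks an account after repeated failures inside a sliding window. The thresholds of five failures in 15 minutes and a 30-minute lockout are assumptions for the illustration; the article itself gives no numbers for them, only the 12-character password length.

```python
"""Password-policy check and failed-login throttling, as an added illustration
of the safeguards described in the article. Lockout thresholds are assumed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

MIN_PASSWORD_LENGTH = 12   # the article cites the FTC's 12-character suggestion


def meets_length_and_mix_policy(password: str) -> bool:
    """True when the password is at least 12 characters and mixes uppercase,
    lowercase, digits and symbols, as the article describes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return has_upper and has_lower and has_digit and has_symbol


class LoginGuard:
    """Counts failed logins per account inside a sliding window and locks the
    account for a fixed period once the limit is reached.
    Assumed defaults: 5 failures within 900 s triggers an 1800 s lockout."""

    def __init__(self, max_failures: int = 5, window_s: int = 900, lockout_s: int = 1800):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)  # account -> failure times
        self._locked_until: Dict[str, int] = {}                     # account -> unlock time

    def is_locked(self, account: str, now: int) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:            # lockout has expired; clear it
            del self._locked_until[account]
            return False
        return True

    def record_failure(self, account: str, now: int) -> bool:
        """Record one failed attempt; return True if it triggers a lockout."""
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > self.window_s:   # drop failures outside the window
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            window.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(guard: LoginGuard, account: str, password_ok: bool, now: int) -> str:
    """Outcome of one attempt at time `now` (seconds): 'locked', 'denied' or 'ok'.
    `password_ok` stands in for the real credential check, which is out of scope here."""
    if guard.is_locked(account, now):
        return "locked"             # a correct password does not lift an active lockout
    if password_ok:
        guard.record_success(account)
        return "ok"
    return "locked" if guard.record_failure(account, now) else "denied"


# Constructed scenario: five wrong passwords in quick succession, a correct
# password during the lockout, then a correct password after it expires.
SCENARIO: List[Tuple[int, str, bool]] = [
    (0, "donor-admin", False),
    (1, "donor-admin", False),
    (2, "donor-admin", False),
    (3, "donor-admin", False),
    (4, "donor-admin", False),      # fifth failure: locked until t = 1804
    (10, "donor-admin", True),      # right password, still locked
    (1900, "donor-admin", True),    # lockout expired
]


def run_scenario(events: List[Tuple[int, str, bool]] = SCENARIO) -> List[str]:
    guard = LoginGuard()
    return [attempt_login(guard, account, ok, t) for t, account, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SCENARIO, run_scenario()):
        print(event, "->", outcome)
```

The sliding window means the counter forgets old failures on its own, so an occasional typo over a week does not accumulate into a lockout, while a burst of failures does. Keying the guard by account name is the simple choice for the illustration; a vendor's real implementation will also want to say how it handles the question a reviewer would ask next, namely how the lockout itself is cleared for a legitimate user.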

It's equally important that access permissions are reviewed and updated regularly. As employees' roles evolve, their access levels should be adjusted to match their responsibilities. Vendors should also have formal processes for immediately revoking access for former employees or contractors. This includes offboarding procedures, conducting background checks, and requiring signed Non-Disclosure Agreements (NDAs).

Questions About System Security and Asset Management

Controlling access is just one piece of the puzzle - securing the devices that connect to your data is another critical aspect. Ask vendors, "Do you maintain an inventory of technology assets, and are all workstations encrypted and secured?" A reliable vendor should keep track of all devices accessing sensitive information using a formal asset management system.

Every workstation, not just servers, should have full-disk encryption to protect your data in case a device is stolen or accessed without authorization. Vendors should also deploy Endpoint Detection and Response (EDR) tools or anti-malware software to identify and respond to compromised devices, even if account credentials remain secure. For vendors with physical servers or office spaces, ask whether they have a documented Physical Security Plan to prevent unauthorized access to their hardware.

Incident Response and Transparency

Even the best security systems can fail; what truly matters is how quickly and effectively a vendor responds when things go wrong. After ensuring a vendor has strong internal controls, the next step is assessing their readiness to handle security incidents. A reliable vendor should have a documented Incident Response Plan (IRP) that outlines every stage of managing an incident, from detection to recovery.

Questions About Incident Response Plans

Start by asking, "What is your incident response plan, and how quickly can you detect, contain, and resolve a data breach or security incident?" A thorough incident response strategy includes preparation, detection, analysis, containment, eradication, recovery, and post-incident review. Vendors should have 24/7/365 detection capabilities to catch attacks, even outside regular business hours.

Containment measures should address various threats, such as phishing, malware, and ransomware. Once contained, the vendor must completely remove the threat, ensuring no remnants of the attack remain. Afterward, conducting a post-mortem is critical to identify weaknesses - whether technical, procedural, or human errors - and to prevent similar incidents in the future.

Establish clear notification timelines. Some vendors commit to notifying affected parties within 72 hours, while others recommend communication within 24 hours of a confirmed incident impacting your organization. Make sure your contract specifies a timeline to avoid being left in the dark. Additionally, ask if the vendor has a dedicated on-call team available to respond to incidents at any time.

"The notification timeline commitment begins when the official security incident declaration occurs. Upon declaring a security incident, the notification process occurs as expeditiously as possible, without undue delay." – Microsoft

Request a copy of the vendor's Incident Management Policy or Incident Response Plan, and confirm that it undergoes annual reviews and testing. Also, ask for documentation showing timely incident reviews and post-mortem analyses. This will give you a clearer picture of how proactive and effective the vendor is when responding to security issues.

Questions About Breach History

A history of security breaches doesn't automatically disqualify a vendor, but it does call for closer scrutiny. Ask, "Can you share details about your history of security breaches, including how they were handled and what steps were taken to prevent future incidents?" Vendors should disclose if they've experienced any breaches in the past five years and provide an executive summary of recent security audits.

"The biggest predictor of a future breach is a past breach. However, if the vendor was breached in the last 5 years, pay attention to their response. Many companies are breached, but few respond well." – Personified

Evaluate how the vendor managed any past incidents. Did they act swiftly to fix vulnerabilities, communicate openly with affected clients, and implement meaningful changes? For instance, in October 2024, Laboratory Services Cooperative detected unauthorized network access affecting 1.6 million individuals. They responded by bringing in third-party forensics and providing extended credit monitoring.

Ask about technical improvements following a breach, such as deploying full-disk encryption or Endpoint Detection and Response (EDR) tools. To stay informed independently, consider setting up alerts (e.g., Google Alerts) for keywords like "[Vendor Name] data breach flaw vulnerability". Vendors should address vulnerabilities promptly to prevent future issues.

Finally, formalize your expectations in the Service Level Agreement (SLA) or contract. Include specific security requirements and notification timelines to ensure accountability. A vendor's openness about past incidents and commitment to learning from them speaks volumes about their ability to protect your nonprofit's data in the future.

Conclusion

When selecting vendors, prioritize those who demonstrate a strong commitment to securely managing sensitive donor data. A data breach doesn't just expose personal information - it can lead to legal consequences and erode the trust your donors place in your organization. By asking the right questions, you can systematically evaluate whether a vendor takes security seriously.

Look for vendors with well-documented security practices. If a vendor hesitates to provide clear evidence of their protocols, consider it a warning sign. Before signing any agreements, ensure that key details are outlined, such as data ownership, access permissions, breach notification timelines, and data deletion policies. These expectations should be clearly defined in your Service Level Agreement (SLA) to guarantee accountability if issues arise.

Cybersecurity is not a one-time task - it demands ongoing attention. Regularly monitor your vendors, review their practices, and update contracts to address new and evolving threats.

"Cybersecurity is an ongoing effort, and working with vendors who prioritize it will help safeguard your business and your customers' trust in the long run." – StaySafeOnline, National Cybersecurity Alliance

Strong vendor security measures protect more than just data - they safeguard your mission and the trust of your donors. By following these guidelines, you can ensure that your vendor relationships are rooted in transparency and solid security practices. At Share Services, we are dedicated to maintaining the highest standards of data protection to support your organization's goals and preserve donor confidence. Keep asking the tough questions - it’s the foundation of secure and trustworthy partnerships.

FAQs

What steps can I take to confirm a vendor's data security certifications?

When working with vendors, ask for their latest audit reports or certifications, like SOC 2 or ISO 27001. Take the time to thoroughly examine these documents to confirm they’re up-to-date, valid, and address the required scope. If feasible, reach out directly to the issuing auditor or certification body to verify the legitimacy of the provided information.

What encryption methods should vendors use to keep my data secure?

When choosing a vendor, make sure they prioritize encryption to protect your data both when it's being transmitted and when it's stored. For data in transit, they should rely on protocols like TLS (Transport Layer Security) to secure information as it moves through networks. For data at rest, look for the use of strong encryption methods, such as AES (Advanced Encryption Standard) with keys that are at least 256 bits long.

These measures play a critical role in minimizing the chances of unauthorized access to your sensitive data.

How soon should a vendor inform me if there’s a data breach?

When vendors detect a data breach, they should inform you quickly. Ideally, this notification should come within a few days of discovering the issue, without unnecessary delays. Fast communication gives you the chance to act immediately, safeguarding sensitive information and reducing potential risks.
