Your organisation processes personal data through dozens — sometimes hundreds — of third parties. The regulator does not care which one had the breach. The regulator looks at you, and asks whether you knew the vendor existed, whether the contract held, and whether the diligence was real. We build the program that lets you answer all three.
Of large enterprise data breaches over the past 36 months originated at a third-party processor or sub-processor — not the controller's own infrastructure.
Source: Industry breach analyses, 2023 — 2025
Controllers carry the obligation to use only processors who provide sufficient guarantees of appropriate technical and organisational measures. The clause has near-equivalents across KSA PDPL, UAE PDPL and India DPDP Act 2023.
Mirrored: KSA PDPL Art. 31 · DPDP § 8
Under DPDP Act 2023, organisations notified as Significant Data Fiduciaries face explicit additional obligations on third-party engagement, breach notification, DPO appointment and audit. Vendor risk is a named pillar of compliance.
Source: India DPDP Act 2023 § 10
The deliverable is not a register that your DPO maintains alone, abandoned within six months. The deliverable is a working program — inventory, classification, diligence pack, contractual library, monitoring cadence, breach-response coordination, offboarding protocol — wired into your procurement and security workflows so it stays alive between audits.
Personal-data-touching vendor inventory built from procurement records, finance ledger, IT system mapping and DSR-flow analysis. Classified by risk tier with a documented methodology your DPO can apply consistently to new vendors.
Tiered diligence questionnaires — long-form for Tier 1 / 2 critical processors, short-form for Tier 3 / 4 minimal-data engagements. Diligence outputs flow into the register; gaps surface before contract execution.
Master Data Processing Addendum mapped to the regulators in scope, with jurisdiction-specific Schedule 4 processing-instruction templates and supplementary clauses for sensitive-category, child, or biometric data processing.
Per-vendor TIA where the corridor demands it. SCC selection (EU 2021/914 modules), India-specific contractual approach for restricted transfers, KSA PDPL approved mechanisms, intra-group BCR architecture for groups operating regionally.
Annual attestation cycle with re-diligence triggers (M&A, sub-processor change, breach event, control-environment shift). Surveillance window for high-risk Tier 1 vendors with quarterly check-ins instead of annual.
Vendor-side breach playbook — notification-receipt protocol, joint investigation governance, regulator notification call (which clock applies, who notifies whom), individual notification scoping where the controller obligation lands on you.
Every vendor that touches personal data moves through the same six-phase lifecycle. The discipline is not in inventing it — it is in actually applying it consistently to new vendors, and reapplying it when the relationship materially changes.
1. Find the vendor. Procurement record, ledger entry, IT integration log — every channel the relationship could have entered through.
2. Risk-tier the vendor. Data category, volume, jurisdiction, role (controller / processor / sub-processor), control surface.
3. Tier-appropriate diligence pack — Tier 1 / 2 long-form, Tier 3 / 4 short-form. Outputs feed the register and surface contract gaps.
4. DPA execution, Schedule 4 processing instructions, transfer mechanism, sub-processor consent terms. Master library applied; bespoke where the case demands.
5. Annual attestation cycle. Re-diligence on triggers (M&A, sub-processor change, breach). Tier 1 quarterly surveillance.
6. Documented offboarding — data return / deletion certification, sub-processor wind-down, register update, ongoing-confidentiality terms.
The vendor risk program treats vendors differently by tier. A SaaS HRIS holding payroll data does not get the same diligence as a coffee-machine-leasing supplier — both are "vendors", but only one is a privacy risk surface. The matrix below is the methodology applied at classification.
| Tier & profile | Diligence depth | Contractual controls | Monitoring cadence |
|---|---|---|---|
| Tier 01 · Critical processor · risk: Critical. Sensitive-category data, large volume, primary processor (HRIS, EHR, payroll, customer database) | Long-form questionnaire. SOC 2 Type II / ISO 27701 evidence required. Sub-processor list reviewed. Optional on-site or video walk-through for novel critical engagements. | Full master DPA + jurisdiction-specific Schedule 4 + sensitive-category supplementary clauses. Sub-processor consent regime explicit. Transfer mechanism per corridor. | Quarterly surveillance window. Annual full re-diligence. Trigger re-diligence on any sub-processor change, M&A event, or material control-environment shift. |
| Tier 02 · Standard processor · risk: High. Personal data at scale, non-sensitive primary use (CRM, marketing automation, support platform, analytics) | Long-form questionnaire. SOC 2 / ISO 27001 evidence preferred. Sub-processor list reviewed. Diligence reapplied at annual cycle. | Master DPA + jurisdiction-specific Schedule 4. Standard sub-processor consent terms. Transfer mechanism per corridor. | Annual attestation cycle. Trigger re-diligence on sub-processor or M&A change. No standing surveillance window. |
| Tier 03 · Sub-processor / occasional · risk: Standard. Limited or occasional personal data exposure, secondary processor, or data-light operational tools | Short-form questionnaire. Self-attestation acceptable. Inheritable diligence from parent processor where applicable. | Standard DPA terms. Schedule 4 light. Sub-processor consent at parent level (where Tier 1 / 2 parent already covers). | Annual attestation only. Re-diligence on material change at parent processor. |
| Tier 04 · No-data & minimal · risk: Minimal. Vendor relationship with no personal-data processing in scope, or de minimis incidental exposure | Self-attestation of no-data status. Spot-check during annual cycle. Reclassified up if a privacy-affecting service is added. | No-DPA confirmation language in standard procurement contract. Confidentiality terms baseline. | Annual self-attestation. Reclassification triggered by service-scope change. |
Tiering is set by the methodology, not the relationship. A long-standing vendor that handles sensitive-category data is Tier 01 regardless of how comfortable the procurement team is with them. A new vendor that does not touch personal data is Tier 04 regardless of how strategic the partnership is. The methodology is the methodology.
The full deliverable set at engagement closeout. Each artefact is built to be maintained by your in-house team — methodology documented, templates editable, decision logic explicit. The work survives the engagement.
Working register of every personal-data-touching vendor, with role, data categories, classification tier, jurisdiction, contract status, monitoring cadence and named owner.
Documented rules for assigning vendors to Tier 01 — 04 based on data sensitivity, volume, processor role and control surface. Decision tree with worked examples.
Master Data Processing Addendum mapped to KSA PDPL, India DPDP, UAE PDPL and GDPR. Jurisdiction-specific Schedule 4 templates. Sensitive-category supplementary clauses.
Long-form (Tier 01 — 02) and short-form (Tier 03 — 04) questionnaires. Mapped to control objectives. Self-attestation forms for Tier 04. Editable template format.
Per-corridor TIA templates — KSA → India, UAE → EU, India → US, intra-GCC. SCC module-mapping reference. Onward-transfer governance approach.
12-month attestation calendar with vendor-by-vendor schedule, attestation request templates, response evaluation criteria, escalation path for non-compliant or non-responsive vendors.
Vendor-breach response protocol — notification receipt, severity rating, joint-investigation governance, regulator notification decision tree, individual notification scoping.
Documented offboarding workflow — data return / deletion certification, sub-processor wind-down, register update, ongoing confidentiality, evidence retention for regulator review.
A working vendor inventory rarely contains fewer than 60 third parties for a mid-size enterprise, and often runs into the hundreds for groups operating across multiple jurisdictions. Below are the categories that consistently appear across the engagements we have run.
- Tier 01 — Critical processor. Cross-border by default; SCCs required.
- Tier 01 — 02. Often have sub-processors of their own.
- Tier 02. High-volume processing; consent dependencies.
- Tier 01. Sensitive-category data; full diligence pack.
- Tier 02. Often involve cross-border BPO arrangements.
- Tier 01. Regulated processors; financial-data overlay.
- Tier 02 — 03. Customer address & tracking data.
- Often missed in modern inventories. Hidden Tier 02 — 03.
Vendor risk work is delivered through one of three engagement shapes — depending on whether you need the program built, the program maintained, or specialist input on a one-off basis. We'll recommend the right shape at scoping; you can always change later.
If you need the full program built from zero — inventory, classification, DPA library, attestation framework. Finite scope, fixed-fee, milestone-billed against an SOW. The most common shape for first-time vendor risk programs.
If your program is already built and you need ongoing operational ownership — annual attestation cycle, new-vendor onboarding diligence, breach coordination, register maintenance. Wrapped into a DPOaaS retainer.
If your DPO runs the program in-house and just needs senior backup on the harder cases — novel cross-border configurations, vendor refusing standard DPA terms, M&A diligence spike. Block-hour retainer drawn down on demand.
The questions below come up consistently at scoping. If yours is not here, the contact form below is the right place — a senior member of the practice will respond within one working day.
A 30-minute scoping call costs nothing. We will tell you honestly what state your vendor risk program is in — and what the right next step is, whether that is a project to build it, a retainer to operate it, or specialist input on a specific vendor question.