Vendor & Third-Party Risk Questions Before You Sign
A short due-diligence checklist to run before you trust a new app, supplier or contractor with your data or systems.
When to use
Before signing up for new software or SaaS, onboarding a supplier or contractor who'll touch your data or systems, or when someone asks "is this tool safe to use?".
Steps
1. Ask where your data is stored (in Australia or overseas), who can access it, and whether it's encrypted both in transit and at rest. 2. Check they support MFA and, ideally, single sign-on, and that you can set different permission levels for different staff. 3. Ask about their backups, uptime and what happens during an outage. 4. Ask whether they've ever had a security breach, and whether they'll notify you promptly if your data is affected. 5. Look for recognised security credentials (for example ISO 27001, SOC 2, or IRAP for government-related work) - not proof on their own, but a good sign. 6. Confirm what happens to your data if you leave: can you export it, and will they delete it on request? 7. Read the privacy policy and contract terms for who owns the data and how it may be used. 8. Apply least privilege - give the vendor, and any integration you connect, only the access it genuinely needs and nothing more. 9. Keep a simple vendor register listing each supplier, what data they hold, and what access they have.
When to call a professional
For contract, data-processing or privacy terms, ask your legal professional; for integrations and access scopes, ask your IT provider or MSP.
ACSC reference: Aligns with ACSC cyber supply chain risk management guidance and the least-privilege principle behind Essential Eight (restrict administrative privileges) (cyber.gov.au/smallbusiness).
Want your agent to fetch skills itself? The Academy MCP serves this whole library.
Connect via MCP