
Vendor / Third-Party Risk Management Policy — Free Template

Third-party risk is the #1 source of breaches in 2024 (Verizon DBIR). SOC 2 CC9.2 and ISO 27001 A.5.19 / A.5.21 require a documented vendor-risk programme covering due diligence, contract terms, ongoing monitoring, and off-boarding. This template gives you each phase with the artifacts auditors sample.

Who needs it
  • Companies in SOC 2 or ISO 27001 scope with material vendor dependencies
  • Anyone whose customers ask 'how do you assess your sub-processors'
  • Procurement and security teams formalising vendor onboarding
  • Companies hit by a sub-processor breach (Okta, SolarWinds, MOVEit) wanting a stronger TPRM baseline

What's included
  • Policy purpose and scope
  • Vendor risk tiering criteria (Tier 1 / 2 / 3)
  • Pre-engagement due diligence requirements
  • Required contract clauses (DPA / BAA, security minimums, audit rights, notification SLAs)
  • Annual reassessment cadence by tier
  • Continuous monitoring (SOC reports, breach intel, financial health)
  • Sub-processor inventory
  • Off-boarding and data return
  • Exception process
  • Roles and responsibilities

Template — full text

1. Purpose

[Company Legal Name] ("Company") manages risks introduced by third parties that process Company or customer data, support critical operations, or have access to Company systems. This policy implements SOC 2 CC9.2 and ISO/IEC 27001:2022 A.5.19, A.5.20, A.5.21, and A.5.22.

2. Scope

This policy applies to every third party that: (a) processes Company or customer personal data; (b) hosts or has logical access to Company production systems; (c) supports a critical business process; or (d) has a contractual relationship with annual spend above [Threshold], regardless of risk profile.

3. Vendor Risk Tiering

Each vendor is classified at onboarding:
  • Tier 1 (Critical) — Processes customer personal data, has production access, or supports a single-point-of-failure business process. Requires full due diligence, executed DPA/BAA, annual reassessment
  • Tier 2 (Important) — Internal data, financial data, or operational dependency. Requires standard due diligence, annual or biennial reassessment
  • Tier 3 (Standard) — Public data only, no system access, low spend. Requires lightweight due diligence and contract review

4. Pre-Engagement Due Diligence

Before contract execution, the vendor must provide:
  • Tier 1 & 2: SOC 2 Type II within the last 12 months (or ISO 27001 certificate + Statement of Applicability); penetration test summary; security questionnaire (CAIQ / SIG Lite); evidence of incident response programme; sub-processor list
  • Tier 3: Public security page / trust centre review; completed lightweight questionnaire
  • Privacy review for any vendor processing personal data, including Transfer Impact Assessment for non-adequacy destinations
  • Documented residual-risk acceptance by the Business Owner and Security

5. Contract Requirements

All Tier 1 and Tier 2 vendor contracts include:
  • Data Processing Agreement (GDPR) or Business Associate Agreement (HIPAA) where applicable
  • Security minimums (encryption, MFA, vulnerability management, logging)
  • Sub-processor authorisation and notification rights
  • Incident notification SLA (≤72 hours from awareness; ≤48 hours for Tier 1)
  • Audit rights satisfied by a current SOC 2 / ISO 27001 report, with on-site rights for cause
  • Right to terminate on material security or compliance breach
  • Data return / deletion on termination

6. Ongoing Monitoring

  • Annual reassessment for Tier 1 (refresh SOC 2 / ISO, sub-processor list, breach disclosures)
  • Biennial reassessment for Tier 2
  • Continuous: monitor breach intel (Have I Been Pwned, vendor status pages, regulator actions); financial health for critical vendors
  • Track sub-processor changes; allow business owner to object within 30 days

7. Sub-Processor Inventory

Company maintains a public sub-processor list at [Sub-Processor List URL] in line with customer DPA commitments. Internal master inventory captures vendor name, tier, data categories, primary processing location, contract owner, last-assessment date, and next-due date.
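As an added worked example (not part of the template), the tiering criteria of section 3, the reassessment cadence of section 6 and the inventory fields of section 7 can be modelled so that overdue reassessments and missing section 4 evidence are flagged automatically. The field names, the 3-year Tier 3 cadence and the sample vendors are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
# Cadence by tier (section 6): Tier 1 annual, Tier 2 biennial; Tier 3 is not
# specified in the template, so a 3-year contract review is assumed here.
CADENCE_DAYS = {1: 365, 2: 730, 3: 1095}

@dataclass
class Vendor:                         # one row of the internal master inventory
    name: str
    customer_personal_data: bool      # processes customer personal data
    production_access: bool           # hosts or has logical access to production
    single_point_of_failure: bool     # supports an SPOF business process
    internal_or_financial_data: bool  # internal or financial data
    operational_dependency: bool
    last_assessment: date
    soc2_report_date: Optional[date] = None  # None = no SOC 2 Type II on file

def classify_tier(v: Vendor) -> int:
    """Section 3 criteria, checked highest tier first."""
    if v.customer_personal_data or v.production_access or v.single_point_of_failure:
        return 1
    if v.internal_or_financial_data or v.operational_dependency:
        return 2
    return 3

def next_due(v: Vendor) -> date:
    return v.last_assessment + timedelta(days=CADENCE_DAYS[classify_tier(v)])

def findings(v: Vendor, today: date) -> List[str]:
    """Overdue reassessment and missing section 4 evidence for one vendor."""
    tier, due, out = classify_tier(v), next_due(v), []
    if due < today:
        out.append(f"{v.name}: Tier {tier} reassessment overdue since {due}")
    if tier in (1, 2):  # section 4: SOC 2 Type II within the last 12 months
        if v.soc2_report_date is None:
            out.append(f"{v.name}: no SOC 2 Type II on file")
        elif (today - v.soc2_report_date).days > 365:
            out.append(f"{v.name}: SOC 2 Type II older than 12 months")
    return out

def inventory_report(vendors: List[Vendor], today: date) -> List[str]:
    return [f for v in vendors for f in findings(v, today)]

# Constructed sample inventory and reference date (not real vendors).
TODAY = date(2025, 6, 1)
SAMPLE = [
    Vendor("payments-api", True, True, True, True, True, date(2024, 3, 1), date(2024, 1, 15)),
    Vendor("hr-system", False, False, False, True, True, date(2023, 2, 1)),
    Vendor("swag-printer", False, False, False, False, False, date(2023, 1, 1)),
]
```

Running `inventory_report(SAMPLE, TODAY)` yields four findings: both Tier 1 and Tier 2 vendors are overdue and lack current SOC 2 evidence, while the Tier 3 vendor is clean.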

8. Off-Boarding

On termination, the contract owner ensures that: (a) the vendor returns or deletes Company data within the agreed timeline; (b) all Company-issued credentials are revoked; (c) DNS, SAML, and IP allow-lists are updated; (d) the sub-processor list is updated.

9. Exceptions

Exceptions require written approval from the Policy Owner, with documented compensating controls and a defined expiry (maximum 12 months). The exception register is reviewed quarterly.

10. Roles and Responsibilities

  • Procurement: gatekeeps new-vendor onboarding through the TPRM workflow
  • Security / Privacy: conducts due diligence, approves residual risk
  • Legal: negotiates DPA / BAA and contractual security terms
  • Business Owner: maintains relationship, owns annual reassessment, off-boards the vendor

11. Review

This policy is reviewed at least annually and after any material vendor-related incident. Next review: [Annual Review Date].

Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. Customise to your specific facts and have counsel review before execution.

Fields you customise

  • Spend threshold for Tier 3 capture
  • Sub-processor list URL (public-facing)
  • TPRM workflow tool (e.g. Vendr, OneTrust, internal Jira project)
  • Pen-test depth requirement (e.g. annual external test for Tier 1)

Want a branded, multi-framework, board-ready version?

The ComplianceIQ generator produces this document in your company name and brand, mapped across every framework you need (HIPAA + GDPR + SOC 2 + ISO simultaneously), exported as DOCX + PDF, and scored against the audit checklist. Pre-populated with your tenant-specific values so nothing is left in brackets.


FAQ

Do I really need a SOC 2 from every Tier 1 vendor?
SOC 2 Type II is the de facto baseline for Tier 1 vendors handling customer data. Acceptable substitutes: a current ISO 27001 certificate with SoA, or a recent independent pen test plus a completed CAIQ. Document the basis for acceptance for each vendor — auditors will sample.
How do I assess a vendor that refuses to share their SOC 2?
Most reputable vendors share SOC 2 under NDA via their trust centre. If a Tier 1 vendor refuses entirely, that is itself a risk finding — escalate to leadership, require compensating evidence (pen test, questionnaire, on-site audit), and document the residual-risk acceptance.
Should the sub-processor list be public?
Yes if you process personal data on behalf of enterprise customers — GDPR Art. 28(2) requires general authorisation with notification rights, which is most cleanly satisfied with a public list customers can monitor. Update the list before adding a new sub-processor, not after.

What happens when this control fails

  • Uber: $148M. Paid hackers $100K to hide a 57M-record breach for over a year
  • Capital One: $80M fine + $190M class action. Mis-configured AWS WAF → 106M records exfiltrated by a former AWS engineer
