How to Vet SaaS Vendors for Privacy and Cybersecurity Risk

General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.

Most businesses in Virginia rely on a collection of cloud-based software tools to run their operations. Accounting platforms, customer relationship management systems, human resources software, email marketing tools, and industry-specific applications all typically involve uploading business data, customer information, or employee records to a third-party vendor’s infrastructure.

When one of those vendors experiences a breach, the consequences land on your business, not just theirs. Customers whose data was exposed will contact you. Regulators will look to you. Your cyber insurance policy will be triggered. And if you did not conduct reasonable due diligence before selecting the vendor or failed to establish appropriate contractual protections, your legal position may be significantly weaker than it would otherwise be.

For businesses in Christiansburg, Blacksburg, and the New River Valley that want to take vendor risk seriously without the resources of a large enterprise security team, a structured approach to vendor vetting is achievable.

Vendor risk management is often treated as a technical concern, delegated to IT staff or handled through a checkbox during procurement. But the legal dimensions of vendor relationships deserve attention at the same time.

Under the Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-571 et seq., a controller (a business that determines how personal data is used) must enter into a data processing agreement with any processor (a vendor that handles personal data on the controller’s behalf). That agreement must include specific provisions about the nature of the processing, the types of data involved, the vendor’s obligations regarding security, and the vendor’s obligations in the event of a breach.

If you share personal data with a SaaS vendor without a compliant data processing agreement, you may be in violation of the VCDPA even if the vendor handles the data appropriately.

Under HIPAA, healthcare providers, health plans, and their business associates must enter into Business Associate Agreements (BAAs) with vendors that receive, create, maintain, or transmit protected health information on their behalf. Using a vendor that handles PHI without a signed BAA is itself a HIPAA violation.

Beyond these regulatory requirements, your contracts with customers may include data protection commitments that require you to flow similar obligations down to your vendors. Failing to do so can create breach of contract liability that is entirely separate from regulatory exposure.

The Due Diligence Checklist

A structured vendor risk assessment should address the following areas.

Security Certifications and Testing

  • SOC 2 Type II report: A SOC 2 Type II report demonstrates that an independent auditor has evaluated the vendor’s controls for security, availability, processing integrity, confidentiality, and privacy over a period of time (typically six to twelve months). A SOC 2 Type II is meaningfully more rigorous than a Type I, which only reflects a point-in-time assessment. Request a copy of the report, not just a statement that the vendor “has SOC 2.”
  • Penetration testing: Ask whether the vendor conducts regular penetration testing by independent third parties and whether test results are available to customers (often in summary form under a non-disclosure agreement).
  • ISO 27001 or other frameworks: Some vendors maintain ISO 27001 certification or align to frameworks such as NIST SP 800-53. These certifications indicate a structured approach to information security management.
  • Vulnerability disclosure program: Vendors that operate a responsible disclosure program for security researchers demonstrate a commitment to identifying and remediating vulnerabilities.

Data Location and Subprocessors

  • Where is your data stored? Identify the specific geographic regions where your data will be stored and processed. For businesses handling EU resident data, this affects EU AI Act and GDPR compliance. For regulated industries, some requirements restrict where data may be held.
  • Who are the vendor’s subprocessors? Most SaaS vendors do not operate entirely on their own infrastructure. They use cloud hosting providers, content delivery networks, analytics tools, and support platforms that may also have access to your data. Ask for a list of subprocessors and evaluate whether those subprocessors introduce additional risk.
  • Subprocessor change notification: Your contract should require the vendor to notify you before adding a new subprocessor that will have access to your data, and give you the right to object.

Breach Notification Terms

  • How quickly will the vendor notify you? Virginia Code § 18.2-186.6 gives you 60 days to notify affected consumers, but you cannot begin that clock until you know about the breach. A vendor contract that allows 30 or 45 days to notify you compresses your response window significantly.
  • What triggers the notification obligation? Confirm that the contract’s definition of a reportable incident is consistent with Virginia law and any other applicable standards.
  • What information will the vendor provide? You will need to know what data was accessed, how many records were affected, and what the vendor’s forensic investigation found in order to satisfy your own notification obligations.

Right to Audit

  • Can you audit the vendor’s security practices? Enterprise contracts sometimes include a right to conduct security audits of the vendor’s systems, either directly or through a designated third party. For smaller businesses, this right may not be practically exercised, but having it in the contract establishes the expectation and may give you access to audit reports that the vendor commissions.

Service Level Agreements and Availability

  • What availability guarantees does the vendor provide? Review the service level agreement (SLA) carefully, including how availability is calculated and what remedies are available when the vendor misses its commitments.
  • Does the SLA include security-related commitments? Some SLAs address response times for security incidents or vulnerability patching.

Termination and Data Return

  • What happens to your data when you leave? Contracts should clearly specify that upon termination of the relationship, the vendor will return your data in a usable format and delete all copies from its systems within a defined period.
  • Is data deletion verifiable? Ask whether the vendor will provide a written confirmation of data deletion following termination.
  • Transition assistance: If you rely heavily on a particular vendor, your contract should address transition assistance in the event of termination to ensure you can retrieve and migrate your data without disruption.

Data Processing Agreements Under the VCDPA

The VCDPA requires data processing agreements to address specific topics. These include:

  • Instructions for processing personal data
  • The nature and purpose of the processing
  • The type of data subject to the processing and the duration of the processing
  • The rights and obligations of both parties
  • The processor’s obligation to delete or return personal data at the controller’s direction
  • The processor’s obligation to make available information necessary to demonstrate compliance with the VCDPA
  • The processor’s obligation to engage subprocessors only upon prior authorization from the controller

If your SaaS vendor offers a standard data processing agreement as part of its contract, review it against these requirements before signing. Some vendor DPAs are drafted primarily for GDPR compliance and may not address all VCDPA requirements.

Ongoing Monitoring

Vendor vetting is not a one-time exercise. Ongoing monitoring of your vendor relationships should include:

  • Annual review of security certifications: Confirm that the vendor’s SOC 2 and other certifications remain current.
  • Subprocessor change tracking: Monitor for notifications of new subprocessors and assess the associated risk.
  • News and breach monitoring: Follow public reporting about breaches and security incidents involving your vendors. If a vendor experiences a disclosed breach, proactively contact them to determine whether your data was affected.
  • Contract renewal review: Use contract renewals as an opportunity to update data processing agreements to reflect current legal requirements.

For businesses throughout Montgomery County and the New River Valley that want to build a vendor risk management program proportionate to their size, starting with a vendor inventory and prioritizing due diligence for vendors with access to the most sensitive data is a practical approach.
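The ongoing-monitoring checklist above and the inventory-first approach just described can be kept in a small risk register. The following is an added example, not code from the original article or from Valley Legal; the vendor names, sensitivity scale, the 30-day threshold and the sample inventory are constructed assumptions, while the 60-day figure is the Virginia notification window cited earlier on this page.

```python
from dataclasses import dataclass
from datetime import date

STATUTORY_NOTICE_DAYS = 60  # consumer-notification window under Va. Code § 18.2-186.6

@dataclass(frozen=True)
class Vendor:
    name: str
    sensitivity: int            # constructed scale: 1 internal data, 2 personal data, 3 PHI
    soc2_period_end: date       # period end of the latest SOC 2 Type II report on file, or None
    notice_days: int            # contractual maximum days for the vendor to notify you of a breach
    subprocessors: frozenset    # names on the vendor's current subprocessor list
    has_dpa: bool               # a signed DPA (or BAA for PHI) is on file

def review_vendor(v: Vendor, assessed: frozenset, today: date) -> list:
    """Return the findings the monitoring checklist raises for one vendor."""
    findings = []
    if v.sensitivity >= 2 and not v.has_dpa:
        findings.append("no DPA/BAA on file for a vendor handling personal data")
    if v.soc2_period_end is None:
        findings.append("no SOC 2 Type II report on file")
    elif (today - v.soc2_period_end).days > 365:
        findings.append("SOC 2 Type II report is over 12 months old; request the current one")
    # Days left for your own consumer notifications after the vendor's contractual delay
    remaining = STATUTORY_NOTICE_DAYS - v.notice_days
    if remaining < 30:  # constructed threshold: under half the statutory window left
        findings.append(f"vendor notice term leaves {max(remaining, 0)} of "
                        f"{STATUTORY_NOTICE_DAYS} days for your own consumer notifications")
    new = v.subprocessors - assessed  # subprocessors added since the last assessment
    if new:
        findings.append("unassessed subprocessors: " + ", ".join(sorted(new)))
    return findings

def prioritize(vendors: list, assessed: dict, today: date) -> list:
    """Order the inventory for review: most sensitive data first, then most findings."""
    rows = [(v, review_vendor(v, assessed.get(v.name, frozenset()), today)) for v in vendors]
    rows.sort(key=lambda r: (-r[0].sensitivity, -len(r[1]), r[0].name))
    return [(v.name, f) for v, f in rows]

# Constructed sample inventory (not real vendors) and the subprocessor lists last assessed
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    Vendor("payroll-saas", 2, date(2023, 12, 31), 45, frozenset({"cloud-host", "support-desk"}), True),
    Vendor("ehr-portal", 3, date(2025, 3, 31), 10, frozenset({"cloud-host", "new-analytics"}), False),
    Vendor("file-share", 1, None, 72, frozenset({"cloud-host"}), True),
]
SAMPLE_ASSESSED = {"payroll-saas": frozenset({"cloud-host", "support-desk"}),
                   "ehr-portal": frozenset({"cloud-host"}), "file-share": frozenset({"cloud-host"})}

if __name__ == "__main__":
    for name, findings in prioritize(SAMPLE_INVENTORY, SAMPLE_ASSESSED, SAMPLE_TODAY):
        print(name, findings or ["no findings"])
```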

Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.