FundSvcs Community


Data Security Questionnaires for Vendors

  • 1.  Data Security Questionnaires for Vendors

    Posted 30 days ago
    Last year my org started requiring any vendors who will handle our donor data to complete a 20-page data security questionnaire that is reviewed alongside their MSAs/agreements. Most vendors have been accommodating but in the past 2 weeks two vendors have declined to complete them.

    One was a lockbox company that would only complete it if we paid a $3k (minimum) fee for them to do so, saying no other clients have ever asked this of them, even clients with millions of pieces of mail a year (way more than us). The other tech vendor yesterday said they will only complete a security questionnaire if the purchased services would be at a minimum threshold of $30k (which our purchase will not reach), but that they are happy to share a number of security documents/audits in lieu of the form.

    Our gift team decided to go with another lockbox. For the tech vendor, they were one of two finalists and their tool is significantly cheaper than the other. I've gathered their MSA and security documents and will try to figure out if our legal team would make an exception if we wanted to go with them.

    If you have any experience navigating this at your institution, I'd love to hear from you. My boss and I are trying to ascertain if the questionnaire is way outside of the norm of what other orgs are asking of their vendors so we can share feedback. Obviously, the more vendors that decline this requirement, the fewer options our team has if our legal team won't budge on this requirement, which is concerning.

    Thanks in advance,

    Tracey Mullane
    Director, CRM Strategy and Operations
    Partners In Health

  • 2.  RE: Data Security Questionnaires for Vendors

    Posted 30 days ago
    We do have a list of questions on data security for our vendors, but it's not 20 pages, maybe 10 questions total. They answer directly or share documents with us. I have asked maybe 5 vendors this year and all of them agreed to disclose the info, but some did ask for an NDA. I have not had anyone refuse or ask for money in order to disclose data security practices.

  • 3.  RE: Data Security Questionnaires for Vendors

    Posted 30 days ago
    I cannot say that I have worked with any institution that has required such a lengthy questionnaire - this includes healthcare clients.

    However, I also do not get involved in data services vendor contract negotiations.

    What I do hear about are shorter confidentiality agreements that include protections and legal rights of the client to seek restitution should the vendor violate the terms of the confidentiality agreement.

    In other words, instead of asking a vendor precisely how they go about doing whatever it is they do, the vendor is put on notice that you expect them to adhere to every known federal and state data security and individual privacy law on the books now or in the future.  That could also include additional internal policies you have implemented.  And that failure to follow those rules and regulations is subject to legal and financial actions against them.


    John H. Taylor
    John H. Taylor Consulting, LLC
    2604 Sevier St.
    Durham, NC   27705
    919.816.5903 (cell/text)

    Serving the Advancement Community Since 1987

  • 4.  RE: Data Security Questionnaires for Vendors

    Posted 30 days ago
    I've never been presented with a security questionnaire of that length either, and my firm is involved with data services work, including HIPAA work. That said, I think more organizations should take a harder look at vendors, their data practices, and especially at their cyber insurance. Nevertheless, 20 pages might well be hours of work, and could require oversight from senior management. Sometimes, the companies that push back and set a price tag on that work are the companies that are taking the questionnaire most seriously, and answering the questions with rigor. It would be a shame to cull them from your available pool, in favor of companies that may be accommodating in filling out the forms, but not as diligent about the content.

    Thank you,
    Isaac Shalev
    Data Strategy Expert
    Sage70, Inc.
    (917) 859-0151

  • 5.  RE: Data Security Questionnaires for Vendors

    Posted 27 days ago
    We have a list of questions that we (the dept. buying the software) fill out based on our own reading of the contract/interaction with the vendor. Those include things like:

    • Does Lehigh retain all rights to our and our customer data?
    • Can we access and remove all of our data?
    • Is FERPA in scope?
    • Is HIPAA in scope?
    • Is GLBA in scope?
    • Are they willing to submit a HECVAT survey?
    • Does the data leave the United States?
    • Is encryption enforced at rest and in transit?
    • Are data security controls spelled out in the contract? SOC2?
    • Do we have the ability to audit or view an independent audit of these controls?
    • Are they required in contract to follow their security policy?
    So, our legal/IT folks certainly ask for specific information, but none of these things are required for every piece of software we buy/vendor we use. It really comes down to risk assessment. We'd be (and have been) a lot more strenuous on a full CRM system handling all donor data/financials than we would be on a system that was just meant to hold constituent emails/names.

    So, in short, we certainly try to get as much security info as we can, but it's not a requirement, just a part of the decision making process.

    I see that you're not in HE, but it still may be worth looking into something like HECVAT, which is kind of a standard survey a vendor could use across many clients, rather than having them fill out a bespoke survey for each client.

    Good luck.


    Sean Shappell
    Asst. Vice President, Information Services
    Lehigh University