# Vendor diligence forms for privacy + security

Last updated: 2023-03-01

URL for this page: https://hackmd.io/@investinopen/vendor-privacy-security

URL for this site: https://hackmd.io/@investinopen/how-we-work

---

**What is this?**

An internal guide for IOI staff to ensure the [privacy and security](https://investinopen.org/ioi-privacy-policy/) of IOI's data when it is accessed and/or processed by external vendors. Examples of external vendors include language translators, software developers, etc. Both the guide and the vendor questionnaires were designed by legal experts hired by IOI in 2022.

**Who should use this?**

Any IOI staff member who is in the initial stage of hiring an external vendor for a piece of work, particularly one involving data or personally sensitive information. Use this guide to select the most appropriate questionnaire for your vendor.

Templates for each questionnaire are stored in IOI's Google Doc template gallery in Google Workspace (internal access only). [Create](https://support.google.com/docs/answer/148833) a new questionnaire from the template gallery, then ask your vendor to complete the questionnaire document and return it to IOI.

## What types of data will the vendor process?

There are a few basic types of data that a vendor may process for IOI, as follows. Work through the categories in order: if a vendor falls into more than one category, use the most comprehensive questionnaire that applies, and note that *Appendix 1 – Data Transfer Questions* (category 5) is completed in addition to, not instead of, the questionnaire selected under categories 2–4.

### 1. No personal data

The vendor will not process any Personal Data. The vendor does not need to complete any diligence questionnaire.

### 2. Basic personal data

The vendor will process basic Personal Data: any information that directly or indirectly identifies a person or a device and that is not Sensitive Personal Data (as defined in category 3 below), e.g., name, email, address, phone number, unique device identifiers, IP address, and any information tied to any of these pieces of information.

Will the vendor require an online connection or other integration with IOI's network or other systems to perform its services?

1. If no, please have the vendor complete the *[Vendor Security Assessment (lite)](#Vendor-Security-Assessment-lite)*. This assessment is appropriate for vendors that only process limited types of personal data on IOI's behalf and that do not have direct access to IOI's systems.
2. If yes, please have the vendor complete the *[Vendor Comprehensive Privacy and Security Questionnaire](#Vendor-Comprehensive-Privacy-and-Security-Questionnaire)*. This Questionnaire is appropriate for vendors that process more sensitive information or that have direct access to IOI systems.

### 3. Sensitive personal data

The vendor will process Sensitive Personal Data (e.g., health and wellness information, financial account information, social security numbers, government IDs, race, ethnicity, genetic information, biometric information, children's data, political views, religious beliefs, sexual orientation, trade union membership).

- Please have the vendor complete the *[Vendor Comprehensive Privacy and Security Questionnaire](#Vendor-Comprehensive-Privacy-and-Security-Questionnaire)*. This Questionnaire is appropriate for vendors that process more sensitive information or that have direct access to IOI systems.

### 4. Personal Data of IOI employees/contractors

The vendor will process Personal Data of IOI employees or contractors (e.g., HR data).

- Please have the vendor complete the *[Vendor Comprehensive Privacy and Security Questionnaire](#Vendor-Comprehensive-Privacy-and-Security-Questionnaire)*. This Questionnaire is appropriate for vendors that process more sensitive information or that have direct access to IOI systems.

### 5. Personal Data from Europe, Switzerland, UK

Will the vendor process personal data of individuals located in the European Economic Area, Switzerland, or the United Kingdom?

1. If no, there is no need to complete *Appendix 1 – Data Transfer Questions*.
2. If yes, will the vendor process that personal data only within the following jurisdictions? European Economic Area, United Kingdom, Switzerland, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Uruguay.
   1. If yes, there is no need to complete *Appendix 1 – Data Transfer Questions*.
   2. If no, and the vendor will process the personal data in other locations besides those named above, require the vendor to complete *[Appendix 1 - Data Transfer Questions](#Appendix-1-Data-Transfer-Questions)*.

---

## Questionnaires for vendor

### Vendor Security Assessment (lite)

This assessment is appropriate for vendors that only process limited types of personal data on IOI's behalf and that do not have direct access to IOI's systems.

Questionnaire document (Google Doc, embedded on the original page): https://docs.google.com/document/d/15m9-IijpdjAMJeVj64C-4rsdoJYLEyIBJOw-Z_kh6Zg/edit?usp=sharing

---

### Vendor Comprehensive Privacy and Security Questionnaire

This Questionnaire is appropriate for vendors that process more sensitive information or that have direct access to IOI systems.

Questionnaire document (Google Doc, embedded on the original page): https://docs.google.com/document/d/16fnRSBauZhdw2sCdb31TMPc8IvDHrxfz9ffrXpwq5d0/edit?usp=sharing

### Appendix 1: Data Transfer Questions

Appendix document (Google Doc, embedded on the original page): https://docs.google.com/document/d/1o_fH3VTxf1ukDc5uEeizZcLX2kouSUt3MnmaEoB7Pw8/edit?usp=sharing

---

## See also

* [IOI Privacy Policy](https://investinopen.org/ioi-privacy-policy/)
* Archived copy of this page (via the Internet Archive's Wayback Machine): https://web.archive.org/web/*/https://hackmd.io/@investinopen/vendor-privacy-security

---

This page first published: 2023-03-01

###### tags: `about-us` `process` `onboarding`