Vendor Management

Maintain a complete register of third-party vendors and processors. Track contracts, send privacy questionnaires, monitor risk tiers, and ensure your supply chain meets your privacy standards.

Vendor Register

Your vendor register is the central record of all third parties that process personal data on your behalf. Each vendor entry captures contact details, processing purposes, contract status, and risk tier.

  • ACTIVE: Vendor is approved and actively processing data
  • UNDER REVIEW: Vendor is being evaluated or re-assessed
  • SUSPENDED: Processing suspended pending issue resolution
  • OFFBOARDED: Vendor relationship terminated, data return/deletion confirmed

Risk Tiers

Vendors are classified into risk tiers based on the volume and sensitivity of data they process, their security posture, and geographic considerations.

  • LOW
  • MEDIUM
  • HIGH
  • CRITICAL

Higher-risk vendors require more frequent reviews and stronger contractual safeguards, and may trigger a vendor risk assessment.

Vendor Dashboard

Get an overview of your vendor landscape at a glance.

  • Total Vendors: 24
  • Active: 18
  • High Risk: 3
  • Pending Review: 5

Contract Management

Track Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), and other contractual documents for each vendor. Set renewal reminders and monitor expiration dates.

Key Contract Documents

  • Data Processing Agreement (DPA): Defines processing terms under GDPR Article 28
  • Standard Contractual Clauses (SCCs): Safeguards for international data transfers
  • Sub-processor Agreement: Terms for the vendor's own sub-processors
  • Security Addendum: Technical and organizational measures

Privacy Questionnaires

Send privacy and security questionnaires to vendors to assess their data protection practices. Track responses and flag areas of concern for follow-up.

Questionnaire Topics

Data processing scope
Security measures
Incident response
Sub-processor management
Data retention policies
Cross-border transfers
Employee training
Certification & audits

Vendor Review Process

The vendor review lifecycle from onboarding to ongoing monitoring.

1. Onboarding: Initial assessment
2. Questionnaire: Privacy review
3. Contract: DPA execution
4. Approved: Active vendor
5. Periodic Review: Annual reassessment

Adding and Reviewing a Vendor

1. Add Vendor to Register (DPO)

Navigate to the Vendor Management module and click 'Add Vendor'. Enter the vendor name, contact details, and processing purpose.

2. Send Questionnaire (DPO)

Select a privacy questionnaire template and send it to the vendor contact. The system tracks response status and deadlines.

3. Review Responses (Privacy Officer)

Evaluate the vendor's questionnaire responses. Flag any areas of concern and assign a preliminary risk tier.

  • Check security certifications (ISO 27001, SOC 2, etc.)
  • Review sub-processor arrangements
  • Evaluate data transfer mechanisms

4. Execute Contracts (Legal)

Upload and track the Data Processing Agreement (DPA) and any additional contractual documents.

5. Approve and Monitor (DPO)

Approve the vendor for active use. Set up periodic review reminders based on the vendor's risk tier.