
6 Key Provisions to Know for Vendor Contracts

Aug 14, 2018 by Heather Garnett

When reviewing a new critical vendor contract, or negotiating terms for an existing one, you should be looking at specific provisions to ensure compliance with industry regulations and standards. The following are six key contractual standards to take a close look at:

  1. Clear definitions of the services the vendor will provide along with both parties' responsibilities:
     • Vendor should outline any services to be provided along with a time frame for conversions, implementation, training, etc.
     • Provisions for modifying new and/or existing services
     • Vendor should identify its responsibilities
     • Key responsibilities identified, such as: data integrity/security; cost related to purchasing/maintaining software or hardware and minimum system requirements to support the services offered

  2. Adequate and measurable service levels:
     • Standards by which the service(s) will be measured
     • Functionality and availability the vendor is committed to providing
     • Reporting methods and frequency of such reports
     • Rights and remedies for failure to meet standards

  3. Due diligence documents and audit reports:
     • Vendor should provide routine due diligence as well as, when needed, processes and procedures for security breach/incident response and business continuity/disaster recovery – updated as appropriate
     • Provide an annual SOC Report or equivalent internal controls audit
     • Provide certificate of insurance
     • Provide financial reports
     • Agree to provide any other due diligence items based on the product or service being outsourced, as well as the level of risk

  4. Information security and confidentiality of your data:
     • Vendor should maintain policies and procedures to meet the data security objectives of the GLBA
     • Ensure security of non-public personal information (NPPI)
     • Protect against unauthorized access and have mitigation plans in place in the event of security breach
     • Provisions for proper disposal or return of confidential information and data
     • Any post-termination rights to use confidential information, particularly customer data

  5. Business continuity/disaster recovery:
     • Vendor should maintain policies and procedures in compliance with Appendix J
     • Vendor should have independent testing requirements that demonstrate ability to meet sufficient recovery objectives
     • Established recovery times for the return of critical business functions
     • Cyber resilience

  6. Identifying sub-contractors and primary service providers:
     • Vendor should identify any sub-contractors and ensure the relationships are in accordance with industry guidance and with your own standards
     • Vendor should remain responsible for all contractual obligations
     • Vendor should monitor and provide oversight of their sub-contractor’s operations (your fourth parties)
     • Vendor should provide their sub-contractor’s due diligence documents upon request

By including these key provisions within the contract, you are helping to ensure your organization and customers are both protected, and the contract is in compliance.

A well-managed process for handling all agreements with third parties from start to finish is essential. Download our helpful ebook now where we'll help you create an effective contract management system.


Written by Heather Garnett

Heather Garnett is an on-site paralegal with Venminder. Prior to joining Venminder, Heather spent two and a half years working in the Middle East as a Legal Secretary for Edinburgh International and as Senior Contract Compliance Manager for Alastora Private Security Company. During this time she successfully negotiated multi-million dollar contracts with many international companies within the oil and gas industry. Before traveling overseas, Heather worked for private law firms, gaining 11 years of legal and contractual experience. She received her Paralegal Certification from Murray State University.
