What Is Collected on a Critical Core Vendor?


The vendor due diligence process inherently involves some heavy lifting when it comes to data collection, and with so many different moving parts, it can be easy to miss one or two (or let’s face it, a lot of) important pieces of information. Certain information may not be as necessary for your non-critical or lower-risk vendors. But when it comes to the vendors you rely on every day, there are some key provisions you’ll need to consider and documents to collect.

So, what’s the most important?

Due Diligence You Need to Collect and Analyze for Critical Vendors

1. Foundational Documents/Baseline Due Diligence

A vendor’s set of foundational documents is not only used in upfront vetting; these are also the core documents you’ll refer to throughout ongoing oversight and monitoring. Aside from the basic information, you’ll need an MNDA (mutual non-disclosure agreement), as well as a credit report, site confirmation (Google map check), references and business ratings. It’s also a good idea to check on the ownership structure as well as prior aliases and the names of affiliated companies.

Some specific documents include:

  • Tax ID
  • Business license
  • State of incorporation
  • Secretary of State check

2. Secondary Due Diligence

Your secondary documentation is just as important as your foundational research and encompasses several major categories, including financials, exams/reports, licensure, policies and procedures, and insurance. It may also include biographical research, reports from on-site visits, and requests for organizational charts or diagrams.

There is often a substantial amount of documentation to collect within each of these major categories; however, some of the highlights include:

  1. Financial Statements
    • Annual report
    • 3 years of audited financials
    • Accountant statements

  2. Exams/Reports
    • Business continuity plan and testing
    • Information security penetration testing
    • Vulnerability testing
    • SSAE 18, SOC 1, 2 or 3
    • Internal/external audits

  3. Licenses, Professional Certifications, Policies and Procedures
    • Any required license (e.g., state money transmitter license)
    • PCI and ISO certifications/QSA letter
    • Data protection
    • Hiring/background check
    • Media policies
    • Compliance policies
    • Data protection policies

  4. Insurance
    • Liability
    • Cyber
    • Employee malfeasance

3. Contracts

Before signing on the dotted line, it’s crucial to review your vendor contracts and make sure they include several pieces of information, such as scope of service and minimum service level requirements, terms of renewal/termination, right-to-audit and pricing, among several others.

Five major questions to answer, and pieces of information to collect, during the contract phase are:

  • Does the vendor contract contain a measurable SLA?
  • Does the vendor contract have sufficient security and confidentiality provisions?
  • Does your vendor contract identify sub-contractors or fourth parties?
  • Are there provisions for annual reporting?
  • Is there a business resumption or disaster recovery plan clause?

Of course, there are many more documents that could be included, as the level of due diligence collection very much depends on your vendor’s type and the risk it poses to the organization. However, this is a good list to get you started.

Your due diligence process should be based on the risk level of your vendor. Download this checklist to help.
