Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



Vendor Contract Confidentiality and Security

CPE Credit Eligible
HubSpot Video

Vendor contract management is important, as well as security and confidentiality. 

Even though each vendor agreement includes different contractual terms, there are 5 security and confidentiality provisions which should always be addressed. Let's go through them.

You may also be interested in:

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Ashley Roberts and I am one of the In-House Paralegals here at Venminder. Today we are going to talk about entering into third party agreements. 

Third party vendor agreements can range anywhere from your:

  • core processor 
  • to the vendor that provides your internet services
  • to your janitorial services provider

Even though each agreement includes different contractual terms, there are 5 security and confidentiality provisions which should always be addressed. 

1. The agreement should first identify what constitutes “confidential information”. For example, customer names, addresses or bank and credit card account numbers. It should also specify proprietary information such as trade secrets or operational instructions.  

2. Second, the agreement should state how your confidential information, as well as your customer’s data, will be protected. The agreement should include the specific steps your vendor will take to safeguard this information such as:

    • Protection against destruction
    • Unauthorized access, or mishandling 
    • And how will they dispose of your data.

Did you know that as a part of the GLBA and the FTC, you are responsible for keeping your customers information secure? 

This bring us to the third Security and Confidentiality provision. 

3. If the vendor were to share your information or your customer's data to a third party such as a subcontractor or an auditor, is there something in place to protect this information? The agreement should also address the vendor's obligation to notify you prior to releasing any information. This will allow you the opportunity to dispute the release or to seek a protective order. 

4. The fourth provision is cyber, security and confidentiality threats. The agreement should require your vendor provide you the Incident Response Plan. This plan should include specific steps to be taken in the event that your vendor detects unauthorized access such as:

    • The timeframe in which they must notify you,
    • The steps taken to ensure the security breach has ceased,
    • How the vendor will investigate and report all findings,
    • The vendors responsible to identify what information was compromised and
    • The mitigation steps to prevent any future breach or intrusion.

On top of providing an Incident Response Plan, the agreement should also state that the vendor will: 

    • Monitor its systems and procedures to detect actual or attempted security attacks
    • Provide you with an annual vulnerability assessment and
    • Your right to audit the vendor on an annual basis or in the event of an intrusion incident 

This will ensure your third parties processes for identifying, investigating and escalating incidents meet your expectations and regulatory requirements. 

5. Finally, the agreement should include what remedies are available in the event of a security breach. The NAFCU released an article in 2015 called Economic and CU Monitor. It stated that institutions “spent an average of $226,000 and an estimate of 1,600 hours on debit and credit fraud issues resulting from merchant data breaches.”

To reduce your potential liability, the contract should state that the vendor is liable for costs and expenses in the event that a security breach is the result of or attributed to: 

    • the vendor,
    • its subcontractors or 
    • any third-party whom they discloses your confidential information or your customer’s data to

The agreement should provide the vendors responsibility for the following defaults:

    • Failures to perform security and confidentiality obligations
    • Mishandling confidential information
    • Breach of confidentiality or data security obligations

Inadequate security and confidentiality provisions can impact your customers, your business operations and expose your business to further liability.

Your vendor's security programs must be consistent with your business policies and practices regarding security and confidentiality.

Whether the vendor is critical or low risk, you have an obligation to safeguard and properly dispose of your customer's data. Entering into a contract without assessing your third party’s security and confidentiality provisions can negatively impact your business and your customers.

Again, I’m Ashley and thank you for watching! Don’t forget to subscribe to next week’s Third Party Thursday video.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo