
Supplier audit checklist

A repeatable process for vetting third-party vendors before they touch your stack.

Why this matters

Every supplier is a trust boundary. One compromised dependency or misconfigured API key from a vendor can undo months of internal hardening. This checklist turns supplier review from a gut-feel conversation into a structured, evidence-based gate.

Pre-engagement

  • Request SOC 2 Type II report or equivalent attestation.
  • Verify the report's date range covers the last 12 months.
  • Check for subprocessor disclosures — who do they rely on?
  • Confirm data residency: where does customer data live at rest?

Technical review

  • Inspect their public bug bounty or vulnerability disclosure program (VDP). No program = red flag.
  • Review recent CVEs. How fast was the patch turnaround?
  • Test their API auth model: short-lived tokens, scoped keys, no long-lived secrets in query strings.
  • Confirm they support SSO with your IdP (SAML or OIDC).
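
One way to turn the API auth item into a repeatable check rather than a judgement call, as an added example that is not part of the Meridian playbook: a script that inspects a vendor's token response and a few sample request URLs captured in the sandbox trial for the three criteria above. The one-hour lifetime threshold, the list of credential-looking parameter names, and the sample data are all assumptions.

```python
"""Added check for the 'API auth model' item: long-lived tokens, unscoped keys,
secrets in query strings. Threshold and parameter names are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

MAX_TOKEN_LIFETIME_S = 3600  # assumption: valid for more than 1h counts as long-lived
# assumption: query parameter names that usually carry credentials
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token",
                 "secret", "client_secret", "password", "sig", "signature"}

@dataclass
class AuthFindings:
    long_lived_token: bool = False
    unscoped_key: bool = False
    secrets_in_query: list = field(default_factory=list)

    def passed(self) -> bool:
        """Pass/fail for the decision gate: no finding of any kind."""
        return not (self.long_lived_token or self.unscoped_key or self.secrets_in_query)

def review_token_response(token: dict, findings: AuthFindings) -> None:
    """Inspect a decoded OAuth-style token response from the vendor's sandbox."""
    expires_in = token.get("expires_in")
    if expires_in is None or int(expires_in) > MAX_TOKEN_LIFETIME_S:
        findings.long_lived_token = True  # no expiry at all is the worst case
    if not str(token.get("scope", "")).strip():
        findings.unscoped_key = True

def review_request_url(url: str, findings: AuthFindings) -> None:
    """Flag credential-looking parameters in a sample request's query string."""
    for name in parse_qs(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            findings.secrets_in_query.append(name)

def review_api_auth(token: dict, request_urls: list) -> AuthFindings:
    """Run all three checks and return the findings for the checklist."""
    findings = AuthFindings()
    review_token_response(token, findings)
    for url in request_urls:
        review_request_url(url, findings)
    return findings

# Constructed sample evidence from a sandbox trial, not real vendor data.
WEAK_TOKEN = {"access_token": "EXAMPLE", "token_type": "Bearer", "expires_in": 2592000}
WEAK_URLS = ["https://api.vendor.example/v1/reports?api_key=EXAMPLE&page=2"]
GOOD_TOKEN = {"access_token": "EXAMPLE", "token_type": "Bearer",
              "expires_in": 900, "scope": "reports:read"}
GOOD_URLS = ["https://api.vendor.example/v1/reports?page=2"]
```

Record the returned findings alongside the other evidence; a single finding fails the Technical review category.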

Operational fit

  • What is their incident notification SLA? Get it in writing.
  • Do they publish a public status page with historical uptime?
  • Run a trial integration in a sandbox before signing.
  • Document your offboarding plan: export formats, retention windows, API key revocation.

Decision gate

Score each category pass/fail. Require a pass in all three before granting production access. Archive the completed checklist with the vendor contract — it becomes audit evidence later.

This recipe is part of the Meridian playbook. Adapt the checklist to your compliance framework (ISO 27001, SOC 2, HIPAA) by adding framework-specific controls.