Before You Sign: A Vendor Data Risk Checklist for SMBs
Every new SaaS tool is a data relationship. You are sending information to someone else's infrastructure, under someone else's terms, stored in ways you may not fully understand. Most small businesses evaluate vendors on features and price. Fewer evaluate them on data practices until something goes wrong.
This checklist is not legal advice. It is a set of questions worth asking before you add a vendor that will handle business or customer data.
1. What data does this vendor collect?
Not what their marketing page says — what their signup flow, onboarding, and integrations actually collect. Name the categories: contact information, financial records, customer content, employee data, usage telemetry.
2. Where is it stored?
Geography matters for some businesses. So does whether data stays in the vendor's cloud or passes through sub-processors you have never heard of. Ask directly. Accept "we'll get back to you" as a yellow flag.
3. Is it used to train models?
This question matters more every quarter. Some tools train on user inputs by default. Some offer opt-out. Some never train. The answer should be in writing, not inferred from a FAQ page written for consumers.
4. What is the deletion policy?
When you cancel, what happens to your data? Immediate deletion, 30-day retention, indefinite archival? If you cannot get a clear answer, assume the least favorable interpretation and plan accordingly.
5. Who owns the outputs?
If the tool generates content from your inputs — drafts, summaries, reports — who owns that output under the terms of service? For client work product, ambiguity here is a business risk, not just a legal one.
6. What is the breach notification process?
You may never need it. If you do, you need to know how the vendor notifies you, how quickly, and what information they provide. "We take security seriously" is not a process.
What to do with the answers
You do not need perfect answers for every tool. You need documented answers for the tools that handle your most sensitive data. Store them in your vendor inventory, the same place you track renewals and owners.
The Vendor Vetting Process workflow on TechEd Analyst structures this as a working document. Run through it before your next SaaS signup, not after the annual renewal when switching costs are highest.