Data Privacy
A typical small business runs somewhere between 20 and 40 software tools. Most of them touch customer data in some way, and most operators have no idea what those vendors do with that data once they have it. This guide gives you the questions to ask before you sign, and again before you renew.
The three documents you should always request
1. Terms of service: the contract governing your overall relationship with the vendor.
2. Privacy policy: how the vendor handles the data they collect, including data about you as a customer.
3. Data processing agreement (DPA): the specific contract governing how the vendor processes personal data on your behalf, including its sub-processors, security commitments, and breach notification duties.
Reputable vendors have all three readily available, usually linked from their website or available on request. If a vendor handles personal data for you but does not have a DPA, or has never heard the term, that tells you something about how seriously they take the data.
Six questions for any vendor
1. Where is our data stored, and who can access it? (Country or region, cloud provider, encryption at rest and in transit, and whether the vendor or you controls the keys)
2. Do you use our data to train AI models or improve your product, and can we opt out? (Common in free and low-cost tools, and often buried in the ToS)
3. Do you share or sell data with third parties? (Ask for the named list of sub-processors, not a category)
4. What happens to our data if we cancel our subscription? (Retention period, export format, and whether deletion is confirmed in writing)
5. How, and within what timeframe, do you notify us of a data breach? (Look for a specific notification window in the DPA, not just "promptly")
6. Can we request deletion of all our data, including backups? What is the process, and how long does it take?
Red flags in standard agreements
Data used for "product improvement" or model training without an opt-out. A unilateral right to change terms without notice, or without a right for you to terminate when terms change. Jurisdiction clauses that require disputes to be resolved in a location you cannot practically reach. Sub-processors listed only as "our affiliates" or "trusted partners" with no specific names. Any clause that grants the vendor a license to your customers' data beyond what is needed to deliver the service, or that survives termination of the contract.
What to do when a vendor does not meet your standards
You have three options: negotiate (large vendors rarely move, but asking is free, and they will often sign their own standard DPA if you ask for it), seek an alternative vendor that does meet your standards, or accept the risk consciously and document your decision, including who accepted it, why, and when it will be revisited. The worst outcome is not knowing the risk existed.
Build your complete vendor data inventory with the Data Privacy Baseline Workflow.