Build a vendor security questionnaire that fits

Right-sized for nonprofits. Grounded in SIG, CSA CAIQ, and HIPAA frameworks.
Answer five questions and get a questionnaire you can send today.

01 Describe your org and the vendor
02 Risk score calculated automatically
03 Preview and export your questionnaire
Frameworks: SIG / SIGLite, CSA CAIQ, VSA Lite, HIPAA Security Rule
Do not enter protected health information (PHI) or patient data into this tool.
Start the Builder
Questionnaire tiers:

Lite — Low-risk vendor: limited data access, no system connectivity (22–30 questions)

Standard — Medium-risk vendor: stores data, supports key operations (45–65 questions)

HIPAA Full — High-risk vendor: PHI access or privileged system access (70–95 questions)

Questionnaire Builder

Step 1 of 5 — Organization Context


Tell us about your organization and this review

This information will appear on the cover page of the questionnaire you send to the vendor.

What type of review is this?

Step 2 of 5

Tell us about the vendor

What best describes this vendor's role?

How is the service delivered?

Will this vendor store your organization's data on their systems?

Will this vendor connect to your internal systems or network?

Step 3 of 5

What data will this vendor handle?

These answers determine whether HIPAA-specific review applies.

Will this vendor create, receive, maintain, transmit, or otherwise access protected health information (PHI)?

What counts as PHI? PHI includes any individually identifiable health information in any format — names, dates, addresses, diagnoses, treatment records, billing codes, or health plan numbers — when tied to a patient or plan member.

Is a Business Associate Agreement (BAA) expected or required for this vendor?

What is a BAA? A Business Associate Agreement is a legally binding contract required by HIPAA between a Covered Entity (your org) and any vendor (Business Associate) that handles PHI on your behalf. Without a BAA, sharing PHI with a vendor may be a HIPAA violation.

Does this vendor use subcontractors or subprocessors that may also access your data?

Does this vendor handle regulated financial, donor, employee, or student data?

Step 4 of 5

How critical is this vendor to your operations?

Is this vendor operationally critical — would your team be unable to deliver services without them?

Would extended downtime from this vendor affect care delivery, donor operations, or finance?

Does this vendor have or require privileged or administrator access to your systems?

What is privileged access? Privileged access means the vendor can install software, modify system settings, access databases directly, or perform actions beyond normal user permissions on your infrastructure.

Step 5 of 5

Customize your questionnaire output

Email me this questionnaire

We'll send a copy you can forward to the vendor or share with your team. No account required.

We save your nonprofit's basic profile — org name, contact, and preferred settings. Do not enter PHI or patient information into this tool.

What is a vendor security questionnaire?

A vendor security questionnaire is a structured set of questions you send to a vendor to assess their security practices, data handling, and compliance posture before sharing data or granting system access. It is one of the most common tools in third-party risk management.

Which vendors need a questionnaire?

Any vendor that stores, processes, or has access to your organization's sensitive data. For HIPAA-regulated nonprofits, any vendor that may touch PHI should receive at least a baseline review and likely needs a Business Associate Agreement in place first.

When does HIPAA apply to a vendor review?

HIPAA applies when a vendor will create, receive, maintain, or transmit protected health information on your behalf. That vendor becomes a Business Associate and must sign a BAA before PHI is shared. This tool automatically adds HIPAA-specific questions and a BAA reminder when you indicate PHI access.

What is a Business Associate Agreement?

A BAA is a legally required contract between a HIPAA Covered Entity (your organization) and any vendor (Business Associate) that handles PHI. It documents each party's responsibilities for protecting PHI and outlines breach notification obligations. This tool is not a substitute for a BAA — confirm requirements with your legal or compliance team.

What frameworks is the question pool based on?

The question library draws from SIG (Standardized Information Gathering), SIGLite, CSA CAIQ (Cloud Security Alliance Consensus Assessments Initiative Questionnaire), VSA (Vendor Security Alliance), and HIPAA Security Rule control expectations. These are widely recognized frameworks used by security and compliance teams.

Do I need an account to use this?

No. You can complete the builder and export your questionnaire without creating an account. The optional save feature stores your organization details so you can skip setup on future visits.

Is this legal advice?

No. This tool helps structure vendor due diligence but is not legal advice. It should not replace a review by your legal, compliance, or privacy team, especially for vendors that handle PHI or require a BAA.

What information is stored if I save my profile?

Only your organization name, contact name, email, and preferred questionnaire settings. Do not enter PHI, patient data, or sensitive vendor responses into this tool.