<aside> 💡 Please refer to this document whenever a third party, such as; vendor, sub-processor, SaaS tool, native desktop application or integration is being considered for use.
</aside>
Lay out the issue and problem you are trying to solve. Take a step back and look at the bigger picture. Do we even need the process you're considering purchasing a tool for? Do we have an existing tool already purchased? Be conscious of optimizing a bad process. Consider if you should depreciate the process entirely.
If you do need to procure a new tool, ask yourself the following questions:
Third parties will often collect personally identifiable information (PII) from Remoters, Clients and Employees. Examples are (but not limited too): name, email, address, IP address, role, birthday etc.
ALL vendors and third parties need a security review, as a data breach from a 3rd party still expresses responsibility by Remote.
Go to this page to create a new vendor assessment process.
Note: Some information will probably be direct from the Third party
In the event that a tool needs to connect to the product, we need to understand how this works and how the data stored within the product is impacted. The product may well have to leverage a 3rd party to achieve certain task not carried out by the product itself, this is known as a subprocessor. The privacy is covered in the section above, but the other questions that need to be answered are: