LiStDan Finance operates eight third-party vendor relationships. All eight were assessed for security posture, data handling risk, and contractual adequacy. Vendor risk evaluations were produced by three team members across dedicated assessment files, then consolidated by Stephanie Uzama into the Unified Vendor Risk Register.
| Vendor | Category | Criticality | Personal Data Processed | DPA Status at Assessment |
|---|---|---|---|---|
| Azure (Microsoft) | Cloud Infrastructure | Critical | Yes — all hosted data | Not confirmed |
| KYC Vendor | Identity Verification | Critical | Yes — biometric, identity documents | Not confirmed |
| Fraud Detection Vendor | Security Analytics | Critical | Yes — transaction and behavioural data | Not confirmed |
| Payment Gateway Provider | Payment Processing | Critical | Yes — card and transaction data | Not confirmed |
| Banking Partners | Financial Services | High | Yes — financial and personal data | Not confirmed |
| Intercom | Customer Communications | Medium | Yes — PII, conversation data | Not confirmed |
| SendGrid | Email Delivery | Medium | Yes — email addresses, contact data | Not confirmed |
| Merchant API Partners | Commerce Integration | Medium | Limited | Not confirmed |
Key Finding: No GDPR-compliant Data Processing Agreement (DPA) was confirmed for any of the eight vendor relationships at the time of assessment. For the six vendors the assessments identify as actively processing personal data, this is direct non-compliance with GDPR Article 28. Azure, recorded above as hosting all data, is a processor on the same basis, so its DPA status must be confirmed as part of the same work. DPA execution is a Phase 2 remediation priority.
All eight vendor risk assessments were completed with risk scoring and recommended controls, but none was supported by contractual evidence: no assessment included a signed DPA, an audit-rights clause, or SLA performance monitoring evidence for the vendor relationship.
Recommended action: Establish a recurring vendor risk review cycle. Require all Critical and High criticality vendors to provide evidence of their own security posture annually (a current SOC 2 Type II report, an ISO/IEC 27001 certificate with its statement of applicability, or equivalent), and check that the report's period and scope actually cover the services LiStDan Finance uses before accepting it as evidence.
Six vendors are actively processing personal data on LiStDan Finance's behalf without a signed DPA: KYC Vendor, Fraud Detection Vendor, Payment Gateway Provider, Banking Partners, Intercom, and SendGrid. GDPR Article 28(3) requires each to be bound by a written contract that sets out the subject matter, duration, nature and purpose of the processing and obliges the processor to act only on documented instructions, apply appropriate security measures, engage subprocessors only with the controller's authorisation, assist with data subject requests and breach notification, delete or return the data at the end of the engagement, and allow audits.
Recommended action: Execute a GDPR Article 28-compliant DPA with each of these six vendors, prioritised by criticality, and record the signed agreement in the register as evidence. Where a partner in fact determines its own purposes for the data (a common position for banking partners), document that controller determination and the applicable controller-to-controller terms instead of a DPA. The source evaluation files and the analysts responsible for each are listed below.
| Vendor Evaluation File | Analyst | Vendors Covered |
|---|---|---|
| Communication and Customer Experience Vendor Risk | Diivine | Intercom, SendGrid |
| Third-Party KYC and Fraud Detection Evaluation | Zenny | KYC Vendor, Fraud Detection Vendor |
| Vendor Overview Risk Register | Stephanie Uzama | Azure, Payment Gateway Provider, Banking Partners, Merchant API Partners |