How do I judge whether a vendor is safe enough?
A vendor risk assessment does not have to be a 50-page doc. For SMBs a short per-vendor checklist suffices.
Try this first
- 1Ask if they have SOC 2 or ISO 27001; for sensitive data that is a minimum.
- 2Request the DPA (data processing agreement) and read for sensitive clauses on sub-processors and data transfer.
- 3Check haveibeenpwned.com to see if the vendor appears in a known breach; recent breaches are a red flag.
- 4Think what you lose if this vendor goes offline tomorrow; how critical is it to daily operations?
- 5Record the outcome in your SaaS register; audits ask exactly this.
When to bring us in
For the most critical vendors or sensitive industries (healthcare, finance): ask for advice, a proper assessment by a specialist is justified.
See also
- New hire has an account but cannot reach Outlook or TeamsAn M365 account without a license is an empty shell. Assigning takes a few clicks, but picking the right plan pays off long-term.
- Employee left, but their email must be retainedPulling the license straight away starts a 30-day timer on the mailbox. The right route keeps access to the mail without paying for the license.
- We pay for licenses nobody usesBetween leavers, duplicate plans, and test accounts there is often 10-20% wasted license spend. A usage report exposes it fast.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.