Evaluate cybersecurity risk from your vendors, contractors, and SaaS providers. Supply chain attacks are the fastest-growing threat vector for Texas SMBs.
Use these template clauses when establishing or renewing vendor contracts.
Vendor shall implement and maintain administrative, technical, and physical safeguards consistent with industry standards (NIST SP 800-171 or equivalent) to protect Company Data. Vendor shall encrypt all Company Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent). In the event of a Security Incident affecting Company Data, Vendor shall notify Company in writing within seventy-two (72) hours of discovery, provide a written incident report within five (5) business days, and cooperate fully with Company's investigation and remediation efforts at Vendor's expense.
Vendor shall limit access to Company Data and systems to authorized personnel on a need-to-know basis. All Vendor personnel accessing Company systems shall use multi-factor authentication (MFA). Vendor shall maintain audit logs of all access to Company Data and systems for a minimum of twelve (12) months and make such logs available to Company upon request within five (5) business days. Company reserves the right to revoke any Vendor access within twenty-four (24) hours. Vendor shall conduct background checks on all personnel with access to Company Data.
Vendor shall maintain, at minimum, a current SOC 2 Type II report or ISO 27001 certification covering services provided to Company, and shall provide a copy annually. Vendor shall comply with all applicable laws including Texas Business & Commerce Code Ch. 521, SB 2610, and any industry-specific regulations (HIPAA, PCI DSS, etc.) applicable to Company Data. Vendor shall maintain cyber liability insurance with limits of no less than $1,000,000 per occurrence and provide a certificate of insurance annually. Vendor shall permit Company or its designee to conduct security assessments annually.
Upon termination or expiration of the Agreement, Vendor shall: (a) return or securely destroy all Company Data within thirty (30) calendar days and provide written certification of destruction; (b) revoke all access to Company systems within twenty-four (24) hours; (c) cooperate with Company's transition to a successor vendor. Vendor's obligations regarding confidentiality, data protection, and indemnification shall survive termination for a period of three (3) years.