Vendors Inventory and Attributes - Data and Information attributes for the Vendors Inventory
Data and Information attributes capture the legal agreements governing how this vendor handles enterprise data — the DPA and BAA status that determines regulatory compliance for personal and health data processing.
| Attribute Name | Maturity | Description and Notes |
| --- | --- | --- |
| Data Processing Agreement | Walk | Description — Whether a Data Processing Agreement (DPA) is in place with this vendor. Required under GDPR and many other privacy regulations when a vendor processes personal data on behalf of the enterprise as a data processor. Benefit(s) — Surfaces the regulatory compliance status of the vendor relationship for personal data handling. A vendor processing personal data without a DPA exposes the enterprise to regulatory sanctions. Source — Manual. Examples — In Place, Required but Not Yet Executed, Not Required. Notes — Valid values: In Place, Required but Not Yet Executed, Not Required. Required when the vendor processes any personal data on behalf of the enterprise — including operational data, employee data, and customer data. If the vendor accesses any data classified as PII in the Data and Information Inventory, a DPA is almost certainly required. |
| Business Associate Agreement | Walk | Description — Whether a Business Associate Agreement (BAA) is in place with this vendor. Required under HIPAA when a vendor handles Protected Health Information (PHI) on behalf of a covered entity or business associate. Benefit(s) — Surfaces the HIPAA compliance status of the vendor relationship. A vendor handling PHI without a BAA creates a HIPAA violation for the enterprise regardless of whether the vendor itself is a covered entity. Source — Manual. Examples — In Place, Required but Not Yet Executed, Not Required. Notes — Valid values: In Place, Required but Not Yet Executed, Not Required. Required when the vendor handles any data classified as PHI in the Data and Information Inventory. |
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present