Vendors Inventory and Attributes - Geographic and Jurisdictional attributes for the Vendors Inventory
Geographic and Jurisdictional attributes capture where this vendor operates, where it processes enterprise data, and the geopolitical risk profile of its operating jurisdictions.
| Attribute Name | Maturity | Description and Notes |
| --- | --- | --- |
| Headquarters Jurisdiction | Crawl | Description — The country and state or province where this vendor is legally domiciled — the jurisdiction of incorporation or registration. Benefit(s) — Governs which legal system applies to contract disputes and which data protection laws the vendor is subject to as a data processor. A vendor domiciled in the EU is directly subject to GDPR as a processor regardless of where the enterprise is located. Source — Manual. Examples — United States (California), United Kingdom, Germany, India (Karnataka), Ireland |
| Operating Jurisdictions [Multi-Value] | Walk | Description — All countries or regions where this vendor has operations relevant to the enterprise engagement — support centers, data processing facilities, development offices, and delivery locations. Benefit(s) — Provides a complete picture of the vendor’s operational footprint beyond its legal domicile. A vendor headquartered in the U.S. with support operations in India and data processing in Germany has a multi-jurisdictional risk profile that the Headquarters Jurisdiction alone does not capture. Source — Manual. Examples — United States; United Kingdom; India; Germany; Ireland. Notes — Separate multiple values with semicolons. |
| Data Processing Locations [Multi-Value] | Walk | Description — The specific countries or regions where this vendor processes or stores enterprise data on the enterprise’s behalf. Benefit(s) — Critical for GDPR, CCPA, and data sovereignty compliance. A vendor that processes EU personal data in a country without an EU adequacy decision requires Standard Contractual Clauses or another transfer mechanism. Without this attribute, cross-border data transfer compliance cannot be assessed at the vendor level. Source — Manual. Examples — United States (us-east-1, us-west-2); European Union (eu-west-1); United Kingdom. Notes — Separate multiple values with semicolons. For cloud vendors, include the relevant regions or availability zones. Distinct from Operating Jurisdictions — a vendor may have offices in 20 countries but process enterprise data only in 3. |
| Geopolitical Risk | Walk | Description — Whether this vendor operates in regions subject to sanctions, political instability, or trade restrictions that could disrupt service delivery or create regulatory exposure for the enterprise. Benefit(s) — Surfaces geopolitical exposure in the vendor portfolio before it becomes an operational or compliance crisis. Vendors with significant operations in sanctioned regions or geopolitical hotspots represent a risk category distinct from security or financial risk. Source — Manual. Examples — Low, Moderate, High, Not Applicable. Notes — Valid values: Low, Moderate, High, Not Applicable. Consider: vendor operations in sanctioned countries (OFAC, EU, UN), operations in regions with active conflict, operations in jurisdictions with data localization or government access requirements (e.g., China, Russia). Reviewed annually and on geopolitical events that may affect the vendor’s operating environment. |
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present