Most major breaches have a vendor component. Sometimes the vendor is the direct cause. Sometimes they just make things worse. Either way, the pattern is clear: your security is only as strong as your weakest vendor.
The frustrating part? Most of these situations are preventable. The warning signs are there during vendor selection—they just get ignored in the rush to sign.
Here are the red flags to watch for.
The Contract Red Flags
No Data Processing Agreement
If a vendor handles any personal data—customer information, employee records, anything—they need a Data Processing Agreement (DPA). This isn't optional under GDPR, CCPA, or most modern privacy laws.
When a vendor says "we don't do DPAs" or "that's not necessary for our service," that's a red flag. Either they don't understand their legal obligations, or they're hoping you won't notice.
Liability Caps That Make No Sense
Consider a contract where the vendor's total liability is capped at "fees paid in the prior 12 months," for a $500/month service handling customer PII. If they cause a breach affecting thousands of customers, their maximum exposure is $6,000.
That's not a partnership. That's them transferring all their risk to you.
No Breach Notification Terms
How will you find out if the vendor has a breach? When? What information will they provide?
If these questions aren't answered in the contract, you might find out about a breach when your customers do—from the news. I've seen this happen.
The Questionnaire Red Flags
Vague or Evasive Answers
"We use industry-standard security practices." "Our team handles security." "N/A" on questions about MFA or encryption.
These aren't answers. They're deflections. A vendor with mature security practices can describe them specifically.
Can't Provide Evidence
A SOC 2 report? "We're working on it." Penetration test results? "We don't share those." Security policies? "Those are confidential."
Evidence of security practices isn't confidential—it's how you demonstrate trustworthiness. Vendors who can't or won't provide evidence are asking you to trust them blindly.
Takes Weeks to Respond
If it takes a vendor three weeks to answer a security questionnaire, that tells you something about how seriously they take security. Either they don't have documented practices, or security isn't a priority.
The Technical Red Flags
No MFA Available
In 2024, if a SaaS vendor doesn't support multi-factor authentication, walk away. This is table stakes.
Unclear About Data Location
"Your data is in the cloud" isn't an answer. Where specifically? Which regions? Which subprocessors? If they can't tell you, they probably don't know—and that's worse.
Can't Explain Their Security Architecture
Ask a vendor how they protect your data at rest and in transit. How they handle key management. How they segment customer data.
A mature vendor can explain this clearly. An immature one will deflect to marketing language about being "secure by design."
The Operational Red Flags
No Incident Response Plan
Ask what happens if they discover a security incident. Who gets notified? What's the timeline? What information will they provide?
"We'll handle it" isn't a plan.
No Business Continuity Documentation
What happens if their primary data center goes down? How quickly can they recover? Have they tested their disaster recovery procedures?
Your business continuity depends on theirs.
Single Points of Failure
Is the vendor a one-person shop? Is everything dependent on a single engineer or system? What happens if that person leaves or that system fails?
Small vendors can be great partners, but you need to understand the risks.
The Relationship Red Flags
Resistance to Security Discussions
A vendor who treats security questions as annoying or adversarial is telling you something about their culture. Good vendors welcome security due diligence because it's an opportunity to demonstrate their practices.
Pressure to Skip the Process
"Our other customers don't ask these questions." "Can we just get this signed? You can review the security stuff later."
This is backwards. The time for security due diligence is before you sign, when you have leverage.
No Named Security Contact
If something goes wrong, who do you call? An enterprise vendor should have a security team. A smaller vendor should at least have a designated person responsible for security.
What To Do When You Find Red Flags
Not every red flag is a deal-breaker. Sometimes a vendor is genuinely early in their security journey and willing to improve.
For minor concerns:
- Request specific remediation with a timeline
- Add contractual protections (breach notification, audit rights)
- Schedule more frequent reviews
For major concerns:
- Escalate internally before signing
- Consider alternative vendors
- If you proceed anyway, document why and the accepted risk
For deal-breakers:
- Walk away
- Document why for future reference
The Bottom Line
Vendor due diligence feels like overhead until you're dealing with a breach that started at a vendor. Then it feels like the most valuable investment you could have made.
The hour you spend on security questions before signing is worth more than the months you'd spend on incident response afterward.
Need help building a vendor risk program or evaluating critical vendors? Our GRC Advisory services include vendor assessment and due diligence support. Let's talk.
