01 / Who this is for

Trust, but verify.

A Vendor Review is for the moment before you commit. You're about to onboard a software platform, a billing company, a managed IT provider, or any partner that will touch sensitive data, and you want an honest, independent read on their security before you sign. It's a per-vendor engagement, scoped to a single relationship, framework-agnostic by design.

A good fit if
  • You're onboarding a vendor or service provider that will store, process, or access sensitive data
  • A regulation or contract requires you to perform due diligence on your business associates or service providers
  • You've been handed a vendor's SOC 2 report and don't know how to read it or what it actually proves
  • You're a covered entity signing a BAA and want an independent opinion before you do
  • You need documented evidence that you vetted a vendor's security, for an insurer, regulator, or your own records
Look elsewhere if
  • You want to assess your own organization's security posture (start with Complyn Core)
  • You have an ongoing stream of vendors to review and want continuous coverage (our Advisory retainer includes vendor reviews)
  • You need a formal audit that produces a certificate or attestation about the vendor (that's the vendor's own SOC 2 or ISO work to commission)
  • You want us to negotiate the contract or BAA for you (we review security terms; we don't act as your attorney)
02 / What's included

A complete look at one vendor.

We gather what's available, ask for what isn't, and build an independent picture of how seriously a vendor takes the security of the data you're about to entrust to them. Here's what the review covers.

01

Security documentation review

We collect and review the vendor's available security documentation: policies, security overviews, data-handling practices, subprocessor lists, and whatever else they're willing to share. We read it so you don't have to, and we tell you what's solid and what's missing.

02

SOC 2 and attestation review

If the vendor has a SOC 2 report, ISO 27001 certificate, HITRUST, or similar attestation, we read it properly, including the scope, the exceptions, and the fine print most people skip. A clean cover page doesn't always mean what it appears to. We tell you what the attestation actually covers.

03

Contract and BAA security terms

We review the security and data-protection terms in the contract or Business Associate Agreement: breach notification timelines, data ownership, return-and-destruction obligations, subprocessor controls, and liability. We flag the gaps that matter before you sign, not after.

04

Questionnaire-based assessment

Where documentation falls short, we send the vendor a focused security questionnaire scoped to your relationship and the sensitivity of the data involved. The questions are calibrated to the risk, not a generic 300-line spreadsheet that nobody completes honestly.

05

Risk rating

We synthesize everything into a clear, defensible risk rating for the vendor. Not a vague color code, but a rating you can explain to an insurer, a regulator, or your own leadership, with the reasoning behind it written out in plain language.

06

Written findings and recommendation

You receive a written report of what we found, what concerns us, and our honest recommendation: proceed, proceed with specific conditions, or look elsewhere. The findings are yours to keep as documented evidence that you did your due diligence.

03 / What you receive

A clear answer. In writing.

Every Vendor Review produces the same set of deliverables. No tiers, no upsells, no surprises about what's included.

01

Written vendor risk report

A complete written assessment of the vendor's security posture: what we reviewed, what we observed, where the documentation or controls fall short, and why each finding matters. Organized so you can hand it to an insurer, a regulator, or your own leadership and have it stand on its own.

02

Risk rating

A clear, defensible risk rating for the vendor, with the reasoning written out. You know not just where the vendor lands, but exactly why, and what would have to change to move the rating.

03

Recommendation

Our honest, independent recommendation: proceed, proceed with specific conditions, or look elsewhere. Because we don't sell tools and don't take commissions, the recommendation is about your risk, not our back end.

04

Roadmap conversation

A conversation to walk through the findings, answer your questions, and align on next steps, whether that's conditions to put in the contract, follow-up questions to send the vendor, or simply the confidence to move forward. You leave knowing exactly what to do.

04 / Built to last

Your engagement doesn't end when the report is delivered.

Most compliance work disappears into an inbox. We do it differently. Every Complyn client gets access to the Complyn Client Portal, a dedicated space where your reports, files, and conversations stay organized and accessible for up to three years after the engagement ends.

Three years of access, no extra fee. The platform exists to make compliance something you can return to, not something you have to rebuild every time.

What you get

  • A direct messaging channel to your Complyn team
  • Every report and deliverable we've produced for you, easily accessible and downloadable for three years
  • Our library of compliance framework documentation and implementation guides
  • A secure file exchange for documents that shouldn't move by email
  • Billing history and invoice access in one place
  • Works on any device, anywhere
05 / Common questions

Things people ask about Vendor Review.

How is a Vendor Review different from a SOC 2 report?

A SOC 2 report is something a vendor commissions about themselves. A Vendor Review is something you commission about them. We read the SOC 2 (along with their other documentation) so you don't have to, and we translate it into a plain-language answer to the question you actually care about: is it safe to hand this vendor access to your sensitive data? A SOC 2 is one input. The review is the independent judgment built on top of it.

Do you contact the vendor directly, or do I gather everything?

Either works, and we'll figure out the right approach on the scoping call. Often it's smoothest if you make the introduction and we correspond with the vendor directly through a short security questionnaire and document request. Sometimes you'd rather collect the documents yourself and hand them to us. We're flexible. What matters is that we end up with enough to form an honest opinion.

What if the vendor won't share their security documentation?

That's a finding in itself, and an important one. A vendor's willingness to be transparent about their security is part of what you're evaluating. If a vendor refuses to provide reasonable documentation or answer a basic questionnaire, we say so in the report and factor it into the risk rating. You deserve to know when a vendor won't show their work before you trust them with your data.

Will a Vendor Review satisfy my HIPAA or FTC Safeguards due-diligence requirement?

In most cases, yes. HIPAA expects covered entities to evaluate business associates, the FTC Safeguards Rule requires you to oversee your service providers, and NIST CSF treats third-party risk as a core function. A documented, independent Vendor Review with a written risk rating is exactly the kind of evidence those rules contemplate. Tell us which framework is driving the requirement on the scoping call and we'll make sure the review and its documentation line up with it.

How much does a Vendor Review cost?

Pricing depends on the vendor and the depth of review you need. A single, straightforward vendor with current documentation is our lightest engagement; a critical vendor with access to large volumes of sensitive data takes more. We provide a written scope and fixed price after a free thirty-minute discovery call. No hidden fees, no commissions, no scope creep without your approval. Schedule an assessment to get a specific quote.

Ready to know who you're trusting?

Tell us about the vendor and what's prompting this. We'll review your request, propose a scope, and set up a free thirty-minute discovery call. No obligation, no scare tactics, no high-pressure sales pitch.