
Initial Vendor Onboarding

These checklists are used for the systematic evaluation and review of SaaS providers and cloud services in the context of our law firm, taking particular account of the special requirements for professionals bound by professional secrecy under the GDPR and Section 203 of the German Criminal Code (StGB). The checklists are divided into two stages:
- Initial vendor onboarding: Compact questionnaire for quickly recording the most important security and compliance aspects of a provider. Ideal for the initial assessment and selection of potential service providers.
- Vendor Security & Compliance Questionnaire: Comprehensive list of technical, organizational, and legal questions, including special AI security requirements. This is used for in-depth review and documentation prior to signing a contract.
The lists help to identify risks at an early stage, comply with data protection regulations, and ensure the security of our IT landscape.

Vendor Basic Information

Vendor Name

Brief description of the service

Compliance / Data Protection

Is a signed Data Processing Agreement (DPA) in place?

In which country is the data stored?

Are important certificates (e.g., ISO 27001, SOC 2, BSI C5) in place?

Access & User Protection (Security Access)

Is SSO/SAML integration (e.g., via Azure AD or similar) supported?

Is Multi-Factor Authentication (MFA) mandatory (e.g., for admin accounts)?

Does the system provide granular rights and user management?

Are emergency (‘break glass’) accounts available?

Is logging of administrator accesses implemented?

Data Protection & Storage

Is encryption in transit (e.g., TLS 1.2/1.3) ensured?

Is encryption at rest (e.g., AES-256 or similar) implemented?

Are personal data processed? (If yes, please specify which ones)

Is vendor support access regulated and logged?

Operations & Backup

Are regular backups performed? (If yes, please specify frequency)

Is data export supported (e.g., CSV, JSON)?

Is disaster recovery / restore tested and possible? Describe.

Security Operations

When was the last external penetration test conducted? (Please specify year/month)

Is a vulnerability management process in place?

Is an incident response process documented?

Is security monitoring (e.g., SIEM, log analysis) active?

AI & Sensitive Data (if AI Functions Are Relevant)

Is customer data used for AI training?

Is isolation of customer data in AI systems ensured?

Documentation

Are proof or certificate copies available as PDF?
