Vendor Onboarding Software

Every new vendor, the same secure process — NDA first, access last.

In 2025, 30% of all data breaches involved a third-party vendor — double the prior year, according to Verizon’s Data Breach Investigations Report. Most of those breaches had the same root cause: the vendor was given access before the proper checks were done. NDA not signed. Security assessment skipped. DPA never sent. The risk was taken on without anyone consciously deciding to take it.

CheckFlow gives procurement, legal, IT security, and finance teams a single structured process for every new vendor: legal agreements before anything starts, security review before any system access is provisioned, financial verification before any payment goes out. Executed by the right person at each step, documented with timestamps, and auditable for GDPR, SOC 2, ISO 27001, and DORA requirements.


“We had a vendor access incident last year because security review hadn’t been completed. After that we built the onboarding checklist in CheckFlow. NDA, DPA, security questionnaire, access provisioning — every step in sequence. Nothing gets provisioned until the prior step is signed off. We’ve onboarded 40 vendors since. Not one gap.”

- Head of IT Security, SaaS Platform


“GDPR required us to have Data Processing Agreements in place with every vendor who touches personal data. We had 120 vendors and DPAs with maybe 30 of them. CheckFlow helped us run the remediation programme and now every new vendor gets the full onboarding treatment — DPA included — before they see a single record.”

- Chief Privacy Officer, Financial Services Firm

“30% of all 2025 data breaches involved a third-party vendor — double the rate of the prior year”

— Verizon Data Breach Investigations Report 2025

“Average cost of a third-party breach: $4.76M — 11% higher than the average breach cost”

— IBM Cost of a Data Breach Report 2025

Sound Familiar?

Vendor onboarding fails when it’s an informal process — a series of emails between departments, each one assuming someone else has handled the steps they haven’t heard about. Legal assumes IT has done the security assessment. IT assumes Legal has the NDA. Finance sets up the payment before anyone’s confirmed the bank details are legitimate. Everyone assumes someone else has dealt with the DPA. Nobody has. And by the time the vendor is operational, the risk is already live.


Vendor gets access before the security check

The project needs the vendor onboarded this week. The security questionnaire is still being chased. Someone provisioned the access to move things along. This is how 30% of data breaches in 2025 started — a vendor with access to systems or data before the risk was properly assessed.


NDA not signed at project kickoff

The project starts on Monday. The NDA gets sent on Tuesday. Everyone’s already shared the product roadmap in the Friday call. Without a system that enforces “NDA signed” as a gate before any other step, legal protection is theoretical rather than operational.


DPAs missing across your vendor base

GDPR Article 28 requires a Data Processing Agreement with every sub-processor who touches personal data. GDPR fines for non-compliant DPAs reach €20 million or 4% of global turnover. Most companies with more than 20 vendors have DPAs with some of them. CheckFlow makes the DPA a mandatory step, not an optional one.


Different standards applied to different vendors

High-value new vendors get thorough onboarding. Smaller or faster-moving ones get whatever the project manager remembers to do. The inconsistency is the problem — a breach doesn’t care that you had 12 good onboardings. It happens through the one that was rushed.


Bank details not verified before first payment

Business Email Compromise (BEC) attacks specifically target vendor payment setup — a fraudulent email updating banking details before the vendor relationship is formally confirmed. Without a structured verification step, finance has no way to distinguish a legitimate bank detail update from a social engineering attack.


No audit trail when regulators ask

Your GDPR data map lists the vendor. But can you prove they were assessed before being given access to personal data? Can you show DORA examiners your ICT vendor risk register with evidence of due diligence? Without a documented, timestamped onboarding record per vendor, your risk management programme is a policy document, not a practice.

How CheckFlow Works for Vendor Onboarding

One checklist template per vendor type. Every department gets their steps. Nothing proceeds to the next stage without the prior stage complete.

1. Build your vendor onboarding checklist template

Define every step required before a vendor is operational — NDA and MSA execution, DPA sign-off for data processors, security questionnaire and certificate review, sanctions and insurance verification, ERP system setup, bank detail verification. Assign each step to the right department: Legal handles contracts, IT Security handles risk assessment, Finance handles bank and payment setup, Procurement handles system registration.

2. Launch for each new vendor with one click

When a new vendor engagement begins, start the checklist. Legal gets their contracting tasks immediately. IT Security gets the security review tasks. Finance gets the payment setup steps. Each team sees their own steps and receives automatic reminders as deadlines approach. No vendor gets system access until IT Security’s steps are marked complete. No payment goes out until Finance has verified bank details.

3. Build the compliance evidence trail automatically

Every completed step creates a timestamped record: who completed it, when, and any attached documents. The full onboarding record per vendor is permanently stored and exportable. When a GDPR audit asks for evidence of due diligence on a specific processor, or a SOC 2 auditor reviews your CC9.2 vendor management controls, the evidence is already there.

Built for How Vendor Onboarding Actually Works Across Departments

Vendor onboarding isn’t a single-team process. Legal executes the contracts. IT Security runs the risk assessment. Finance sets up the payment. Procurement registers the supplier. HR or Compliance may run background checks. When these teams operate in separate systems with no shared checklist, steps fall between the cracks — and the gap between “vendor selected” and “vendor operational and compliant” is where most vendor risk originates.

1. Legal and contract execution gates

NDA, MSA, and DPA steps are sequenced as gates before any other onboarding step can proceed. Legal completes and files the documents; CheckFlow records completion with a timestamp. No system access is provisioned and no project work begins until the legal gates are cleared. The NDA is not a courtesy — it’s a prerequisite.

2. Security assessment workflow

IT Security runs a structured vendor security assessment for every new vendor who will access your systems or data: security questionnaire sent and responses reviewed, SOC 2 Type 2 or ISO 27001 certificate verified and filed, risk rating assigned. All documented. The assessment record includes the reviewer, the date, the risk rating, and any conditions attached to the approval.

3. GDPR and data protection compliance

Data Processing Agreement execution is a mandatory, sequenced step for any vendor processing personal data. CheckFlow records which DPA version was signed, by whom, and when. The completed DPA step supports your GDPR Article 28 obligations. For all vendors, the full onboarding record supports your data map and your ability to demonstrate due diligence to a supervisory authority.

4. Financial verification and ERP setup

Finance completes structured vendor financial setup steps: bank detail verification against official confirmation (not email), currency and payment terms confirmed, supplier registered in ERP, purchase order process confirmed. Structured verification is the primary defence against Business Email Compromise at vendor onboarding — a growing fraud vector that exploits unstructured vendor payment setup processes.

5. Cross-department coordination without email chains

Each department sees their own tasks and deadlines — Legal, IT Security, Finance, Procurement. No department can see or action steps that belong to another. Reminders go to the right person automatically. The requesting manager sees real-time progress across all departments. No “has Legal signed off yet?” emails. No vendor going live with tasks outstanding.

6. Audit-ready vendor records for every compliance framework

Every completed vendor onboarding produces a permanent, timestamped record that directly supports: SOC 2 CC9.2 (vendor management evidence), GDPR Article 28 (processor due diligence), ISO 27001 A.5.19–5.22 (supplier relationship controls), DORA Article 28 (ICT third-party service provider register), and FCA SYSC 8 (outsourcing risk management). One checklist, evidence for multiple frameworks.


Ready-to-Use Procurement & Vendor Templates

Don’t start from a blank page. Pick a proven procurement and supplier template, customise it to your vendor tiers, due diligence, and approval process, and run it for your next vendor in minutes. Each one is fully editable in the CheckFlow template designer.

What Your Vendor Onboarding Checklist Should Cover

The four stages of compliant vendor onboarding — and the steps that most organisations skip, deprioritise, or forget to document until there’s an incident.

Legal & Contractual
  • NDA (Non-Disclosure Agreement) executed and filed before any confidential information is shared — this is a gate step, not a parallel task
  • MSA (Master Services Agreement) or contract signed and filed before any work begins
  • Data Processing Agreement (DPA) executed for any vendor who will process personal data under GDPR Article 28 — mandatory for all data processors
  • Sub-processor list reviewed and approved if the vendor uses sub-processors to deliver their service
  • Contract terms reviewed: liability caps, indemnity, IP ownership, data breach notification obligations (must align to GDPR 72-hour notification requirement)
  • Governing law and jurisdiction confirmed
  • Legal sign-off on non-standard or high-value contracts before execution
Compliance & Risk
  • Sanctions screening completed: vendor entity and principals checked against OFAC SDN list, EU consolidated list, HMRC list
  • Insurance certificates verified: professional indemnity, public liability, and cyber insurance minimum thresholds confirmed
  • Business continuity plan reviewed for critical and high-dependency vendors
  • Regulatory status confirmed for regulated industries: FCA authorisation, ISO certification, SCC accreditation
  • Background checks completed for vendors with individual access to your premises or sensitive data
  • GDPR/privacy compliance confirmed: vendor’s own privacy policy reviewed, appointed DPO confirmed if required
  • Risk rating assigned (high / medium / low) and recorded with justification
  • Escalation to senior management for high-risk vendor approvals
Security Assessment
  • Security questionnaire sent, completed, and reviewed (SIG Lite, CAIQ, or bespoke questionnaire as appropriate to vendor tier)
  • SOC 2 Type 2 or ISO 27001 certificate reviewed and confirmed current for vendors with system or data access
  • Evidence of penetration testing reviewed for high-risk vendors
  • Access scope defined: exactly which systems, data, and environments the vendor will have access to
  • Access provisioning completed: accounts created, MFA enforced, least-privilege principle applied
  • Vendor access limited to what’s required for the engagement — no standing access for project-based engagements
  • Vendor security incident notification process confirmed
  • Vendor added to IT asset register and security monitoring scope
Financial & Operational
  • Vendor registered in ERP or Accounts Payable system with correct entity details
  • Bank details verified via direct confirmation on vendor letterhead or phone call — not via email
  • Currency, payment terms, and purchase order process confirmed in writing
  • VAT / tax number verified and recorded
  • Credit check completed for vendors in strategic supply chain roles
  • SLA and service delivery metrics agreed and documented
  • Escalation contacts and account manager details recorded
  • First purchase order raised and confirmed with vendor
  • Vendor onboarding confirmed complete — all steps across all departments signed off
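The gated sequencing described in the three "How CheckFlow Works" steps above, and the four checklist stages just listed, modelled as a small gate engine. This is an added illustration, not CheckFlow's own code; the step names, owning departments, prerequisites and the out-of-band bank-verification rule are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed step table: name -> (owning department, prerequisite steps).
# Access provisioning depends on the legal gates and the security review;
# payment setup depends on a verified bank record. Assumed, not CheckFlow's format.
STEPS = {
    "nda_signed":         ("Legal", ()),
    "msa_signed":         ("Legal", ("nda_signed",)),
    "dpa_signed":         ("Legal", ("nda_signed",)),
    "questionnaire":      ("IT Security", ("nda_signed",)),
    "cert_verified":      ("IT Security", ("questionnaire",)),
    "risk_rated":         ("IT Security", ("questionnaire", "cert_verified")),
    "access_provisioned": ("IT Security", ("msa_signed", "dpa_signed", "risk_rated")),
    "bank_verified":      ("Finance", ("msa_signed",)),
    "erp_registered":     ("Finance", ("bank_verified",)),
}


class GateError(Exception):
    """Raised when a step is attempted out of order or by the wrong department."""


@dataclass
class Onboarding:
    vendor: str
    done: dict = field(default_factory=dict)   # step -> audit record of its completion
    log: list = field(default_factory=list)    # every attempt, accepted or refused

    def complete(self, step, actor, department, evidence):
        owner, prereqs = STEPS[step]
        missing = [p for p in prereqs if p not in self.done]
        record = {"step": step, "actor": actor, "dept": department, "evidence": evidence,
                  "at": datetime.now(timezone.utc).isoformat()}
        if department != owner:
            record["refused"] = f"{step} belongs to {owner}"   # no cross-department sign-off
        elif missing:
            record["refused"] = f"prerequisites incomplete: {missing}"
        elif step == "bank_verified" and evidence.get("method") == "email":
            record["refused"] = "bank details must be confirmed out of band, not by email"
        self.log.append(record)          # refusals are evidence too
        if "refused" in record:
            raise GateError(record["refused"])
        self.done[step] = record
        return record

    def access_allowed(self):
        return "access_provisioned" in self.done

    def payment_allowed(self):
        return "erp_registered" in self.done

    def outstanding(self):
        return [s for s in STEPS if s not in self.done]
```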

CheckFlow’s free vendor onboarding templates cover all four stages — customise them for your vendor tier, risk level, and compliance requirements, and onboard your next vendor today.


Frequently Asked Questions

How is CheckFlow different from Coupa, SAP Ariba, or a Vendor Management System?


Coupa, SAP Ariba, and enterprise VMS platforms manage vendor relationships at scale — procurement workflows, catalogue purchasing, contract management, and spend analytics. They’re purpose-built for procurement departments with significant IT infrastructure budgets (typically $50,000–500,000+ per year). CheckFlow solves a different, more immediate problem: the structured cross-department checklist that ensures every new vendor goes through NDA execution, security assessment, GDPR compliance review, and financial setup in the right order, with every step documented. It’s used by companies that don’t have a VMS — or by procurement, legal, and IT Security teams within larger companies that need a simple, lightweight checklist layer alongside their enterprise tools.

Does the vendor need to create a CheckFlow account to be onboarded?


No. The entire vendor onboarding process is executed by your internal team. Legal handles the contract steps, IT Security handles the risk assessment, Finance handles the financial setup — all using CheckFlow. The vendor receives documents to sign (NDA, DPA, security questionnaire) through your existing channels — DocuSign, email, or whatever you use. CheckFlow tracks that each step has been completed by the appropriate internal owner, not the vendor.

How does CheckFlow help with GDPR Article 28 requirements?


GDPR Article 28 requires that any controller using a processor has a Data Processing Agreement (DPA) in place before the processor handles personal data. CheckFlow includes the DPA execution as a mandatory, sequenced step in the vendor onboarding checklist for any vendor processing personal data — meaning no data access can be provisioned until the DPA step is marked complete. The completed record includes who confirmed the DPA was executed, when, and any reference to the document. This creates the documented due diligence record that supervisory authorities look for in a GDPR investigation.

Can I build different checklists for different vendor tiers?


Yes. Most organisations classify vendors by risk level — high, medium, and low — and apply proportionate due diligence. A high-risk vendor with access to production systems and personal data gets the full checklist: SOC 2 review, SIG Lite questionnaire, DPA, background checks, senior sign-off. A low-risk vendor supplying office stationery gets a shorter version with basic contract and payment setup steps. CheckFlow lets you build a template per vendor tier and apply the appropriate one at onboarding.

What compliance frameworks does CheckFlow support for vendor onboarding?


The vendor onboarding checklist and its documented completion records directly support: GDPR Article 28 (Data Processing Agreement execution and processor due diligence), SOC 2 CC9.2 (vendor risk management evidence for Type 2 audits), ISO 27001 Annex A controls A.5.19–5.22 (supplier relationships and ICT supply chain security), DORA Article 28 (ICT third-party service provider register and risk assessment documentation for EU financial services firms), and FCA SYSC 8 (outsourcing risk management). One checklist, evidence for multiple regulatory requirements.

How long does it take to set up a vendor onboarding checklist in CheckFlow?


Most organisations have their first vendor onboarding checklist template running within a single afternoon. Start with the free CheckFlow template, customise the steps for your legal, security, and financial requirements, assign each step to the appropriate department or role, and you’re ready to run it for your next vendor. There’s no IT implementation, no integration project, and no vendor to train. The internal team who will complete the checklist steps can be up and running within hours, not weeks.

What does CheckFlow cost for a vendor onboarding process?


CheckFlow is $10 per user per month, priced on the number of managers who use the platform to manage and complete checklist steps — typically Procurement, Legal, IT Security, and Finance team members. For a team of 5 people managing vendor onboarding across these departments, the cost is $50 per month. Vendors themselves require no account and are not counted as users. Manual vendor onboarding processes typically cost $700–$35,000 per vendor when accounting for staff time across legal, compliance, IT, and finance. CheckFlow’s structured process reduces this significantly while improving consistency and compliance.

Your Next Vendor Shouldn’t Be Onboarded With a Chain of Emails


Build the cross-department vendor onboarding checklist that ensures every new supplier goes through the right legal, security, compliance, and financial steps — in the right order, by the right person, with documented proof for every audit.