Vendor Security Questionnaire

Vendor Security Questionnaire

---

Header

Pole	Hodnota
Vendor Name	[PLACEHOLDER]
Service Description	[PLACEHOLDER]
Questionnaire Date	[PLACEHOLDER: DD.MM.YYYY]
Completed By	[PLACEHOLDER: Name, Role]
Reviewer	[PLACEHOLDER: Name, Role]

---

Section 1: Company Information

#	Otázka	Odpověď
1.1	Legal name of company
1.2	Headquarters location
1.3	Year established
1.4	Number of employees
1.5	Annual revenue
1.6	Primary contact (security)
1.7	Website

---

Section 2: Certifications & Compliance

#	Otázka	Odpověď
2.1	Do you have ISO 27001 certification?	☐ Yes / ☐ No / ☐ In progress
2.2	If yes, provide certificate number and expiry
2.3	Do you have SOC 2 Type II report?	☐ Yes / ☐ No / ☐ In progress
2.4	Are you GDPR compliant?	☐ Yes / ☐ No / ☐ In progress
2.5	Are you NIS2 compliant (if applicable)?	☐ Yes / ☐ No / ☐ N/A
2.6	List other relevant certifications
2.7	Have you had any regulatory actions in last 3 years?	☐ Yes / ☐ No
2.8	If yes, describe

---

Section 3: Data Protection

#	Otázka	Odpověď
3.1	What personal data will you process?
3.2	What is the legal basis for processing?
3.3	Where will data be stored? (country/region)
3.4	Will data be transferred outside EU/EEA?	☐ Yes / ☐ No
3.5	If yes, what transfer mechanism?	☐ SCCs / ☐ Adequacy / ☐ BCR / ☐ Other
3.6	Do you have a DPO?	☐ Yes / ☐ No
3.7	DPO contact
3.8	Do you have a privacy policy?	☐ Yes / ☐ No
3.9	Can you support DSAR requests?	☐ Yes / ☐ No
3.10	What is your data retention policy?

---

Section 4: Information Security

4.1 Access Control

#	Otázka	Odpověď
4.1.1	Do you use MFA for all admin access?	☐ Yes / ☐ No
4.1.2	Do you use role-based access control (RBAC)?	☐ Yes / ☐ No
4.1.3	How often are access rights reviewed?
4.1.4	What is your password policy?
4.1.5	Do you have privileged access management (PAM)?	☐ Yes / ☐ No

4.2 Encryption

#	Otázka	Odpověď
4.2.1	Is data encrypted at rest?	☐ Yes / ☐ No
4.2.2	If yes, what algorithm/key length?
4.2.3	Is data encrypted in transit?	☐ Yes / ☐ No
4.2.4	What TLS version is supported?
4.2.5	How are encryption keys managed?

4.3 Network Security

#	Otázka	Odpověď
4.3.1	Do you use firewalls?	☐ Yes / ☐ No
4.3.2	Do you have IDS/IPS?	☐ Yes / ☐ No
4.3.3	Is network segmentation implemented?	☐ Yes / ☐ No
4.3.4	Do you use DDoS protection?	☐ Yes / ☐ No

4.4 Vulnerability Management

#	Otázka	Odpověď
4.4.1	How often do you scan for vulnerabilities?
4.4.2	What is your patch management SLA?	Critical: / High: / Medium:
4.4.3	Do you conduct penetration testing?	☐ Yes / ☐ No
4.4.4	How often?
4.4.5	Do you have a bug bounty program?	☐ Yes / ☐ No

4.5 Logging & Monitoring

#	Otázka	Odpověď
4.5.1	Do you use SIEM?	☐ Yes / ☐ No
4.5.2	What is your log retention period?
4.5.3	Do you have 24/7 security monitoring?	☐ Yes / ☐ No
4.5.4	Can you provide audit logs to customers?	☐ Yes / ☐ No

---

Section 5: Incident Management

#	Otázka	Odpověď
5.1	Do you have an incident response plan?	☐ Yes / ☐ No
5.2	How quickly can you notify customers of breach?
5.3	Have you had any breaches in last 3 years?	☐ Yes / ☐ No
5.4	If yes, describe
5.5	Do you conduct incident response exercises?	☐ Yes / ☐ No
5.6	Do you have cyber insurance?	☐ Yes / ☐ No

---

Section 6: Business Continuity

#	Otázka	Odpověď
6.1	Do you have a BCP/DRP?	☐ Yes / ☐ No
6.2	What is your RTO?
6.3	What is your RPO?
6.4	How often are backups taken?
6.5	Are backups encrypted?	☐ Yes / ☐ No
6.6	How often is DR tested?
6.7	What is your SLA uptime guarantee?

---

Section 7: Sub-processors

#	Otázka	Odpověď
7.1	Do you use sub-processors?	☐ Yes / ☐ No
7.2	List all sub-processors with access to data
7.3	How do you assess sub-processor security?
7.4	Can customers object to new sub-processors?	☐ Yes / ☐ No

---

Section 8: AI/ML (if applicable)

#	Otázka	Odpověď
8.1	Does your service use AI/ML?	☐ Yes / ☐ No
8.2	If yes, describe AI functionality
8.3	Is customer data used for training?	☐ Yes / ☐ No
8.4	Can customers opt-out of AI training?	☐ Yes / ☐ No
8.5	How do you address AI bias?
8.6	Are you prepared for AI Act compliance?	☐ Yes / ☐ No / ☐ N/A

---

Section 9: Physical Security

#	Otázka	Odpověď
9.1	Where are your data centers located?
9.2	Do you own or lease data center space?	☐ Own / ☐ Lease / ☐ Cloud
9.3	Data center certifications
9.4	Physical access controls in place

---

Section 10: HR Security

#	Otázka	Odpověď
10.1	Do you conduct background checks?	☐ Yes / ☐ No
10.2	Is security training mandatory?	☐ Yes / ☐ No
10.3	How often is training conducted?
10.4	Do employees sign NDAs?	☐ Yes / ☐ No
10.5	What is your offboarding process?

---

Section 11: Data Act Compliance (EU 2023/2854)

Vyplňte pro cloud/SaaS služby a connected products. Data Act platí od 12.9.2025.

11.1 Scope Determination

#	Otázka	Odpověď
11.1.1	Je vendor poskytovatelem cloud služeb (IaaS/PaaS/SaaS)?	☐ Yes / ☐ No
11.1.2	Je vendor výrobcem connected products (IoT)?	☐ Yes / ☐ No
11.1.3	Je vendor regulován DORA? (pokud ano, DORA = lex specialis)	☐ Yes / ☐ No

11.2 Cloud Switching Rights (Kapitola VI Data Act)

Vyplňte pokud 11.1.1 = Yes

#	Otázka	Odpověď
11.2.1	Jsou switching rights explicitně uvedena ve smlouvě?	☐ Yes / ☐ No
11.2.2	Jaká je maximální notice period pro switching?	☐ ≤2 měsíce (compliant) / ☐ >2 měsíce (non-compliant)
11.2.3	Existuje self-service data export funkce?	☐ Yes / ☐ No / ☐ Partial
11.2.4	V jakém formátu jsou data exportovatelná?	☐ Standard (JSON, CSV, SQL) / ☐ Proprietary
11.2.5	Jsou switching costs transparentně dokumentovány?	☐ Yes / ☐ No
11.2.6	Jaká je výše switching fees?	☐ 0 (compliant od 2027) / ☐ Reasonable / ☐ High
11.2.7	Poskytuje vendor technickou asistenci při switchingu?	☐ Yes, v SLA / ☐ Best effort / ☐ No
11.2.8	Existuje dokumentace pro migraci?	☐ Yes / ☐ No
11.2.9	Jsou API standardizovaná a interoperabilní?	☐ Yes / ☐ Partial / ☐ No

Cloud Switching Compliance Score:

• 8-9 odpovědí “compliant”: ✅ Vysoká compliance
• 5-7 odpovědí “compliant”: ⚠️ Střední - vyžaduje pozornost
• <5 odpovědí “compliant”: ❌ Nízká - riziko lock-in

11.3 Data Portability & Export

#	Otázka	Odpověď
11.3.1	Lze exportovat VŠECHNA zákaznická data?	☐ Yes / ☐ Partial / ☐ No
11.3.2	Jsou exportovatelná i metadata a konfigurace?	☐ Yes / ☐ No
11.3.3	Jaký je SLA pro dokončení exportu?
11.3.4	Je export dostupný i po ukončení smlouvy?	☐ Yes (doba: ___) / ☐ No
11.3.5	Lze data exportovat programaticky (API)?	☐ Yes / ☐ No

11.4 IoT / Connected Products (Kapitola II-III Data Act)

Vyplňte pokud 11.1.2 = Yes

#	Otázka	Odpověď
11.4.1	Mají uživatelé real-time přístup k datům ze zařízení?	☐ Yes / ☐ On request / ☐ No
11.4.2	Je přístup k datům bezplatný?	☐ Yes / ☐ Partial / ☐ No
11.4.3	Jsou data v machine-readable formátu?	☐ Yes / ☐ No
11.4.4	Mohou uživatelé sdílet data s třetími stranami?	☐ Yes / ☐ No
11.4.5	Je produkt navržen s “data access by design”?	☐ Yes / ☐ In progress / ☐ No
11.4.6	Jsou před-nákupní informace o datech dostupné?	☐ Yes / ☐ No

11.5 Unfair Terms Protection (Kapitola IV Data Act)

#	Otázka	Odpověď
11.5.1	Obsahuje smlouva klauzule umožňující jednostranné změny?	☐ No (good) / ☐ Yes (review needed)
11.5.2	Obsahuje smlouva výlučná práva na data?	☐ No (good) / ☐ Yes (potential issue)
11.5.3	Jsou penále za předčasné ukončení proporcionální?	☐ Yes / ☐ No (review needed)
11.5.4	Byla smlouva revidována pro Data Act compliance?	☐ Yes / ☐ In progress / ☐ No

11.6 Data Act Summary

Kritérium	Status	Poznámka
Cloud Switching Rights	☐ Compliant / ☐ Partial / ☐ Non-compliant
Data Portability	☐ Compliant / ☐ Partial / ☐ Non-compliant
IoT Data Access	☐ Compliant / ☐ Partial / ☐ N/A
Unfair Terms	☐ Compliant / ☐ Partial / ☐ Non-compliant
Overall Data Act	☐ Compliant / ☐ Partial / ☐ Non-compliant

Data Act Risk Assessment:

• ☐ Low Risk - Vendor je Data Act compliant, nízké lock-in riziko
• ☐ Medium Risk - Částečná compliance, doporučeno vyjednávání
• ☐ High Risk - Non-compliant, vysoké lock-in riziko, zvážit alternativy

---

Section 12: Documentation Request

Please provide the following documents:

Document	Provided	Notes
ISO 27001 certificate	☐
SOC 2 Type II report	☐
Privacy policy	☐
DPA template	☐
Penetration test summary	☐
Insurance certificate	☐
Sub-processor list	☐
Data Act documentation:
Data export procedure	☐
Switching process documentation	☐
Switching costs breakdown	☐
Migration guide	☐

---

Assessment Summary

Area	Score (1-5)	Notes
Certifications
Data Protection
Access Control
Encryption
Network Security
Vulnerability Mgmt
Incident Response
Business Continuity
Data Act Compliance
Lock-in Risk		Low/Medium/High
Overall

Data Act Specific Assessment:

Kritérium	Status
Switching Rights	☐ OK / ☐ Negotiate / ☐ Block
Data Portability	☐ OK / ☐ Negotiate / ☐ Block
Exit Costs	☐ Acceptable / ☐ High / ☐ Prohibitive
Unfair Terms	☐ None / ☐ Some / ☐ Many

Recommendation: ☐ Approve / ☐ Approve with conditions / ☐ Reject

Conditions (if applicable):

1. [PLACEHOLDER]
2. [PLACEHOLDER]

Data Act Specific Conditions:

1. [PLACEHOLDER: e.g., “Require Data Act compliant switching clause”]
2. [PLACEHOLDER: e.g., “Negotiate switching fees reduction”]

---

Sign-off

Role	Name	Date	Signature
Security Reviewer
CISO
DPO (if personal data)
DSO (if cloud/SaaS)
Procurement

---

References

• Data Act Assessment Template
• Vendor Sovereignty Assessment
• Tech Sovereignty Directive
• Data Act Documentation

---

Verze: 1.1 | Datum: Prosinec 2025 Changelog:

• v1.1: Přidána Section 11 - Data Act Compliance Licence: CC BY-SA 4.0