Vendor compliance reference for data processing partners

Map contract clauses to regulatory obligations and keep auditors aligned with a single source of truth.

Updated August 4, 2025
Effective September 1, 2025

Data processing agreements

Every vendor handling customer personal data must sign the Nextbase DPA with GDPR Article 28 language mirrored in clauses 3-7.

Controllers remain accountable for the personal data we process. Before onboarding a new vendor, confirm the lawful basis and document processing instructions in the DPA schedule.

  1. Verify Standard Contractual Clauses (SCCs) are included for any international transfers.
  2. Confirm vendor subprocessors are disclosed and align with our Third-Party Risk Register.
  3. Ensure audit cooperation clauses allow on-site assessments within 30 days' notice.

Vendor access controls

Reinforce access controls by mapping vendor roles to least-privilege policies and documenting revocation workflows.

Access must be provisioned through the centralized identity provider. Temporary break-glass accounts require CISO approval and expire after 24 hours.

Vendor accounts shall be reviewed every 90 days with evidence logged in the compliance workspace.

— Nextbase Vendor Security Policy

Appendices

Citation index
Inline references with quick download links for auditors.
  1. [regulation] GDPR Article 28: Processor obligations. Official Journal of the European Union.
  2. [standard] ISO/IEC 27001:2022 control 5.29. ISO.org.
  3. [guidance] SOC 2 Trust Services Criteria CC6.6. AICPA.