Vendor Due Diligence
Structured third-party risk assessment for IT vendors and technology providers. Covers financial, operational, compliance, security, and reputational dimensions with GDPR, DORA, and NIS2 checklists where applicable.
Official alternative
Anthropic maintains an official plugin workflow for this task. Use it when you want the full marketplace plugin with MCP connectors.
Vendor AI Reviewer: `/plugin install ai-governance-legal@claude-for-legal`
Official outputs require attorney review before client reliance.
Skills provide structured workflow guidance for attorney-supervised use. They are not legal advice and require human review before client reliance.
How to install
- Download the ZIP and unzip the skill folder.
- In Claude: Settings → Capabilities → Skills → Upload skill folder.
- In Claude Code or Codex: copy the folder into `.claude/skills/` or `~/.agents/skills/`.
- Invoke the skill by describing a task that matches the skill description.
Skill content preview
# Vendor Due Diligence

Run a structured vendor risk assessment before onboarding or renewal.

## Intake questions

1. Vendor name, service description, and data processed
2. Criticality tier (critical / important / standard)
3. Hosting regions and subprocessors
4. Existing certifications (SOC 2, ISO 27001, etc.)
5. Contract stage (RFP, renewal, incident follow-up)

## Assessment dimensions

Score each area: Low / Medium / High risk with evidence notes.

1. **Financial stability**
2. **Operational resilience** — SLAs, BCP/DR, support model
3. **Security** — access controls, encryption, incident history
4. **Compliance** — GDPR/DPA, DORA ICT third-party rules, NIS2 if applicable
5. **Reputational / concentration risk**

## Output format

```markdown
## Vendor diligence summary

## Risk scorecard

| Domain | Rating | Evidence | Gap | Mitigation |
|---|---|---|---|---|

## Required contract clauses / security addenda

## Open items for vendor questionnaire

## Recommendation (proceed / proceed with conditions / do not proceed)
```

## Guardrails

- Mark missing evidence explicitly; do not assume compliance from marketing claims.
- Separate factual findings from recommended business decision.
- Escalate critical vendors with access to sensitive or regulated data.
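The scorecard and guardrails above can be enforced mechanically before a human reads the result. The following Python is an added example, not part of the skill or of Anthropic's plugin: it encodes the five domains, the Low/Medium/High ratings and the three guardrails, and renders the skill's output format. Two rules are assumptions the skill does not state: a domain with no evidence is never allowed to keep a Low rating (it is raised to Medium and its gap marked "Evidence missing"), and ratings roll up to the recommendation as any High → "do not proceed", any Medium → "proceed with conditions", otherwise "proceed". The vendor data in `__main__` is constructed.

```python
# Added example for the Vendor Due Diligence skill: scorecard + guardrail checks.
# Not the skill's own code. Evidence and rollup rules below are assumptions.
from dataclasses import dataclass, field
from typing import List

DOMAINS = (
    "Financial stability",
    "Operational resilience",
    "Security",
    "Compliance",
    "Reputational / concentration risk",
)
RATINGS = ("Low", "Medium", "High")
TIERS = ("critical", "important", "standard")


@dataclass
class Finding:
    domain: str
    rating: str          # Low / Medium / High, as in the skill's scorecard
    evidence: str = ""   # empty: nothing beyond marketing claims was reviewed
    gap: str = ""
    mitigation: str = ""


@dataclass
class Assessment:
    vendor: str
    tier: str             # intake question 2
    regulated_data: bool  # vendor touches sensitive or regulated data (intake question 1)
    findings: List[Finding] = field(default_factory=list)


def apply_guardrails(a: Assessment) -> List[Finding]:
    """Apply the evidence guardrail. Assumption: no evidence means a Low rating
    is raised to Medium and the gap is marked explicitly."""
    if a.tier not in TIERS:
        raise ValueError(f"unknown tier: {a.tier!r}")
    adjusted = []
    for f in a.findings:
        if f.domain not in DOMAINS or f.rating not in RATINGS:
            raise ValueError(f"unknown domain or rating: {f.domain!r} / {f.rating!r}")
        rating, gap, evidence = f.rating, f.gap, f.evidence.strip()
        if not evidence:
            rating = "Medium" if rating == "Low" else rating
            gap = "Evidence missing" + (f"; {gap}" if gap else "")
            evidence = "none provided"
        adjusted.append(Finding(f.domain, rating, evidence, gap, f.mitigation))
    return adjusted


def open_items(a: Assessment) -> List[str]:
    """Domains sent back to the vendor questionnaire because evidence is missing."""
    return [f.domain for f in a.findings if not f.evidence.strip()]


def needs_escalation(a: Assessment) -> bool:
    """Guardrail: critical vendors with access to sensitive or regulated data are escalated."""
    return a.tier == "critical" and a.regulated_data


def recommendation(findings: List[Finding]) -> str:
    """Roll ratings up to the skill's three outcomes (rollup rule is an assumption)."""
    ratings = {f.rating for f in findings}
    if "High" in ratings:
        return "do not proceed"
    if "Medium" in ratings:
        return "proceed with conditions"
    return "proceed"


def render(a: Assessment) -> str:
    """Render the skill's output format as markdown."""
    findings = apply_guardrails(a)
    lines = [
        "## Vendor diligence summary",
        f"Vendor: {a.vendor} (tier: {a.tier}; regulated data: {'yes' if a.regulated_data else 'no'})",
        "", "## Risk scorecard",
        "| Domain | Rating | Evidence | Gap | Mitigation |",
        "|---|---|---|---|---|",
    ]
    for f in findings:
        lines.append(f"| {f.domain} | {f.rating} | {f.evidence} | {f.gap or '-'} | {f.mitigation or '-'} |")
    lines += ["", "## Required contract clauses / security addenda"]
    lines += [f"- {f.domain}: {f.mitigation}" for f in findings if f.mitigation] or ["- none identified"]
    lines += ["", "## Open items for vendor questionnaire"]
    lines += [f"- {d}: supply evidence for the stated rating" for d in open_items(a)] or ["- none"]
    lines += ["", f"## Recommendation ({recommendation(findings)})"]
    if needs_escalation(a):
        lines.append("Escalate: critical-tier vendor with access to sensitive or regulated data.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input, not a real vendor.
    sample = Assessment("Example SaaS Ltd", "critical", True, [
        Finding("Financial stability", "Low", "Audited FY accounts reviewed"),
        Finding("Operational resilience", "Medium", "BCP exists; DR test pending", "no DR test report",
                "DR test report before go-live"),
        Finding("Security", "Low", "", "", "Deliver SOC 2 Type II report"),   # marketing claim only
        Finding("Compliance", "Low", "Signed DPA with EU subprocessor list"),
        Finding("Reputational / concentration risk", "Low", "No adverse media"),
    ])
    print(render(sample))
```

In the sample, the Security domain was rated Low on a marketing claim alone; the guardrail raises it to Medium, lists it as an open questionnaire item, and the critical tier plus regulated data produces the escalation line, so the rendered recommendation is "proceed with conditions" rather than a clean "proceed".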