Vendor Due Diligence
A structured third-party risk assessment for IT vendors, covering the financial, operational, compliance, security and reputational dimensions, with GDPR, DORA and NIS2 checklists.
Official alternative
Anthropic maintains an official plugin workflow for this task. Use it when you want the full marketplace plugin with MCP connectors.
Vendor AI Reviewer: `/plugin install ai-governance-legal@claude-for-legal`
Official outputs require attorney review before client reliance.
About this skill
A structured third-party risk assessment for IT vendors, covering the financial, operational, compliance, security and reputational dimensions, with GDPR, DORA and NIS2 checklists.
Skills provide structured workflow guidance for attorney-supervised use. They are not legal advice and require human review before client reliance.
How to install
- Download the ZIP and unzip the skill folder.
- In Claude: Settings → Capabilities → Skills → Upload skill folder.
- In Claude Code or Codex: copy the folder into `.claude/skills/` or `~/.agents/skills/`.
- Invoke the skill by describing a task that matches the skill description.
Skill content preview
# Vendor Due Diligence

Run a structured vendor risk assessment before onboarding or renewal.

## Intake questions

1. Vendor name, service description, and data processed
2. Criticality tier (critical / important / standard)
3. Hosting regions and subprocessors
4. Existing certifications (SOC 2, ISO 27001, etc.)
5. Contract stage (RFP, renewal, incident follow-up)

## Assessment dimensions

Score each area: Low / Medium / High risk with evidence notes.

1. **Financial stability**
2. **Operational resilience** — SLAs, BCP/DR, support model
3. **Security** — access controls, encryption, incident history
4. **Compliance** — GDPR/DPA, DORA ICT third-party rules, NIS2 if applicable
5. **Reputational / concentration risk**

## Output format

```markdown
## Vendor diligence summary
## Risk scorecard
| Domain | Rating | Evidence | Gap | Mitigation |
## Required contract clauses / security addenda
## Open items for vendor questionnaire
## Recommendation (proceed / proceed with conditions / do not proceed)
```

## Guardrails

- Mark missing evidence explicitly; do not assume compliance from marketing claims.
- Separate factual findings from recommended business decision.
- Escalate critical vendors with access to sensitive or regulated data.
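To make the scorecard and guardrails mechanical, here is an added Python example (not part of the skill, the plugin or any Anthropic code): it requires every dimension to be scored, turns ratings that carry no evidence into explicit gaps and questionnaire items, applies a decision rule, and renders the table in the skill's output format. The domains and rating scale are the skill's own; the decision thresholds, the `Finding` structure and the sample vendor data are this example's assumptions.

```python
from dataclasses import dataclass

DOMAINS = ("Financial stability", "Operational resilience", "Security",
           "Compliance", "Reputational / concentration risk")
RATINGS = ("Low", "Medium", "High")

@dataclass
class Finding:
    domain: str
    rating: str          # Low / Medium / High
    evidence: str = ""   # empty = nothing beyond the vendor's marketing claims
    gap: str = ""
    mitigation: str = ""

def scorecard(findings):
    """Guardrail: mark missing evidence explicitly instead of accepting the claimed rating."""
    seen, card = set(), []
    for f in findings:
        if f.domain not in DOMAINS or f.rating not in RATINGS:
            raise ValueError(f"bad finding: {f.domain!r} / {f.rating!r}")
        seen.add(f.domain)
        if not f.evidence.strip():
            f = Finding(f.domain, f.rating, "MISSING (claimed, not evidenced)",
                        f.gap or "no evidence supplied", f.mitigation or "add to questionnaire")
        card.append(f)
    if seen != set(DOMAINS):  # every dimension must be scored before a decision is made
        raise ValueError(f"domains not assessed: {sorted(set(DOMAINS) - seen)}")
    return card

def recommend(card, tier, regulated_data):
    """Assumed rule: any High -> do not proceed; any Medium or unevidenced -> conditions."""
    open_items = [f.domain for f in card if f.evidence.startswith("MISSING")]
    ratings = {f.rating for f in card}
    decision = ("do not proceed" if "High" in ratings else
                "proceed with conditions" if "Medium" in ratings or open_items else "proceed")
    # Guardrail: critical vendors with access to sensitive or regulated data are escalated.
    return {"decision": decision, "open_items": open_items,
            "escalate": tier == "critical" and regulated_data}

def render(card):
    """Risk scorecard table in the skill's output format."""
    rows = ["| Domain | Rating | Evidence | Gap | Mitigation |", "|---|---|---|---|---|"]
    rows += [f"| {f.domain} | {f.rating} | {f.evidence} | {f.gap} | {f.mitigation} |" for f in card]
    return "\n".join(rows)

# Constructed sample: a critical-tier SaaS vendor processing personal data; Security is unevidenced.
SAMPLE = [Finding("Financial stability", "Low", "audited FY accounts"),
          Finding("Operational resilience", "Medium", "99.9% SLA; DR test 2 years old", "stale DR test", "annual DR test clause"),
          Finding("Security", "Low"), Finding("Compliance", "Low", "signed DPA; EU hosting"),
          Finding("Reputational / concentration risk", "Low", "no public incidents; alternative supplier exists")]
```

Running `render(scorecard(SAMPLE))` shows the Security row with its evidence marked MISSING, and `recommend(scorecard(SAMPLE), "critical", True)` returns "proceed with conditions" with Security as the open item and the escalation flag set.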