Vendor Risk Assessment

This field is hidden when viewing the form

Next Steps: Sync an Email Add-On

To get the most out of your form, we suggest that you sync this form with an email add-on. To learn more about your email add-on options, visit the following page (https://www.gravityforms.com/the-8-best-email-plugins-for-wordpress-in-2020/). Important: Delete this tip before you publish the form.

Woundtech Third Party Vendor Assessment Questionnaire

Vendor Company Information(Required)

Company Name

Vendor Company Address(Required)

Street Address Address Line 2 City State ZIP Code

Vendor Contact Name(Required)

First Last

Vendor Contact Email Address

Vendor Company Website(Required)

Data Access Notes(Required)

Please describe the data to be exchanged (business reason, frequency, and method of proposed data exchange):

SOC2/HITRUST Certification(Required)

Does your organization hold a current SOC2 and/or HITRUST certification? (If yes, please attach the latest reports)

SOC2/HITRUST Report Upload

Accepted file types: pdf, doc, docx, Max. file size: 100 MB.

Policies and Processes

Does your organization document, publish, and enforce security policies?(Required)

Do you review and update these policies at least annually?(Required)

Does your organization document and enforce HR policies?(Required)

Does your organization have acceptable use policies?(Required)

Does your organization have policies governing the use of company email, internet, and devices?(Required)

Does your organization have encryption policies and standards?(Required)

Does your organization adhere to a Data Breach Notification policy?(Required)

Provide Notification Timeframe Below

Notification Timeframe For Breach In Hours(Required)

Does your organization have documented policies regarding the storage, handling, and disposal of sensitive data?(Required)

Outline Procedures if Yes

Describe your organization's data handling and disposal procedures

Does your organization have policies for third-party management of sensitive data (storage, use, and disposal)?(Required)

Outline Procedures if Yes

Describe your organization's policies for third party management of sensitive data

Does your organization outsource any security management functions?(Required)

Specify Outsourced Functions if Yes

Describe your organization's outsourced security functions

Do your policies and procedures comply with relevant privacy laws regarding the security and protection of customer data?(Required)

Outline Procedures if Yes

Describe how your organization's policies align with privacy laws with regards to protection of customer data

Physical and Data Center Security

Does your organization regularly assess physical and environmental risks?(Required)

Are data center perimeter controls managed through access cards?(Required)

Are keypad controls used for data center perimeter access?(Required)

Are security guards employed at data center perimeters?(Required)

Do you have business continuity plans in case your office becomes inaccessible?(Required)

Is network equipment physically secured?(Required)

Do you use external data center providers?(Required)

If yes please list

Please describe external data centers and host providers

Do you maintain visitor logs for more than 30 days?(Required)

Does your organization have a documented policy for physical security requirements in your office?(Required)

Data Handling and Security

How does your software ensure compliance with HIPAA and other relevant regulations?(Required)

Where is application data stored? (e.g., Amazon S3, SQL, Snowflake, Azure, etc.)(Required)

Does your software provide comprehensive audit trails for data access and changes?(Required)

Is all data encrypted at rest?(Required)

Is all data encrypted in transit?(Required)

What encryption methods are used to encrypt data?(Required)

Please list all encryption methods used

Does your software support data exchange with other providers or systems? (e.g., API, SFTP, FHIR, Webhooks)(Required)

Does your software comply with industry standards like HL7, ICD-10, and CPT?(Required)

Describe your business continuity plan related to data availability (e.g., uptime SLA, data backup, and recovery).(Required)

Who owns the data stored in your system, and what happens to the data if we switch vendors?(Required)

AI Capabilities and Features

Does your application use AI functionality (e.g., predictive analytics, natural language processing, clinical decision support)?(Required)

Please Specify AI Solution(s) Used

Does your organization use AI to train or learn from live identifiable information (e.g., PHI or PII)?(Required)

If yes, please describe how data is used to learn or train AI

Information Security Measures

Does your organization have an information security program? (Provide Links if Yes)(Required)

Please provide links to relevant security and privacy policies

Please upload any applicable security policies and documentation.

Drop files here or

Max. file size: 100 MB.

Does the security program apply to all operations and systems that process sensitive data?(Required)

Do you provide security awareness training to all employees (including phishing prevention and social engineering)?(Required)

Are relevant staff and managers professionally certified in information security?(Required)

Is administrator-level access to network infrastructure limited?(Required)

Are there strict controls for accessing security logs?(Required)

Is multi-factor authentication (MFA) required for access to all systems?(Required)

Has your organization conducted a penetration test (PEN test) in the past 12 months?(Required)

Are you able to provide your latest penetration test results?(Required)

Please attach latest Pen Test Results(Required)

Max. file size: 100 MB.

Endpoint Security Measures

How do you ensure the confidentiality and integrity of data when employees work remotely?(Required)

End-User Devices (Laptops, Desktops, Tablets)

Do you use data loss prevention (DLP) tools to prevent sensitive data leakage?(Required)

Is MDR (Managed Detection and Response) or EDR (Endpoint Detection and Response) software enabled on all computers handling customer data?(Required)

Is antivirus software required and enabled on all endpoints?(Required)

Is antivirus scanning performed regularly on all endpoints?(Required)

Does your organization allow the installation of non-approved software on endpoints?(Required)

What is your process for managing and deploying security patches and software updates to endpoints, and how often is it done?(Required)

Name

This field is for validation purposes and should be left unchanged.