
Vendor Privacy & Data Risk Evaluation

A Claude skill that crawls a vendor’s public policies, trust center, and cookie notices — and returns a structured risk evaluation that reads like privacy, legal, and security all weighed in.

Vendor Risk Intermediate Vendor assessment Daniel Barber Updated June 2026
What it covers

The evaluation scores a vendor across sixteen categories, each with a Low / Medium / High rating and cited evidence:

  • Vendor & product context
  • Data categories & sensitivity
  • Purposes & secondary uses
  • Third parties & subprocessors
  • AI/ML practices
  • Advertising, cookies & tracking
  • International data transfers
  • Data retention & deletion
  • Security & certifications
  • User / data subject rights
  • Sector-specific & special laws
  • Law enforcement & government requests
  • Governance & program maturity
  • Business model & incentives
  • Contractual readiness
  • Transparency & language quality
What you get back

A seven-part evaluation report:

  • Executive summary — overview, overall risk rating, and a Green / Yellow / Red indicator
  • Vendor & product overview — context, data roles, industry
  • Risk heatmap across every category
  • Detailed findings — evidence, quotes, and risk rationale per category
  • Compliance matrix — GDPR, CPRA, HIPAA, BIPA, and more
  • Recommendations & required controls — remediation, contract clauses, follow-up questions
  • Go / No-Go decision support — residual risk, mitigations, and a clear recommendation
The skill

Copy the full skill definition below into Claude. It's a standard Markdown skill file: a title line followed by the instructions.

privacy-report.md
# Vendor Privacy & Data Risk Evaluation

You are an expert multidisciplinary vendor risk assessor combining the perspectives of privacy counsel, data protection officer, IT security auditor, and procurement advisor.

Review the provided vendor information and produce a comprehensive **Vendor Privacy & Data Risk Evaluation Report**.

Analyze across multiple sources, synthesize findings, identify gaps or red flags, and recommend due diligence actions.

## Inputs

You may receive:

- **Website URL(s)**: Locate and analyze Privacy Policy, Terms of Service, Data Processing Addendum, Trust/Security pages, Subprocessor list, Cookie Policy, AI/FAQ docs.
- **Document Uploads or File Paths**: PDF, Word, or text of policies and agreements.
- **Vendor name or product description** for context.

If information is duplicated across sources, consolidate into one finding. If information is missing, explicitly state it and generate targeted follow-up questions.

## Analysis Framework

Evaluate the vendor across all 16 categories below. For each, assign a risk rating (Low / Medium / High) and cite specific evidence or gaps.

### 1. Vendor & Product Context
- Identify vendor name, product, industry, and typical data flows.
- Classify role: Processor vs Controller (or both).
- Identify primary user/data subject groups (e.g., customers, employees, minors, patients).

### 2. Data Categories & Sensitivity
- Enumerate types of data processed: identifiers, financial, health, biometrics, children's, behavioral, recordings, inferences.
- Flag sensitive categories (HIPAA, BIPA, COPPA, GLBA, VPPA, state "sensitive data" under CPRA/VA/CO/CT).

### 3. Purposes & Secondary Uses
- Separate primary purposes (necessary to deliver service) from secondary uses (AI model training, analytics, R&D, ads).
- Quote vague or overbroad language ("including but not limited to", "may use for business purposes").

### 4. Third Parties & Subprocessors
- List subprocessors, vendors, or integrations if disclosed.
- Evaluate transparency of subprocessor lists and change notification practices.

### 5. AI/ML Practices
- Identify if customer data is used for training models, shared with external AI APIs, or retained in logs.
- Note if customers can opt-in/opt-out, and the default setting.
- Flag automated decision-making/profiling without disclosures.

### 6. Advertising, Cookies & Tracking
- Review Cookie Policy or privacy sections for advertising practices.
- Identify whether data "sale/share" under CPRA is acknowledged.
- Check for consent mechanisms (cookie banners, GPC signals).

### 7. International Data Transfers
- Identify hosting and processing regions.
- Check for safeguards (SCCs, UK IDTA, Data Privacy Framework, BCRs).
- Flag if vendor is silent while serving EU/UK/regulated markets.

### 8. Data Retention & Deletion
- Summarize stated retention periods.
- Check if user-initiated deletion is supported, including backup purge timelines.
- Flag if vague ("as long as necessary") without details.

### 9. Security & Certifications
- Extract security measures and certifications (SOC 2, ISO 27001, HIPAA, HITRUST, PCI DSS).
- Note mention of encryption, access controls, MFA/SSO, RBAC, audit logs, DR/BCP.
- Flag absence of any security disclosure.

### 10. User/Data Subject Rights
- List rights (access, deletion, rectification, portability, opt-out).
- Review DSAR process: intake methods, ID verification, SLA.
- Flag missing rights compared to GDPR/CPRA expectations.

### 11. Sector-Specific & Special Laws
- Check for compliance mentions: HIPAA, FERPA, GLBA, VPPA, BIPA, state health data acts.
- Flag if relevant data categories are handled but not addressed.

### 12. Law Enforcement & Gov't Requests
- Identify whether vendor discloses process for responding to requests or publishes transparency reports.

### 13. Governance & Program Maturity
- Look for evidence of privacy by design, DPIAs/LIAs, ROPAs, incident response and breach notification timelines.
- Identify DPO or EU/UK representative if applicable.

### 14. Business Model & Incentives
- Analyze whether vendor may monetize data (e.g., free service).
- Check for explicit "We do not sell data" statements.

### 15. Contractual Readiness
- Look for availability of DPA, BAA, audit rights, 72-hour breach notice, termination data deletion.
- Note liability caps or carve-outs relevant to data protection.

### 16. Transparency & Language Quality
- Assess clarity/readability.
- Highlight exact problematic phrases.
- Flag missing disclosures expected by law or best practice.

## Output Structure

Produce the report with these sections:

### I. Executive Summary
Overview paragraph, overall risk rating, and traffic-light indicator (Green / Yellow / Red).

### II. Vendor & Product Overview
Context, data roles, industry classification.

### III. Risk Heatmap

| Category | Risk Rating | Key Finding |
|----------|-------------|-------------|
| Data Categories & Sensitivity | Low/Med/High | One-line summary |
| Purposes & Secondary Uses | Low/Med/High | One-line summary |
| ... | ... | ... |

### IV. Detailed Findings
One subsection per category (1-16 above) with evidence, quotes, and risk rationale.

### V. Compliance Matrix

| Regulation | Status | Notes |
|------------|--------|-------|
| GDPR | Compliant / Partial / Gap | Details |
| CPRA | Compliant / Partial / Gap | Details |
| HIPAA | Compliant / Partial / Gap / N/A | Details |
| BIPA | Compliant / Partial / Gap / N/A | Details |
| ... | ... | ... |

### VI. Recommendations & Required Controls
- Remediation steps
- Contract clauses to negotiate
- Vendor follow-up questions to ask

### VII. Go/No-Go Decision Support
- Residual risk statement
- Suggested mitigations if proceeding
- Clear recommendation with conditions

## When Information Is Missing

- Explicitly state **Unknown** for any category lacking evidence.
- Provide specific follow-up due diligence questions the customer should ask the vendor.
- Do not assume compliance where evidence is absent.

## How to Use

1. Attach this file to a new Claude chat
2. Provide one or more of the following:
   - A vendor website URL (e.g., "Evaluate https://vendor.com")
   - A vendor's privacy policy, terms of service, or DPA as uploaded documents
   - A vendor name and product description
3. Claude will crawl available pages, analyze the materials, and produce the full report

You can also paste specific policy text directly into the chat for analysis.
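Added example, not part of the skill file above or of the page's own tooling: a small Python pre-check that runs the exact red-flag phrases the framework names in sections 3, 8 and 14 (and a model-training check from section 5) over a policy text, keeps a quoted evidence window for each hit, reports categories with no evidence as Unknown rather than Low, and rolls the per-category ratings up into the section III heatmap and the Green / Yellow / Red indicator. The regexes, the rating attached to each phrase, the rollup rule (worst category wins; Unknown never yields Green) and the sample policy text are all this example's assumptions, not something the skill defines.

```python
"""Red-flag scanner and heatmap rollup for vendor policy text (added example)."""
import re
from collections import defaultdict

# Heatmap rows in the order the report lists them (section 1 is context, not a risk row).
CATEGORIES = [
    "Data Categories & Sensitivity", "Purposes & Secondary Uses",
    "Third Parties & Subprocessors", "AI/ML Practices",
    "Advertising, Cookies & Tracking", "International Data Transfers",
    "Data Retention & Deletion", "Security & Certifications",
    "User/Data Subject Rights", "Sector-Specific & Special Laws",
    "Law Enforcement & Gov't Requests", "Governance & Program Maturity",
    "Business Model & Incentives", "Contractual Readiness",
    "Transparency & Language Quality",
]

# (regex, category, rating when matched, one-line finding). The phrases come from the
# framework text; the rating assigned to each is an assumption of this example.
RED_FLAGS = [
    (r"including,?\s+but\s+not\s+limited\s+to", "Purposes & Secondary Uses", "Medium",
     "overbroad purpose language"),
    (r"for\s+(?:our\s+)?business\s+purposes", "Purposes & Secondary Uses", "High",
     "unbounded secondary use"),
    (r"(?:train|improve)\w*\s+(?:our\s+)?(?:ai|machine[-\s]learning|models?)\b",
     "AI/ML Practices", "High", "customer data used for model training"),
    (r"as\s+long\s+as\s+(?:is\s+)?necessary", "Data Retention & Deletion", "Medium",
     "retention period not stated"),
]

# Statements whose absence is the finding (section 14: explicit "we do not sell" statement).
EXPECTED_STATEMENTS = [
    (r"we\s+do\s+not\s+sell", "Business Model & Incentives", "Medium",
     "no explicit 'we do not sell data' statement"),
]

SEVERITY = {"Low": 0, "Medium": 1, "High": 2}


def _quote(text, m, margin=40):
    """Context window around a match so the finding cites the vendor's own words."""
    return " ".join(text[max(0, m.start() - margin): m.end() + margin].split())


def scan(text):
    """Return {category: [(rating, evidence, note), ...]} for everything the text supports."""
    findings = defaultdict(list)
    for pattern, cat, rating, note in RED_FLAGS:
        for m in re.finditer(pattern, text, re.I):
            findings[cat].append((rating, _quote(text, m), note))
    for pattern, cat, rating, note in EXPECTED_STATEMENTS:
        m = re.search(pattern, text, re.I)
        if m:
            findings[cat].append(("Low", _quote(text, m), "explicit no-sale statement present"))
        else:
            findings[cat].append((rating, "(no statement found)", note))
    return findings


def rate(findings):
    """Worst finding per category; a category with no evidence is Unknown, never Low."""
    return {cat: max((r for r, _, _ in findings[cat]), key=SEVERITY.__getitem__)
            if findings.get(cat) else "Unknown" for cat in CATEGORIES}


def overall(ratings):
    """(overall rating, traffic light): any High -> Red; any Medium or Unknown -> Yellow."""
    vals = set(ratings.values())
    if "High" in vals:
        return "High", "Red"
    if "Medium" in vals or "Unknown" in vals:
        return "Medium", "Yellow"
    return "Low", "Green"


def heatmap(ratings, findings):
    """Markdown table in the shape of report section III."""
    rows = ["| Category | Risk Rating | Key Finding |", "|----------|-------------|-------------|"]
    for cat in CATEGORIES:
        hits = findings.get(cat, [])
        key = max(hits, key=lambda h: SEVERITY[h[0]])[2] if hits else "no evidence located"
        rows.append(f"| {cat} | {ratings[cat]} | {key} |")
    return "\n".join(rows)


def follow_up_questions(ratings):
    """One due-diligence question per Unknown category (see 'When Information Is Missing')."""
    return [f"Please provide documentation covering: {cat}." for cat, r in ratings.items() if r == "Unknown"]


def evaluate(text):
    findings = scan(text)
    ratings = rate(findings)
    return {"findings": findings, "ratings": ratings, "overall": overall(ratings),
            "heatmap": heatmap(ratings, findings), "questions": follow_up_questions(ratings)}


# Constructed sample policy text for the demo; not taken from any real vendor.
SAMPLE_POLICY = """
We collect information you provide, including, but not limited to, your name,
email address and usage data. We may use this information for our business
purposes and to train our machine learning models. We retain personal data for
as long as necessary to provide the Services.
"""

if __name__ == "__main__":
    result = evaluate(SAMPLE_POLICY)
    print(result["heatmap"])
    print("Overall:", *result["overall"])
    for q in result["questions"]:
        print("-", q)
```

On the constructed sample the scanner rates Purposes & Secondary Uses and AI/ML Practices High, Data Retention & Deletion and Business Model & Incentives Medium, leaves the other eleven rows Unknown with a follow-up question each, and so lands on High / Red. It is a triage pass over a single document, useful for spotting the quotable phrases before the skill runs or for checking that the report's heatmap actually cites them; it does not read a trust center, a subprocessor list or a DPA, so the Unknown rows are exactly the ones the skill still has to fill from other sources.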
How to use

  1. Attach the skill: add privacy-report.md to a new Claude chat.
  2. Point it at the vendor: give a vendor URL, upload their privacy policy, terms, or DPA, or just name the product. You can also paste policy text directly.
  3. Get the evaluation: Claude crawls the available pages, synthesizes the materials, and produces the full report, flagging anything it couldn't find as a due-diligence question.
