USE CASE: B2B

Vendor Privacy Assessment

Evaluate third-party vendor websites for PII exposure before sharing customer data. Part of your GDPR due diligence.

Why Vendor Assessment Matters

"Controllers shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation."

— GDPR Article 28(1)

Under GDPR, you're responsible for ensuring your vendors handle personal data appropriately. If a vendor you share customer data with has poor security practices (like exposing PII on their website), you could be held liable for inadequate due diligence.

60% of data breaches involve third parties
€4.45M average data breach cost (2024)
72h GDPR breach notification deadline

Red Flags in Vendor Websites

A vendor's public website can reveal a lot about their internal data handling practices. Here's what piisafe.eu checks:

Exposed Customer Data (High Risk)

Real customer names, emails, or account details visible in HTML source, error messages, or cached pages. Indicates serious security issues.

Financial Data in URLs (High Risk)

Credit card numbers, bank accounts, or payment tokens in URL parameters. Often indexed by search engines.

Test Data in Production (Medium Risk)

Sample SSNs, dummy credit cards, or "test@example.com" emails visible on live pages. Suggests poor deployment practices.

Debug Information (Medium Risk)

Stack traces, API responses, or internal system details exposed. Could reveal infrastructure vulnerabilities.

No PII Detected (Good Sign)

Clean scan with Grade A. Suggests good data handling practices and awareness of privacy requirements.

Proper Masking (Good Sign)

Examples use clearly fake data (John Doe, 555-0100, 4111-****-****). Shows intentional privacy considerations.
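The categories above are, in effect, a classifier: each match is either real-looking PII (high risk), recognisable test data (medium risk), or properly masked (good sign). The script below is an added illustration of that logic and is not piisafe.eu's code. Its regular expressions, its placeholder heuristics (RFC 2606 reserved domains, the fictional 555-01XX phone range, SSN area numbers that are never assigned, a few widely published payment-gateway test card numbers) and its A/C/F grade mapping are assumptions made for this example, and the HTML snippet it scans is constructed.

```python
"""Toy PII classifier for vendor-page findings (added example, not piisafe.eu's code)."""
import re
from dataclasses import dataclass

# Assumed patterns for the PII kinds named on the page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PHONE_RE = re.compile(r"\b(?:\d{3}[-. ])?(\d{3})[-. ](\d{4})\b")
# 12-19 digits or '*' with optional separators: catches "4111111111111111" and "4111-****-****".
CARD_RE = re.compile(r"(?<![\d*])(?:[\d*][ -]?){11,18}[\d*](?![\d*])")

RESERVED_DOMAINS = {"example.com", "example.org", "example.net"}   # RFC 2606
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}          # RFC 2606
TEST_CARDS = {"4111111111111111", "5555555555554444", "378282246310005"}  # published gateway test PANs
SAMPLE_SSNS = {"123-45-6789"}  # ubiquitous placeholder in docs

# Constructed sample page; none of these values belong to a real vendor or person.
SAMPLE_HTML = """
<p>Support: jane.doe@example.com</p>
<p>Card on file: 4111-****-****</p>
<p>Phone: 555-0100</p>
<p>Sample ID: 123-45-6789</p>
<script>var u = {"email": "m.keller@acme-customer-corp.com", "card": "4111111111111111"};</script>
<p>Card: 4916 5432 1098 7651</p>
"""


@dataclass
class Finding:
    kind: str
    value: str
    severity: str  # "high", "medium" (test data) or "good" (masked)
    note: str


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used to reject digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_placeholder_domain(domain: str) -> bool:
    domain = domain.lower()
    return domain in RESERVED_DOMAINS or domain.rsplit(".", 1)[-1] in RESERVED_TLDS


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in EMAIL_RE.finditer(text):
        domain = m.group(0).rsplit("@", 1)[1]
        if is_placeholder_domain(domain):
            findings.append(Finding("email", m.group(0), "medium", "placeholder domain (test data)"))
        else:
            findings.append(Finding("email", m.group(0), "high", "real-looking address"))
    for m in SSN_RE.finditer(text):
        area = int(m.group(1))
        # Area numbers 000, 666 and 900-999 are never assigned by the SSA.
        if m.group(0) in SAMPLE_SSNS or area in (0, 666) or area >= 900:
            findings.append(Finding("ssn", m.group(0), "medium", "invalid/sample SSN (test data)"))
        else:
            findings.append(Finding("ssn", m.group(0), "high", "plausible SSN"))
    for m in CARD_RE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group(0))
        if "*" in raw:
            findings.append(Finding("card", m.group(0), "good", "masked card number"))
        elif len(raw) >= 13 and luhn_ok(raw):
            if raw in TEST_CARDS:
                findings.append(Finding("card", m.group(0), "medium", "published test card (test data)"))
            else:
                findings.append(Finding("card", m.group(0), "high", "Luhn-valid card number"))
        # Anything else (timestamps, IDs) fails Luhn and is ignored.
    for m in PHONE_RE.finditer(text):
        exchange, line = m.group(1), int(m.group(2))
        # 555-0100 through 555-0199 are reserved for fictional use in the NANP.
        if exchange == "555" and 100 <= line <= 199:
            findings.append(Finding("phone", m.group(0), "medium", "fictional 555-01XX number (test data)"))
        else:
            findings.append(Finding("phone", m.group(0), "high", "real-looking number; confirm it is not a business line"))
    return findings


def grade(findings: list[Finding]) -> str:
    """Assumed mapping onto the page's letter grades: any high -> F, any medium -> C, else A."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "F"
    if "medium" in severities:
        return "C"
    return "A"


if __name__ == "__main__":
    results = scan(SAMPLE_HTML)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:5} {f.value!r}: {f.note}")
    print("Grade:", grade(results))
```

The sample page earns an F because of the address in the inline script and the Luhn-valid card number, even though the masked card, the 555-0100 phone and the example.com address are exactly the "proper masking" and "test data" signals the page describes. Two caveats a reviewer should carry into the assessment file: regexes cannot tell a vendor's own support phone number from a customer's, and personal names are not detected at all, so a Grade A from pattern matching alone still needs a human pass over case studies and documentation (checklist items 4 and 5).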

Vendor Assessment Checklist

Use this checklist when evaluating a new vendor. piisafe.eu scans help with items 3-5.

1. Security Certifications

Does the vendor have ISO 27001, SOC 2, or equivalent certifications?

2. Data Processing Agreement

Is there a GDPR-compliant DPA covering data handling, sub-processors, and breach notification?

3. Website PII Scan (piisafe.eu)

Scan the vendor's public website for exposed PII. Grade A indicates good practices; Grade D-F is a red flag.

4. Documentation Review

Scan vendor documentation and help pages for exposed examples using real PII patterns.

5. Marketing Materials

Check case studies and testimonials for unmasked customer data that could indicate careless handling.

6. Data Residency

Where is customer data stored? EU residency requirements may apply under GDPR Article 44.

7. Breach History

Has the vendor had any public data breaches? Check haveibeenpwned.com and news archives.

How to Conduct a Vendor Scan

  1. Identify Key Pages: Start with the vendor's main website, documentation, and customer portal login page.
  2. Run piisafe.eu Scan: Enter the vendor's URL. Use the GDPR preset for EU vendors or PCI-DSS for payment processors.
  3. Review Findings: Any Grade below B warrants further investigation. High-severity findings (SSN, credit cards) are immediate red flags.
  4. Document Results: Export the scan report and include it in your vendor assessment file. This demonstrates due diligence.
  5. Follow Up: If issues are found, ask the vendor to address them before signing contracts or sharing data.

Assess Your Vendors Now

Free, no registration. Scan any vendor's website for PII exposure in 60 seconds.
