Every vendor that may process, store, or transmit Denialbase customer data — especially PHI — goes through a standardized assessment before being onboarded. See Subprocessors for the full current list.

Vendor assessment criteria

  • Current SOC 2 Type II or ISO 27001 certification (or equivalent).
  • Published security documentation and/or willingness to complete a security questionnaire.
  • Encryption of customer data at rest and in transit.
  • Appropriate access controls and audit logging.
  • Willingness to sign a Business Associate Agreement if PHI may be involved.
  • Understanding of HIPAA Security and Privacy rule obligations.
  • Breach notification commitments aligned with HIPAA §164.410.
  • Documented data residency (US-preferred for most workloads).
  • Clear policy on subprocessor use.
  • Data deletion / return procedures on offboarding.
  • Documented SLA for availability.
  • Status page or equivalent for incident communication.
  • Financial stability appropriate for the service tier.
  • Clear support channels and response SLAs.
  • Commercial terms that don’t unduly restrict our ability to audit or exit.

Onboarding workflow

1. Business case: the requester documents the business need, the data that will flow to the vendor, and whether PHI is involved.
2. Assessment: the security team completes the assessment checklist above. Vendors that will handle PHI also require BAA review.
3. Legal review: legal reviews the contract and the DPA/BAA and negotiates changes if needed.
4. Sign and record: the contract and any BAA are signed, and the vendor is recorded in our vendor register and in Subprocessors.
5. Customer notification: if the vendor is a new subprocessor handling PHI, existing customers are notified per the BAA’s 30-day notice clause.

Ongoing monitoring

  • Annual review — every vendor re-assessed at least annually.
  • Breach monitoring — public breach announcements are tracked; we re-assess any affected vendor within 7 days.
  • SOC 2 / ISO 27001 refresh — we request the latest report annually and review exceptions.
  • Performance review — vendors that consistently miss SLAs are flagged for replacement.

Offboarding

1. Contractual notice: terminate per the contract terms.
2. Data return or deletion: confirm customer data is returned or deleted per the BAA / DPA. Obtain written confirmation where required.
3. Credential cleanup: rotate any shared secrets, revoke API keys, and remove IAM bindings the vendor used.
4. Customer notification: update Subprocessors and notify customers as required.
5. Vendor register update: mark the vendor as offboarded in our register, with the termination date.

Current vendor register

See Subprocessors for the complete list with BAA status and data-residency details.