Resources

Vendor Due Diligence Toolkit

Vendor due diligence differs from due diligence on prospective and/or current donors, in that typically prospect development professionals will not receive regular requests for vendor due diligence. Rather, vendor due diligence is necessary on the buy-side of any relationship with a vendor, not only prior to purchase but also after said purchase, as vendors change over time – either through acquisition and mergers or through further development of their products and features. This toolkit is designed to help prospect development professionals understand their role in vendor due diligence and is meant to offer best practices and to augment any institutional policy regarding vendor engagement and procurement. If your organization does not already have vendor due diligence policies and procedures in place, this toolkit will help you formulate your own. Additionally, if your organization already has vendor due diligence policies and procedures in place, this toolkit could suggest some improvements to your current policy and/or your current due diligence process.

What is Vendor Due Diligence

Prospect development professionals are tasked with mitigating risk to their nonprofit organization through a variety of activities. While typically these activities are aimed directly at prospective donors, prospect development professionals’ skills can also be employed for vendor due diligence processes. Vendor due diligence in this context is the analysis of available data to evaluate the risks of entering into an agreement or partnership with a prospective vendor or continuing an existing relationship with a current vendor. As vendors’ offerings change over time and vendors’ terms and conditions of service can update frequently over time, vendor due diligence should be conducted on a regular schedule. Prospect development professionals, as users of data products and software-as-a-service products, are uniquely positioned to perform vendor due diligence in that prospect development professionals understand the importance and confidentiality of an organization’s data as well as how that internal data can be enriched with external data and through available analytics and reporting platforms.

Vendor due diligence is the specific information analysis through the lens of ethical, legal, security, and privacy concerns the prospective or current vendor presents, either through former, current, or anticipated actions or those of connected persons. These concerns can range from criminal and legal issues to questionable sources of product development, such as with a data vendor the supply chain that vendor took to acquire that data to present such as a product offering. While prospect development professionals may not be the final decision makers, prospect development professionals may make recommendations regarding whether to move forward with a prospective or current vendor.

Reasons to Perform Vendor Due Diligence

Some reasons to perform vendor due diligence research and risks associated with partnering with a prospective vendor or continuing to partner with a current vendor are listed below:

Legal and regulatory risk - Could advancing the relationship with a prospective or current vendor expose the organization to legal or regulatory challenge? Is the prospective or current vendor compliant with data privacy and data security regulations?
Financial risk – Could engaging with a prospective or current vendor jeopardize your organization’s reputation or ability to raise money in the future?
Reputational risk – Could engaging with the vendor be perceived as inappropriate or unethical by your organization’s stakeholders?
Dependency/operational risk – If the prospective or current vendor had to suddenly shut down its services and/or product lines, how would this impact your organization?

Internal Partners and Conversations

No department should work alone when it comes to exploring new vendors. Internal colleagues with whom you should consider partnering include:

Procurement/Sourcing (vendors)
IT and Security/Chief Information Security Officer (CISO) (technology)
Finance (budget)
Project Management
Legal Counsel (contracts)
Chief Privacy Officer

Conversations to consider include new vendor exploration, reviewing current vendors and contracts, the ability to provide technical support and training, and data sharing concerns.

Educause’s Higher Education Community Vendor Assessment Toolkit

Recognizing the need to manage vendor risk in the higher education community, the Higher Education Information Security Council’s (HEISC) Shared Assessments Working Group, working with Internet2 and REN-ISAC, created the Higher Education Community Vendor Assessment Toolkit (HECVAT). Before signing an agreement with a vendor, you can have the vendor fill out the HECVAT questionnaire so you can understand how they will secure your organization’s information. Apra’s ECC suggests partnering with your IT team, who can provide expertise and insight on the technical aspects covered by the HECVAT toolkit.

Vendor responses to the HECVAT questionnaire can be accessed by any organization, which should expedite procurement processes. Additionally, the use of the HECVAT tool will create consistency in the procurement process within an organization. There are several assessment tools available for free to download at the HECVAT website. These tools provide numerous questions which can be useful in vetting vendors. More information about HECVAT can be found here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit

Vendor Due Diligence Suggested Process

The actual process of performing vendor due diligence can include the following (NOTE: Please reference the Search Terms for Vendor Due Diligence Research located herein.):

Review your organization’s current procurement policies.

Search court records for any recent and applicable lawsuits.
Search the sexual offender registry (C-Suite).
Run a negative news search for the vendor and the vendor’s subsidiaries if appropriate.
Search for any negative news via social media and read through social media posts by the vendor.
Research environmental, social, and governance issues, such as human rights policies.
Research vendor’s DEI initiatives and/or C-Suite composition.
Discover and read the terms and conditions of the vendor’s services and privacy policy. See herein Privacy Policies or Terms and Conditions for Common Vendors in Our Sector.
If the vendor under consideration by your organization is providing data enrichment services to your organization, discover how the vendor sources its data (how and from whom). Does your institution allow you to acquire scraped data?
Ask for details regarding the following questions: What does your vendor do with your organization’s data? How long do they keep it? Where is it stored? Who owns it? With whom do they share it to deliver the services you want? How does the vendor minimize bias in their data and models/scores?

Ask the Ethicist: Vendor Due Diligence

In 2020, the Apra Ethics & Compliance Committee authored an Ask the Ethicist column regarding vendor due diligence. To read it in its entirety, please visit the following:

https://connections.aprahome.org/Articles/ask-the-ethicist-vendor-due-diligence

Privacy Policies or Terms and Condition for Common Vendors in Our Sector

When considering using a vendor and/or renewing services with a current vendor, one should thoroughly review the vendor’s stated terms and conditions in addition to their privacy policy to ensure these are in alignment with your organization’s data security, privacy, and sharing practices. The following chart provides links to various vendors’ terms and conditions and privacy policies; this enumeration does not imply endorsement by Apra nor endorsement by any member of the Ethics & Compliance Committee:

Privacy Policies or Terms and Conditions for Common Vendors in Our Sector*
ALUMinate	https://www.aluminateus.com/privacy-policy/
AlumniFinder	https://www.accudata.com/wp-content/uploads/2019/12/AccuData-Privacy-Policy-01.01.2020.pdf
Blackbaud	https://www.blackbaud.com/terms-and-conditions
DonorSearch	https://www.donorsearch.net/wp-content/uploads/2019/12/DS-Privacy-Policy.pdf
Evertrue	https://www.evertrue.com/terms-and-conditions/
HEPdata	https://www.hepdata.com/terms_of_use.html
iWave	https://www.iwave.com/terms-and-conditions/
LexisNexis	https://www.lexisnexis.com/en-us/terms/general/default.page
Live Alumni	https://resources.livealumni.com/privacy-policy/
NOZA	https://www.nozasearch.com/TermsOfService.pdf
Relationship Science (RelSci)	https://www.relsci.com/consumertermsofservice
Salesforce	https://www.salesforce.com/company/legal/sfdc-website-terms-of-service/
Wealth Engine (Acquired by Wealth-X in 2020)	https://www.wealthengine.com/terms-and-conditions/
Wealth-X	https://www.wealthx.com/terms-of-use/
Windfall	https://windfalldata.com/terms-of-service/

*This does not represent an endorsement by Apra.

Checklist of Sources for Vendor Due Diligence Research

Sources	Suggested Search Focus
News databases like Lexis/Nexis or Factiva (see search terms for due diligence research)	Both vendor and C-Suite
Internet search (see search terms for due diligence research)	Both vendor and C-Suite
Court records databases, such as PACER	Both vendor and C-Suite
Website including any associated organizations	Both vendor and C-Suite of parent company
Corporate Watch	Both vendor and C-Suite
Financial Records/Annual Reports	Vendor and pertinent subsidiaries
SEC filings	Vendor, pertinent subsidiaries, and C-Suite of parent company
Companies House	Vendor and pertinent subsidiaries
Corporate registries & business directories, including governmental sites
Foundation Sites like Candid or OSCR
Business and Human Rights Resource Centre
Social Media Presence
Other Sources as relevant

Risk Assessment Scoring Template

In addition to the Educause HECVAT process, a risk assessment score can further guide your organization in developing a consistent, objective, and transparent approach to scoring vendor risk and helps to aid decision making. You may also wish to assign a numeric value for each incident discovered at certain levels.

Risk Level	Financial	Legal & Regulatory	Reputational	Operational/Dependency
High	Evidence of money laundering, fraud, funds misappropriation, and financial irregularities	Substantial and/or repeated evidence of flouting regulations and laws, e.g., criminal convictions and large fines, etc.	Substantial and/or repeated evidence of serious criticism from other organizations, peers and stakeholders; and/or evidence of practices and behaviors that undermine the organization’s public profile, e.g., conflicts with organization’s donation acceptance policy	Substantial evidence that the partnership could undermine the organization’s program work, i.e., the acceptance of the partnership could lead to significant changes to your organization’s strategy
Medium	Not applicable	Evidence of minor flouting of regulations and laws and/or allegations of bad practice	Significant evidence of negative media coverage from other organizations, stakeholders or peers; and/or evidence of practices and behaviors that undermine the organization’s public profile	Significant evidence and/or historical evidence that the partnership could undermine the organization’s program work i.e. the acceptance of the partnership could lead to minor changes to your organization’s strategy
Low	Not applicable	No evidence or allegations of legal and regulatory bad practices	No or minimal negative media coverage on the organization or individual	No or minimal evidence that the partnership could undermine the organization’s mission

Search Terms for Vendor Due Diligence Research

Below are suggested terms to use while conducting vendor due diligence research, whether through a general internet search or via online news sources, such as a newspaper or magazine. These terms should be used with Boolean terms (e.g., and, not, or or) and connectors (e.g., “”, W/n, etc.) for more exhaustive query results. Additionally, when appropriate and able to do so, use wildcard characters (e.g., !, ?, or *) to expand on the root of a search term (e.g., indict! would also return instances of indicting and indictment and indictments). Boolean search tutorials can be viewed here:

SUGGESTED SEARCH TERMS
Scandal	Controversy	Allegation	Corruption	Disgrace
Prosecution	Criticism	Fraud	Investigation	Speculation
Court Case	Lawsuit	Class Action	Sanction	Conspiracy
Defendant	Plaintiff	Verdict	Warrant	Crime
Criminal	Fraudulent	Liable	Damage	Depose
Felony	Malfeasance	Guilty	Misappropriation	Conviction
Indict	Human Rights	Child Labor	Supply Chain	Discrimination
Assault	Sexual Assault	Felony	Racketeering	Antitrust

Lexis Nexis Search Strings

The following is from Lexis Nexis and shared with permission:

How do I find negative information about a company?

Intel w/10 abus! or accus! or alleg! or arraign! or arrest! or assault! or attack! or bankrupt! or beat! or breach! or brib! or ( chapter pre/1 7 or 11 ) or charg! or conspir! or co-conspir! or convict! or corrupt! or court! or crime or criminal! or critici! or deceiv! or decept! or defendant or defraud! or denied or deny or disciplin! or discrim! or distort! or embattled or fraud! or guilt! or harass! or illegal! or incriminat! or indict! or inside! info! or insolv! or investigat! or judgement or judgment or launder! or liquidat! or litigat! or manipul! or misappropriat! or misconduct or misdeme! or mismanag! or misrepresent! or negligen! or offen! or probat! or prosecut! or racketeer! or revocation or revoke* or risk! or sabotag! or sanction! or scam! or scandal! or separat! or steal! or stole* or sued or suing or suspen! or terroris! or theft or threat! or unlawful! or verdict or violat! or violen!

Credits:

This vendor due diligence toolkit was initially drafted by Apra’s Ethics and Compliance Committee’s subcommittee members Elizabeth Goodman, Lori Hood Lawson, Jennifer Schlager, and Megan Horton. This toolkit utilizes many elements of the Due Diligence Toolkit as well.