Vendor Due Diligence Toolkit

Vendor due diligence differs from due diligence on prospective and/or current donors, in that typically prospect development professionals will not receive regular requests for vendor due diligence. Rather, vendor due diligence is necessary on the buy-side of any relationship with a vendor, not only prior to purchase but also after said purchase, as vendors change over time – either through acquisition and mergers or through further development of their products and features. This toolkit is designed to help prospect development professionals understand their role in vendor due diligence and is meant to offer best practices and to augment any institutional policy regarding vendor engagement and procurement. If your organization does not already have vendor due diligence policies and procedures in place, this toolkit will help you formulate your own. Additionally, if your organization already has vendor due diligence policies and procedures in place, this toolkit could suggest some improvements to your current policy and/or your current due diligence process. 

What is Vendor Due Diligence

Prospect development professionals are tasked with mitigating risk to their nonprofit organization through a variety of activities. While typically these activities are aimed directly at prospective donors, prospect development professionals’ skills can also be employed for vendor due diligence processes. Vendor due diligence in this context is the analysis of available data to evaluate the risks of entering into an agreement or partnership with a prospective vendor or continuing an existing relationship with a current vendor. As vendors’ offerings change over time and vendors’ terms and conditions of service can update frequently over time, vendor due diligence should be conducted on a regular schedule. Prospect development professionals, as users of data products and software-as-a-service products, are uniquely positioned to perform vendor due diligence in that prospect development professionals understand the importance and confidentiality of an organization’s data as well as how that internal data can be enriched with external data and through available analytics and reporting platforms. 

Vendor due diligence is the specific information analysis through the lens of ethical, legal, security, and privacy concerns the prospective or current vendor presents, either through former, current, or anticipated actions or those of connected persons. These concerns can range from criminal and legal issues to questionable sources of product development, such as with a data vendor the supply chain that vendor took to acquire that data to present such as a product offering. While prospect development professionals may not be the final decision makers, prospect development professionals may make recommendations regarding whether to move forward with a prospective or current vendor.

Reasons to Perform Vendor Due Diligence

Some reasons to perform vendor due diligence research and risks associated with partnering with a prospective vendor or continuing to partner with a current vendor are listed below:

  • Legal and regulatory risk - Could advancing the relationship with a prospective or current vendor expose the organization to legal or regulatory challenge? Is the prospective or current vendor compliant with data privacy and data security regulations? 
  • Financial risk – Could engaging with a prospective or current vendor jeopardize your organization’s reputation or ability to raise money in the future? 
  • Reputational risk – Could engaging with the vendor be perceived as inappropriate or unethical by your organization’s stakeholders?
  • Dependency/operational risk – If the prospective or current vendor had to suddenly shut down its services and/or product lines, how would this impact your organization? 

Internal Partners and Conversations

No department should work alone when it comes to exploring new vendors. Internal colleagues with whom you should consider partnering include:

  • Procurement/Sourcing (vendors)
  • IT and Security/Chief Information Security Officer (CISO) (technology)
  • Finance (budget)
  • Project Management
  • Legal Counsel (contracts)
  • Chief Privacy Officer


Conversations to consider include new vendor exploration, reviewing current vendors and contracts, the ability to provide technical support and training, and data sharing concerns. 

Educause’s Higher Education Community Vendor Assessment Toolkit

Recognizing the need to manage vendor risk in the higher education community, the Higher Education Information Security Council’s (HEISC) Shared Assessments Working Group, working with Internet2 and REN-ISAC, created the Higher Education Community Vendor Assessment Toolkit (HECVAT).  Before signing an agreement with a vendor, you can have the vendor fill out the HECVAT questionnaire so you can understand how they will secure your organization’s information. Apra’s ECC suggests partnering with your IT team, who can provide expertise and insight on the technical aspects covered by the HECVAT toolkit. 

Vendor responses to the HECVAT questionnaire can be accessed by any organization, which should expedite procurement processes. Additionally, the use of the HECVAT tool will create consistency in the procurement process within an organization. There are several assessment tools available for free to download at the HECVAT website. These tools provide numerous questions which can be useful in vetting vendors. More information about HECVAT can be found here:


Vendor Due Diligence Suggested Process

The actual process of performing vendor due diligence can include the following (NOTE: Please reference the Search Terms for Vendor Due Diligence Research located herein.):

  • Review your organization’s current procurement policies.
  • Search court records for any recent and applicable lawsuits.
  • Search the sexual offender registry (C-Suite).
  • Run a negative news search for the vendor and the vendor’s subsidiaries if appropriate.
  • Search for any negative news via social media and read through social media posts by the vendor.
  • Research environmental, social, and governance issues, such as human rights policies.
  • Research vendor’s DEI initiatives and/or C-Suite composition.
  • Discover and read the terms and conditions of the vendor’s services and privacy policy. See herein Privacy Policies or Terms and Conditions for Common Vendors in Our Sector.
  • If the vendor under consideration by your organization is providing data enrichment services to your organization, discover how the vendor sources its data (how and from whom). Does your institution allow you to acquire scraped data? 
  • Ask for details regarding the following questions: What does your vendor do with your organization’s data? How long do they keep it? Where is it stored? Who owns it? With whom do they share it to deliver the services you want? How does the vendor minimize bias in their data and models/scores?

Ask the Ethicist: Vendor Due Diligence

In 2020, the Apra Ethics & Compliance Committee authored an Ask the Ethicist column regarding vendor due diligence. To read it in its entirety, please visit the following:


Privacy Policies or Terms and Condition for Common Vendors in Our Sector

When considering using a vendor and/or renewing services with a current vendor, one should thoroughly review the vendor’s stated terms and conditions in addition to their privacy policy to ensure these are in alignment with your organization’s data security, privacy, and sharing practices. The following chart provides links to various vendors’ terms and conditions and privacy policies; this enumeration does not imply endorsement by Apra nor endorsement by any member of the Ethics & Compliance Committee: 


Privacy Policies or Terms and Conditions for Common Vendors in Our Sector*









Live Alumni 


Relationship Science (RelSci) 


Wealth Engine

(Acquired by Wealth-X in 2020) 



*This does not represent an endorsement by Apra.

Checklist of Sources for Vendor Due Diligence Research


Suggested Search Focus

News databases like Lexis/Nexis or Factiva (see search terms for due diligence research)

Both vendor and C-Suite

Internet search (see search terms for due diligence research)

Both vendor and C-Suite

Court records databases, such as PACER

Both vendor and C-Suite

Website including any associated organizations

Both vendor and C-Suite of parent company

Corporate Watch

Both vendor and C-Suite

Financial Records/Annual Reports

Vendor and pertinent subsidiaries

SEC filings

Vendor, pertinent subsidiaries, and C-Suite of parent company

Companies House

Vendor and pertinent subsidiaries

Corporate registries & business directories, including governmental sites


Foundation Sites like Candid or OSCR


Business and Human Rights Resource Centre


Social Media Presence 


Other Sources as relevant


Risk Assessment Scoring Template

In addition to the Educause HECVAT process, a risk assessment score can further guide your organization in developing a consistent, objective, and transparent approach to scoring vendor risk and helps to aid decision making. You may also wish to assign a numeric value for each incident discovered at certain levels.

Risk Level


Legal & Regulatory 




Evidence of money laundering, fraud, funds misappropriation, and financial irregularities   

Substantial and/or repeated evidence of flouting regulations and laws, e.g., criminal convictions and large fines, etc.

Substantial and/or repeated evidence of serious criticism from other organizations, peers and stakeholders; and/or evidence of practices and behaviors that undermine the organization’s public profile, e.g., conflicts with organization’s donation acceptance policy 

Substantial evidence that the partnership could undermine the organization’s program work, i.e., the acceptance of the partnership could lead to significant changes to your organization’s strategy 


Not applicable

Evidence of minor flouting of regulations and laws and/or allegations of bad practice 

Significant evidence of negative media coverage from other organizations, stakeholders or peers; and/or evidence of practices and behaviors that undermine the organization’s public profile 

Significant evidence and/or historical evidence that the partnership could undermine the organization’s program work i.e. the acceptance of the partnership could lead to minor changes to your organization’s strategy 


Not applicable 

No evidence or allegations of legal and regulatory bad practices

No or minimal negative media coverage on the organization or individual 

No or minimal evidence that the partnership could undermine the organization’s mission

Search Terms for Vendor Due Diligence Research

Below are suggested terms to use while conducting vendor due diligence research, whether through a general internet search or via online news sources, such as a newspaper or magazine. These terms should be used with Boolean terms (e.g., and, not, or or) and connectors (e.g., “”, W/n, etc.) for more exhaustive query results. Additionally, when appropriate and able to do so, use wildcard characters (e.g., !, ?, or *) to expand on the root of a search term (e.g., indict! would also return instances of indicting and indictment and indictments). Boolean search tutorials can be viewed here: 












Court Case


Class Action



















Human Rights 

Child Labor

Supply Chain



Sexual Assault




Lexis Nexis Search Strings


The following is from Lexis Nexis and shared with permission: 

How do I find negative information about a company? 


Intel w/10 abus! or accus! or alleg! or arraign! or arrest! or assault! or attack! or bankrupt! or beat! or breach! or brib! or ( chapter pre/1 7 or 11 ) or charg! or conspir! or co-conspir! or convict! or corrupt! or court! or crime or criminal! or critici! or deceiv! or decept! or defendant or defraud! or denied or deny or disciplin! or discrim! or distort! or embattled or fraud! or guilt! or harass! or illegal! or incriminat! or indict! or inside! info! or insolv! or investigat! or judgement or judgment or launder! or liquidat! or litigat! or manipul! or misappropriat! or misconduct or misdeme! or mismanag! or misrepresent! or negligen! or offen! or probat! or prosecut! or racketeer! or revocation or revoke* or risk! or sabotag! or sanction! or scam! or scandal! or separat! or steal! or stole* or sued or suing or suspen! or terroris! or theft or threat! or unlawful! or verdict or violat! or violen!


This vendor due diligence toolkit was initially drafted by Apra’s Ethics and Compliance Committee’s subcommittee members Elizabeth Goodman, Lori Hood Lawson, Jennifer Schlager, and Megan Horton. This toolkit utilizes many elements of the Due Diligence Toolkit as well.