The vendor risk level is determined by your organization and is assigned one of three tiers: low-risk, medium-risk, or high-risk.
Here are guidelines for determining those risk levels:
- High: High-risk vendors are those that can have a serious impact on your business, such as cloud infrastructure services, databases as a service, version control, and email services. In addition, any service that stores sensitive customer data beyond the customer name or basic contact information should be designated as high-risk.
- Medium: Medium-risk vendors are those that may store your own employees' PII, or knowledge tools used to store confidential internal information, such as Lever, Gusto, Trinet, or Notion.
- Low: Low-risk vendors are those that don’t store sensitive information. Examples of low-risk vendors are design or video tools such as Figma, Zapier, or Zoom.