Skip to main content
Back to Indigenous Services

Fictional Proof Asset Preview

Vendor Risk Review Sample for Indigenous Organizations

A public preview of a fictional vendor risk review sample built for Indigenous organizations evaluating software, MSP, cloud, and health system providers.

View all proof assets
8Assessment criteriaSecurity, privacy, sovereignty, support, and exit readiness
4Vendor typesMSP, SaaS, health records, and cloud providers
Conditional approval memoOutputRecommended, conditional, or not recommended

What this preview shows

This preview shows how a vendor review can score security, data sovereignty, implementation risk, and accountability before a contract is signed, renewed, or renegotiated.

Best fit

Communities and Indigenous organizations reviewing vendors that host, process, support, or access sensitive community data.

Tier 3: Implementation and Procurement

Procurement Gate Review

The sample is built to support pre-signing and renewal decisions, not only technical implementation planning.

  • Documents renewal timing, vendor dependency, and community exposure before the next term
  • Confirms whether community data is hosted in Canada
  • Reviews whether subprocessors can access sensitive records
  • Checks termination and data return obligations before lock-in occurs

Contract Follow-Up

The review produces negotiation priorities and a decision memo so procurement and leadership know what to fix before signing or renewal.

  • Breach notification timelines and named contacts
  • Right to export community data in a usable format
  • Security reporting cadence, subprocessor visibility, and incident escalation responsibilities

Sample vendor scoring extract

The table below is a limited public excerpt from a fictional sample. The full version includes more context, assumptions, and implementation notes.

CriterionWeightReview focus
Data sovereignty and residency20%Ownership, hosting location, subprocessors, and export terms
Security controls20%MFA, logging, encryption, backup, and vulnerability management
Incident accountability15%Notification timeline, response role, and escalation contact

Related control areas

Third-party riskData residencyContract reviewIncident escalation

Request the complete fictional sample

See the full sample structure

The public preview is intentionally limited. Request the full fictional sample if you want to review how this deliverable is fully structured and sequenced in practice. The full fictional sample includes a renewal context, weighted scoring, a conditional approval decision memo, negotiation priorities, and follow-up actions for procurement and contract renewal.

Book a consultation