In 2020, attackers compromised SolarWinds — a software provider used by thousands of organisations — and used that access to infiltrate their customers’ networks. The targets included government agencies and large enterprises. But the lesson for small businesses is the same: your security is only as strong as the weakest link in your supply chain.

Most small businesses use 10 to 40 SaaS tools. Every one of those tools has access to some combination of your data, your customer records, your financial systems, or your employee information. When you sign up for a new tool without asking the right questions, you’re extending implicit trust to a company you know almost nothing about.

Here’s a practical framework for managing that risk — without a procurement department or a legal team.

Why vendor risk matters more than you think

A supply chain attack targets you not directly, but through a trusted supplier. The attacker compromises a software vendor, a payroll provider, or a managed IT company — then uses that trusted access to reach the vendor’s clients. Because the malicious code or connection comes from a trusted source, it bypasses many security controls.

Small businesses are disproportionately vulnerable because they tend to vet vendors less rigorously than large enterprises. Attackers know this.

There’s also a UK GDPR angle that doesn’t get talked about enough. Every SaaS tool you connect to your Google Workspace or Microsoft 365 can read your email, calendar, files, or contacts — often far beyond what it actually needs. When that vendor suffers a breach, your customers’ data is exposed. You’re the one who has to notify the ICO, deal with regulatory consequences under the Data Protection Act 2018, and manage the reputational fallout. The vendor just sends you a sorry email.

Many SaaS tools are also connected to each other through API keys and OAuth tokens. If a vendor with one of your API keys is compromised, the attacker now has programmatic access to whatever that key permitted — which might include your payment processor, your cloud storage, or your customer database.

A simple vendor assessment checklist

You don’t need to run a full enterprise risk assessment for every SaaS subscription. You need to ask the right questions before you hand over access or data.

Before you sign up:

- What data will this vendor access or store? Define it explicitly — is it customer PII, financial records, employee data, health information?
- Where is the data stored? Data from UK customers held by a US company may trigger UK GDPR obligations.
- Does the vendor have a SOC 2 Type II report? This is a third-party audit verifying that their security controls work in practice over a sustained period — ask for it, or look for it on their trust/security page.
- What’s their breach notification policy? Under UK GDPR, you need to be notified promptly if your data is involved in a breach. A vendor who says “we’ll notify you when we can” isn’t acceptable.

Contract and legal requirements:

- Is there a Data Processing Agreement (DPA)? If the vendor processes personal data on your behalf, a DPA is legally required under UK GDPR. Reputable vendors have a standard DPA available on request.
- Does the contract include a breach notification clause with a defined timeline?
- What are the data deletion obligations when you end the service? The vendor should agree to delete your data within a defined period after contract termination.

Ongoing due diligence:

- Is the vendor’s security page public and up to date?
- Have they had a notable breach in the past two years? A quick search of their company name plus “breach” or “security incident” takes 60 seconds.
- Is there a responsible disclosure policy?

Tiering your vendors by risk

Not every vendor deserves the same level of scrutiny. Tiering lets you focus your effort where it matters.

Tier 1 — High risk: Vendors with access to sensitive customer data, financial systems, employee records, or administrative access to your infrastructure. Examples: payroll provider, accounting software, CRM with full customer records, your managed IT provider.

For Tier 1 vendors, complete the full checklist, require a signed DPA, and review their security posture annually.

Tier 2 — Medium risk: Vendors with access to some business data but not your most sensitive records. Examples: project management tools with client names, marketing platforms with email lists.

For Tier 2 vendors, verify SOC 2 or ISO 27001, review their privacy policy, and ensure a DPA is in place if they process personal data.

Tier 3 — Low risk: Productivity tools with no access to sensitive data. Examples: design tools used only for internal assets, a screen recording tool with no cloud upload.

For Tier 3 vendors, apply basic sense-checking and move on. Don’t spend an hour vetting a £10/month utility.

The offboarding process — often overlooked, always important

Most businesses vet new vendors reasonably well. Almost none manage the end of a vendor relationship properly.

When you stop using a vendor’s service: revoke all access tokens and API keys they hold (check your Google Workspace third-party apps, your Microsoft 365 connected apps, and any cloud provider’s IAM console). Request data deletion in writing and keep a record of the confirmation — especially important if you have a DPA that requires them to delete your data within a set period. Remove the vendor from your asset inventory. Change any shared credentials. And note what data the vendor held before you close the account — if they’re ever involved in a breach after offboarding, you’ll need to know whether your customers’ data was affected.

Putting it together: a 30-minute vendor review

Set aside 30 minutes and work through this. List every SaaS tool your business uses — check your email for subscription receipts if you’re not sure. Assign each one to Tier 1, 2, or 3 based on the data they access. For each Tier 1 vendor, spend five minutes checking whether they have a public security page, a SOC 2 Type II report, and a DPA template available. Flag any Tier 1 vendor without these, and contact them to request documentation before your next renewal date.
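The 30-minute review above, written out as a small script so it can be repeated before every renewal cycle. This is an added example, not code from the original article: the inventory is constructed, the field names (data_types, admin_access, soc2_type2, iso27001, dpa_signed, renewal) are this example's assumptions, and it applies the three-tier rules and per-tier checklist exactly as the article states them.

```python
from dataclasses import dataclass
from datetime import date
# Data categories the article puts in Tier 1, and those that count as personal data (DPA needed).
SENSITIVE = {"customer_pii", "financial", "employee_records", "health"}
PERSONAL = SENSITIVE | {"client_names", "email_list"}
REVIEW_DATE = date(2025, 1, 10)  # constructed "today" for the sample run
@dataclass
class Vendor:  # one row of the SaaS inventory; field names are this example's assumptions
    name: str
    data_types: frozenset = frozenset()  # data categories the vendor can access
    admin_access: bool = False           # administrative access to your infrastructure
    security_page: bool = False
    soc2_type2: bool = False
    iso27001: bool = False
    dpa_signed: bool = False
    renewal: "date | None" = None
def tier(v: Vendor) -> int:
    # Tier 1: sensitive data or admin access; Tier 2: other business data; Tier 3: none.
    if v.admin_access or v.data_types & SENSITIVE:
        return 1
    return 2 if v.data_types else 3
def gaps(v: Vendor) -> list:
    # Checklist items the article requires at this tier that the vendor cannot show.
    t, missing = tier(v), []
    if t == 1:
        if not v.security_page: missing.append("public security page")
        if not v.soc2_type2: missing.append("SOC 2 Type II report")
        if not v.dpa_signed: missing.append("signed DPA")
    elif t == 2:
        if not (v.soc2_type2 or v.iso27001): missing.append("SOC 2 or ISO 27001")
        if v.data_types & PERSONAL and not v.dpa_signed: missing.append("DPA")
    return missing
def review(vendors: list, today: date, horizon_days: int = 90) -> list:
    # Vendors with gaps, Tier 1 before Tier 2, soonest renewal first; flag renewals inside the horizon.
    report = []
    for v in vendors:
        missing = gaps(v)
        if not missing:
            continue
        days = (v.renewal - today).days if v.renewal else None
        report.append({"vendor": v.name, "tier": tier(v), "missing": missing, "renews_in_days": days,
                       "chase_now": days is not None and days <= horizon_days})
    return sorted(report, key=lambda r: (r["tier"], r["renews_in_days"] is None, r["renews_in_days"] or 0))
INVENTORY = [  # constructed sample inventory, not real vendors
    Vendor("PayrollCo", frozenset({"employee_records", "financial"}), security_page=True,
           soc2_type2=True, renewal=date(2025, 3, 1)),                      # Tier 1, no DPA yet
    Vendor("ITSupport Ltd", admin_access=True, dpa_signed=True, renewal=date(2025, 1, 20)),
    Vendor("MailBlast", frozenset({"email_list"}), renewal=date(2025, 9, 1)),  # Tier 2, nothing verified
    Vendor("IconMaker"),                                                     # Tier 3: sense-check and move on
]
```

Running review(INVENTORY, REVIEW_DATE) lists the two Tier 1 vendors first, both flagged to chase now because they renew within 90 days, then the Tier 2 mailing tool; the Tier 3 design tool never appears.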

Vendor risk management doesn’t need to be a complex procurement process. It needs to be a habit: ask the right questions before you share data, document the answers, and clean up access when relationships end. The businesses that do this consistently are the ones that avoid the headline-making breaches — because attackers take the path of least resistance, and a vendor-aware business is rarely the easiest target in the room.