Official Verified

vendor-risk-assessment

Assess third-party vendor risk for AI and SaaS products. Evaluates security posture, data handling and privacy, compliance, financial stability, operational resilience, and contractual terms. Use when onboarding new vendors, conducting annual reviews, or building a vendor management program. Generates a scored risk report with mitigation recommendations. Built by AfrexAI.


Install via CLI (Recommended)

clawhub install openclaw/skills/skills/afrexai-cto/afrexai-vendor-risk-assessment

Vendor Risk Assessment

Evaluate any AI/SaaS vendor across 6 risk dimensions. Outputs a scored report with a go/no-go recommendation.

When to Use

  • Onboarding a new SaaS or AI vendor
  • Annual vendor review cycle
  • Evaluating build-vs-buy decisions
  • Due diligence for partnerships or acquisitions
  • Compliance requirements (SOC 2, ISO 27001, GDPR)

How to Use

The user provides vendor details (name, product, website, any available documentation). The agent researches the vendor from the supplied material and public sources, then scores it across the 6 dimensions below, citing the evidence behind each score.

Input Format

Vendor: [Company Name]
Product: [Product/Service Name]
Website: [URL]
Use Case: [What you'd use it for]
Data Sensitivity: [low/medium/high/critical]
Additional Context: [Any docs, certifications, or concerns]

Assessment Framework

6 Risk Dimensions (each scored 1-10)

1. Security Posture

  • SOC 2 Type II report (an attestation, not a certification) and how recent it is
  • Penetration testing cadence
  • Encryption (at rest + in transit)
  • Access controls and authentication
  • Incident response plan
  • Bug bounty program

2. Data Handling & Privacy

  • Data residency and sovereignty
  • Data retention and deletion policies
  • Sub-processor transparency
  • GDPR/CCPA compliance
  • Data portability (can you get your data out?)
  • Whether customer data is used to train or fine-tune models, and whether opt-out is available and on by default

3. Compliance & Certifications

  • SOC 2, ISO 27001, HIPAA, FedRAMP
  • Industry-specific (PCI DSS, HITRUST, etc.)
  • AI-specific (EU AI Act readiness, NIST AI RMF)
  • Audit frequency and transparency
  • Regulatory track record

4. Financial Stability

  • Funding stage and runway
  • Revenue indicators (public or estimated)
  • Customer concentration risk
  • Acquisition risk
  • Pricing stability history

5. Operational Resilience

  • Uptime SLA and historical performance
  • Disaster recovery plan
  • Multi-region availability
  • Dependency on a single cloud provider
  • Support responsiveness and escalation paths
  • Change management process

6. Contractual Terms

  • Termination and exit clauses
  • Liability caps and indemnification
  • IP ownership clarity
  • Auto-renewal terms and cancellation notice windows
  • Price increase limitations
  • SLA breach remedies

Output Format

# Vendor Risk Assessment: [Vendor Name]
**Date:** YYYY-MM-DD
**Assessor:** AI Agent (AfrexAI)
**Data Sensitivity Level:** [low/medium/high/critical]

## Overall Risk Score: [X/10] — [LOW/MEDIUM/HIGH/CRITICAL]

## Dimension Scores
| Dimension | Score | Risk Level | Key Finding |
|-----------|-------|------------|-------------|
| Security Posture | X/10 | LOW/MEDIUM/HIGH/CRITICAL | ... |
| Data Handling | X/10 | LOW/MEDIUM/HIGH/CRITICAL | ... |
| Compliance | X/10 | LOW/MEDIUM/HIGH/CRITICAL | ... |
| Financial Stability | X/10 | LOW/MEDIUM/HIGH/CRITICAL | ... |
| Operational Resilience | X/10 | LOW/MEDIUM/HIGH/CRITICAL | ... |
| Contractual Terms | X/10 | LOW/MEDIUM/HIGH/CRITICAL | ... |

## Recommendation: [APPROVE / APPROVE WITH CONDITIONS / REJECT]

## Critical Findings
- [Finding 1]
- [Finding 2]

## Mitigation Requirements (if Approve with Conditions)
1. [Requirement 1 — deadline]
2. [Requirement 2 — deadline]
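The skill text gives the six dimensions and the report template, but not how the six scores roll up into the Overall Risk Score, the Recommendation, or what a score of 10 means. The block below is an added example, not the skill's own code, that renders the Output Format above from structured scores; the score direction (1 = negligible risk, 10 = severe risk), the sensitivity-dependent weights, the level thresholds, and the rule that one CRITICAL dimension forces REJECT are all assumptions made here, and the vendor data is constructed:

```python
"""Render the skill's Output Format from six scored dimensions.

Added example, not the vendor-risk-assessment skill's code. Assumptions:
  * a score is a RISK score: 1 = negligible, 10 = severe;
  * overall score = weighted mean, weights rising with Data Sensitivity so
    the security/data-handling dimensions dominate for sensitive data;
  * one CRITICAL dimension forces REJECT and one HIGH dimension forces at
    least APPROVE WITH CONDITIONS, so a bad dimension cannot be averaged away.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

DIMENSIONS = ("Security Posture", "Data Handling", "Compliance",
              "Financial Stability", "Operational Resilience", "Contractual Terms")
SENSITIVITIES = ("low", "medium", "high", "critical")

# Assumed weight uplifts per Data Sensitivity level; unlisted dimensions weigh 1.0.
_UPLIFT = {
    "low": {},
    "medium": {"Security Posture": 1.5, "Data Handling": 1.5},
    "high": {"Security Posture": 2.0, "Data Handling": 2.0, "Compliance": 1.5},
    "critical": {"Security Posture": 3.0, "Data Handling": 3.0, "Compliance": 2.0},
}


def weights(sensitivity: str) -> dict[str, float]:
    """Per-dimension weight for the given Data Sensitivity input."""
    return {d: _UPLIFT[sensitivity].get(d, 1.0) for d in DIMENSIONS}


def risk_level(score: float) -> str:
    """Assumed thresholds mapping a 1-10 risk score to the template's four levels."""
    return "CRITICAL" if score >= 8 else "HIGH" if score >= 6 else "MEDIUM" if score >= 4 else "LOW"


@dataclass
class Finding:
    dimension: str
    score: int            # 1 (negligible risk) .. 10 (severe risk)
    key_finding: str
    mitigation: str = ""  # "requirement - deadline"; used when conditions apply


@dataclass
class Assessment:
    vendor: str
    sensitivity: str
    findings: list[Finding]
    assessed_on: date = field(default_factory=date.today)

    def __post_init__(self) -> None:
        # Refuse to score a partial or malformed rubric rather than report on it.
        if self.sensitivity not in SENSITIVITIES:
            raise ValueError(f"unknown data sensitivity: {self.sensitivity!r}")
        seen = [f.dimension for f in self.findings]
        if sorted(seen) != sorted(DIMENSIONS):
            raise ValueError(f"need exactly one finding per dimension, got {seen}")
        for f in self.findings:
            if not 1 <= f.score <= 10:
                raise ValueError(f"{f.dimension}: score {f.score} outside 1-10")

    def overall_score(self) -> float:
        w = weights(self.sensitivity)
        return round(sum(w[f.dimension] * f.score for f in self.findings) / sum(w.values()), 1)

    def recommendation(self) -> str:
        worst, overall = max(f.score for f in self.findings), self.overall_score()
        if worst >= 8 or overall >= 6:
            return "REJECT"
        if worst >= 6 or overall >= 4:
            return "APPROVE WITH CONDITIONS"
        return "APPROVE"

    def render(self) -> str:
        overall, rec = self.overall_score(), self.recommendation()
        flagged = [f for f in self.findings if f.score >= 6]  # HIGH or CRITICAL rows
        out = [f"# Vendor Risk Assessment: {self.vendor}",
               f"**Date:** {self.assessed_on.isoformat()}",
               "**Assessor:** AI Agent (AfrexAI)",
               f"**Data Sensitivity Level:** {self.sensitivity}", "",
               f"## Overall Risk Score: {overall}/10 — {risk_level(overall)}", "",
               "## Dimension Scores",
               "| Dimension | Score | Risk Level | Key Finding |",
               "|-----------|-------|------------|-------------|"]
        for d in DIMENSIONS:  # keep the template's row order regardless of input order
            f = next(x for x in self.findings if x.dimension == d)
            out.append(f"| {d} | {f.score}/10 | {risk_level(f.score)} | {f.key_finding} |")
        out += ["", f"## Recommendation: {rec}", "", "## Critical Findings"]
        out += [f"- {f.dimension}: {f.key_finding}" for f in flagged] or ["- none"]
        if rec == "APPROVE WITH CONDITIONS":
            out += ["", "## Mitigation Requirements (if Approve with Conditions)"]
            out += [f"{i}. {f.mitigation}" for i, f in enumerate(flagged, 1)]
        return "\n".join(out)


def sample_assessment() -> Assessment:
    """Constructed input for a fictional vendor; not a real assessment."""
    return Assessment("ExampleCo", "high", [
        Finding("Security Posture", 4, "Current SOC 2 Type II report; annual external pentest"),
        Finding("Data Handling", 6, "Prompts retained 30 days; training opt-out is off by default",
                "Contractual training opt-out and 7-day retention - before go-live"),
        Finding("Compliance", 3, "ISO 27001 certified; GDPR DPA available"),
        Finding("Financial Stability", 5, "Series B; about 18 months runway disclosed"),
        Finding("Operational Resilience", 3, "99.9% SLA, multi-region, public status page"),
        Finding("Contractual Terms", 5, "Liability capped at 12 months of fees; 60-day renewal notice"),
    ])


if __name__ == "__main__":
    print(sample_assessment().render())
```

The gating rule is the part worth keeping whatever weights you settle on: a vendor scoring 2 on five dimensions and 8 on Security Posture averages to a LOW 3.0, yet the 8 alone returns REJECT, which is the behaviour you want when the data is sensitive and the weak dimension is the one protecting it.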

Metadata

Stars: 4473
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin. As written, "auto_update": true pulls in new versions of the plugin without a manual step; set it to false if you want to review each version before it runs.

{
  "plugins": {
    "official-afrexai-cto-afrexai-vendor-risk-assessment": {
      "enabled": true,
      "auto_update": true
    }
  }
}
Safety Note: ClawKit audits metadata but not runtime behavior. Use with caution.