Vendor Contracts and SLAs: Building Security and Resilience Expectations Into Agreements.
When a Sligo accountancy firm's cloud accounting platform suffered a significant data breach in 2023, the firm's clients asked what data had been affected, what the platform provider was doing about it, and when they would be notified. The firm put the same questions to the platform provider. The provider's response was governed entirely by its own terms of service, which capped its liability at one month's subscription fees and contained a notification obligation far less stringent than the one GDPR imposes on the firm itself.
The firm was a data controller under GDPR; the cloud accounting platform was its data processor. As controller, the firm was responsible for ensuring that its processor met appropriate standards, yet the contract contained no security requirements, no breach notification obligation, and no audit right.
The firm faced a DPC inquiry. Its supplier faced an internal review.
What Should a Vendor Security Agreement Contain?
A vendor contract or data processing agreement should contain the security obligations the vendor must meet, the notification timelines for security incidents, the audit rights available to your business, and the consequences of non-compliance. Without these provisions, you are relying entirely on the vendor's own standards and goodwill.
Under GDPR (Article 28), data controllers may engage only processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures, and the controller-processor relationship must be governed by a contract or other legal act that is binding on the processor and in writing. This is a legal obligation, not a negotiating position [^1].
The Provisions Every IT and Cloud Vendor Agreement Needs
Security standards obligation. The vendor must maintain documented security measures appropriate to the risk of the processing: at minimum, encryption of data at rest and in transit, access controls (including multi-factor authentication for administrative access), patch management, and an incident response capability. Higher-risk vendors should be required to hold a recognised certification such as ISO 27001 (or, for smaller vendors, Cyber Essentials) and to maintain it for the life of the contract.
Breach notification. The vendor must notify your business of any security incident affecting your data within a defined number of hours of becoming aware of it. GDPR itself only requires a processor to notify the controller "without undue delay" (Article 33(2)); the contract should turn that into a fixed deadline, and 24 hours is a common and reasonable choice, because your own 72-hour clock for notifying the DPC starts when you become aware of the breach and you need time to assess it. Define "security incident" to cover suspected as well as confirmed compromise, so the vendor cannot withhold notice while it investigates, and require the notice to cover what the vendor knows about the nature of the incident, the data and individuals affected, and the containment measures taken, with updates as the investigation progresses. The "reasonable notice" wording that appears in many template contracts is inadequate for this purpose.
Sub-processor disclosure. Where the vendor uses sub-processors (cloud infrastructure providers, support services, analytics platforms), that chain must be disclosed, the vendor must flow down equivalent security obligations to each sub-processor, and you must be told of changes in advance so that you can object (GDPR Article 28(2) and 28(4)). You cannot manage risks you do not know exist.
Audit right. Your business should have the right to request evidence of the vendor's security measures at least annually (security certifications, penetration test summaries, SOC 2 Type II reports) and, for higher-risk vendors, the right to conduct or commission an audit. GDPR Article 28(3)(h) already requires a processor to make available the information needed to demonstrate compliance and to allow and contribute to audits, so audit language is not an unusual request. Few Irish SMEs exercise this right, but having it in the contract creates accountability.
Data return and deletion. At the end of the contract, the vendor must return or delete all your data, including copies held in backups and by sub-processors, within a defined period, and confirm in writing that deletion is complete. Deletion from live systems and deletion from backups usually happen on different timescales; the contract should state both.
Liability. The vendor's liability for security incidents should be proportional to the risk, not limited to one month's fees. For a vendor processing significant personal data, a one-month fee cap is not a serious remedy for a breach that leads to regulatory enforcement and client harm. A common approach is a separate, higher cap for data protection and security breaches, carved out from the general limitation of liability.
When did you last review the contracts with your most critical cloud and IT vendors? Most Irish SME contracts with cloud vendors were signed when the relationship started, on the vendor's standard terms, with no negotiation of security provisions. Book a free 20-minute strategy call — vendor contract security reviews are increasingly a standard component of our SME advisory engagements.
How to Negotiate Security Provisions
Large SaaS vendors and cloud providers typically publish standard data processing agreements (DPAs) that may or may not meet your needs. Review these specifically against the provisions above. Where gaps exist, request amendments. Many vendors will accommodate reasonable security requests, particularly from established customers.
For smaller Irish vendors — local IT providers, specialist software providers, consultants — the negotiation is more direct. A short security schedule appended to the standard terms, drafted by your solicitor, typically adds the provisions that the vendor's standard terms omit.
The Data Protection Commission has published guidance on the contractual terms required between controllers and processors [^1], and the European Commission has adopted standard contractual clauses for controller-processor agreements under Article 28(7) GDPR; together they provide a starting framework for the GDPR-related provisions.
Why This Matters Right Now
NIS2 Article 21 requires organisations in scope to address supply chain security, including the security-related aspects of their relationships with direct suppliers, as part of their risk management measures. In practice that means contractual requirements on vendors. The DPC has cited inadequate data processing agreements as a compliance gap in enforcement investigations against Irish businesses [^1].
The contract is the main mechanism you have to hold your vendor accountable after an incident. If it contains no security obligations, there is nothing to hold them to. Negotiating security provisions, typically a two-to-four-hour task for your solicitor, is the investment that creates that accountability.
What Next
Identify your highest-risk vendor relationships: those where the vendor processes significant personal data or has access to critical systems. These are your priority for contract review.
Review the security provisions in those contracts. Do they contain breach notification timelines, security standards obligations, audit rights, and adequate liability provisions? If not, identify the gaps.
Ask your solicitor to draft a security schedule for new vendor agreements. For existing relationships, negotiate a contract update at the next renewal. Do not wait for an incident to discover that the contract provides no protection.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Third-Party and Supplier Risk: Making Sure Your IT Vendors Aren't Your Weakest Link
- Data Protection and Customer Trust: Using GDPR as a Competitive Advantage
- Choosing and Managing an External IT and Security Provider: Key Questions and Red Flags
[^1]: Data Protection Commission Ireland — Data Processing Agreements
[^2]: NCSC Ireland — Supply Chain Security
[^3]: An Garda Síochána — National Cyber Crime Bureau
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.