Vendorapp and GDPR


Overview

The General Data Protection Regulation (GDPR) is a key piece of data protection legislation that affects how personal data is collected, processed, and stored across the European Economic Area (EEA) and the United Kingdom. Vendorapp is designed with GDPR principles in mind and helps users meet their compliance obligations when managing vendors and handling personal data.


Data roles

Depending on how you use Vendorapp, both you and Vendorapp may act as either:

  • Data Controller – deciding why and how personal data is processed
  • Data Processor – processing personal data on behalf of a controller

Vendorapp typically acts as a data processor, handling data on your behalf within the platform. However, in certain contexts (such as managing your account or providing support), Vendorapp may also act as a controller.


How Vendorapp supports your GDPR obligations

Vendorapp provides built-in features and processes that align with GDPR requirements, including:

GDPR Principle | How Vendorapp supports it
Data minimization | Only essential data is required during vendor onboarding and assessments
Purpose limitation | Data is used solely for providing and improving the service
Transparency | Users are informed about how their data is used through clear documentation
Accuracy | Editable vendor and user records help keep data up to date
Storage limitation | Data retention settings and account-level export/delete tools are available
Integrity and confidentiality | All data is encrypted in transit and at rest, with strict access controls

Lawful basis and consent

Vendorapp relies on several lawful bases for processing personal data, including:

  • Performance of a contract – to provide you with our services
  • Legitimate interest – for product improvement and security
  • Consent – where applicable, especially for marketing communications

Users can manage their preferences and are given control over what data is collected and retained.


Data subject rights

Vendorapp supports your ability to meet data subject rights, including:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object

Tools within the platform make it easier to action these requests, including the ability to export and delete user data.


Storage and retention

Vendorapp stores data in secure, access-controlled environments using Microsoft Azure infrastructure. Data is retained only as long as necessary to fulfil the purpose for which it was collected, in line with your organization's data retention policy.


Summary

Vendorapp is committed to helping your organization meet GDPR obligations without unnecessary complexity. Our platform offers transparency and tools to manage personal data responsibly and securely.