SOC2 CC9.2 · GDPR Art 28 · ISO 27001 A.5.19 · NIST 800-161 · Deep Prototype

VendorOnboardingCheck — 28-Step Vendor Onboarding Pipeline

14 in-flight vendor onboardings × 28-step pipeline. Commercial intake → spend approval → SIG/CAIQ → SOC2/ISO review → pen-test review → DPA + SCC + DPF + TIA → sanctions screening → MSA → RoPA + DPIA + DPADeskbook → IT integration + SSO → egress firewall + audit hooks → offboarding plan + production access. Surfaces 4 stuck mid-pipeline + 2 with production access before security review.


What it is

A runnable model of the vendor-onboarding pipeline: one ordered list of steps, one status per step per vendor, and a check that flags any vendor holding production access before the security and privacy steps were completed. Most companies keep an “onboarding checklist” in a Google Doc that nobody runs. This is the artifact every SOC2 auditor pulls under CC9.2, and the one every CISO who has lost sleep over shadow IT wishes they’d built earlier.

What’s in it

  • 28-step canonical pipeline spanning commercial → security → privacy → IT → ops:
    • Steps 1-4: commercial intake, spend approval, scoping, data classification
    • Steps 5-8: SIG / CAIQ, SOC2 review, pen-test review, sub-processor list
    • Steps 9-12: DPA negotiation, SCC 2021/914 module, DPF self-cert verification, adequacy / TIA
    • Steps 13-16: sanctions screening, insurance certificate, MSA + DPA execution, SLAs
    • Steps 17-20: risk register, RoPA update, DPIA if Art 35 triggered, DPADeskbook entry
    • Steps 21-24: IT integration, SSO/SCIM, provisioning automation, egress firewall (EgressGate)
    • Steps 25-28: logging + audit hooks, offboarding plan, quarterly review cadence, production access granted
  • 14 in-flight onboardings with concrete blockers:
    • VO-002 Anthropic — STUCK at step 9 (DPA), but production access already granted (BYPASS — see EgressGate E12)
    • VO-003 OpenAI extended use — stuck at step 12 (TIA) pending DPF status
    • VO-005 PartnerCo (BR) + VO-006 TranslateCo (IN) — stuck at TIA (non-adequate jurisdictions)
    • VO-012 Twilio replacement — stuck at step 12 + 18 (cross-references RFC-1255)
    • VO-014 — VENDOR-ACCESS GRANTED before security review. Marketing prematurely cut over. Escalated to CISO; access revoked; restart from step 5.
  • Per-onboarding visualization — 28-step list with done / in-progress / blocked / todo / skipped per step.

Why this shape

SOC2 CC9.2 (vendor risk management) + GDPR Art 28 (processor obligations) + ISO 27001 A.5.19-A.5.23 (supplier relationships) + NIST SP 800-161 (supply-chain risk) all demand the same artifact: per-vendor evidence of due-diligence at each step before production access is granted. The killer audit finding: a vendor with production access whose DPA was never signed. VendorOnboardingCheck surfaces those by default.
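The gating check described above, as an added example in vanilla JavaScript. This is not the VendorOnboardingCheck source: the step names follow the list on this page, but the gate set (GATES), the field names of the onboarding records and all sample statuses are assumptions for the demo (the onboarding IDs echo the page; the statuses are constructed). A vendor is reported as a bypass when step 28 is done while any gate step is not, and findStuck lists the blocked step for vendors that do not yet hold production access.

```javascript
// Added example, not the VendorOnboardingCheck code. Models the 28-step pipeline
// and the "production access before security review" finding.

const STEPS = [
  'commercial intake', 'spend approval', 'scoping', 'data classification',                      // 1-4
  'SIG / CAIQ', 'SOC2 review', 'pen-test review', 'sub-processor list',                         // 5-8
  'DPA negotiation', 'SCC 2021/914 module', 'DPF self-cert verification', 'adequacy / TIA',     // 9-12
  'sanctions screening', 'insurance certificate', 'MSA + DPA execution', 'SLAs',                // 13-16
  'risk register', 'RoPA update', 'DPIA if Art 35 triggered', 'DPADeskbook entry',              // 17-20
  'IT integration', 'SSO/SCIM', 'provisioning automation', 'egress firewall (EgressGate)',      // 21-24
  'logging + audit hooks', 'offboarding plan', 'quarterly review cadence', 'production access granted', // 25-28
];
const PROD_ACCESS = 28;

// Assumed gate set: every one of these must be 'done' before step 28 may be 'done'.
// Security review (5-8), DPA negotiation (9), sanctions (13), DPA execution (15), egress (24).
const GATES = [5, 6, 7, 8, 9, 13, 15, 24];
const STATUSES = new Set(['done', 'in-progress', 'blocked', 'todo', 'skipped']);

// Assumed record shape: { id, vendor, status: { [stepNo]: status } }; absent steps are 'todo'.
const stepStatus = (ob, n) => ob.status[n] ?? 'todo';

function validate(ob) {
  for (const [k, v] of Object.entries(ob.status)) {
    const n = Number(k);
    if (!Number.isInteger(n) || n < 1 || n > STEPS.length) throw new Error(`${ob.id}: bad step ${k}`);
    if (!STATUSES.has(v)) throw new Error(`${ob.id}: bad status "${v}" at step ${n}`);
  }
}

// BYPASS: production access is done while a gate is anything other than 'done'.
// 'skipped' deliberately counts as not done: a skipped gate is the audit finding itself.
function detectBypasses(onboardings) {
  const out = [];
  for (const ob of onboardings) {
    validate(ob);
    if (stepStatus(ob, PROD_ACCESS) !== 'done') continue;
    const missing = GATES.filter(g => stepStatus(ob, g) !== 'done')
      .map(g => ({ step: g, name: STEPS[g - 1], status: stepStatus(ob, g) }));
    if (missing.length) out.push({ id: ob.id, vendor: ob.vendor, missing });
  }
  return out;
}

// STUCK: blocked steps, reported only for onboardings without production access
// (a vendor that already has access belongs in the bypass list, not here).
function findStuck(onboardings) {
  const out = [];
  for (const ob of onboardings) {
    validate(ob);
    if (stepStatus(ob, PROD_ACCESS) === 'done') continue;
    const steps = Object.keys(ob.status).map(Number)
      .filter(n => ob.status[n] === 'blocked').sort((a, b) => a - b);
    if (steps.length) out.push({ id: ob.id, vendor: ob.vendor, steps });
  }
  return out;
}

// Helper: steps 1..n marked 'done'.
function doneThrough(n) { const s = {}; for (let i = 1; i <= n; i++) s[i] = 'done'; return s; }

// Constructed sample data: IDs echo the page, the statuses are made up for this demo.
const SAMPLE = [
  { id: 'VO-002', vendor: 'Anthropic', status: { ...doneThrough(8), 9: 'blocked', 28: 'done' } },
  { id: 'VO-003', vendor: 'OpenAI extended use', status: { ...doneThrough(11), 12: 'blocked' } },
  { id: 'VO-014', vendor: 'marketing cutover', status: { ...doneThrough(4), 5: 'skipped', 6: 'skipped', 7: 'skipped', 8: 'skipped', 28: 'done' } },
  { id: 'VO-020', vendor: 'clean example', status: doneThrough(28) },
];

function report(onboardings = SAMPLE) {
  return { bypasses: detectBypasses(onboardings), stuck: findStuck(onboardings) };
}

console.log(JSON.stringify(report(), null, 2));
```

Two design choices carry the security point. First, the bypass test never looks at whether the vendor is "stuck"; it compares step 28 against the gates directly, so a record with a clean-looking history but a skipped SOC2 review is still flagged. Second, statuses are validated before use, so a typo such as "finished" fails loudly instead of silently reading as "not done" or, worse, being special-cased as complete.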

How it ships

Single HTML file, ~15KB. Zero dependencies. 14 vendors × 28-step pipeline + bypass detection in 200 lines of vanilla JavaScript.

Open the tool →