Matt du Jardin
Founder · March 13, 2026 · 10 min read
Compliance

How to Audit Your Vendor Contracts for Data Sovereignty Risk

UK procurement teams: audit your vendor contracts for data sovereignty risk before renewal. A practical checklist covering DORA, Schrems II, and notice windows.

Picture this. An IT manager at a 200-person professional services firm is on a client due diligence call. The client asks: “Where does your document management vendor process our data?” The IT manager pulls up the vendor contract. It's a 2021 agreement. The vendor was acquired in 2023. The new parent company is US-registered. The contract auto-renewed twice. Nobody read the updated data processing terms either time.

The IT manager doesn't have an answer. The client makes a note.

That scenario plays out more than it should. Not because IT managers are careless. Because the way most companies manage vendor contracts treats the renewal as a price negotiation, not a compliance event.

The contract renewed. The compliance landscape didn't stand still.

This post is about vendor contracts - the agreements you have with your software providers, service vendors, and infrastructure suppliers. Not your customer deals. The vendor side. That's what Renewly tracks, and that's where the data sovereignty gaps tend to live. Here's how to find them before your next renewal cycle closes.

Why Vendor Contract Renewals Create Data Sovereignty Gaps

When you signed the original vendor contract, someone assessed the data terms. Maybe it was you, maybe it was a lawyer, maybe it was whoever was in the IT manager role before you. That assessment had a shelf life. Most companies don't know what it was.

Three things change between the original signature and the third or fourth renewal that procurement teams rarely re-check:

Vendor corporate structure. Acquisitions happen. A SaaS vendor you signed with in 2020 may be owned by a US private equity firm today, with data processing infrastructure that has moved jurisdictions. The contract you have may still reference the original entity. The data is somewhere else.

The sub-processor list. Vendors add sub-processors quietly. The new cloud logging tool, the new analytics provider, the new payment processor - these show up in updated Data Processing Agreements (DPAs) buried in renewal packs, if they show up at all. Some vendors maintain their sub-processor list as a webpage and update it without notifying customers. The contractual reference is a link to a page that changed six months ago.

The legal basis for transfer. Schrems II (the 2020 Court of Justice of the EU judgment) invalidated Privacy Shield, the previous mechanism for transferring personal data between the EU and the US. Any vendor contract signed before late 2021 that relied on Privacy Shield has a gap. Standard Contractual Clauses (SCCs) are still valid, but only where a Transfer Impact Assessment (TIA) has been completed. If your vendor contract pre-dates Schrems II and has never been renegotiated, the legal basis for that data transfer may be unclear at best and unenforceable at worst.

Then there's the newer layer. The Digital Operational Resilience Act (DORA) has been active since January 2025. It applies specifically to financial entities regulated under EU and UK law - banks, insurers, investment firms, payment processors, and their direct technology vendors. If you operate in financial services, DORA requires you to demonstrate contractual oversight of what the regulation calls “critical third-party providers.” That oversight has to exist at each renewal, not just at the original signing. A contract that met the standard in 2022 may not meet DORA Article 30 requirements today.

If you're not in financial services, DORA doesn't apply to you directly. But UK GDPR and Schrems II do. Those aren't optional.

What a Vendor Contract Data Sovereignty Audit Actually Involves

Let me be clear about what this is. It is not a legal exercise. You are not redlining contracts or conducting a full legal review. You are doing procurement triage - making a list of what you have and flagging which vendor contracts need attention before they auto-renew.

You don't need a legal team for the initial audit. You need a spreadsheet and three hours.

For each vendor contract you hold, you are answering four questions before the next renewal date:

1. Where is data processed, contractually? Not where you assume it is processed. Not where the vendor's sales team told you it was. Where the contract states it is processed. “Data may be processed in countries where we operate” is not an answer. That clause is essentially meaningless from a compliance standpoint. You want a named country or region.

2. Who are the sub-processors, and where are they based? Is there a sub-processor list? Is it annexed to the contract or linked to a webpage? When was it last updated? A sub-processor list that hasn't been updated in two years is almost certainly incomplete.

3. What is the legal basis for any data transfers outside the UK or EU? If the vendor is US-based or uses US-based infrastructure and processes personal data, the basis needs to be one of: an adequacy decision, SCCs backed by a current TIA, or binding corporate rules. “We're ISO 27001 certified” is not a data transfer mechanism.

4. Has the DPA been updated since the original signature? If the answer is “we don't know,” that is itself a red flag. A vendor relationship that has run for three years without a DPA review has almost certainly drifted from its original compliance position.

The ICO's guidance on international data transfers is the practical reference for UK companies working through these questions. It's detailed, it's free, and it covers the current UK GDPR position post-Brexit. Read it alongside your vendor contract, not instead of it.

For DORA-regulated entities, add a fifth question: Is this vendor classified as a critical third-party provider under DORA? If yes, does the contract include the mandatory clauses under DORA Article 30 - specifically, the right to audit, sub-contractor disclosure obligations, and business continuity provisions?

The goal is documentation, not perfection. Regulators assessing ICO complaints or FCA inquiries want to see that you took reasonable, documented steps to understand your data flows. A structured audit with clear gaps identified is far stronger than no audit at all.

The Vendor Contracts Most Likely to Have Sovereignty Gaps

Not all vendor contracts carry the same data risk. If you have 80 vendor contracts and three hours, start here:

Cloud storage and productivity tools. Microsoft 365 and Google Workspace both offer region-specific tenancy, but the defaults vary and the contractual terms matter. Where is your tenant actually hosted? That question has a specific answer in the contract, and it may not match your assumption.

HR and payroll software. Personal data about your employees - salaries, bank details, addresses, performance records. If this vendor is US-based or has US sub-processors, you need a current transfer mechanism in place.

CRM and customer management tools. Personal data about your clients. If your industry has sector-specific obligations (see below), this vendor probably sits at the centre of your highest-risk exposure.

Any vendor that processes financial data. Payments, invoicing, accountancy tools. These often involve sub-processors across multiple jurisdictions, and the sub-processor list changes frequently.

Cyber security vendors. The irony: your security vendors often have the broadest access to your environment and the least scrutinised data processing terms. They have access to everything. Read their DPAs carefully.

Communication platforms with message archiving. If a vendor is archiving internal communications for compliance purposes, they are processing significant volumes of potentially sensitive data. Where is that archive stored?

EMR and clinical software for healthcare organisations. NHS data security standards (the DSP Toolkit) require healthcare organisations to demonstrate that personal data is processed in accordance with the data security and protection requirements. A clinical software vendor renewal that doesn't re-confirm the processing location creates a DSP Toolkit gap that the Care Quality Commission and NHS England both care about.

For law firms specifically: client confidentiality obligations stack on top of GDPR. A matter management or practice management software vendor that has been acquired by a US parent company creates a double obligation. The Solicitors Regulation Authority expects law firms to understand where client data goes. If the vendor contract hasn't been renegotiated post-acquisition, you may not be able to answer that question.

Lowest risk (but still worth a flag): single-user SaaS tools with no personal data input, physical goods vendors, one-off professional services engagements without data sharing. These can wait for a second pass.

How Notice Windows Affect Your Ability to Act

Here is the operational reality that makes data sovereignty audits time-sensitive.

Even if you find a sovereignty gap in a vendor contract, you need time to fix it. Most B2B vendor contracts carry 60- to 90-day notice windows. Some SaaS vendors require only 30 days. Enterprise software vendors sometimes require 180.

If you audit your vendor contracts and find a sovereignty gap six weeks before the renewal date, your options are: renegotiate fast (hard, and vendors know you're under pressure), accept the auto-renewal (you have now documented non-compliance), or terminate (costly and disruptive). None of those options are good.

The practical answer is that your data sovereignty audit needs to happen inside the notice window, not the week before it closes. Ninety days before renewal is not just a reminder best practice. For data-sensitive vendor contracts, it's the minimum time to get a DPA addendum agreed, a Transfer Impact Assessment completed, and updated SCCs signed if needed.

This is exactly why procurement teams searching for CLM platforms with 90-day renewal notifications are looking for the right thing. The point isn't the notification itself. The point is having enough runway to act on what the notification reveals.

The auto-renewal notice window is the point of maximum leverage with a vendor. It's also the point at which data sovereignty issues need to be resolved, not flagged. A DPA renegotiation that runs past the notice window leaves you either locked in or in breach.

The budget impact of getting this wrong is real. Procurement managers who handle SaaS renewal forecasting know that unexpected auto-renewals create budget variance. Unexpected auto-renewals with compliance strings attached create something worse - a liability that shows up as a line item in your next data protection impact assessment.

For a practical framework on structuring the renewal process end to end, the vendor contract renewal checklist walks through the sequence from 120 days out to signature.

Building Your Vendor Data Sovereignty Register

Start with your contract register. If you don't have one, the 5-day vendor contract audit gives you a structured process to build one from scratch. The data sovereignty register is a layer you add on top.

One practical question before you start: who owns vendor renewals in your organisation? In many companies this is genuinely unclear - IT manages the relationship, finance controls the PO, legal signs the DPA, and procurement is brought in late. If nobody owns the data sovereignty review, it won't happen. Assign it before you build the register.

For each vendor contract in your portfolio, capture five fields alongside the standard renewal data (renewal date, notice period, contract value, owner):

Field 1: Data processing location. The country or region stated in the contract. If the contract doesn't specify, that's your first gap to address.

Field 2: Sub-processor list reference. Where is the list? Annexed to the contract, or linked to a webpage? When was it last updated? Note the date.

Field 3: Legal transfer mechanism. What covers the data transfer, if any? Options: adequacy decision, SCCs with TIA, binding corporate rules, or unclear/missing. “Unclear/missing” is a red flag.

Field 4: DPA date. When was the Data Processing Agreement last signed or formally updated? If you don't have a signed DPA, note that separately.

Field 5: DORA classification. If you're in financial services: is this vendor critical, important, or out of scope under DORA? If you're not in financial services, mark this field N/A.

Once you have those five fields for each vendor contract, apply a simple risk flag:

  • Red: No DPA, data processing location unknown, US sub-processors with no documented transfer mechanism post-Schrems II. These vendor contracts need legal review before the next renewal.
  • Amber: DPA exists but hasn't been updated since 2021, or the sub-processor list is a linked webpage with no version date. These need a review prompt at 90 days before renewal.
  • Green: DPA is current, transfer mechanism is confirmed, data processing location is stated. These can renew as normal - with a note to re-check at the following renewal.
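The five register fields and the red/amber/green rule above, together with the 90-day lead time from the notice-window section (120 days for high-risk vendors, as the FAQ advises), as an added worked example in Python. This is not Renewly's code; the field names, the 1 January 2022 cut-off used for “not updated since 2021”, and the sample register are assumptions.

```python
# Added example (not Renewly's code): the register fields, the flag rule and
# the audit lead time as a small triage script. Field names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DOCUMENTED_MECHANISMS = {"adequacy", "sccs_with_tia", "bcr"}
DORA_IN_SCOPE = {"critical", "important"}


@dataclass
class VendorContract:
    vendor: str
    renewal_date: date
    notice_period_days: int
    processing_location: Optional[str]       # Field 1: None = not stated
    subprocessor_list: str                   # Field 2: "annexed" or "webpage"
    subprocessor_list_dated: Optional[date]  # Field 2: version date, if any
    has_us_subprocessors: bool
    transfer_mechanism: Optional[str]        # Field 3: see DOCUMENTED_MECHANISMS
    dpa_date: Optional[date]                 # Field 4: None = no signed DPA
    dora_classification: str = "n/a"         # Field 5: critical/important/out_of_scope/n/a


def risk_flag(c: VendorContract) -> str:
    """Apply the post's flag rule, most severe condition first."""
    if c.dpa_date is None or c.processing_location is None:
        return "red"
    if c.has_us_subprocessors and c.transfer_mechanism not in DOCUMENTED_MECHANISMS:
        return "red"
    if c.dpa_date < date(2022, 1, 1):  # "not updated since 2021" (assumed cut-off)
        return "amber"
    if c.subprocessor_list == "webpage" and c.subprocessor_list_dated is None:
        return "amber"
    return "green"


def audit_lead_days(c: VendorContract) -> int:
    """90 days minimum, 120 for high-risk (red or DORA critical/important),
    and never shorter than the contractual notice period."""
    high_risk = risk_flag(c) == "red" or c.dora_classification in DORA_IN_SCOPE
    return max(120 if high_risk else 90, c.notice_period_days)


def audit_by(c: VendorContract) -> date:
    return c.renewal_date - timedelta(days=audit_lead_days(c))


def triage(contracts, today: date):
    """Rank the register: reds first, then by how soon the audit is due."""
    order = {"red": 0, "amber": 1, "green": 2}
    rows = sorted(((risk_flag(c), audit_by(c), c) for c in contracts),
                  key=lambda r: (order[r[0]], r[1]))
    return [(c.vendor, flag, due, (due - today).days) for flag, due, c in rows]


SAMPLE = [  # constructed register; not real vendors
    VendorContract("DocMgmt (2021 deal, US parent)", date(2026, 6, 30), 90, None,
                   "webpage", None, True, None, date(2021, 3, 1)),
    VendorContract("HR/payroll SaaS", date(2026, 9, 15), 60, "United Kingdom",
                   "webpage", None, True, "sccs_with_tia", date(2021, 11, 20)),
    VendorContract("Payments processor", date(2026, 5, 1), 180, "EU (eu-west-1)",
                   "annexed", date(2025, 10, 1), True, "sccs_with_tia",
                   date(2025, 10, 1), "critical"),
]

if __name__ == "__main__":
    for vendor, flag, due, left in triage(SAMPLE, date(2026, 3, 13)):
        print(f"{flag.upper():5} {vendor:32} audit by {due} ({left:+d} days)")
```

Note that the green DORA-critical vendor still surfaces with a deadline already in the past: its 180-day notice period, not its risk colour, sets the audit date.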

The goal is not to become an expert in GDPR law. The goal is to know which five vendor contracts in your portfolio of 80 need attention before they auto-renew. The register gives you that answer in a single view.

For the European Data Protection Board's guidance on SCCs and Transfer Impact Assessments, the EDPB published practical recommendations that translate the post-Schrems II requirements into steps your legal team (or a competent DPA) can follow. It's dense, but Section 3 is the operational part.

What Good Vendor Contracts Say - and What to Demand at Renewal

When you're renegotiating a vendor contract or reviewing a renewal pack, these clauses give you sovereignty protection. If the current contract lacks them, use renewal as the moment to push for them.

Explicit data processing location. Not “data may be processed in countries where we operate.” A named country or a named cloud region (e.g., “EU-West-1 on AWS infrastructure”). This is non-negotiable for any vendor handling personal data.

Sub-processor notification obligation. The vendor must notify you before adding a new sub-processor, with a reasonable objection period. Ten to thirty days is standard. Without this clause, the vendor can add a US-based analytics sub-processor and update their webpage without telling you.

DPA as an annexed schedule. Not a hyperlink to a webpage. A signed, versioned document that forms part of the contract. A hyperlinked DPA can be unilaterally updated by the vendor without your knowledge or signature. That's not a DPA, it's a terms-of-service trick.

Right to audit. At minimum, the right to request audit results from the vendor's existing certifications - ISO 27001 reports, SOC 2 Type II summaries. A vendor that refuses to share any audit evidence is a vendor you should be cautious about renewing with.

Data deletion on termination. With a defined timeline and a confirmation certificate. “We'll delete your data in accordance with our retention policy” is not an answer. You want 30 or 60 days post-termination, in writing, with confirmation.

For DORA-regulated entities, Article 30 makes some of these mandatory. The right to audit, business continuity provisions, and sub-contractor disclosure are minimum requirements for contracts with critical and important third-party providers.

One more thing worth noting: vendors also slip changes into renewal packs. How auto-renewal clauses work in most vendor contracts means that the price, the term, and sometimes the data processing terms roll over automatically unless you actively negotiate. The same discipline that catches auto-renewal clause changes catches DPA version changes. Read the renewal pack, not just the cover email.

If your current vendor contract has none of these clauses, you have a position to negotiate from. Most mid-market SaaS vendors would rather accept a DPA addendum than lose a multi-year contract. Use the renewal as the moment to push.

FAQ

Does DORA apply to my company if I'm not a bank?

DORA directly applies to financial entities regulated under EU and UK law - banks, insurers, investment firms, payment processors, and their direct technology vendors. If you are a professional services firm or technology vendor supplying those regulated entities, your clients may require DORA-compliant contract clauses from you as part of their own vendor management obligations. You may be asked to demonstrate compliance contractually even if DORA doesn't apply to you directly. If you are not in financial services and do not supply financial entities, DORA does not apply. UK GDPR and Schrems II still do.

What is Schrems II and why does it affect my vendor contracts?

The Schrems II judgment (Court of Justice of the EU, 2020) invalidated the EU-US Privacy Shield - the mechanism that most companies used to legally transfer personal data from the EU to the US. Since then, US-based vendors processing EU personal data need to rely on Standard Contractual Clauses backed by a Transfer Impact Assessment, or another approved mechanism. Contracts signed before late 2021 that relied on Privacy Shield have a gap. Many of those contracts have since auto-renewed without anyone addressing it.

How do I find data sovereignty clauses in my vendor contracts?

Look for the Data Processing Agreement (DPA) - usually a schedule or exhibit attached to the main service agreement, sometimes a separately signed document. The relevant clauses are in sections titled “Data Processing,” “International Transfers,” “Sub-processors,” and “Data Residency.” Many vendors maintain a sub-processor list as a separate webpage linked from the DPA. Check when that page was last updated - and then check whether the contract requires them to notify you when it changes. If it doesn't, that's a clause to add at renewal.

What should I do if a vendor refuses to provide a compliant DPA?

Document the refusal in writing. Then assess the risk: how much personal data does this vendor process, and what category? If the vendor processes significant personal data and cannot provide adequate contractual protections, this is material risk that should appear in your next data protection impact assessment. At renewal, the refusal is leverage - most mid-market SaaS vendors will engage on DPA terms rather than lose a contract. If a vendor continues to refuse, escalate to your DPO or legal counsel before renewing. Renewing without a compliant DPA when you have documented the gap is harder to defend than not having known.

How far in advance should I audit vendor contracts for data sovereignty issues?

At least 90 days before the renewal date. For any vendor classified as high-risk - processes significant personal data, US-registered parent, or subject to DORA requirements - start at 120 days. That's the minimum window to renegotiate DPA terms, complete a Transfer Impact Assessment if needed, and get updated SCCs signed before the auto-renewal window closes. Auditing at 30 days leaves you no negotiating position and no realistic path to compliance before the renewal locks in.

Start Before the Notice Window Closes

Data sovereignty audits belong in your renewal workflow, not in your one-time procurement process. The risk compounds every time a data-sensitive vendor contract auto-renews without review. The 2021 assessment that passed is doing real work in 2026 - covering vendor relationships that have changed, under a regulatory framework that has changed, for a company that has probably changed too.

You don't need a perfect system to fix this. You need a register, five extra fields per vendor, and a 90-day alert. That's the whole thing. The law-firm and ICO guidance pages that dominate this topic make it sound like a legal project. It's a procurement project with a legal outcome.

Renewly pulls renewal dates and auto-renewal clauses directly from vendor contract PDFs. We're building out fields for data processing location, sub-processor jurisdiction, and DPA version date - so when you open your renewal dashboard at the 90-day mark, you can filter by data risk alongside renewal date. No cross-referencing spreadsheets. No pulling PDFs one by one. The vendor contracts that need attention before they auto-renew show up at the top.

If you don't have a vendor contract register yet, that's the first step. The 5-day vendor contract audit gives you a structured process to build one from nothing. Start there, then add the sovereignty fields.

Your vendors' contracts were written to protect their interests. The data terms are no different. Read them before you sign them again.

Start Your Vendor Audit - Free

The free tier covers 5 vendor contracts - enough to audit your highest-risk relationships before the next renewal cycle. Upload your contracts and see every renewal date, notice window, and auto-renewal clause extracted in seconds.