Vendor Due Diligence Checklist for Singapore Businesses
A practical vendor due diligence checklist for Singapore businesses to manage PDPA compliance when sharing personal data with third-party vendors and processors.

Most Singapore SMEs rely on a web of external vendors — cloud hosting, payroll bureaus, email marketing tools, CRMs, and IT support — and almost every one of them touches personal data. Conducting proper vendor due diligence is how your organisation keeps control of that data and stays compliant with the Personal Data Protection Act 2012 (PDPA). The hard truth is that outsourcing the work never outsources the liability: under the PDPA, your organisation remains accountable for personal data even when a third party processes it on your behalf.
This guide breaks the process into a clear, actionable checklist — what to ask, what to document, and which PDPA obligations sit with you versus your vendor.
TL;DR — Key Takeaways
- Under PDPA section 4(2), a vendor acting as your "data intermediary" under a written contract carries only the Protection and Retention Limitation obligations, plus the Part 6A duty (section 26C) to notify you without undue delay when it has reason to believe a breach has occurred. Every other obligation, including Consent, Purpose Limitation, Accountability, and notification of breaches to the PDPC and affected individuals, stays with your organisation.
- A written data processing agreement is the cornerstone of vendor due diligence: without one, the section 4(2) carve-out does not apply, the vendor is treated as an organisation subject to the full set of obligations in its own right, and your own obligations are not reduced in any way.
- The PDPC can impose financial penalties of the higher of S$1 million or 10% of annual turnover in Singapore (the turnover-based cap applies to organisations with local annual turnover above S$10 million), in force since 1 October 2022.
- Review high-risk vendors at least annually and maintain a dated vendor register to evidence accountability.
What Is Vendor Due Diligence Under the PDPA?
Vendor due diligence is the structured process of assessing, contracting with, and monitoring any third party that collects, uses, stores, or processes personal data on your behalf. Under Singapore's PDPA, it is a practical expression of the Accountability Obligation (Sections 11 and 12), which requires your organisation to be responsible for personal data in its possession or under its control — including data physically held by a vendor.
The PDPA introduces a specific role here: the data intermediary. Section 2 defines a data intermediary as an organisation that processes personal data on behalf of another organisation (an employee of that organisation is excluded). Section 4(2) then narrows the intermediary's duties, but only where the processing is carried out pursuant to a contract that is evidenced or made in writing. Without that written contract, the carve-out does not apply.
When a vendor acts purely as your data intermediary under a written contract, that vendor is legally bound only by the Protection Obligation (section 24), the Retention Limitation Obligation (section 25) and the Part 6A duty (section 26C) to notify you without undue delay once it has reason to believe a data breach has occurred. Your organisation remains liable for the full set of PDPA obligations, including consent, purpose limitation, accuracy, and notification of breaches to the PDPC and to affected individuals.
In plain terms: if your email marketing vendor leaks 50,000 customer records, the PDPC will look first at your organisation. This is precisely why due diligence is not paperwork for its own sake — it is your primary defence.
Who counts as a vendor that needs assessment?
Any external party that can access personal data, including:
- Cloud and SaaS providers (hosting, CRM, helpdesk, file storage)
- Payroll, HR, and accounting outsourcing firms
- Marketing agencies and email/SMS platforms
- IT support, managed service providers, and developers
- Payment processors and logistics/delivery partners
- Call centres and customer-support outsourcers
If a vendor never touches personal data, for example a vendor supplying genuinely anonymised aggregate analytics or office stationery, it falls outside this scope. Be cautious with "anonymised" analytics: data that can still be linked back to an individual (for instance through a persistent device or user identifier) is personal data, and the vendor is in scope.
The Vendor Due Diligence Checklist: Before You Sign
The strongest moment to set expectations is before money changes hands. Use this pre-engagement checklist for every vendor that will handle personal data. Each item maps to a specific PDPA obligation, so you can evidence your reasoning later.
1. Define and minimise the data shared (Purpose Limitation, Section 18). Document exactly which personal data the vendor needs and why. Share only what is necessary. A delivery partner needs a name, address, and contact number — not a customer's full purchase history or NRIC.
2. Confirm the vendor's legal role. Establish in writing whether the vendor is acting as a data intermediary (processing only on your documented instructions, under a written contract) or as an organisation deciding its own purposes (an independent controller, in everyday usage). This single classification changes the entire liability picture, and the section 4(2) carve-out only exists if the arrangement is in writing.
3. Assess security posture (Protection Obligation, section 24). Ask for evidence of reasonable security arrangements: access controls, encryption in transit and at rest, staff training, and incident-response procedures. Certifications such as ISO 27001 or the Data Protection Trustmark (DPTM) administered by IMDA are strong signals, but check that the certificate's scope actually covers the service, locations and data centres you will be using. Our practical guide to ISO 27001 certification for Singapore SMEs explains how to read these credentials.
4. Check cross-border data transfers (Transfer Limitation Obligation, section 26). If the vendor stores or processes data outside Singapore, you must ensure the overseas recipient is bound to a standard of protection comparable to the PDPA, typically through legally enforceable obligations such as contractual clauses or binding corporate rules, or a recognised certification. Ask where data centres are located, whether data is replicated to other regions for backup or support, and what contractual safeguards apply.
5. Review the vendor's breach-notification commitments. Singapore's mandatory Data Breach Notification regime (Part 6A, in force since 1 February 2021) requires your organisation to notify the PDPC of a notifiable breach within 3 calendar days after the day you assess it as notifiable, and to notify affected individuals where significant harm is likely. A data intermediary is itself required by Part 6A to notify you without undue delay, but "without undue delay" is not a clock you can plan around: put a concrete deadline in the contract (24 hours from discovery is common) so that you can complete your own assessment and meet the 3-day window.
6. Verify retention and deletion practices (Retention Limitation, Section 25). Confirm the vendor will return or securely destroy personal data once the contract ends or the purpose is fulfilled.
The Vendor Due Diligence Contract: What to Put in Writing
A handshake is not due diligence. The PDPC's Advisory Guidelines on Key Concepts expect a written data processing agreement whenever you appoint a data intermediary, and that written contract is what brings an ordinary supplier within the section 4(2) carve-out and limits the duties it owes directly under the Act.
A PDPA-ready vendor contract should, at minimum, restrict the vendor to processing data only on your documented instructions, impose the Protection and Retention Limitation Obligations, require prompt breach notification to your organisation, prohibit unauthorised sub-processing, mandate secure deletion at termination, and grant you audit rights.
Your vendor data processing agreement should specify:
| Contract clause | PDPA obligation it supports |
|---|---|
| Processing limited to your written instructions | Purpose Limitation (s18) |
| Defined security controls and standards | Protection (s24) |
| Breach notification to you within 24 hours | Notification (Part 6A) |
| Sub-processor approval and flow-down terms | Accountability (s11–12) |
| Data return/destruction at termination | Retention Limitation (s25) |
| Cross-border safeguards | Transfer Limitation (s26) |
| Audit and inspection rights | Accountability (s11–12) |
If you outsource to specialist providers — software developers, integrators, or managed IT — make these terms a standard part of your procurement template. Singapore firms building bespoke systems often work with partners like Adaptels, which builds custom digital solutions for local SMEs; whoever you choose, the same contractual safeguards apply.
For SaaS and cloud vendors specifically, the allocation of responsibility can be nuanced — our PDPA compliance guide for SaaS companies in Singapore unpacks the shared-responsibility model in detail.
Ongoing Vendor Due Diligence: Monitoring After Onboarding
Due diligence does not end at signature. The Accountability Obligation expects continuous oversight, because a vendor that was secure last year may have changed its practices, suffered an incident, or been acquired.
The PDPC treats a one-time onboarding check as insufficient; organisations are expected to maintain ongoing supervision of their data intermediaries proportionate to the risk involved.
A practical monitoring cadence:
- Annually — Re-assess high-risk vendors (large data volumes, sensitive data such as financial details, health, or NRIC numbers) and refresh their security attestations.
- At contract renewal — Re-confirm the data shared, the purposes, and the security terms.
- After any incident — Re-evaluate immediately if the vendor reports a breach or you detect a problem.
- On material change — Reassess if the vendor changes sub-processors, relocates data, or alters its service.
Keep a vendor register: a living record listing each vendor, the data shared, the contract date, the assessment date, and the risk rating. When the PDPC investigates a breach, a well-maintained register is compelling evidence that your organisation took accountability seriously — and it is often the difference between a warning and a financial penalty.
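To make the register and the review cadence above concrete, here is a small vendor-register model with risk-based review scheduling. It is an added illustration for this guide, not a PDPC tool or a ComplyHQ feature. The cadence rules follow the article (high-risk vendors at least annually, every vendor at contract renewal, an immediate review after an incident or a material change). Two things are assumptions made for the example, not PDPA requirements: a 24-month cycle for standard-risk vendors, and a 10,000-record threshold for "large data volumes". The vendors in the sample register are constructed.

```python
"""Vendor register with risk-based review scheduling (illustrative, not a PDPC tool)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data categories the article treats as high-risk (financial, health, NRIC).
SENSITIVE = {"nric", "health", "financial", "bank account", "credit card"}
HIGH_RISK_CYCLE = timedelta(days=365)   # "at least annually" for high-risk vendors
STANDARD_CYCLE = timedelta(days=730)    # assumption for this example; the PDPA sets no fixed period


@dataclass
class Vendor:
    name: str
    role: str                      # "data intermediary" or "independent controller"
    data_shared: list[str]
    contract_date: date
    renewal_date: date
    last_assessed: date
    dpa_signed: bool               # written data processing agreement in place
    record_count: int              # approximate number of individuals' records shared
    # Post-onboarding events: (date, "incident" | "material change")
    events: list[tuple[date, str]] = field(default_factory=list)


def risk_rating(v: Vendor, volume_threshold: int = 10_000) -> str:
    """High if sensitive categories or large volumes are shared; otherwise standard.
    The 10,000-record threshold is an assumption for this example."""
    if v.record_count >= volume_threshold:
        return "high"
    if any(item.lower() in SENSITIVE for item in v.data_shared):
        return "high"
    return "standard"


def next_review(v: Vendor) -> tuple[date, str]:
    """Earliest date a re-assessment is due, and which trigger fires it."""
    cycle = HIGH_RISK_CYCLE if risk_rating(v) == "high" else STANDARD_CYCLE
    candidates = [
        (v.last_assessed + cycle, "periodic re-assessment"),
        (v.renewal_date, "contract renewal"),
    ]
    # Incidents and material changes reported after the last assessment trigger an immediate review.
    candidates += [(when, kind) for when, kind in v.events if when > v.last_assessed]
    return min(candidates, key=lambda c: c[0])


def gaps(v: Vendor) -> list[str]:
    """Accountability gaps the register should surface before any review date."""
    found = []
    if v.role not in ("data intermediary", "independent controller"):
        found.append("legal role not classified")
    if v.role == "data intermediary" and not v.dpa_signed:
        found.append("no written data processing agreement")
    return found


def register_report(vendors: list[Vendor], today: date) -> list[dict]:
    """One row per vendor: rating, next review date, trigger, overdue flag and gaps."""
    rows = []
    for v in vendors:
        due, trigger = next_review(v)
        rows.append({
            "vendor": v.name,
            "risk": risk_rating(v),
            "next_review": due,
            "trigger": trigger,
            "overdue": due <= today,
            "gaps": gaps(v),
        })
    return rows


# Constructed sample register (not real vendors).
SAMPLE_REGISTER = [
    Vendor("Payroll bureau", "data intermediary", ["name", "NRIC", "bank account"],
           date(2023, 3, 1), date(2026, 3, 1), date(2024, 4, 15), True, 120),
    Vendor("Courier", "data intermediary", ["name", "address", "mobile"],
           date(2024, 1, 10), date(2026, 1, 10), date(2024, 1, 10), False, 8_000),
    Vendor("Email platform", "data intermediary", ["name", "email"],
           date(2024, 9, 1), date(2025, 9, 1), date(2024, 9, 1), True, 50_000,
           events=[(date(2025, 5, 20), "incident")]),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER, date(2025, 6, 1)):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f"{row['vendor']:<16} {row['risk']:<8} {row['next_review']} "
              f"{row['trigger']:<22} {flag}  gaps={row['gaps']}")
```

Run as-is to print the register; in practice the vendor list would be loaded from your procurement records. Note how the incident on the email platform overrides both its annual cycle and its renewal date, and how the courier is flagged for a missing agreement even though no review is yet due.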
This is exactly the kind of recurring administrative burden that drains SME owners. ComplyHQ offers AI-powered compliance that handles your PDPA obligations in minutes, not weeks — generating vendor agreements, tracking your data intermediaries, and flagging review dates automatically, so your due diligence stays current without becoming a full-time job.
What Happens When Vendor Due Diligence Fails
Singapore enforcement history makes the stakes concrete. Many of the PDPC's published decisions involve breaches that began with a vendor or third-party processor — from misconfigured databases to lost laptops and unsecured credentials. In these cases, the engaging organisation was frequently found in breach of the Protection Obligation for failing to exercise reasonable oversight of its intermediary.
The maximum financial penalty under the PDPA is the higher of S$1 million or 10% of an organisation's annual turnover in Singapore (the turnover-based cap applies to organisations with local annual turnover above S$10 million), following amendments in force from 1 October 2022. Even smaller SMEs have faced five-figure penalties for vendor-related lapses.
To understand how these cases unfold and what the PDPC weighs, see our breakdown of real PDPA penalties and enforcement cases. And because human error inside both your team and your vendor's remains the leading cause of breaches, pair vendor controls with internal readiness — our PDPA staff training requirements guide and the step-by-step data breach response guide cover the people and process sides.
Putting It All Together
Effective vendor due diligence for your organisation comes down to three disciplines: assess before you engage, contract clearly, and monitor continuously. Each maps directly to a PDPA obligation, and together they demonstrate the accountability the PDPC expects.
Start today by listing every vendor that touches personal data, classifying each as a data intermediary or independent controller, and confirming a signed data processing agreement is in place. From there, build your vendor register and set annual review dates. For a broader view of where vendor management fits within your overall obligations, work through our PDPA compliance checklist for Singapore SMEs.
Done well, vendor due diligence stops being a defensive chore and becomes a genuine competitive advantage — the kind of trust signal that wins enterprise clients who demand it.
Frequently Asked Questions
Is my business liable if a vendor causes a PDPA data breach?
Do I need a written contract with every vendor that handles personal data?
How often should I review my vendors for PDPA compliance?