    Vendor Vetting Resource Hub

    The Operations Leader's Guide to Vendor Vetting

    GDPR Article 28, DORA, NIS2, SOC 2, ISO 27001, and Know Your Vendor (KYV) — explained, verified, and packaged into a 30-point checklist you can run before signing your next integration contract.


    The Integration Vendor Vetting Checklist

    A 30-point due-diligence framework covering corporate identity, SOC 2 verification, ISO 27001 lookup, GDPR Article 28 readiness, DORA & NIS2 obligations, and operational controls. Use this before granting any third party access to production systems.

    • Beneficial ownership & sanctions screening
    • SOC 2 report verification under NDA
    • ISO 27001 IAF/UKAS lookup steps
    • GDPR Article 28 + Article 27 EU Rep
    • DORA pre-contract assessment clauses
    • NIS2 incident-reporting timelines
    The four obligations

    What ‘vendor vetting’ actually covers in 2026

    Four overlapping regulatory and operational frameworks that together define the modern duty of care for integration vendors.

    GDPR Article 28

    The controller stays accountable when a vendor mishandles personal data; a processor can be fined in its own right, but that does not shift the controller's liability. Article 28 requires a written contract (the DPA) that fixes the processor's instructions, sub-processor controls, and audit rights; the legal basis for each processing activity comes from Article 6, and data subject requests must be answered within one month under Article 12(3).

    DORA & NIS2 (EU)

    DORA (applies from 17 January 2025) mandates pre-contractual ICT third-party assessments, mandatory contractual clauses covering audit rights and incident notification, and a documented exit strategy. NIS2 adds a 24-hour early warning, a 72-hour incident notification, and a final report within one month.

    SOC 2 & ISO 27001

    SOC 2 is an AICPA attestation report, not a certificate: there is no registry to look it up in, so the only proof is the report itself. An ISO 27001 certificate carries a number and names the accredited certification body; most bodies publish to IAF CertSearch or UKAS CertCheck, but not all do, so a missing registry result means confirm with the certification body, while a badge with no number at all means no certificate. Badges without proof are marketing, not compliance.

    Know Your Vendor (KYV)

    Regulated firms spend millions on KYC, then hand production credentials to unverified offshore developers. KYV applies the same rigor — beneficial ownership, sanctions screening, audit rights — to your vendor file.

    Who this is for

    Who needs a vendor vetting program in 2026

    Six roles carrying personal or organizational liability for third-party integration vendors — and the specific obligation this hub addresses for each.

    VPs of Operations & COOs

    Mid-market commerce and SaaS leaders granting integration vendors persistent access to ERP, OMS, and customer data — and carrying the operational liability when something breaks.

    CISOs & Security Leaders

    Security teams building third-party risk management (TPRM) programs and needing repeatable verification steps for SOC 2, ISO 27001, and GDPR Article 28 vendor claims.

    EU financial entities under DORA

    Banks, payment institutions, insurers, and crypto-asset service providers required to document pre-contractual ICT third-party assessments and exit strategies under DORA.

    Procurement & Vendor Management

    Procurement leaders standardizing vendor onboarding playbooks across integration, iPaaS, and offshore-developer engagements — with audit-ready evidence per vendor.

    Founders evaluating iPaaS vendors

    Growth-stage founders comparing integration platforms and needing to separate verifiable compliance from compliance theater before signing a multi-year contract.

    Privacy & Data Protection Officers

    DPOs and privacy counsel responsible for Article 28 processor diligence, named EU Representative requirements under Article 27, and the one-month response window for data subject requests under Article 12(3).

    The vendor vetting series

    Read the full cluster

    Three deep-dive articles covering the regulatory framework, the badge-verification playbook, and the offshore developer risk profile.

    Part 1 · Governance

    SOC 2, ISO 27001, and GDPR Badges: What Integration Vendors Are Not Telling You

    Most integration vendors display SOC 2, ISO 27001, and GDPR badges with no verifiable proof. Here is how to check a SOC 2 certified integration platform — and what we found when we audited the market.

    March 18, 2026
    Part 2 · Governance

    KYC vs. KYV: Why Vendor Vetting Is Not Optional in 2026

    KYC vs. KYV explained: how DORA, NIS2, GDPR Article 28, and CCPA make Know Your Vendor a legal obligation — and why integration vendors are the highest-risk category most operations leaders fail to vet.

    April 23, 2026
    Part 3 · Governance

    Offshore Integration Developer Risks: The Hidden Cost of Cheap Integration in 2026

    Offshore integration developer risks explained: SOC 2 fraud, GDPR Article 28 liability, IP exposure, and the 10-point vendor due-diligence checklist every operations leader should run before signing.

    April 22, 2026

    Red flags that should stop the procurement

    Six signals we have documented across India-based and freelance integration vendors marketing into UK and US mid-market buyers. Any one of them should pause procurement until the vendor produces the missing evidence.

    • Vendor refuses to share SOC 2 report under NDA.
    • ISO 27001 badge displayed but no certificate number — or no result on IAF/UKAS.
    • GDPR claim with no DPA and no named EU Representative under Article 27.
    • Headcount, tenure, or client volume claims that cannot be substantiated.
    • Production access requested before contract and DPA are signed.
    • Compliance ‘trust center’ that contradicts the marketing page.
    KYC vs KYV

    Mapping KYC discipline to vendor onboarding

    Treat every integration vendor like a regulated counterparty. The same seven controls your finance team applies to KYC translate directly into Know Your Vendor obligations under GDPR Article 28, DORA, and NIS2.

    Identity & legal entity verification
      KYC (Know Your Customer): Government ID, proof of address, UBO disclosure under AML directives.
      KYV (Know Your Vendor): Certificate of incorporation, registered address, beneficial ownership ≥25%, D-U-N-S or company number.

    Sanctions & watchlist screening
      KYC: OFAC, EU Consolidated List, UN, HMT (OFSI) — screened at onboarding and continuously.
      KYV: Same lists applied to the vendor entity, parent company, and named directors. Re-screen annually.

    Source-of-funds / financial standing
      KYC: Income verification, source-of-wealth declarations for higher-risk customers.
      KYV: Audited financials or D&B credit report, insurance certificates (E&O, cyber, professional liability).

    Risk rating & tiering
      KYC: PEP status, geography, transaction profile drive low/medium/high risk tiers.
      KYV: Data sensitivity, system access scope, and data residency drive Tier 1–3 vendor classification.

    Contractual & regulatory obligations
      KYC: AML program, customer due diligence file, suspicious activity reporting.
      KYV: Signed DPA (GDPR Art. 28), DORA/NIS2 clauses, audit rights, exit strategy, sub-processor list.

    Ongoing monitoring
      KYC: Transaction monitoring, periodic refresh of customer file (typically 1–3 years).
      KYV: Annual SOC 2 / ISO 27001 refresh, quarterly access review, breach-notification SLA tracking.

    Evidence retained for audit
      KYC: KYC file produced for the regulator on request — retention 5–7 years post-relationship.
      KYV: Vendor file produced for the controller, supervisory authority, or financial regulator on request.

    Reference: GDPR Articles 27 & 28, EU DORA (Reg. 2022/2554), NIS2 Directive (2022/2555), AICPA SOC 2 Trust Services Criteria, ISO/IEC 27001:2022.
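    An added example (not APIWORX code) of the sanctions and watchlist screening row above, applied the way the KYV column describes: the vendor entity, its parent and each named director are normalised and compared against a watchlist. The watchlist entries, company names and people are constructed for the demo; production screening runs the same logic against the OFAC SDN, EU Consolidated, UN and UK (OFSI) lists. The 0.85 similarity threshold and the legal-form suffix list are assumptions, not values the page gives.

```python
"""Watchlist screening of a vendor file: entity, parent company and directors.

Added example, not APIWORX code. The watchlist is constructed for the demo;
the matching approach (normalise, then compare against primary names and
aliases) is the same regardless of which real list is loaded.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Legal-form suffixes that should neither drive a match nor hide one (assumed list).
_LEGAL_FORMS = {"ltd", "limited", "llc", "inc", "incorporated", "corp", "corporation",
                "co", "company", "pvt", "private", "gmbh", "plc", "llp"}


def normalize(name: str) -> str:
    """Casefold, strip diacritics and punctuation, drop legal-form suffixes."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z0-9]+", ascii_only.casefold())
    return " ".join(t for t in tokens if t not in _LEGAL_FORMS)


@dataclass
class WatchlistEntry:
    list_name: str
    primary: str
    aliases: list = field(default_factory=list)


@dataclass
class ScreeningHit:
    subject: str        # the name from the vendor file that was screened
    role: str           # "entity", "parent" or "director"
    list_name: str
    matched_name: str
    score: float


# Constructed watchlist for the demo; the names are fictional.
WATCHLIST = [
    WatchlistEntry("EU Consolidated", "Zorvane Trading Company",
                   ["Zorvane Trading Co. Ltd", "Zorvane Trading"]),
    WatchlistEntry("OFAC SDN", "Ilyas Berkant Ozdemir", ["I. B. Ozdemir"]),
]


def screen_name(subject: str, role: str, watchlist=WATCHLIST, threshold: float = 0.85) -> list:
    """Return a hit for every entry whose primary name or alias is within `threshold`
    of the normalised subject. SequenceMatcher.ratio() is 1.0 for identical strings."""
    norm_subject = normalize(subject)
    hits = []
    for entry in watchlist:
        best_name, best_score = entry.primary, 0.0
        for candidate in [entry.primary, *entry.aliases]:
            score = SequenceMatcher(None, norm_subject, normalize(candidate)).ratio()
            if score > best_score:
                best_name, best_score = candidate, score
        if best_score >= threshold:
            hits.append(ScreeningHit(subject, role, entry.list_name, best_name, round(best_score, 3)))
    return hits


def screen_vendor_file(vendor_file: dict) -> list:
    """Screen the vendor entity, its parent, and named directors, as the KYV row requires."""
    subjects = [(vendor_file["entity"], "entity")]
    if vendor_file.get("parent"):
        subjects.append((vendor_file["parent"], "parent"))
    subjects += [(d, "director") for d in vendor_file.get("directors", [])]
    hits = []
    for name, role in subjects:
        hits.extend(screen_name(name, role))
    return hits


if __name__ == "__main__":
    # Constructed vendor file for the demo.
    sample = {
        "entity": "Acme Integrations Pvt Ltd",
        "parent": "ZORVANE TRADING PVT. LTD.",
        "directors": ["Ilyas Berkant Özdemir", "Priya Sharma"],
    }
    for hit in screen_vendor_file(sample):
        print(f"{hit.role:9} {hit.subject!r} -> {hit.list_name}: {hit.matched_name} ({hit.score})")
```

    The normalisation is what makes the screen worth running: "ZORVANE TRADING PVT. LTD." and "Zorvane Trading Company" differ only in case, punctuation and legal form, and a raw string comparison would miss them. Every hit is a case for human review, not an automatic rejection; false positives on common names are routine, and the review decision belongs in the vendor file alongside the screening date.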

    How APIWORX fits

    Where APIWORX sits in the iPaaS landscape

    APIWORX is one of several capable integration platforms operations leaders evaluate alongside Workato, Boomi, Celigo, MuleSoft, and Tray.io. Each platform has genuine strengths — Workato and Boomi for enterprise breadth, MuleSoft for API management depth, Celigo for SaaS-to-SaaS templates, and Tray.io for developer tooling. We encourage running the same vendor vetting checklist against every shortlisted vendor, including us.

    What we believe sets APIWORX apart for mid-market commerce and ERP buyers is the combination of a verifiable compliance posture, a managed-service operating model, and an audit-ready data layer purpose-built for trading-partner ecosystems. If a competitor is the right fit for your stack, that is a good outcome — provided the same evidence standard was applied. Compare us directly on our comparison hub.

    FAQ

    Vendor vetting, in plain English

    The questions operations and security leaders ask most often when standing up a vendor vetting program.

    What is vendor vetting and why does it matter for integration platforms?

    Vendor vetting (sometimes called Know Your Vendor or KYV) is the structured due-diligence process you run before granting a third party access to production systems. For integration platforms, the risk is uniquely high: the vendor holds persistent, programmatic, multi-system credentials. A compromised integration vendor exposes everything they connect to.

    What does GDPR Article 28 require from data processors?

    Controllers may only use processors that provide ‘sufficient guarantees’ of appropriate technical and organisational measures, and the relationship must be governed by a binding contract. In practice that means a signed Data Processing Agreement carrying the Article 28(3) terms (documented instructions, confidentiality, security measures, sub-processor approval, assistance with data subject requests, deletion or return of data at exit, and audit rights), a named EU Representative under Article 27 for non-EU processors, a documented legal basis under Article 6 for each processing activity, and data subject requests answered within one month under Article 12(3), extendable by two further months for complex requests. The controller remains accountable for what the processor does with the data; processors carry their own direct obligations and can be fined, but that does not discharge the controller.

    Who must comply with DORA and what does it require for vendors?

    DORA — the EU Digital Operational Resilience Act, applicable from 17 January 2025 — applies to EU financial entities and reaches their ICT third-party providers through mandatory contractual terms (Article 30) and, for providers designated as critical, a direct oversight framework. It requires a pre-contractual assessment of each ICT third-party arrangement, specific contractual clauses covering audit and access rights, incident notification, and exit, and ongoing monitoring of the arrangement. Financial entities remain fully responsible for their regulatory obligations even when functions are outsourced.

    How do I verify a SOC 2 or ISO 27001 claim?

    For SOC 2, request the actual audit report under NDA (there is no public registry to check): confirm the named CPA firm, a Type II designation, and an examination period that ended within the past 12 months. Then read the system description to confirm it covers the product you are buying, check which Trust Services Criteria are in scope (Security at minimum), and review the testing exceptions and the complementary user-entity controls, which list what the vendor expects you to do on your side. If the period ended several months ago, ask for a bridge letter. For ISO 27001, ask for the certificate number, the accredited certification body, the expiry date, and the scope statement, then verify the number on iafcertsearch.org or certcheck.ukas.com; the lookup takes under a minute. Not every certification body publishes to those registries, so a missing result means confirm directly with the body. A badge with no number at all means no certificate.
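    An added example (not APIWORX code, and not the checklist PDF) that turns the verification steps in this answer and the red-flag list earlier on the page into a gate you can run over a vendor evidence record before any production credential is issued. The Type II requirement and the 12-month window come from the page; the 90-day bridge-letter allowance, the evidence field names and the sample vendor records in the demo are assumptions.

```python
"""Pre-contract evidence gate for SOC 2, ISO 27001 and GDPR Article 28 claims.

Added example, not APIWORX code. Each check returns a list of findings; any
finding blocks production access until the vendor produces the missing evidence.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Soc2Evidence:
    cpa_firm: str | None                  # auditor named on the report cover
    report_type: str                      # "Type I" or "Type II"
    period_end: date | None               # end of the examination period
    criteria: set = field(default_factory=set)  # Trust Services Criteria in scope
    bridge_letter: bool = False           # vendor bridge letter covering the gap since period_end


@dataclass
class Iso27001Evidence:
    certificate_number: str | None
    certification_body: str | None
    expiry: date | None
    registry_match: bool = False          # set True after the IAF CertSearch / UKAS CertCheck lookup


@dataclass
class GdprEvidence:
    dpa_signed: bool
    processor_established_in_eu: bool
    eu_representative_named: bool         # Article 27; required for non-EU processors


@dataclass
class VendorFile:
    name: str
    soc2: Soc2Evidence | None             # None: report not shared under NDA
    iso27001: Iso27001Evidence | None     # None: badge shown, no certificate produced
    gdpr: GdprEvidence
    production_access_requested: bool     # requested before contract and DPA were signed


def check_soc2(ev: Soc2Evidence | None, today: date,
               max_age_days: int = 365, bridge_days: int = 90) -> list:
    """Named CPA firm, Type II, period end within 12 months (from the page);
    a bridge letter is expected once the period is more than 90 days old (assumption)."""
    if ev is None:
        return ["SOC 2: claimed but report not shared under NDA"]
    findings = []
    if not ev.cpa_firm:
        findings.append("SOC 2: no named CPA firm on the report")
    if ev.report_type != "Type II":
        findings.append(f"SOC 2: {ev.report_type} report; Type II required")
    if ev.period_end is None:
        findings.append("SOC 2: no examination period end date")
    else:
        age = (today - ev.period_end).days
        if age > max_age_days:
            findings.append(f"SOC 2: period ended {age} days ago; report older than 12 months")
        elif age > bridge_days and not ev.bridge_letter:
            findings.append(f"SOC 2: period ended {age} days ago; request a bridge letter")
    if "Security" not in ev.criteria:
        findings.append("SOC 2: Security criteria not in scope")
    return findings


def check_iso27001(ev: Iso27001Evidence | None, today: date) -> list:
    """Certificate number, named accredited body, unexpired, and found in the public registry."""
    if ev is None:
        return ["ISO 27001: claimed but no certificate produced"]
    findings = []
    if not ev.certificate_number:
        findings.append("ISO 27001: badge shown but no certificate number")
    if not ev.certification_body:
        findings.append("ISO 27001: certification body not named")
    if ev.expiry is None or ev.expiry < today:
        findings.append("ISO 27001: certificate expired or expiry unknown")
    if ev.certificate_number and not ev.registry_match:
        findings.append("ISO 27001: number not found on IAF CertSearch / UKAS CertCheck; "
                        "confirm directly with the certification body")
    return findings


def check_gdpr(ev: GdprEvidence) -> list:
    findings = []
    if not ev.dpa_signed:
        findings.append("GDPR: no signed Article 28 DPA")
    if not ev.processor_established_in_eu and not ev.eu_representative_named:
        findings.append("GDPR: non-EU processor with no Article 27 EU Representative")
    return findings


def vet(vendor: VendorFile, today: date) -> list:
    """Every finding blocks production access; an empty list means the evidence checks out."""
    findings = (check_soc2(vendor.soc2, today)
                + check_iso27001(vendor.iso27001, today)
                + check_gdpr(vendor.gdpr))
    if vendor.production_access_requested:
        findings.append("Process: production access requested before contract and DPA are signed")
    return findings


if __name__ == "__main__":
    # Constructed vendor record for the demo.
    vendor = VendorFile(
        name="Shiny Badges Pvt Ltd",
        soc2=Soc2Evidence("Example CPA LLP", "Type I", date(2025, 2, 28), {"Security"}),
        iso27001=Iso27001Evidence(None, None, None),
        gdpr=GdprEvidence(dpa_signed=False, processor_established_in_eu=False,
                          eu_representative_named=False),
        production_access_requested=True,
    )
    for finding in vet(vendor, date(2026, 4, 1)):
        print("BLOCK:", finding)
```

    The `registry_match` flag is set by a person after the lookup rather than scraped, so the record shows who checked and when; the check itself only refuses to accept a certificate number nobody has looked up. Run the gate again at each annual refresh, since the SOC 2 age and the ISO 27001 expiry are the two fields that silently go stale.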

    What is the difference between KYC and KYV?

    KYC (Know Your Customer) is a regulated obligation for financial institutions: verify identity, screen against sanctions, monitor ongoing activity. KYV (Know Your Vendor) applies the same discipline to third parties you grant operational access to. KYC answers to a designated financial regulator in each jurisdiction with direct enforcement powers. KYV is enforced through a fragmented mosaic of GDPR, DORA, NIS2, and CCPA obligations, but those obligations are equally binding, and for integration vendors the exposure is larger because the vendor holds credentials to several of your systems at once.

    Make vendor vetting a default, not a fire drill

    See how APIWORX approaches data handling, compliance, and audit rights — with documentation you can verify.