Enter Vendor Privacy Inputs
Formula Used
Category Score = Σ(Component Score × Component Weight) ÷ Σ(Weights)
Overall Score = 0.35 × Exposure + 0.30 × Controls + 0.20 × Lifecycle + 0.15 × Responsiveness + Adjustment Points
Add points for sensitive data without encryption, high access without MFA, cross-border transfers without safeguards, and long retention with weak deletion support.
| Category | What It Measures | Weight |
|---|---|---|
| Exposure | Data sensitivity, volume, record count, access level, and processing scope. | 35% |
| Controls | Encryption, MFA, certification, DPA status, audit rights, and privacy maturity. | 30% |
| Lifecycle | Transfers, subprocessors, retention, and lawful transfer safeguards. | 20% |
| Responsiveness | Incident history, breach notice timing, DSAR support, and deletion quality. | 15% |
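As an added worked example (not the calculator's own code), the scoring formula above in Python. The 0-100 component scale, the 10 points per triggered adjustment combination, the risk-band thresholds and the sample vendor input are assumptions constructed for illustration; the category weights are the page's.

```python
# Added example implementing this page's scoring formula.
# Assumed (not on the page): component scores are 0-100 with higher = more
# risk, each triggered adjustment combination adds 10 points, and risk-band
# thresholds are illustrative. The sample vendor input is constructed.

# Category weights exactly as published on the page.
CATEGORY_WEIGHTS = {"exposure": 0.35, "controls": 0.30,
                    "lifecycle": 0.20, "responsiveness": 0.15}
ADJUSTMENT_POINTS = 10  # assumed value per triggered combination

def category_score(components):
    """Category Score = Σ(score × weight) ÷ Σ(weights); components maps name -> (score, weight)."""
    total_weight = sum(w for _, w in components.values())
    if total_weight <= 0:
        raise ValueError("component weights must sum to a positive number")
    return sum(s * w for s, w in components.values()) / total_weight

def adjustment_points(flags):
    """Extra points for the four risky combinations the page lists."""
    triggers = (
        flags["sensitive_data"] and not flags["encryption"],
        flags["high_access"] and not flags["mfa"],
        flags["cross_border"] and not flags["transfer_safeguards"],
        flags["long_retention"] and not flags["deletion_support"],
    )
    return ADJUSTMENT_POINTS * sum(triggers)

def overall_score(categories, flags):
    """0.35·Exposure + 0.30·Controls + 0.20·Lifecycle + 0.15·Responsiveness + adjustments."""
    base = sum(CATEGORY_WEIGHTS[c] * categories[c] for c in CATEGORY_WEIGHTS)
    return round(base + adjustment_points(flags), 2)

def risk_band(score):
    """Illustrative bands; thresholds are assumed, not taken from the page."""
    return ("Critical" if score >= 85 else "High" if score >= 65
            else "Moderate" if score >= 45 else "Moderate-Low")

# Constructed sample resembling the "Global Support Desk" row: broad access,
# five transfer countries without safeguards, no audit rights, slow breach notice.
SAMPLE_CATEGORIES = {
    "exposure": category_score({"sensitivity": (80, 2), "access": (100, 2), "volume": (60, 1)}),
    "controls": category_score({"encryption": (40, 1), "mfa": (40, 1), "audit_rights": (100, 1), "dpa": (20, 1)}),
    "lifecycle": category_score({"transfers": (80, 2), "retention": (80, 1)}),
    "responsiveness": category_score({"incidents": (60, 1), "breach_notice": (80, 1)}),
}
SAMPLE_FLAGS = {"sensitive_data": True, "encryption": True, "high_access": True, "mfa": True,
                "cross_border": True, "transfer_safeguards": False,
                "long_retention": True, "deletion_support": True}
```

Running `overall_score(SAMPLE_CATEGORIES, SAMPLE_FLAGS)` gives 80.9, which `risk_band` places in the High band, matching the sample view for that row.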
How to Use This Calculator
- Enter the vendor name and the review date.
- Rate the type of data shared and how broadly the vendor can access it.
- Estimate data volume, record count, retention, and subprocessor usage.
- Mark whether core controls exist, including encryption, MFA, DPA, and audit rights.
- Add operational details such as incidents, breach notice timing, and DSAR support days.
- Click the calculate button to see the score, category breakdown, recommendations, and chart.
- Use the CSV or PDF options to save the current assessment result.
Example Data Table
| Vendor | Sensitivity | Access | Transfers | Retention | Incidents | Controls Snapshot | Sample Risk View |
|---|---|---|---|---|---|---|---|
| MailFlow Services | 3/5 | 2/5 | 1 country | 12 months | 0 | DPA, MFA, encryption, audit rights | Moderate-Low |
| Insight Metrics Cloud | 4/5 | 4/5 | 3 countries | 24 months | 1 | Strong controls, average DSAR timing | Moderate |
| Global Support Desk | 4/5 | 5/5 | 5 countries | 36 months | 2 | No audit rights, slower breach notice | High |
| Behavioral Profiling Engine | 5/5 | 5/5 | 8 countries | 60 months | 4 | Weak deletion and missing transfer mechanism | Critical |
Frequently Asked Questions
1. What does this calculator measure?
It estimates privacy risk from a vendor using exposure, controls, lifecycle, and responsiveness. The result helps compare vendors consistently during procurement, onboarding, and renewal reviews.
2. Is a higher score always bad?
Yes. Higher scores reflect greater privacy risk. A high score does not automatically reject a vendor, but it should trigger stronger contractual, technical, or governance requirements.
3. Why are adjustment points added?
Adjustment points catch combinations that deserve extra attention, such as sensitive data without encryption or broad access without MFA. These situations often create outsized operational and regulatory risk.
4. Can I use this for all vendors?
Yes. It works best for processors, service providers, cloud tools, support vendors, analytics partners, and subcontractors that handle personal or confidential information.
5. How often should vendors be reassessed?
Review critical vendors at least annually. Reassess sooner when there are incidents, major scope changes, new subprocessors, new transfer locations, or contract renewals.
6. Does a certification remove privacy risk?
No. Certifications help, but they do not replace contract review, transfer analysis, access controls, deletion testing, or incident due diligence. They reduce uncertainty rather than eliminate risk.
7. What if I do not know exact data volume?
Use a reasonable estimate. Relative comparisons are often enough for triage. You can update the score later when the vendor provides a fuller data flow or architecture response.
8. Should this replace legal review?
No. This is a screening and prioritization tool. Legal, privacy, and security teams should still review high-risk vendors, contracts, transfer mechanisms, and remediation commitments.