IndexableAudit evidenceLast reviewed 2026-05-21

SOC 2 vendor review evidence template

Use this template to turn a vendor source review into an audit-ready record. It is intentionally narrow: vendor, source, commitment, finding, reviewer, and follow-up. It does not decide whether the vendor is acceptable.

Download Markdown Download CSV Generate this automatically

Who it is for

Security, GRC, privacy, or founder operators who need a repeatable vendor review record before an audit or customer security review.

Template

SOC 2 evidence table with 5 starter rows.

Download formats

Markdown for docs, CSV for spreadsheet review.

When to use it

Before a SOC 2 audit request asks for a vendor monitoring evidence packet.
Before reusing an old customer security questionnaire answer.
After an AI, DPA, subprocessor, retention, or security source changes.

How to fill it out

Create one row per vendor and product path, not one row per parent company.
Attach official vendor sources and your own implementation evidence in the same record.
Close the review only after unresolved customer commitments have an owner or qualified note.

SOC 2 evidence table

Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.

4 columns

Item: Vendor and service
What to record: Vendor name, product, workspace, region, and whether the service is production or internal use.
Evidence to attach: Vendor profile page, source links, contract path, and internal system owner note.
Owner: Security or GRC

Item: Customer data categories
What to record: Prompts, files, logs, tickets, billing records, CRM data, or workspace content involved.
Evidence to attach: Data-flow note, architecture note, screenshot of settings, or approved internal system record.
Owner: Engineering owner

Item: Official sources reviewed
What to record: Privacy, terms, DPA, subprocessor, retention, AI data-use, and security links checked.
Evidence to attach: Current source URLs and last reviewed date.
Owner: Privacy or security

Item: Commitment comparison
What to record: Customer-facing statement that may depend on the vendor source.
Evidence to attach: Trust Center text, questionnaire answer, DPA exhibit, or policy excerpt.
Owner: Legal or customer security

Item: Review outcome
What to record: No action, update evidence, change customer answer, pause rollout, or escalate.
Evidence to attach: Reviewer note, ticket link, and due date for unresolved items.
Owner: Review owner

Item	What to record	Evidence to attach	Owner
Vendor and service	Vendor name, product, workspace, region, and whether the service is production or internal use.	Vendor profile page, source links, contract path, and internal system owner note.	Security or GRC
Customer data categories	Prompts, files, logs, tickets, billing records, CRM data, or workspace content involved.	Data-flow note, architecture note, screenshot of settings, or approved internal system record.	Engineering owner
Official sources reviewed	Privacy, terms, DPA, subprocessor, retention, AI data-use, and security links checked.	Current source URLs and last reviewed date.	Privacy or security
Commitment comparison	Customer-facing statement that may depend on the vendor source.	Trust Center text, questionnaire answer, DPA exhibit, or policy excerpt.	Legal or customer security
Review outcome	No action, update evidence, change customer answer, pause rollout, or escalate.	Reviewer note, ticket link, and due date for unresolved items.	Review owner

Common mistakes

Using a privacy policy as the only evidence for model training, retention, or subprocessors.
Listing a vendor without naming the product or account path in use.
Marking the review complete while customer-facing wording still needs an owner.

Example entry

OpenAI API Platform, production support summarization, prompts and ticket excerpts, platform data controls reviewed on 2026-05-21, customer training statement still accurate for API use, app logging retention needs a separate engineering note.

AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.

Related vendor pages

Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.

OpenAIReview OpenAI API, DPA, privacy, subprocessors, retention, and model training sources for SaaS customer commitments.AnthropicReview Anthropic Claude commercial terms, DPA, model training, retention, and privacy sources for SaaS review packet evidence.Azure OpenAI / Microsoft AIReview Microsoft Azure AI Foundry data privacy, Azure terms, DPA, and privacy sources for SaaS customer commitments.AWS BedrockReview Amazon Bedrock data protection, abuse detection, AWS service terms, and security sources for SaaS AI commitments.

Related templates

These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.

AI vendor monitoring evidence packet templateUse this packet to show what sources were reviewed, what changed, and which customer commitments need follow-up. It is built for a short review meeting, not a long risk committee packet.Vendor commitment drift registerUse this register as the working list for vendor changes that may affect customer promises. It is not a risk score. It is a way to avoid quiet drift.

Turn this template into a review packet.

Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.

Generate SOC 2 evidence from your vendors View all templates