# SOC 2 vendor review evidence template

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and supports the review workflow. This template is not legal advice.

## Who this is for

Security, GRC, privacy, or founder operators who need a repeatable vendor review record before an audit or customer security review.

## What this template is for

Use this template to turn a vendor source review into an audit-ready record. It is intentionally narrow: vendor, source, commitment, finding, reviewer, and follow-up. It does not decide whether the vendor is acceptable.

## When to use it

- Before a SOC 2 auditor requests a vendor monitoring evidence packet.
- Before reusing an old customer security questionnaire answer.
- After a vendor's AI data-use, DPA, subprocessor, retention, or security source changes.

## SOC 2 evidence table

| Item | What to record | Evidence to attach | Owner |
| --- | --- | --- | --- |
| Vendor and service | Vendor name, product, workspace, region, and whether the service is production or internal use. | Vendor profile page, source links, contract path, and internal system owner note. | Security or GRC |
| Customer data categories | Prompts, files, logs, tickets, billing records, CRM data, or workspace content involved. | Data-flow note, architecture note, screenshot of settings, or approved internal system record. | Engineering owner |
| Official sources reviewed | Privacy, terms, DPA, subprocessor, retention, AI data-use, and security links checked. | Current source URLs and last reviewed date. | Privacy or security |
| Commitment comparison | Each customer-facing statement whose accuracy depends on the vendor source. | Trust Center text, questionnaire answer, DPA exhibit, or policy excerpt. | Legal or customer security |
| Review outcome | No action, update evidence, change customer answer, pause rollout, or escalate. | Reviewer note, ticket link, and due date for unresolved items. | Review owner |

## How to fill it out

- Create one row per vendor and product path, not one row per parent company.
- Attach official vendor sources and your own implementation evidence in the same record.
- Close the review only after every unresolved customer commitment has an owner or a qualifying note.

## Common mistakes

- Using a privacy policy as the only evidence for model training, retention, or subprocessors.
- Listing a vendor without naming the product or account path in use.
- Marking the review complete while customer-facing wording still needs an owner.
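The rules in "How to fill it out" and the mistakes above can be checked mechanically before a record is marked complete. The following is an added example, not code from AI Vendor Packet: the field names, the source-kind vocabulary, the topic-to-source mapping, and the sample records are assumptions chosen to mirror the evidence table.

```python
"""Completeness checks for a vendor review record (added example).

Not part of AI Vendor Packet. Field names, source kinds, the topic-to-source
mapping, and the sample records below are assumptions that mirror the
evidence table and the closing rules in the template.
"""
from dataclasses import dataclass, field


@dataclass
class Source:
    kind: str         # assumed vocabulary: privacy, terms, dpa, subprocessor,
                      # retention, ai-data-use, security
    url: str
    reviewed_on: str  # ISO date the source was last checked


@dataclass
class Commitment:
    statement: str    # customer-facing wording
    topic: str        # what the wording depends on, e.g. "model training"
    status: str       # "accurate" or "unresolved"
    owner: str = ""   # required while unresolved ...
    note: str = ""    # ... or a qualifying note instead


@dataclass
class Record:
    vendor: str
    product: str
    account_path: str                       # workspace/account actually in use
    sources: list = field(default_factory=list)
    implementation_evidence: list = field(default_factory=list)
    commitments: list = field(default_factory=list)
    outcome: str = ""                       # no action, update evidence, ...


# Assumed mapping: a commitment on one of these topics needs a source of the
# matching kind; a privacy policy alone is not evidence for it.
TOPIC_SOURCE = {
    "model training": "ai-data-use",
    "retention": "retention",
    "subprocessors": "subprocessor",
}


def validate(record: Record) -> list:
    """Return the reasons the record cannot yet be closed (empty means closable)."""
    problems = []
    if not record.vendor:
        problems.append("vendor name missing")
    if not record.product or not record.account_path:
        problems.append("vendor listed without the product or account path in use")
    if not record.sources:
        problems.append("no official vendor sources attached")
    if not record.implementation_evidence:
        problems.append("no implementation evidence attached")
    kinds = {s.kind for s in record.sources}
    for c in record.commitments:
        needed = TOPIC_SOURCE.get(c.topic)
        if needed and needed not in kinds:
            problems.append(
                f"'{c.topic}' commitment has no {needed} source (only {sorted(kinds)})"
            )
        if c.status != "accurate" and not (c.owner or c.note):
            problems.append(f"unresolved wording has no owner or note: {c.statement!r}")
    if not record.outcome:
        problems.append("review outcome not recorded")
    return problems


def can_close(record: Record) -> bool:
    return not validate(record)


# Constructed sample records (hypothetical URLs and wording).
GOOD = Record(
    vendor="OpenAI",
    product="API Platform",
    account_path="prod/support-summarization",
    sources=[
        Source("ai-data-use", "https://vendor.example/data-controls", "2026-05-21"),
        Source("retention", "https://vendor.example/retention", "2026-05-21"),
    ],
    implementation_evidence=["docs/data-flow-support-summarization.md"],
    commitments=[
        Commitment("Customer data is not used to train vendor models",
                   "model training", "accurate"),
        Commitment("Support data is retained for a bounded period",
                   "retention", "unresolved", owner="app-eng",
                   note="app logging retention needs a separate engineering note"),
    ],
    outcome="update evidence",
)

BAD = Record(  # parent company only, privacy policy only, nobody owns the gap
    vendor="OpenAI", product="", account_path="",
    sources=[Source("privacy", "https://vendor.example/privacy", "2026-05-21")],
    commitments=[Commitment("Vendor does not train on our data",
                            "model training", "unresolved")],
)

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "closable" if can_close(rec) else "blocked:", validate(rec))
```

Running the file shows the GOOD record as closable and the BAD record blocked on every rule the template lists, which is the behaviour a review tool should have before it lets anyone mark a row complete.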

## Example entry

- Vendor and service: OpenAI API Platform, production support summarization.
- Customer data categories: prompts and ticket excerpts.
- Official sources reviewed: platform data controls, reviewed on 2026-05-21.
- Commitment comparison: customer training statement still accurate for API use.
- Review outcome: app logging retention needs a separate engineering note.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.

