
What's the minimum you should do for vendor risk assessments as a small team?

by Olivia Cheng · Vendor Risk Management · May 14, 2026 · 1 reply

Looking for practical, real-world advice on vendor risk assessment for small teams (2-5 people) who handle it as part of their job, not as a dedicated function. If you've onboarded a lot of vendors but never had a formal assessment process, what's the minimum you'd actually want in place? Specifically:

  • What checks would you feel genuinely uncomfortable skipping before letting a vendor in?
  • Is there a short questionnaire that covers the essentials without being a 200-question spreadsheet?
  • What contract clauses do you always insist on?
  • What are the biggest red flags in vendor responses that should make you walk away?
  • How do you handle ongoing monitoring without it becoming a full-time job?

The goal is a simple, repeatable workflow — something where if something goes wrong, you can at least show you did the reasonable and sensible thing given your size and constraints. Would appreciate any real-world experience or templates people are willing to share.
Olivia Cheng
Member since Apr 2026
1

1 reply

Been doing this for a while at a company of similar size, so here's what actually works in practice.

First thing — tier your vendors. Don't treat your coffee supplier the same as your cloud provider. We use three buckets: high risk (they touch sensitive data or are critical to operations), medium risk (limited data access, not mission-critical), and low risk (no data, easily replaceable). High risk gets the full treatment, low risk gets a quick Google search and you move on.

For every vendor, regardless of tier, spend 5 minutes on this:

  • Google their name + "breach" or "lawsuit" or "complaint". You'd be surprised what comes up.
  • Run them through OFAC and EU sanctions lists. It's free and takes a minute.
  • Skim their Terms of Service and privacy policy. If a SaaS company doesn't have a privacy policy, run.

For high-risk vendors, we send a short questionnaire. Ours is about 15 questions, not 150. We ask about: what data they'll access, where it's stored, if it's encrypted, whether they have SOC 2 or ISO 27001, when their last pen test was, what their breach notification timeline looks like, and whether they use subcontractors to handle our data. That's really it. Vendors actually respond to this because it doesn't take them three weeks to fill out.

Red flags that made us walk away:

  • Refused to answer basic security questions. Not "we need to check with legal" — flat out refused.
  • Couldn't tell us who their subprocessors were. If they don't know where our data goes, nobody does.
  • Had a breach last year with zero public acknowledgment. Stuff happens, but pretending it didn't is a dealbreaker.
  • Liability capped at $0 in the contract. Basically saying "we're not responsible for anything, ever."
  • No way to get your data back when you leave. You'd be shocked how common this is.

Contract clauses we always push for, even with smaller vendors:

  • Right to terminate with 30 days notice if there's a material breach
  • Data deletion within 30 days of termination
  • Breach notification within 72 hours
  • They're on the hook for their subprocessors, not just themselves
  • Data processing agreement if they touch any personal data

For ongoing monitoring, keep it simple. High-risk vendors get a calendar reminder once a year — request updated certs, re-run sanctions checks, takes maybe 15 minutes per vendor. Medium risk every two years. Low risk only if something changes.

The whole point isn't to be perfect. It's to have a consistent process so that if something does go wrong, you can show you weren't just winging it. A small team doing the basics consistently beats a big team doing nothing.

Hope that helps. Happy to share our questionnaire template if anyone wants it.

Amit Desai
May 14, 2026 at 1:26 AM
0
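The tiering rules, walk-away red flags and review cadence described in the reply above can be turned into a small script so the workflow is repeatable rather than remembered. The following is an added example, not the poster's template or anything from LexFlag; the vendor records, field names and the sample vendors are constructed for illustration, and the tier thresholds, 72-hour notification window and one-year/two-year cadences are taken from the reply.

```python
"""Minimal vendor-risk workflow: tiering, red-flag screening, review scheduling.

Added example. Tier rules, red flags and cadences follow the forum reply;
all field names and sample vendors below are constructed (assumptions).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Review cadence per tier in days. Low-risk vendors are only re-reviewed
# when something changes, so they get no fixed interval.
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": None}


@dataclass
class Vendor:
    name: str
    touches_sensitive_data: bool
    critical_to_operations: bool
    easily_replaceable: bool
    # Answers from the short questionnaire; None means "not answered".
    answered_security_questions: Optional[bool] = None
    subprocessors_listed: Optional[bool] = None
    breach_notification_hours: Optional[int] = None
    liability_cap_usd: Optional[float] = None
    data_return_on_exit: Optional[bool] = None
    undisclosed_breach: bool = False
    last_review: Optional[date] = None


def tier(v: Vendor) -> str:
    """Three buckets: high if they touch sensitive data or are critical to
    operations, low if they hold no data and are easily replaced, else medium."""
    if v.touches_sensitive_data or v.critical_to_operations:
        return "high"
    if v.easily_replaceable:
        return "low"
    return "medium"


def red_flags(v: Vendor) -> List[str]:
    """Walk-away conditions from the reply, applied to questionnaire answers.
    A missing answer on subprocessors or data return is treated as a 'no'."""
    flags = []
    if v.answered_security_questions is False:
        flags.append("refused basic security questions")
    if not v.subprocessors_listed:
        flags.append("cannot name subprocessors")
    if v.undisclosed_breach:
        flags.append("breach with no public acknowledgment")
    if v.liability_cap_usd is not None and v.liability_cap_usd <= 0:
        flags.append("liability capped at $0")
    if not v.data_return_on_exit:
        flags.append("no way to get data back on exit")
    return flags


def contract_gaps(v: Vendor) -> List[str]:
    """Clauses the reply always pushes for that this vendor does not meet."""
    gaps = []
    if v.breach_notification_hours is None or v.breach_notification_hours > 72:
        gaps.append("breach notification not within 72 hours")
    return gaps


def next_review(v: Vendor, today: date) -> Optional[date]:
    """Date the next review is due; None for event-driven (low) vendors."""
    interval = REVIEW_INTERVAL_DAYS[tier(v)]
    if interval is None:
        return None
    if v.last_review is None:
        return today  # never reviewed: due immediately
    return v.last_review + timedelta(days=interval)


def due_for_review(vendors: List[Vendor], today: date) -> List[str]:
    """Names of vendors whose review date is today or already past."""
    due = []
    for v in vendors:
        d = next_review(v, today)
        if d is not None and d <= today:
            due.append(v.name)
    return sorted(due)


# Constructed sample register (not real vendors).
CLOUD = Vendor("cloud-host", True, True, False, True, True, 72, 250_000.0, True,
               last_review=date(2025, 3, 1))
PAYROLL = Vendor("payroll-saas", False, False, False, True, True, 48, 50_000.0,
                 True, last_review=date(2025, 1, 10))
COFFEE = Vendor("coffee-supplier", False, False, True)
ACME = Vendor("acme-analytics", True, False, True, True, False, 48, 0.0, False)
SAMPLE_VENDORS = [CLOUD, PAYROLL, COFFEE, ACME]

if __name__ == "__main__":
    today = date(2026, 5, 14)
    for v in SAMPLE_VENDORS:
        print(v.name, tier(v), next_review(v, today), red_flags(v), contract_gaps(v))
    print("due now:", due_for_review(SAMPLE_VENDORS, today))
```

Running it on the constructed register flags the new analytics vendor for three of the reply's walk-away conditions and lists both high-risk vendors as due: the cloud host because its annual review lapsed in March, the analytics vendor because it has never been reviewed.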
