Free tools · Free · 2 minutes

Processor: are you ready for your clients' questionnaires?

BPO, software vendor, host, IT provider: if you process data for European clients, their GDPR, DORA or NIS2 questionnaires will eventually land — often with a short response deadline. Eight questions to gauge whether your file is ready, or what remains to be built. The score is computed in your browser and nothing is sent without your consent. This is not legal advice.

Do you have a data processing agreement (Article 28 GDPR) signed with each of your clients?
Do you keep a record of the processing activities carried out on behalf of your clients?
Do you keep a register of your own sub-processors (host, SaaS tools, service providers)?
Do you have a procedure to notify your clients of an incident within 72 hours — and have you tested it?
Are your security measures (encryption, backups, access control, monitoring) documented and ready to attach to a contract?
Can you demonstrate where each client's data is hosted and processed?
Do you have a written exit strategy: return or deletion of data at contract end, reversibility?
When client audits and questionnaires come in, do you have a reusable evidence pack rather than starting from scratch each time?

The companion article: GDPR processor: the compliance checklist