vendor-risk-assessment

# Vendor Risk Assessment

Evaluate any AI/SaaS vendor across 6 risk dimensions. Outputs a scored report with go/no-go recommendation.

## When to Use
- Onboarding a new SaaS or AI vendor
- Annual vendor review cycle
- Evaluating build-vs-buy decisions
- Due diligence for partnerships or acquisitions
- Compliance requirements (SOC2, ISO 27001, GDPR)

## How to Use

The user provides vendor details (name, product, website, any available documentation).
The agent researches and scores the vendor across 6 dimensions.

### Input Format
```
Vendor: [Company Name]
Product: [Product/Service Name]
Website: [URL]
Use Case: [What you'd use it for]
Data Sensitivity: [low/medium/high/critical]
Additional Context: [Any docs, certifications, or concerns]
```

## Assessment Framework

### 6 Risk Dimensions (each scored 1-10)

#### 1. Security Posture
- SOC2 Type II certification?
- Penetration testing cadence
- Encryption (at rest + in transit)
- Access controls and authentication
- Incident response plan
- Bug bounty program

#### 2. Data Handling & Privacy
- Data residency and sovereignty
- Data retention and deletion policies
- Sub-processor transparency
- GDPR/CCPA compliance
- Data portability (can you get your data out?)
- AI training opt-out policies

#### 3. Compliance & Certifications
- SOC2, ISO 27001, HIPAA, FedRAMP
- Industry-specific (PCI-DSS, HITRUST, etc.)
- AI-specific (EU AI Act readiness, NIST AI RMF)
- Audit frequency and transparency
- Regulatory track record

#### 4. Financial Stability
- Funding stage and runway
- Revenue indicators (public or estimated)
- Customer concentration risk
- Acquisition risk
- Pricing stability history

#### 5. Operational Resilience
- Uptime SLA and historical performance
- Disaster recovery plan
- Multi-region availability
- Dependency on single cloud provider
- Support responsiveness and escalation paths
- Change management process

#### 6. Contractual Terms
- Termination and exit clauses
- Liability caps and indemnification
- IP...