For DPOs & procurement

Vendor checks before the DPA — without final_final.xlsx

Structured online questionnaire for Art. 28 GDPR vendor assessment: TOMs, sub-processors, third-country transfers, certifications. One version, fully completed, by the right contact.


~45 min of e-mail ping-pong saved per vendor assessment

How it works today

Excel version chaos

The questionnaire goes out as .xlsx, comes back as "final_final_v3.xlsx" — half completed, formatting broken, mandatory questions skipped. Which version is the valid one?

Wrong contact answers

The vendor's sales team fills in what they know — for TOMs, sub-processor lists and third-country transfers it says "see website". The vendor's DPO never saw the form.

No accountability trail

Art. 28(1) GDPR requires you to use only processors that provide "sufficient guarantees", and Art. 5(2) requires you to be able to demonstrate that you checked. An Excel attachment somewhere in a mailbox is not a defensible record.

How Questee fixes this

1. Set up the assessment once

   Customise the "pre-DPA questionnaire" template: TOMs per Art. 32, sub-processors, third-country transfers incl. SCCs, certifications (ISO 27001, TISAX, C5). Mandatory questions cannot be skipped.

2. Send the link to the vendor

   The vendor fills in online. Conditional logic only asks for SCCs when a third-country transfer is declared. Evidence like ISO certificates is uploaded directly. Draft saving lets the vendor's DPO add their part.

3. Receive a complete assessment file

   You receive a complete, timestamped response with all uploads, exportable as CSV/PDF for your records of processing. For the next review you simply resend the same link.

Built for Art. 28 assessments

Enforced mandatory questions

No submission with gaps — TOMs, sub-processors and transfers must be answered.

Conditional logic

SCC and TIA questions only appear for third-country transfers. The form stays as short as possible.

Evidence upload

ISO 27001 certificate, TOM document, sub-processor list — attached directly, virus-scanned.

Draft saving for the DPO

Sales starts, the vendor's DPO completes later via the same link.

Timestamp & audit trail

Which answer was given when, demonstrable for accountability under Art. 5(2) GDPR.

Hosted in Germany

The questionnaire itself runs on German servers in line with the GDPR, and we provide our own DPA for the service, of course.

SMB pricing instead of enterprise suite

Free to test (3 forms). Pro for ongoing assessments (unlimited forms, 10,000 responses/month) — a fraction of vendor-risk suites.

Free

3 forms, 250 responses/month

Pro

Unlimited forms, 10,000 responses/month, AI included

Answers from data-protection practice

Which questions belong in a pre-DPA questionnaire?
Core blocks: technical and organisational measures per Art. 32 GDPR, sub-processors with country of establishment, third-country transfers incl. transfer mechanism (SCCs, adequacy decision), certifications (ISO 27001, TISAX, BSI C5), data-protection contact, breach notification paths. The template covers all blocks and is fully customisable.
Does the questionnaire replace the DPA?
No — the questionnaire is the assessment BEFORE signing the DPA. Art. 28(1) GDPR requires processors with sufficient guarantees. The questionnaire documents exactly that assessment; the DPA itself remains a separate contract under Art. 28(3).
How do I make sure the vendor's DPO answers?
The form asks for the respondent's role and contact details upfront — you immediately see who answered. With draft saving, sales can start and forward the link internally to the DPO, who completes the technical parts. Mandatory fields prevent TOM questions slipping through as "see website".
Can I export responses for my records of processing?
Yes — every response exports as CSV or PDF for your records of processing activities (Art. 30 GDPR) or vendor register. Uploaded evidence like certificates is stored securely and retrievable via signed links.
How does the annual re-assessment work?
You resend the same form link to the vendor. Every response is timestamped — you see what changed since the last review (e.g. new sub-processors). This builds a complete assessment history per vendor without extra effort.
Why not just OneTrust or a privacy suite?
Vendor-risk modules of big suites are built for corporations with hundreds of vendors — with pricing and implementation effort to match. If you assess 5 to 50 vendors, you need a clean, structured questionnaire with evidence upload and audit trail. Exactly that, for €9/month.
Are vendor responses confidential?
Yes — TOM descriptions are sensitive security information. Responses are tenant-isolated on German servers, file downloads run via signed tokens, and you can additionally password-protect the form so only the invited vendor can respond.

Your next vendor assessment without Excel

Start template, customise the assessment, send the link. Free trial, no contract.