# Data Handling in Third-Party Contexts

One-sentence definition: Contractual and technical controls governing vendors that process or store your data on your behalf.

## Key Facts

- Contracts (DPAs/SLAs): Data Processing Agreements and Service Level Agreements set security requirements, breach-notification duties and timelines, and subprocessor transparency (who else may touch the data, and notice before changes).
- Technical: encryption in transit and at rest, least-privilege access limits, logging of access to your data, customer-managed keys (CMKs) so you control key lifecycle and revocation, and region pinning for residency.
- Evidence: SOC 2 / ISO 27001 reports and certifications; a right-to-audit clause or an equivalent (e.g., independent audit reports with scope covering your data).
- Offboarding: data return and certified deletion, with defined timeframes and written attestation.
- Continuous monitoring: reassess the vendor when its services, subprocessors, or risk profile change, and after any incident.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Select the missing clause or control in a vendor scenario.

**Mnemonic:** "Contract + Crypto + Confirm."

## Mini Scenario

Q: A vendor refuses to provide a certificate of deletion after termination. What is the risk?

A: Ongoing data exposure (the data may persist in the vendor's systems, backups, or subprocessors) and compliance risk, since retention and deletion obligations to regulators and data subjects cannot be evidenced.

## Revision Checklist

- Name three contract clauses.
- Map a technical control to each data sensitivity level.
- Identify the evidence required at offboarding.

## Related

[[Third-Party Risk Management (TPRM)]] · [[Contracts, SLAs, OLAs, MOUs]] · [[Cloud Data Protection (SaaS, PaaS, IaaS)]] · [[Data Residency and Sovereignty]] · [[Record Management and Data Retention]] · [[Domain 2 - Index]]