A dealership lives on integrations. Your DMS feeds your CRM, menus pull rates, recon apps update RO photos, digital retailing pushes credit apps, and sublet vendors email invoices. That web keeps cars moving and cash flowing. It also expands your blast radius. When one vendor hiccups, desks stall, funding slows, and customer trust takes a hit. We’ve all seen it. In 2023 a major platform outage reminded the industry how deeply connected our workflows are.
This post gives you a plain-English way to grade vendors that touch Nonpublic Personal Information (NPI) and operational systems. You’ll walk away with a scorecard, quick due-diligence questions, and copy-ready contract asks you can drop into your next MSA.
Note: Practical guidance, not legal advice. Confirm specifics with counsel and your carrier.
Start with a one-page data map
Before you grade anyone, draw the flow of data your people actually use:
- Leads: Website/chat → CRM → BDC texts → showroom visit
- Deals: CRM → DMS → menu/F&I → lenders → eSign/eVault
- Service: Appointment scheduler → MPI/video/photos → texting → payment
- Back office: AP/AR, payroll, warranty submission, parts cores/sublet
Circle any point where NPI lives: credit apps, DL images, bank details, SSNs. Those vendors are “Tier 1.”
The vendor scorecard (use it across all rooftops)
Score each vendor 0–3 per category. 24 possible points. Anything under 16 needs a remediation plan or leadership sign-off.
| Category | 0 | 1 | 2 | 3 |
|---|---|---|---|---|
| MFA & Access | No MFA | MFA optional | MFA for admins | MFA for all users; SSO available |
| Endpoint & Hosting | Unknown | Shared creds; no EDR | EDR on servers | EDR + hardening; attestations shared |
| Backups & RTO/RPO | Unknown | Backups exist | Off-site backups | Immutable + tested; stated RTO/RPO |
| Data Encryption | None stated | Transit only | Transit + at rest | Transit + at rest + key mgmt clarity |
| Logging & Monitoring | None | Basic logs | Centralized logs | 24/7 monitoring; customer alerting |
| Incident Response | None | “We’ll notify you” | IR plan on request | Contractual timelines + contact tree |
| Privacy & Deletion | Unknown | Generic policy | Retention on request | Defined purge on contract end |
| Integrations & Change Control | Ad-hoc | Email-based | Ticketed changes | Versioned API; change notices |
| Uptime & SLAs | “Best effort” | Status page | 99.5% SLA | 99.9% SLA + credits |
| Compliance Evidence | Marketing PDF | ISO/”in process” | SOC 2 summary | SOC 2 Type II/independent assessment |
| Payments & Wire Controls (AP-facing) | Email only | Template-based | Dual control available | Dual control + callback enforcement |
| Support & Escalation | Email queue | Named rep | 24/7 support | Exec escalation + drills supported |
Pro tip: Keep vendor scores in one shared tab per rooftop. Your QI and Controller should see the same numbers.
The five-minute diligence you can run this week
Ask every Tier 1 vendor these exact questions. Accept screenshots, redacted letters, or short PDFs.
- “Show me how you enforce MFA for my users.”
- “Where is my data stored and backed up? Is any copy immutable and off-domain?”
- “What is your incident-notification timeline and who calls whom?”
- “When I terminate your contract, how and when is my data purged or returned?”
- “Do you have a current SOC 2 Type II or third-party assessment? Send the summary.”
- “If you integrate to my DMS/CRM, how do you authenticate and log changes?”
- “What’s your stated RTO/RPO for outages, and when did you last test restores?”
- “For AP/wires, what prevents a fraudulent change request from being processed?”
If a vendor can’t answer in 5 business days, color them yellow. If their answers are vague or defensive, mark red.
Department-by-department risk to watch
Sales & BDC
- Shadow texting apps that export contact lists.
- Generic CRM users shared across towers.
Fix: SSO/MFA, disable exports, named logins only.
F&I & Menus
- Credit app images in desktops or email.
- Menu tools emailing OFAC/Red Flags results.
Fix: Keep NPI only in approved systems, block email auto-forwarding, encrypt at rest.
Service & Parts
- Video MPI showing driver’s license or payment details.
- Recon apps storing VIN + owner name in vendor cloud without purge dates.
Fix: Train advisors on photo hygiene; require vendor retention schedules.
Accounting/AP
- Vendor bank changes accepted via email threads.
- Outside bookkeeper with broad access and no MFA.
Fix: Dual control, out-of-band callbacks, scoped roles, MFA proof from the bookkeeper.
Contract language you can paste into your next MSA
Breach notification
“Vendor will notify Dealer within 24 hours of confirmed or reasonably suspected unauthorized access to Dealer data. Notification includes nature, scope, data elements, actions taken, and contact escalation.”
Security controls
“Vendor will enforce MFA for all Dealer user accounts, encrypt Dealer data in transit and at rest, and maintain immutable, off-domain backups with quarterly restore tests.”
Evidence & audit
“Upon request annually or after a material change, Vendor will provide a SOC 2 Type II report or equivalent third-party assessment, plus a summary of controls relevant to Dealer data.”
Data return and deletion
“Within 30 days of termination, Vendor will provide Dealer a complete export in a mutually agreed format and certify deletion of all remaining Dealer data, excluding legally required archives.”
Sub-processors
“Vendor will disclose all sub-processors with access to Dealer data and flow down equivalent obligations.”
Service levels
“Vendor will maintain 99.9% monthly uptime for production services. Credits apply for downtime. Vendor will publish real-time status and incident postmortems within 5 business days.”
Payment security
“Vendor will not act on banking changes without out-of-band callback to a known number. Email instructions alone are insufficient.”
Red flags that justify a pause
- “We don’t do MFA because it hurts adoption.”
- “Backups are on the same environment.”
- “We’ll send security details after you sign.”
- Shared “Admin” logins for field techs or agency partners.
- No purge plan for data after contract end.
- Only marketing claims; no third-party assessment.
How to handle legacy or “can’t move yet” vendors
Risk-accept, then ring-fence:
- Move them to a segmented VLAN; restrict outbound to required destinations.
- Limit API scopes and revoke bulk export rights.
- Put a 90-day sunset on shared accounts while you transition.
- Add compensating controls: weekly access audit, heavy logging, and backup snapshots.
Make it operational: one cadence, two artifacts
Monthly, 30 minutes
- Review Tier 1 vendor score changes, open gaps, and expirations on attestations.
- Sample 3 offboarding cases to confirm vendor account removal.
Quarterly, 45 minutes
- Tabletop a vendor outage (menu, recon, or CRM).
- Update the contract clause addendum and send to Procurement/Legal.
Artifacts
- A single “Vendor Risk Register” tab linked to your QI scorecard.
- A “Vendor Evidence” folder with MFA screenshots, SOC summaries, purge confirmations, and RTO/RPO statements.
Talking points for the Dealer Principal
- Faster funding: vendors with real SLAs and proven backups shorten outages that stall contracts-in-transit.
- Lower fraud risk: dual control and callback language stops BEC-driven vendor bank changes.
- Insurance leverage: carriers increasingly ask for vendor diligence; having it pre-packaged helps renewals.
- OEM optics: clean vendor files play well in field audits.
Still Need Help?
Want a fill-in-the-blank Vendor Scorecard and Contract Addendum you can send to your top 10 vendors?