What a lot of organizations unfortunately still don’t realize is their legal obligation to audit their vendors under the GDPR. The GDPR distinguishes two direct parties: the controller and the processor.
The controller decides (controls) the scope, nature and similar parameters of the processing, and the level of security applied to protect the personal data under its control.
The processor processes the personal data on behalf of the controller. The processor may not process the personal data supplied by the controller for any purpose other than the one they agreed upon.
You must have a legally binding agreement between processor and controller.
The agreement must mention: