Your security review answered one question: does this vendor look secure? It never answered the second one: what happens when that turns out to be wrong?
Here is why the second question gets skipped. Once security signs off, everyone in the room shifts from evaluating risk to processing paperwork. That is also the exact moment your leverage peaks, and the moment most buyers stop using it.
The Contract Is the Only Document That Obligates the Vendor
A SOC 2 report describes controls the vendor's own auditors examined, at a point in time, under a scope the vendor selected. A questionnaire records what the vendor says about themselves. Both are worth collecting. Neither creates a single obligation to you.
The contract is the only document in the entire evaluation that defines what the vendor has agreed to owe you if something goes wrong. Everything else you gathered is evidence about the vendor. Only the agreement turns any of it into accountability.
So treat the passed review as the start of the commercial negotiation, not the end of the evaluation. The vendor still wants your signature, and you can still walk.
Check These Three Things Before You Sign
When a vendor's security fails, three clauses decide what happens next.
How fast they have to tell you. Look for a breach notification obligation measured in hours. "Prompt notification" is a sentence a lawyer wrote to avoid committing to a timeline.
What your remedies actually are. Something breaks, the vendor underdelivers, and the contract points you to pages of SLA math to calculate service credits, assuming you documented every outage and requested them in time. Unless you negotiated something stronger, those credits are your remedy, and the vendor's side of the table priced them.
Whether you can leave. Termination rights decide if a security failure ends the relationship or just discounts next month's invoice.
What the Vendor's Response Tells You
Ask for the right to terminate without penalty after a material security failure, then pay attention to the shape of the response. Some vendors reject it outright. Some offer a narrower version. Some will tie it to a defined security event with a cure period.
Each answer tells you how the vendor thinks about accountability before an incident ever happens. You can only learn that before you sign.
While the contract is open, find the limitation of liability section too. The cap on what a vendor can ever owe you deserves its own read, and we broke down how liability caps work and what experienced buyers negotiate instead.
A Security Review and a Contract Aren't the Same Thing
Keep running security reviews. They reduce uncertainty about who you are dealing with. Contracts do a different job: they allocate risk when the uncertainty resolves badly. Treating those as the same job is how buyers discover what their contract says only after they need it.
If a renewal or a new agreement is in front of you right now, this is where to start. It covers what is at stake in the signature window and what independent representation changes about the outcome.
If you have a vendor evaluation closing this quarter, or a renewal where the security review was the reason you're staying, this applies to you today, not eventually.
We'll tell you if this deal is actually competitive.
Get Started. No pitch. No prep. Just answers.


