Are Your Vendor Contracts Aligned with Today’s Compliance Standards?

June 2, 2025

A Compliance Checklist for Investment Firms

Vendor relationships power your operations—but if your agreements do not conform with compliance requirements, they may be your biggest hidden liability. With evolving regulations including DORA, GDPR, and Regulation S-P, SEC examinations, and compliance manual provisions pertaining to third-party service provider contract requirements, it’s critical to scrutinize your contracts to ensure they meet these requirements. Moreover, as a business matter, having proper contract terms can mitigate the risk to sensitive data.

Use this compliance-focused checklist to evaluate your current vendor agreements and highlight areas where you may need to negotiate changes and additional provisions to address the foregoing requirements and mitigate operational risk.

1. Restrictions on Data Usage and Sharing

Vendor agreements should clearly outline data usage rights for both parties:

For Investment Firms:

  • Authorized Users & Use of Credits – Clarify limits on usage (e.g., by seat, location, credit, or API call) and define user types or user groups (internal, affiliate, contractor).
  • Affiliates – Define whether data or systems can be accessed by or shared with affiliated entities.
  • Third Party Sharing – Define whether vendor approval is required before data is passed to consultants, auditors, or other providers.
  • Derivative Works – Define limitations on the creation or sharing of internal reports, summaries, and documents based on the vendor’s data.

For Vendors:

  • Client Usage Data – Limit vendors’ rights to monitor, analyze, or commercialize client behavior or usage patterns without explicit consent.
  • Protection of Client Data – Require vendors to maintain appropriate safeguards around the confidentiality, storage, and handling of any investment firm data they receive.

2. Subcontractors and Delegates

Both you and the vendor should be restricted from freely passing responsibilities (or data) downstream:

  • Disclosure of Third Parties – Require identification of all subcontractors and a standard of care for their selection and monitoring.
  • Obligations Flow-Down – Ensure subcontractors are bound to the same compliance standards.
  • Change Notification – Require notification before key changes in third-party service providers.

3. Confidential & Proprietary Information

Confidentiality between you and the vendor should be contractually enforced:

  • Protection of Confidential Information (CI) – Define what qualifies as CI and require encryption and secure storage.
  • Access Limits – Limit access on a need-to-know basis with strict controls.
  • Return / Destruction – Set clear deadlines and methods for secure deletion or return of data post-termination.

4. Representations (Reps)

Mutual Reps:

  • Compliance with Applicable Law – Affirm both parties comply with:
      ◦ Data Privacy Laws – GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), etc.
      ◦ Sanctions & Export Controls.
      ◦ Anti-Bribery & AML Requirements.
  • Malware / Harmful Code – Confirm systems are free of malicious code.
  • Cybersecurity – Include obligations to:
      ◦ Review Policies & Controls regularly.
      ◦ Notify and Respond Promptly to any breach, vulnerability, or penetration.

Vendor-Specific Reps:

  • MNPI – Prohibit disclosure and use of material non-public information in a way that creates insider trading risk.
  • Personal Information (DORA Compliance) – Ensure data handling aligns with Digital Operational Resilience Act standards.
  • Regulation S-P (U.S. NPI Requirements) – Confirm the vendor maintains safeguards and notification procedures that comply with U.S. privacy regulations, including upcoming Reg S-P amendments.
  • Licensing / Infringement – Confirm software or data provided does not infringe on third-party IP rights.

5. Service Level Agreements (SLAs)

Vendors must commit to baseline service performance:

  • Defined SLAs – Uptime guarantees, data latency thresholds, and response timelines.
  • Downtime Notifications – Require real-time alerts and incident reports.

6. AI Usage

As investment firms explore generative AI and internal models to support research, compliance, and operational workflows, vendor contracts are beginning to include restrictions around how data can be used in these contexts. These terms are often nuanced—and easy to overlook.

For investment firms, vendor agreements may:

  • Restrict uploading vendor-provided data into AI systems, especially large language models (LLMs) or external tools.
  • Draw a distinction between external AI platforms and internal models—some agreements prohibit use in either, while others are more permissive with internal tools.
  • Include provisions requiring the firm to expunge AI-generated outputs after termination—though firms may want to retain those outputs, particularly where they constitute derivative works based on licensed data.

Less commonly, vendor agreements may also address:

  • The vendor’s own use of the firm’s data in training or developing AI tools. These provisions warrant close review, especially when confidential or proprietary information could be incorporated into models beyond the client’s control.

7. Reporting Obligations

Ensure proactive visibility and oversight:

  • Incident Reporting – Breach, downtime, and compliance failures should be disclosed within specified timelines.
  • Regulatory Inquiries – Require prompt notification of any government or regulator requests involving your data or the vendor’s operations.
  • Audit Rights – Retain rights to request compliance evidence, certifications, and test results.

Where Quadrangle Fits In

Our team negotiates these terms daily. Through our legal experts and QDS Platform, we:

  • Benchmark vendor terms against a database of thousands of contracts.
  • Track compliance obligations across jurisdictions and by vendor type.
  • Maintain clause-level visibility, so you know exactly what your contracts say about each term above.
  • Help you identify, renegotiate, and manage contract risk at scale.

Ready to Protect Your Firm?

  • Book a review session with our legal team.
  • Ask how our AI-Powered CLM can help you manage contracts across your vendor stack.

Email your account manager or info@quadrangleconsulting.com for assistance and additional information.
