Contract
The agreement that binds vendor security obligations — DPAs, BAAs, MSAs, NDAs.
Contracts are where third-party security obligations become enforceable — DPAs (data processing), BAAs (HIPAA business associates), MSAs (master services), and NDAs each bind a different aspect. Essential security clauses include right-to-audit, breach-notification timelines, and data return/destruction on termination. Negotiate these at contract time; leverage to add them evaporates once the vendor is entrenched.