If you connect an unvetted app or tool to your systems, it can steal customer data, financial records, or employee information—and you become liable. For example, a Delhi-based export company connected a free invoicing app without review; it harvested client bank details and customer lists, leading to a ₹15 lakh fraud case and loss of three major clients. Under the DPDP Act 2023, you can face penalties up to ₹5 crore if personal data is leaked through a third-party app you didn't vet. Your audit will fail and customers will stop trusting you.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You're connecting apps and tools whenever someone asks or finds something useful online, with no formal process. Your team installs software from download links in emails or uses free tools shared by friends without knowing who built them or what data they access. |
| Initial | You have a basic understanding that apps can be risky and occasionally ask the vendor a question about security before using them. Someone (usually the owner) makes ad-hoc decisions about new tools, but there's no written list of what's connected or approved. |
| Developing | You maintain a simple spreadsheet listing all connected apps with the vendor name and what data each one touches. Before connecting anything new, your IT person or designated owner asks the vendor basic security questions and documents their answers. |
| Defined | You have a formal written policy requiring all third-party apps to be reviewed and approved before deployment. You keep a register of approved applications, track what permissions each has, and conduct annual reviews to remove unused tools. |
| Managed | You conduct security assessments (questionnaires or vendor audits) for all new applications and track their security certifications (ISO 27001, SOC 2, or equivalent). You have contractual clauses requiring vendors to notify you of breaches and maintain audit logs of who accesses data through each app. |
| Optimised | You perform regular third-party risk assessments, maintain an automated inventory of connected applications with real-time permission monitoring, and conduct penetration testing on critical integrations. Your vendor management includes continuous compliance monitoring and quarterly risk reviews with documented escalation procedures. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Document all applications and online tools currently in use (Google Workspace, WhatsApp Business, Zoho, etc.) and create a simple list with the vendor name and what business function each serves. | Business owner or IT person | 1-2 days |
| 1 → 2 | Create a basic review checklist (vendor name, data accessed, vendor location/country, basic security question responses, approval date) and require it to be completed before any new tool is deployed. Add all current apps retroactively. | IT person or owner | 1 week |
| 2 → 3 | Write a formal Third-Party Application Review Policy stating who approves new tools, what questions must be asked, and what documentation must be kept. Create an approval form and maintain a signed-off register. | Owner with IT person input | 2-3 weeks |
| 3 → 4 | Develop a vendor security assessment template (asking about data encryption, breach notification, certifications, data location, and incident response), require vendors to complete it, and add contractual clauses about breach notification and audits. | IT person with legal review | 4-6 weeks |
| 4 → 5 | Implement an application inventory tool (free or paid), conduct quarterly risk reviews of all connected apps, perform penetration testing on critical integrations, and establish continuous vendor compliance monitoring with documented escalation procedures. | IT team or external security consultant | Ongoing (2-4 hours monthly) |
Documents and records that prove your maturity level.
- Signed Third-Party Application Review and Approval Policy (dated and endorsed by owner/management)
- Application Inventory Register with columns: App name, Vendor, Purpose, Data Accessed, Approval Date, Approved By, Review Date, Security Assessment Score
- Completed vendor security questionnaires or assessment forms for all active applications (signed by vendor representative with date)
- Application Approval Forms or decision logs documenting the review and approval process for each new tool introduced
- Vendor contracts or service agreements with clauses about data security, breach notification timelines, and audit rights
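As an added example (not part of the original page), a small Python check that reads an Application Inventory Register with the columns listed above and flags apps with no documented approval, sensitive-data apps with no security assessment score, and reviews that are missing or overdue. The register rows are constructed sample data; the sensitive-data keywords are an assumption based on the categories this page calls out (payroll, customer lists, financials).

```python
import csv
import io
from datetime import date

# Constructed sample register (not from the page) using the page's register columns.
SAMPLE_REGISTER = """\
App name,Vendor,Purpose,Data Accessed,Approval Date,Approved By,Review Date,Security Assessment Score
Zoho Books,Zoho,Invoicing,customer lists;financials,2024-02-10,Owner,2025-02-10,78
WhatsApp Business,Meta,Customer chat,customer contacts,2023-01-15,Owner,2024-01-15,
FreeInvoicePro,Unknown,Invoicing,bank details;customer lists,,,,
TeamTimer,Freelancer,Time tracking,employee names,2024-06-01,IT,2025-06-01,65
DesignTool,DesignCo,Marketing graphics,none,2024-09-01,Owner,2025-09-01,
"""

# Assumed keywords marking the data categories the page treats as high-risk.
SENSITIVE_TERMS = ("payroll", "customer", "financial", "bank", "employee")


def is_sensitive(data_accessed: str) -> bool:
    """True if the 'Data Accessed' cell mentions a sensitive data category."""
    text = data_accessed.lower()
    return any(term in text for term in SENSITIVE_TERMS)


def review_register(csv_text: str, today_iso: str) -> dict:
    """Return {app name: [findings]} for rows that need attention.

    Rules mirror the page's practices: every app needs a documented approval,
    sensitive-data apps need a security assessment, and every app needs a
    review date that has not already passed."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not (row["Approval Date"] and row["Approved By"]):
            issues.append("no documented approval")
        if is_sensitive(row["Data Accessed"]) and not row["Security Assessment Score"]:
            issues.append("sensitive data but no security assessment")
        if not row["Review Date"]:
            issues.append("no review date set")
        elif date.fromisoformat(row["Review Date"]) < today:
            overdue = (today - date.fromisoformat(row["Review Date"])).days
            issues.append(f"review overdue by {overdue} days")
        if issues:
            findings[row["App name"]] = issues
    return findings


if __name__ == "__main__":
    for app, issues in review_register(SAMPLE_REGISTER, "2025-03-01").items():
        print(f"{app}: {'; '.join(issues)}")
```

Run it against an exported copy of your real register to get the list of apps to chase before an audit; apps with a passing approval, assessment and future review date produce no output.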
Prepare for these questions from customers or third-party reviewers.
- "Show me your list of all applications connected to your company systems. Who approved each one and when?"
- "Walk me through your process for reviewing a new application before connecting it. What questions do you ask vendors? Who makes the final approval decision?"
- "Do you have written agreements with your application vendors covering data security, confidentiality, and breach notification? Can you share examples?"
- "Tell me about a time you discovered an unapproved or risky application in use. What did you do? How do you prevent this now?"
- "How often do you review your connected applications? Have you ever removed or replaced an app due to security concerns? Show me the documentation."
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and maintain a simple inventory of all connected applications with review status and data classifications | Google Sheets or LibreOffice Calc (template-based tracking) | Freshservice IT Asset Management (₹8,000–15,000/year for small teams) or Snipe-IT (₹0 self-hosted open-source or ₹2,000/year cloud) |
| Store and manage vendor security questionnaires, assessments, and vendor risk scores | Microsoft Forms or Google Forms combined with Sheets (no cost, basic functionality) | OneTrust Vendor Risk Management (₹50,000+/year, enterprise) or SafetyLine by Prevalent (contact for SME pricing) |
| Monitor active integrations and API connections in real-time to detect unauthorized or rogue applications | No strong free option; manual audit of connected apps via browser settings and admin consoles | Microsoft Defender for Cloud Apps (₹3,000–10,000/user/year) or Netskope (contact for pricing) |
- Assuming free or popular apps (like a free HR tool or invoicing software) are automatically safe because 'many companies use it'—popularity does not mean security; Indian SMEs often skip vetting because the tool seems harmless.
- Connecting apps once and never reviewing them again; data breaches at vendors happen silently, and you won't know your team's data is at risk until it's too late. Many MSMEs forget about tools installed two years ago.
- Allowing individual team members to install and authorize their own apps (like personal WhatsApp, Telegram bots, or freelance time-tracking tools) without IT oversight; this creates shadow IT that bypasses all controls.
- Not distinguishing between apps that touch sensitive data (payroll, customer lists, financials) and those that don't; you may over-review non-critical tools while missing high-risk ones.
- Relying solely on verbal assurances from vendors instead of requiring written security documentation; Indian vendors sometimes say 'haan, secure hai' (yes, it's secure) without providing proof or signed agreements.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (consent and purpose limitation) and Section 10 (accountability and reasonable security measures). Third-party apps processing personal data must be vetted to ensure security and compliance. |
| CERT-In Guidelines 2022 | Guideline 2.4.2 (periodic security assessment of systems including third-party applications and integrations) |
| ISO 27001:2022 | Annex A 5.23 (information security for supplier relationships), A 5.37 (cryptography), and A 8.30 (access control for third parties) |
| NIST CSF 2.0 | Function: GOVERN (GV.RO-02 Third-party risk assessment and management) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.