Vendor Domain Due Diligence

Screen vendor domains before onboarding to identify privacy risk, tracking behavior, and security gaps in your supply chain.

Why Vendor Domain Screening Matters

Every vendor you integrate introduces third-party risk. Their domains load scripts on your users' browsers, set cookies, and may transmit data to advertising networks. Without screening, you inherit their privacy practices.

  • Supply chain risk — Vendors embed trackers that follow your users across the web
  • Compliance exposure — Unvetted vendors can violate GDPR, CCPA, and other privacy regulations
  • Security surface — Missing security headers and weak TLS configuration widen the attack surface exposed to your users
  • Reputation impact — Users associate your brand with the privacy practices of your vendors

What to Check

A thorough vendor domain assessment examines observable behavior, not policy promises:

Third-Party Trackers

How many external tracking scripts does the vendor load? Are they advertising trackers or necessary analytics?

Cookie Practices

Are cookies secured with HttpOnly, Secure, and SameSite flags? How many third-party cookies are set?

Fingerprinting Detection

Does the vendor use canvas, WebGL, or audio fingerprinting to track visitors without cookies?

Security Headers

Are CSP, HSTS, Referrer-Policy, and Permissions-Policy properly configured?

TLS Configuration

Is the vendor using TLS 1.3? Is HSTS enabled? Are certificates valid and properly configured?
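The cookie-flag and security-header checks above can be scripted against a captured response. The following Python is an added example, not GeckoAdvisor's tooling; it assumes response headers are available as (name, value) pairs, and the `SAMPLE_HEADERS` it ships with are constructed, not captured from any real vendor.

```python
"""Vendor header/cookie checks (added example, not GeckoAdvisor's code).
Evaluates the signals a plain HTTP response exposes: the security headers
(CSP, HSTS, Referrer-Policy, Permissions-Policy) and the flags on cookies."""
import urllib.request

REQUIRED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "referrer-policy",
    "permissions-policy",
)
COOKIE_FLAGS = ("HttpOnly", "Secure", "SameSite")

def check_security_headers(headers):
    """Return the required security headers absent from (name, value) pairs."""
    present = {name.lower() for name, _ in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]

def check_cookies(headers):
    """Return {cookie_name: [missing flags]} for each weakly flagged cookie."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive, so compare them lower-cased.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [f for f in COOKIE_FLAGS if f.lower() not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings

def assess(headers):
    """Combine both checks into one report for a vendor domain."""
    return {"missing_headers": check_security_headers(headers),
            "weak_cookies": check_cookies(headers)}

def fetch_headers(url):
    """Live variant: fetch one response and return its headers as pairs."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return list(resp.getheaders())

# Constructed sample response; not captured from any real vendor.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "_ga=GA1.2.1; Path=/; Domain=.example.com"),
]
```

`assess(fetch_headers("https://vendor.example/"))` runs the same checks against a live response; the TLS-version and fingerprinting checks need a separate TLS probe or browser instrumentation and are not covered here.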

How to Automate Due Diligence

Manual vendor screening doesn't scale. Automated domain intelligence provides consistent, repeatable assessments:

  1. Scan vendor domains before signing contracts using the Domain Risk Checker
  2. Integrate programmatically with the Domain Intelligence API in your procurement workflow
  3. Monitor continuously with daily rescanning to detect changes in vendor privacy practices
  4. Benchmark against peers to understand whether vendor practices are above or below industry norms

GeckoAdvisor's Approach

GeckoAdvisor monitors 142K+ domains daily, providing the data infrastructure for vendor privacy assessment:

  • Automated scanning against known tracker databases (EasyPrivacy, WhoTracks.me)
  • Deterministic scoring with published methodology and penalty breakdowns
  • Stability scoring to distinguish consistently good vendors from volatile ones
  • Change detection with historical tracking for audit trails