Even though the risk seems low, it is good practice to vet all vendors properly, even those that work on a referral basis. You must consider the duty of care when making such a referral. That means that your organization is confident that the referred organization can safely manage your customer's data and privacy before you refer them. This also applies to situations when the customer supplies the information to the referred vendor. So conducting appropriate due diligence based on the vendor's access to data is essential. Even if the information you provide is publicly available, misusing that data can negatively affect your customers and put your reputation at risk.
If you can't access more reliable documents (a SOC for example), you can still ask your SME to review what you have. In some cases, a phone call or virtual meeting with the vendor's Information Security/Privacy team can provide additional assurance.
I hope that is helpful, but I would love to hear from other members.