Quite often with software service providers, we see that the vendor only provides an order form with a link to an online EULA or clickwrap agreement. Dependent on the service/solution the vendor provides, I suggest having your legal team thoroughly review the terms to ensure your institution is protected. If the service provider will have access to confidential or sensitive information, you could prepare an in-house Data Processing Addendum or other document including data protection, security and business continuity provisions to present on such occasions. While there are no guarantees the vendor will sign this, it would be good practice to have one ready. I would love to hear thoughts from others in the community on this.