Vendor Follow-Up Request + Escalation (Copy & Paste)
Timing rule: wait 3 business days after your first email. If no response, send Follow-Up #1. If still no response after another 3–4 business days, send Follow-Up #2. If it’s still silence after another 3–5 business days, send the Final.
If the vendor is critical (payments, identity, email, hosting), shorten the timeline by 1–2 days.
Not legal advice. Escalation should follow your contract terms and your counsel’s guidance. Document every attempt (date, method, who you contacted, what they said).
Follow-Up #1 (after 3 business days) — polite nudge
Follow-up: quick request on data location, incident notification, and how your service connects to us
Hello [Vendor Name] team,

Following up on the request below (sent on [DATE]). We’re trying to close our vendor records this week.

If you’re short on time, the “Minimum Required” items are enough for now:
1) Security/trust page link
2) Incident notification timeframe (after confirmation)
3) Where you post incident/security updates
4) Where our data is hosted (country/region)

If the right contact is someone else (security team, trust portal contact, account manager), please forward this and copy us.

Thank you,
[Your Name]
[Company]
[Email]
Follow-Up #2 (after +3–4 business days) — escalate to the right person
Escalation: need vendor security + service-connection details for [Your Company] account
Hello [Vendor Name] team,

We still haven’t received a response to our vendor security/service-connection request (originally sent [DATE], follow-up [DATE]).

Please route this to the correct owner (Security/Trust, Risk/Compliance, or our Account Manager). We only need a short response.

Minimum Required:
1) Security/trust page link
2) Incident notification timeframe (after confirmation)
3) Where you post incident/security updates
4) Where our data is hosted (country/region)

In addition, we need one plain-English paragraph on how your service connects to us:
- the login/portal link we use,
- what features are enabled for our account,
- how files/data move between us (portal, shared links, integrations, exports),
- whether vendor staff ever access our account/data for support, and
- whether any other company/system is involved in storing/moving our data.

If you can’t share something, “not available” is acceptable — but we need a clear answer either way.

Thank you,
[Your Name]
[Company]
[Email]
Final (after +3–5 business days) — firm, still professional
Final follow-up: vendor risk record pending — please respond or confirm you cannot provide
Hello [Vendor Name] team,

Final follow-up. We must close our vendor risk record for your service.

Please respond by [DATE] with either:
A) the Minimum Required items, or
B) confirmation that you cannot provide them.

Minimum Required:
1) Security/trust page link
2) Incident notification timeframe (after confirmation)
3) Where you post incident/security updates
4) Where our data is hosted (country/region)

If we don’t hear back, we will document “no response” and review next steps internally (including restricting usage and/or replacement), consistent with our contract and counsel’s guidance.

Regards,
[Your Name]
[Company]
[Email]
What the customer should do if there’s friction (logical escalation ladder)
- Step 1: Try the vendor’s obvious paths: support ticket + “security” email + trust portal contact form (if available).
- Step 2: Pull in the account manager or sales rep (they get things unstuck fastest).
- Step 3: Phone call: ask for “someone who owns trust/security responses” and read the Minimum Required list.
- Step 4: If they say “we don’t share,” respond with: “Links are fine. High-level is fine. Even ‘not available’ is fine. We just need a definitive answer.”
- Step 5: Ask for an NDA option only if necessary (and only if your counsel approves).
- Step 6: Contract reality check: locate your breach notification clause, security addendum, DPA, SLAs. Escalate based on what your contract actually requires.
- Step 7: Executive escalation (last resort): if you’re a meaningful customer and still blocked, escalate to a director/VP. “CEO” is usually noise unless it’s a small vendor. Use the account team first.
- Step 8: If still blocked, choose a business action: restrict scope, reduce data shared, remove integrations, rotate credentials, or plan replacement.
- Step 9: If legal posture matters, stop and follow counsel: send formal notice only with counsel’s guidance.
Practical note: the goal is not to “win an argument.” The goal is to get the four Minimum Required answers and the plain-English service footprint. If the vendor can’t/won’t provide that, treat it as a risk signal and act accordingly.
