Supplier Risk Assessment Template:
Tournament Management Systems

A Resource for Golf Facilities

When choosing software for your golf operation, security and reliability are just as important as features and price. Your members trust you with their personal information, and your tournaments depend on systems that perform when it matters most, not just on an average Tuesday, but when thousands of golfers are checking leaderboards at the same time.

We created this guide as a resource for the golf community. It presents the key questions every golf facility should ask when evaluating software products, addressing data protection, infrastructure resilience, and operational maturity. We encourage you to share these questions with any supplier you are considering, including Golf Genius.

Product & Hosting

Where is the product hosted, and how is the infrastructure architected for reliability?

Why this matters

Most modern software is cloud-based, but the implementation matters. A single-server deployment is very different from enterprise-grade infrastructure. Ask about redundancy across multiple data centers, automatic scaling, and 24/7 monitoring.

What happens if a server or data center goes down?

Why this matters

Ask whether the system can survive a complete data center failure without downtime. Products running in a single availability zone or on a single server cannot make this guarantee.

Has the system been proven under real peak-load conditions?

Why this matters

Tournament software faces sudden traffic spikes as thousands of golfers check leaderboards at the same time. Unproven systems risk failure during spikes, so ask for load test results or scaling plans.

Compliance & Security Testing

Has the supplier been independently audited against a recognized security standard?

Why this matters

An independent audit means a qualified third party has verified the supplier's security claims. PCI DSS Level 1, the highest tier of the Payment Card Industry standard, requires an annual audit by a Qualified Security Assessor. Many software suppliers have never undergone any independent security audit. If a supplier cannot produce a current audit report, their security claims are unverified.

Does the supplier conduct penetration testing by an independent third party?

Why this matters

Many suppliers claim their products are secure, but have never had them tested by an independent security professional. Penetration testing is a simulated real-world attack. The key words to look for are "independent" and "third-party"; a supplier that has only tested its own systems provides limited assurance.

Does the supplier perform regular vulnerability scanning?

Why this matters

Automated scanning continuously identifies known security flaws. Ask for current results; a supplier who scans but does not remediate is no safer than one that does not scan at all.

Does the supplier comply with applicable data protection regulations?

Why this matters

If the supplier handles any personal data, compliance with privacy regulations like GDPR and CCPA is not optional. Ask whether the supplier has published a Privacy Policy and Data Processing Agreement, and whether they can support data subject requests such as deletion.

Data Security

How is credit card data protected when processing payments?

Why this matters

The safest approach is tokenization, in which a certified payment processor handles all card data and the supplier never sees it. Some suppliers may process payments directly on their own servers; this significantly increases the risk to your facility. Other suppliers use established credit card processors (e.g., Stripe), but it is not sufficient to say "we are PCI-compliant because we use Stripe". In all cases, ask the supplier for their PCI DSS Level 1 certification from an independent third party to ensure your credit card transactions are secure.

How is data encrypted, and how are passwords stored? Are encryption keys protected?

Why this matters

Encryption at rest and in transit are baseline expectations, but ask for specifics. AES-256 is the standard for data at rest; TLS 1.2+ for data in transit. Passwords should be hashed using a strong algorithm like bcrypt. If a supplier cannot tell you exactly how passwords are stored, that is a red flag. Equally important is how encryption keys are managed.

Who owns the data stored in the system?

Why this matters

You should always own your data. Read the supplier's terms of service carefully; some suppliers claim broad rights to use, analyze, or retain your data for their own purposes.

What personal information does the system collect or store?

Why this matters

Understanding what personal data the system handles is the first step in assessing privacy risk. Some products require extensive personal information to function; others are designed to minimize data collection.

What is the data backup and restoration process?

Why this matters

Backups are only valuable if they can be restored. Ask how often restores are tested, where the backups are stored, and when the restoration process was last exercised. "We have backups" without tested restoration is not a credible answer.

Does the supplier maintain activity logs to help managers resolve registration and payment issues?

Why this matters

In high-volume event registrations, multiple golfers may sign up at the same time, causing quick waitlist changes, payment attempts, and refunds. When disputes happen (like a charge without a confirmed spot or a refund that doesn't show up), managers need a clear record of what happened and when. Without detailed activity logs, solving these issues depends on guesswork.

Application & Infrastructure Security

Does the supplier follow a formal Secure Software Development process?

Why this matters

Ask your supplier to describe their development process. A documented process with mandatory code reviews and security checks means every release has been reviewed for vulnerabilities. Undocumented processes risk vulnerabilities, so seek details on reviews and testing.

Does the supplier use a Web Application Firewall (WAF)?

Why this matters

A WAF is the first line of defense against attacks on internet-facing applications. Without one, the application is directly exposed to every threat on the internet. A WAF also needs expertise to configure and tune correctly, so ask the supplier to confirm how it is implemented and who manages it.

How does the supplier manage vulnerabilities in third-party software libraries?

Why this matters

Modern applications depend on hundreds of open-source libraries, each a potential entry point for attackers. Ask how many libraries the supplier tracks, whether they actively monitor for vulnerabilities, and how many security alerts they've resolved. A supplier who cannot answer these questions likely does not track this risk.

How does the supplier manage access to production systems?

Why this matters

Multi-factor authentication, individual accounts, and regular access reviews are indicators of a mature security program. Be cautious of suppliers where developers share credentials or have unrestricted access to production data.

How quickly does the supplier apply security patches?

Why this matters

Unpatched software is one of the most common attack vectors. Look for defined timelines, not "when we get to it."

Incident Response & Business Continuity

Does the supplier have a formal Incident Response Plan, and has it been tested?

Why this matters

Every supplier will eventually face an incident. Ask specifically: is the plan written? Has it been tested? Who is on the response team? Untested plans will limit response, so it's important to verify documentation and drills.

Does the supplier have 24/7 monitoring and on-call support for security incidents?

Why this matters

Security incidents can happen at any time. Ask specifically: who responds at 2 AM on a Saturday, and is there a defined response time? Ask for details on their response team and SLAs.

Has the supplier experienced any data breaches or security incidents?

Why this matters

A supplier with years of clean operation provides more assurance than one with no track record to evaluate. Ask how long they've been in business and whether they've had any incidents during that time.

What is the supplier's uptime track record?

Why this matters

Ask for historical performance data, not just a target. A supplier that has operated for years with documented uptime provides more confidence than a new product with no history to reference.

How does the supplier notify customers during an incident?

Why this matters

When something goes wrong, you need to know about it quickly. Ask what communication channels exist and how the supplier has handled past incidents. A mature supplier will have established processes rather than improvising each time.

Does the supplier have a disaster recovery plan, and is it tested?

Why this matters

A disaster recovery plan that has never been tested is not a plan; it is a hope.

People & Third-Party Risk

Does the supplier perform background checks on employees?

Why this matters

Employees with access to your data should be vetted before being granted access. Not all suppliers have formal hiring and screening processes.

Does the supplier provide security awareness training for employees?

Why this matters

Human error is the leading cause of security breaches. Ask how often employees are trained and whether they are tested with simulated phishing attacks. Monthly simulations are best practice.

Does the supplier assess the security of their own third-party providers?

Why this matters

Your supplier's security is only as strong as its weakest link. Ask which third parties have access to your data and how they verify their security. Suppliers without a formal third-party risk program may not know the answer.

Does the supplier carry cybersecurity insurance?

Why this matters

Obtaining cybersecurity insurance requires the supplier to meet baseline security standards set by the insurer; it also provides a financial backstop in the event of an incident.

Are there formal policies governing employee use of systems and data?

Why this matters

Policies without enforcement are suggestions. Look for signed acknowledgments and a disciplinary process.

Financial Health and Sustainability

How long has the supplier been in business, and how many customers do they serve?

Why this matters

A supplier's track record is a strong indicator of stability, operational maturity, and ability to support your facility long-term. New entrants may offer attractive features but lack the operational history to demonstrate reliability under real-world conditions.

Is the supplier profitable? How many full-time staff members does the supplier have? How many full-time PGA Professionals does the supplier have on their team?

Why this matters

With a small team, heavy dependence on a few key staff members, and unsustainable financial conditions, a loss of customers or people can quickly impact a small provider's viability, support, bug fixes, and roadmap execution—potentially forcing you into a disruptive transition.

Does the supplier measure customer satisfaction using Net Promoter Score? Are they willing to share it with you?

Why this matters

User satisfaction is the best measure of quality and value. Mature suppliers make it a priority to collect and measure user satisfaction to underscore strengths, identify pain points, and feed this information back into the product roadmap to drive ongoing innovation and higher satisfaction over time. Conversely, low satisfaction or the unwillingness to share satisfaction levels is a source of supplier risk.

How to Use This Document

This guide was developed by Golf Genius as a resource for the golf community. We encourage every facility to use these questions when evaluating any software supplier, including Golf Genius itself.