Service provider is an organization that delivers infrastructure, platforms, software, connectivity, or managed technical operations to customers over a network. In security reporting, the term usually means an external provider whose systems, personnel, or integrations process customer data or administer customer environments. Responsibility is shared: the provider secures the services and underlying environment it controls, while the customer must configure access, data handling, and integrations correctly.
Material risks include compromised provider accounts or administrative interfaces, vulnerabilities in shared software or infrastructure, inadequate isolation between customers, and loss of availability at a dependency. Providers should apply least-privilege access, strong authentication, secure development and vulnerability management, tenant isolation, logging, encryption where appropriate, and tested recovery procedures. Customers need evidence of relevant controls, clear contracts covering data use, privacy, breach notification, audit rights, retention and deletion, and coordinated incident response. Reviews should also address subcontractors, service changes, and how data and operations can be recovered or moved if the service is disrupted.