Pro-tip: do not contractually require your vendor to have an external penetration test done daily unless you are prepared to cover the hundreds of thousands of dollars it would cost. Do other vendors sign contracts without reading them?