I would encourage you to contact a lawyer who has an understanding of your business and a background in technology law for your own due diligence. However, does your company have policies, standards and supporting procedures regarding confidentiality and non-disclosure, handling of sensitive information or data, general security, and professional behavior or ethics policies? If so, perhaps an addendum to the contract whereby the vendor signs off on understanding and accepting your company's established policies and procedures will do. Then again, I'm not a lawyer; take the above with a grain of salt.
If your company does not have any written documentation that relates to your concerns, perhaps this is a perfect opportunity to sell your superiors on the idea of establishing proper policy, in turn better managing your risk.

----------------------------------
John Daniele
Technical Security & Intelligence
http://www.tsintel.com
----------------------------------