Is this related to highly sensitive PII (like hippa or whatever covers local health-care record treatment)? If so, I'd strongly suggest not doing anything and seeking a remedy from contractual obligations by the vendor (i.e. seek HIPPA Ready software or a vendor willing to make that promise).

If not, you'll definitely want to focus on data persistence and transmission.

Make sure there aren't outgoing network calls to fixed locations (if they're for error reporting to the vendor you can either ask if they can disable the reporting, black hole the reporting with network configuration or carefully inspect the way data gets to that reporting and ensure user data can't be captured - a common oversight being logging function parameters).

Make sure the persistence is secure by looking at the main persistence module (i.e. a database or flat file) to make sure unnecessary information isn't being stored, verification only information is being written to persistence through one way hashes, and data that should be two-way encrypted is. Then double check the same stuff with regards to secondary persistence methods - again a huge issue here is logging.

Those two points are where I'd suggest focusing the majority of your effort but, back to the hippa part, make sure you're comfortable doing this. It's pretty easy for auditors to be the fall guys if something goes wrong so if you want to be careful one approach is to carefully document what you've checked for and how you checked for them then get someone above you to sign off that your level of auditing was sufficient - if shit ever does hit the fan you'll be less exposed.