Vendor Management

Assess and monitor third-party security risks.

Overview

Vendor Management helps you:

Track all third-party vendors
Assess vendor security posture
Monitor ongoing vendor risk
Manage vendor documentation
Meet compliance requirements for third-party risk

Navigate to Vendors in the sidebar.

Vendor Inventory

Vendor Record

Each vendor includes:

Field	Description
Name	Vendor company name
Category	Service category
Criticality	Business criticality level
Risk Tier	Assessed risk level
Status	Active, Inactive, Under Review
Owner	Internal relationship owner
Contract End	Contract expiration date
Data Access	Types of data accessed

Vendor Categories

Organize vendors by service type:

Cloud Infrastructure: AWS, Azure, GCP
SaaS Applications: Business software
Development Tools: CI/CD, code repos
Security Services: Pen testing, SOC
Professional Services: Consultants
IT Services: MSPs, support
HR/Payroll: Employee systems
Financial: Payment processors

Adding Vendors

Manual Entry

Go to Vendors → Add Vendor
Enter vendor details:
- Company name
- Category
- Primary contact
- Services provided
- Data access level
Click Create

Bulk Import

Import multiple vendors:

Click Import
Download CSV template
Fill in vendor data
Upload file
Review and confirm

From Integrations

Professional Feature

Automatic vendor discovery requires Professional or Enterprise plan.

Auto-discover vendors from:

Cloud provider marketplaces
SSO provider app catalogs
Expense management systems

Risk Assessment

Risk Tiers

Categorize vendors by risk level:

Tier	Description	Review Frequency
Tier 1 (Critical)	Access to sensitive data, business-critical	Quarterly
Tier 2 (High)	Moderate data access, important services	Semi-annually
Tier 3 (Medium)	Limited data access, replaceable	Annually
Tier 4 (Low)	No data access, commoditized	Every 2 years

Criticality Assessment

Assess vendor criticality based on:

Data Access: What data can they access?
Business Impact: What happens if they're unavailable?
Compliance Scope: Are they in compliance audit scope?
Integration Depth: How deeply integrated?
Replaceability: How easily replaced?

Security Assessment

Evaluate vendor security:

Open vendor record
Click Assessments tab
Click Start Assessment
Complete questionnaire or upload vendor responses
Review and score

Assessment Questionnaire

Built-in questionnaire covers:

Information Security: Policies, controls
Access Management: Authentication, authorization
Data Protection: Encryption, handling
Incident Response: Breach notification
Business Continuity: DR, backups
Compliance: Certifications, audits

Trust Signals

Gather vendor security evidence:

Signal	Weight	Example
SOC 2 Report	High	SOC 2 Type II
ISO 27001	High	ISO certification
Pen Test Report	Medium	Annual pen test
Security Policy	Medium	Published policy
Questionnaire	Low	Completed SIG

Risk Scoring

Automatic risk score calculation:

Vendor: Cloud Provider X

Risk Factors:
- Data Access: Customer PII (High)
- Criticality: Business-critical (High)
- Security: SOC 2 Type II (Low risk)
- Compliance: In scope (High)

Risk Score: 68/100 (Medium)
Recommended Tier: Tier 2

Due Diligence

Initial Assessment

For new vendors:

Collect basic information
Determine criticality tier
Request security documentation
Complete risk assessment
Review with stakeholders
Approve or reject

Documentation Collection

Track required documents:

Document	Required For	Status	Expires
SOC 2 Report	Tier 1-2	Received	Dec 2026
Insurance Cert	Tier 1-3	Received	Jun 2026
Pen Test	Tier 1	Pending	-
DPA	All	Received	-
BAA	HIPAA	Received	-

Request Portal

Professional Feature

Vendor self-service portal requires Professional or Enterprise plan.

Send vendors a link to:

Complete security questionnaire
Upload documentation
Update company information

Ongoing Monitoring

Continuous Monitoring

Enterprise Feature

Continuous vendor monitoring requires Enterprise plan.

Automated monitoring for:

Security rating changes
News alerts (breaches, incidents)
Certificate changes
Dark web mentions

Scheduled Reviews

Set up periodic reviews:

Open vendor record
Set review frequency based on tier
System sends reminders
Complete review checklist
Update risk assessment

Review Checklist

[ ] Verify vendor still active
[ ] Check for security incidents
[ ] Review updated certifications
[ ] Assess any service changes
[ ] Update data inventory
[ ] Confirm contract status
[ ] Review SLA performance

Contract Management

Contract Details

Track contract information:

Start date
End date
Auto-renewal terms
Termination notice period
Key terms

Contract Alerts

Receive notifications for:

Contract expiration (90, 60, 30 days)
Auto-renewal dates
Required review periods

SLA Tracking

Monitor vendor SLA compliance:

Vendor: Hosting Provider

SLA: 99.9% uptime

Performance:
Jan: 99.95% ✓
Feb: 99.92% ✓
Mar: 99.87% ✗
Apr: 99.94% ✓

Compliance Mapping

Framework Requirements

Map vendors to compliance requirements:

SOC 2 CC9.2 - Vendor Management

Required:
- Maintain vendor inventory ✓
- Risk assessment process ✓
- Ongoing monitoring ✓
- Contract review ✓

Evidence:
- Vendor inventory report
- Assessment questionnaires
- Review documentation

Audit Evidence

Generate evidence packages:

Go to Reports → Vendor Report
Select time period
Include:
- Vendor inventory
- Risk assessments
- Review records
Export for auditors

Reporting

Vendor Dashboard

Vendor Overview

Total Vendors: 45

By Risk Tier:
Tier 1 (Critical)  ███ 3 (7%)
Tier 2 (High)      ████████ 8 (18%)
Tier 3 (Medium)    ███████████████ 15 (33%)
Tier 4 (Low)       ███████████████████ 19 (42%)

Reviews Due (30 days): 5
Assessments Pending: 2
Contracts Expiring: 3

Risk Report

View vendor risk distribution:

Risk Level	Count	% of Total
High Risk	4	9%
Medium Risk	12	27%
Low Risk	29	64%

Compliance Report

Show vendor compliance status:

Vendors with SOC 2: 28 (62%)
Vendors with ISO 27001: 15 (33%)
Vendors with completed assessments: 40 (89%)

API Access

bash

# List vendors
GET /api/v1/vendors?tier=1

# Get vendor details
GET /api/v1/vendors/{vendor_id}

# Create vendor
POST /api/v1/vendors
{
  "name": "Cloud Provider Inc",
  "category": "cloud_infrastructure",
  "criticality": "critical",
  "owner_id": "user_123"
}

# Update assessment
POST /api/v1/vendors/{vendor_id}/assessments
{
  "type": "security",
  "score": 75,
  "notes": "Strong security posture"
}

# Upload document
POST /api/v1/vendors/{vendor_id}/documents
Content-Type: multipart/form-data

See API Reference for full documentation.

Best Practices

Inventory All Vendors: Don't miss any third parties
Tier by Risk: Apply appropriate scrutiny per tier
Collect Evidence: Gather SOC 2, ISO certs
Regular Reviews: Review per tier schedule
Track Contracts: Monitor expirations
Document Everything: Maintain audit trail
Involve Stakeholders: Security, legal, business input

Vendor Management ​

Overview ​

Vendor Inventory ​

Vendor Record ​

Vendor Categories ​

Adding Vendors ​

Manual Entry ​

Bulk Import ​

From Integrations ​

Risk Assessment ​

Risk Tiers ​

Criticality Assessment ​

Security Assessment ​

Assessment Questionnaire ​

Trust Signals ​

Risk Scoring ​

Due Diligence ​

Initial Assessment ​

Documentation Collection ​

Request Portal ​

Ongoing Monitoring ​

Continuous Monitoring ​

Scheduled Reviews ​

Review Checklist ​

Contract Management ​

Contract Details ​

Contract Alerts ​

SLA Tracking ​

Compliance Mapping ​

Framework Requirements ​

Audit Evidence ​

Reporting ​

Vendor Dashboard ​

Risk Report ​

Compliance Report ​

API Access ​

Best Practices ​