Vendors
Manage third parties that have access to your systems and data. Assess risks, document contracts, and continuously monitor your vendors' security posture.
The Vendors section lets you manage all third parties that have access to your systems, data, or infrastructure. In the context of compliance, a vendor is any external company or service that could represent a risk to your organization's information security.
Why Vendor Management Matters
Most security frameworks — including ISO 27001, SOC 2, and GDPR — require organizations to assess and monitor risks associated with third parties. Strong internal access controls are not enough if a vendor with privileged access doesn't follow the same security practices. Auditors always check whether you have visibility into who accesses your data and what the risk level is for each vendor.
Adding a Vendor
To add a vendor, go to Vendors in the sidebar and click New Vendor. Fill in the basic information:
- Name — Company name or service name
- Category — Type of service provided (e.g. cloud infrastructure, SaaS, consulting)
- Risk level — Initial risk classification (high, medium, low)
- Data accessed — What types of data the vendor can access
- Internal owner — Who in your organization is the point of contact for this vendor
Risk Assessment
After adding a vendor, you can start a risk assessment. The assessment is a structured questionnaire covering the main security areas: access practices, incident management, encryption, backup, and regulatory compliance.
The assessment generates a risk score, and the result can be saved as evidence for the relevant controls in your compliance program, especially the Vendor Management controls (VM-001, VM-002).
Continuous Monitoring
The platform lets you set a reassessment frequency for each vendor — annual, semi-annual, or quarterly. As the review date approaches, an action item is created automatically to remind the owner to conduct the reassessment. This keeps your vendor management continuous rather than one-off.
Linking Vendors to Controls
Assessed vendors can be linked directly to Vendor Management controls and other relevant controls. Evidence generated in assessments is automatically associated with those controls, contributing to your compliance program's progress without additional manual work.