Vendors
Vendors track the third-party suppliers and service providers your organization depends on, so you can score their risk, capture evidence, run questionnaires, and keep assessments on a recurring schedule.
Overview
The Vendors module is the central place for managing your third-party suppliers and service providers. It connects each vendor to Controls, Assets, and Risks, captures supporting Evidence, and drives recurring Vendor Assessments so you always know how much risk each relationship carries.
Vendors are scored like risks — on an inherent and a residual point — and their current risk moves between the two as you complete treatment actions. You assign an owner, schedule reassessments, gather information with reusable Questionnaires, run periodic Vendor Reviews, and surface everything visually in the Assessment Matrix.
Vendors
A vendor represents a single third-party relationship — a cloud provider, payment processor, SaaS tool, or any external party that processes data or supports your operations. Each vendor aggregates its assessments, evidence, and links to controls, assets, and risks.
Vendor Fields
| Field | Description | Example |
|---|---|---|
| Name | The name of the vendor (required) | Amazon Web Services |
| Slug | Unique identifier used in URLs and API calls (required) | aws |
| Owner | Role responsible for managing this vendor (required) | IT Operations |
| Category | What kind of supplier this is | Cloud, SaaS, Infrastructure, Processor, Hardware, Professional services, Other |
| Relationship | The data-protection role of the vendor (relevant to NIS2/DORA) | Processor, Sub-processor, Controller, Other |
| Status | Whether the vendor relationship is active | Active, Inactive, Offboarded |
| Description | Additional information about the vendor | Primary cloud infrastructure provider |
| Labels | Free-form tags to group and filter the vendor (multiple allowed) | Critical, EU, Subprocessor |
| Website | Vendor homepage URL | https://aws.amazon.com |
| Contact name | Primary point of contact at the vendor | Enterprise Support |
| Contact email | Email address for the primary contact | tam@amazon.com |
| Location | Primary country or office of the vendor | Ireland |
| Contract expiry | When the current contract ends | 31.12.2025 |
| Reassessment frequency | Cadence at which this vendor should be reassessed (a Schedule) | Annually |
| Inherent probability | Likelihood before treatment, 0–10 | 7 |
| Inherent impact | Impact before treatment, 0–10 | 8 |
| Residual probability | Likelihood after treatment, 0–10 | 3 |
| Residual impact | Impact after treatment, 0–10 | 4 |
| Treatment strategy | How the vendor risk is being addressed | Mitigate, Accept, Avoid, Transfer |
| Treatment actions | Linked actions that reduce this vendor's risk (multiple allowed) | Sign DPA, Enable SSO |
| Controls | Controls this vendor supports compliance for (multiple allowed) | Access Control Policy, Encryption |
| Assets | Assets this vendor operates, processes, or can access (multiple) | Production Database, Billing System |
Labels
Labels are free-form, color-coded tags you manage centrally under Collections → Labels and attach to a vendor to capture cross-cutting groupings the structured fields don't — criticality, geography, the type of data shared, or a sourcing initiative. A vendor can carry any number of labels, and the vendor list offers a Labels filter to narrow to everything sharing a tag. The same labels can be applied to risks and assets, giving you one consistent vocabulary across the product.
Vendor Risk
Vendors are scored exactly like Risks, on two points — there is no single inherent "tier":
- Inherent — probability × impact before any treatment. This is the raw exposure the relationship carries.
- Residual — probability × impact after your treatment is fully in place. Residual can never exceed inherent.
- Current — interpolated between inherent and residual based on the share of the vendor's linked treatment actions that are Implemented. With none implemented, current equals inherent; with all implemented, current equals residual. As the team completes treatment actions, the vendor's current risk moves from inherent toward residual.
This lets you see both the worst case and the target, and track real progress toward the target as work gets done.
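The three-point scoring above can be reproduced in a few lines. The following is example code added to this guide, not devguard's own implementation: it uses the sample values from the Vendor Fields table (inherent 7×8, residual 3×4, treatment actions "Sign DPA" and "Enable SSO"), and it assumes that current risk is interpolated on each axis separately so that the current point can still be plotted on a probability × impact matrix. The `TreatmentAction` status names other than Implemented are also assumed.

```python
from dataclasses import dataclass, field

SCALE_MAX = 10  # probability and impact are each scored 0-10 (Vendor Fields table)


@dataclass
class TreatmentAction:
    title: str
    status: str  # only "Implemented" counts toward progress; the other status names are assumed


@dataclass
class Vendor:
    name: str
    inherent_probability: int
    inherent_impact: int
    residual_probability: int
    residual_impact: int
    treatment_actions: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.inherent_probability * self.inherent_impact

    def residual_score(self) -> int:
        return self.residual_probability * self.residual_impact

    def validate(self) -> list:
        """Return scoring problems; an empty list means the scores are consistent."""
        problems = []
        for name in ("inherent_probability", "inherent_impact",
                     "residual_probability", "residual_impact"):
            value = getattr(self, name)
            if not 0 <= value <= SCALE_MAX:
                problems.append(f"{name} must be between 0 and {SCALE_MAX}, got {value}")
        if self.residual_score() > self.inherent_score():
            problems.append("residual can never exceed inherent")
        return problems

    def implemented_share(self) -> float:
        """Share of linked treatment actions that are Implemented (0.0 when none are linked)."""
        if not self.treatment_actions:
            return 0.0  # nothing implemented yet, so current equals inherent
        done = sum(1 for a in self.treatment_actions if a.status == "Implemented")
        return done / len(self.treatment_actions)

    def current_point(self) -> tuple:
        """Probability and impact interpolated from inherent toward residual.

        Interpolating each axis separately (rather than the product) is an assumption
        of this example; it keeps the current point plottable on the matrix."""
        share = self.implemented_share()
        probability = self.inherent_probability + (self.residual_probability - self.inherent_probability) * share
        impact = self.inherent_impact + (self.residual_impact - self.inherent_impact) * share
        return probability, impact

    def current_score(self) -> float:
        probability, impact = self.current_point()
        return probability * impact


def example_vendor() -> Vendor:
    # Constructed sample using the values from the Vendor Fields table
    return Vendor("Amazon Web Services", 7, 8, 3, 4,
                  [TreatmentAction("Sign DPA", "Implemented"),
                   TreatmentAction("Enable SSO", "Planned")])


if __name__ == "__main__":
    v = example_vendor()
    print(v.name, "inherent", v.inherent_score(), "current", v.current_score(),
          "residual", v.residual_score())
```

With one of the two actions implemented the sample vendor sits halfway between the two points (current 5×6 = 30, against inherent 56 and residual 12); marking the second action Implemented moves it all the way to residual.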
Status
- Active — The vendor is in use; assessments and evidence are expected to be kept current.
- Inactive — The relationship is paused or the contract has lapsed, but the vendor is still on record.
- Offboarded — The relationship has been fully wound down. Offboarded vendors remain on record for historical and audit purposes.
Assessment Status
Separately from its lifecycle Status, every vendor carries a derived assessment status, shown as a badge and available as a list filter. It is computed from the vendor's latest assessment and its reassessment schedule:
- Never assessed — No assessment has ever been completed.
- In progress — The latest assessment is still a draft.
- Assessed — A completed assessment is current.
- Overdue — A completed assessment exists, but the next review date has already passed.
Relationships
Vendors connect to the rest of the platform to keep coverage and risk traceable:
- Controls — Link the controls a vendor helps you satisfy. This contributes to compliance coverage tracking and documents your reliance on the supplier.
- Assets — Link the assets a vendor operates, processes, or can access, so data flows and access paths are visible.
- Risks — Vendors can be linked to risks in your register. These links are managed manually — completing an assessment no longer creates or closes risks automatically.
Vendor Assessments
A Vendor Assessment is a lightweight point-in-time snapshot of a single vendor. Rather than computing a score from a questionnaire, an assessment captures the vendor's risk scores as they stood at a moment in time, alongside the assessor's findings and recommendations.
Assessment Fields
| Field | Description | Example |
|---|---|---|
| Title | A descriptive name for the assessment (required) | AWS Annual Security Review |
| Vendor | The vendor being assessed (required) | Amazon Web Services |
| Assessor | Role responsible for performing the assessment (required) | Security Team |
| Status | Draft while being prepared, Completed once finalized | Draft, Completed |
| Findings | What the assessor observed about the vendor | SOC 2 report current, no exceptions |
| Recommendations | Suggested follow-up or next steps | Renew DPA before expiry |
| Performed at | When the assessment was carried out | 04.10.2025 |
| Next review | When the vendor is due for reassessment | 04.10.2026 |
| Captured scores | The vendor's inherent and residual scores, frozen at completion | Inherent 7×8, Residual 3×4 |
Lifecycle
Assessments move through two states:
- Draft — The assessment is being prepared. The assessor reviews the vendor, sets its risk scores, and records findings and recommendations. A draft does not yet count as the vendor's current assessment.
- Completed — The assessment is finalized. Performed at is stamped, Next review is computed from the vendor's Reassessment frequency schedule, and the vendor's current inherent and residual scores are copied and frozen into the snapshot. The assessment becomes the vendor's latest assessment and drives its assessment status.
A completed assessment can be reopened back to Draft if corrections are needed.
The assessor sets the vendor's scores; the assessment captures them. There is no auto-rating computed from answers and no automatic risk propagation into your register.
Working with Assessments
From the all-assessments list you add an assessment by picking a vendor. The list offers search, a Due this month filter and an Overdue filter, export, and bulk delete, so you can manage reassessment work across your whole vendor portfolio in one place.
Evidence
Evidence is supporting documentation attached to a vendor, such as certifications and reports. Each piece of evidence has a kind, a title, and optional issued and expiry dates so you can track validity over time.
| Evidence kind | Example |
|---|---|
| SOC 2 | SOC 2 Type II report |
| ISO 27001 | ISO/IEC 27001 certificate |
| Pentest | Penetration test report |
| DPA | Data Processing Agreement |
| AOC | PCI Attestation of Compliance |
| Other | Any other supporting document |
A vendor's evidence can be linked to File-type questionnaire answers, so reviewers can see exactly which document backs each response.
Reassessment and Deadlines
When a vendor has a Reassessment frequency schedule, completing an assessment sets the Next review date to the next occurrence of that schedule. These due dates surface in the Deadlines view, and the assessments list highlights items that are overdue so reassessments never quietly slip.
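The assessment lifecycle, the derived assessment status, and the Next review computation described in the three sections above all hang off the same small data model. The following is example code added to this guide, not devguard's own implementation: the `SCHEDULES` names and their month intervals, the `Assessment` and `Vendor` classes, and the dates used are all constructed for the example; the four status values and the Draft/Completed lifecycle follow the text.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Reassessment frequency schedules mapped to a month interval. The names and
# intervals are an assumption of this example, not devguard's schedule definitions.
SCHEDULES = {"Monthly": 1, "Quarterly": 3, "Semi-annually": 6, "Annually": 12}


def add_months(start: date, months: int) -> date:
    """Next occurrence of a monthly schedule, clamped to the last valid day of the month."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Assessment:
    title: str
    assessor: str
    status: str = "Draft"                    # Draft or Completed
    findings: str = ""
    recommendations: str = ""
    performed_at: Optional[date] = None
    next_review: Optional[date] = None
    captured_scores: Optional[dict] = None   # frozen copy of the vendor's scores at completion


@dataclass
class Vendor:
    name: str
    reassessment_frequency: Optional[str]    # a SCHEDULES key, or None for no schedule
    inherent: tuple                          # (probability, impact)
    residual: tuple
    assessments: list = field(default_factory=list)  # oldest first

    def latest_assessment(self) -> Optional[Assessment]:
        return self.assessments[-1] if self.assessments else None

    def complete_assessment(self, assessment: Assessment, today: date) -> Assessment:
        """Finalize: stamp Performed at, compute Next review, freeze the vendor's scores."""
        assessment.status = "Completed"
        assessment.performed_at = today
        if self.reassessment_frequency:
            assessment.next_review = add_months(today, SCHEDULES[self.reassessment_frequency])
        # Tuples are immutable, so later edits to the vendor's live scores leave the snapshot alone
        assessment.captured_scores = {"inherent": self.inherent, "residual": self.residual}
        return assessment

    def reopen_assessment(self, assessment: Assessment) -> Assessment:
        assessment.status = "Draft"  # the snapshot is retaken on the next completion
        return assessment

    def assessment_status(self, today: date) -> str:
        """Derived badge: computed from the latest assessment and its next review date."""
        latest = self.latest_assessment()
        if latest is None:
            return "Never assessed"
        if latest.status == "Draft":
            return "In progress"
        if latest.next_review is not None and latest.next_review < today:
            return "Overdue"
        return "Assessed"

    def due_this_month(self, today: date) -> bool:
        """Matches the assessments list's 'Due this month' filter."""
        latest = self.latest_assessment()
        if latest is None or latest.next_review is None:
            return False
        return (latest.next_review.year, latest.next_review.month) == (today.year, today.month)
```

Completing the sample assessment on 04.10.2025 for a vendor on the Annually schedule yields a Next review of 04.10.2026; the vendor reads Assessed until that date has passed, then flips to Overdue, and reopening the assessment puts it back to In progress.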
Questionnaires
Questionnaires are a separate, reusable instrument for gathering information from and about a vendor. They are decoupled from scoring — a questionnaire collects answers, it does not compute a risk rating. Use them to standardize the questions you ask, while the assessor sets the vendor's scores independently.
Builder Structure
You build a questionnaire in a builder made up of ordered Sections, each containing Questions. Each question has a response type:
| Response type | Behavior |
|---|---|
| Yes / No / NA | Single choice between yes, no, or not applicable |
| Single select | Pick one option from a list |
| Multi select | Pick several options from a list |
| Text | Free-text answer |
| File | Attach a piece of evidence as the answer |
| Info | Read-only guidance with no answer (section context) |
Questions can include guidance text, be marked required, be shown or hidden conditionally based on earlier answers, and — for the select types — carry their own list of options.
Centralized and Custom Questionnaires
- Centralized — Provided by devguard and read-only. Use them as ready-made instruments without maintaining them yourself.
- Custom — Authored by your organization, fully editable.
Import and Export
Questionnaires can be exported and imported as JSON, so you can share an instrument between organizations, reuse it across environments, or keep a version under your own control. Importing recreates the sections, questions, and options from the file as a new custom questionnaire.
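The builder structure (sections, questions, response types, required flags, conditional display) and the JSON round trip described above can be modelled together. The following is example code added to this guide, not devguard's own implementation or its export format: the JSON layout, the `show_if` rule shape, the response-type identifiers, and the sample questionnaire are all constructed for the example. It validates a response set against the instrument, skipping hidden and Info questions, and checks that File answers point at an existing evidence item.

```python
import json
from dataclasses import dataclass, field, asdict
from typing import Optional

# Response types from the builder table; the identifiers are this example's own
RESPONSE_TYPES = ("yes_no_na", "single_select", "multi_select", "text", "file", "info")


@dataclass
class Question:
    key: str
    prompt: str
    response_type: str
    required: bool = False
    guidance: str = ""
    options: list = field(default_factory=list)      # select types only
    show_if: Optional[dict] = None  # {"question": <earlier key>, "equals": <answer>}; else always shown


@dataclass
class Section:
    title: str
    questions: list


@dataclass
class Questionnaire:
    name: str
    sections: list
    centralized: bool = False   # centralized questionnaires are read-only


def export_json(q: Questionnaire) -> str:
    return json.dumps(asdict(q), indent=2)


def import_json(text: str) -> Questionnaire:
    raw = json.loads(text)
    sections = [Section(s["title"], [Question(**question) for question in s["questions"]])
                for s in raw["sections"]]
    # An import always produces a new custom questionnaire, whatever the source was
    return Questionnaire(raw["name"], sections, centralized=False)


def is_visible(question: Question, answers: dict) -> bool:
    if question.show_if is None:
        return True
    return answers.get(question.show_if["question"]) == question.show_if["equals"]


def validate_answers(q: Questionnaire, answers: dict, evidence_ids: set) -> list:
    """Return a list of problems; an empty list means the response set is complete and well-formed."""
    problems = []
    for section in q.sections:
        for question in section.questions:
            if question.response_type == "info" or not is_visible(question, answers):
                continue
            answer = answers.get(question.key)
            if answer in (None, "", []):
                if question.required:
                    problems.append(f"{question.key}: required")
                continue
            kind = question.response_type
            if kind == "yes_no_na" and answer not in ("yes", "no", "na"):
                problems.append(f"{question.key}: expected yes, no or na")
            elif kind == "single_select" and answer not in question.options:
                problems.append(f"{question.key}: {answer!r} is not an option")
            elif kind == "multi_select" and (not isinstance(answer, list)
                                              or any(a not in question.options for a in answer)):
                problems.append(f"{question.key}: every value must be one of the options")
            elif kind == "file" and answer not in evidence_ids:
                problems.append(f"{question.key}: answer must reference an existing evidence item")
    return problems


def sample_questionnaire() -> Questionnaire:
    # Constructed sample instrument; keys and wording are this example's, not devguard's
    return Questionnaire("Sub-processor due diligence", [
        Section("Data handling", [
            Question("intro", "Answer for the services covered by the contract.", "info"),
            Question("subprocessors", "Do you use sub-processors?", "yes_no_na", required=True),
            Question("subprocessor_list", "List them and their locations.", "text", required=True,
                     show_if={"question": "subprocessors", "equals": "yes"}),
            Question("hosting_region", "Where is customer data hosted?", "single_select",
                     required=True, options=["EU", "US", "Other"]),
            Question("soc2_report", "Attach your current SOC 2 Type II report.", "file", required=True),
        ]),
    ])
```

Because `subprocessor_list` is only shown when `subprocessors` is answered yes, a vendor answering no passes validation without it, while a vendor answering yes must fill it in.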
Sending a Questionnaire to a Vendor
Instead of filling a questionnaire in-house, you can have the vendor complete it themselves over a secure link — no devguard account required. From a Draft assessment that has a questionnaire attached, open the Questionnaire tab and use Send to vendor:
- Enter the contact's email (and optionally a name) and choose when the link expires.
- devguard emails the contact a unique magic link. It opens a clean, branded page showing only that one questionnaire — never any of your other data.
- The vendor answers the questions, can upload files as evidence, and submits for review when finished. Answers save automatically as they go.
- You review the submission read-only, then Approve it or Request changes — which sends it back with a note so the vendor can edit and resubmit.
Approving the submission completes the assessment: the vendor's answers and the vendor's scores are captured and frozen, and everything locks, exactly as if you had completed it yourself.
Invite Status
The send panel tracks where the invite stands:
- Awaiting vendor — The link is active; the vendor can edit and submit.
- Submitted for review — The vendor has submitted; it is waiting for you to approve or request changes.
- Approved — You approved the submission and the assessment is complete.
- Revoked — You disabled the link; it no longer works. You can send a fresh one at any time.
While an invite is active, the questionnaire is locked for internal editing — only the vendor can change answers — so you never both edit at once. Revoke the link to take back control, resend to issue a new link, or rely on the expiry so stale links stop working on their own.
The link is single-use-per-click and tamper-resistant: the vendor only ever sees the questionnaire for their own assessment, and a revoked or expired link fails closed with a generic message.
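The invite states, the editing lock, and the fail-closed link behaviour described above come down to a small state machine around a hashed token. The following is example code added to this guide, not devguard's own implementation: the `InviteService` class, the storage of a SHA-256 hash rather than the raw token, and the sample assessment identifiers are constructed for the example. One interpretation is built in and should be read as an assumption: internal editing stays locked while a submission is awaiting review, not only while the link is live, because the text describes that review as read-only.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# One message for unknown, revoked and expired links, so the response does not reveal which case applies
GENERIC_ERROR = "This link is no longer valid."

AWAITING, SUBMITTED, APPROVED, REVOKED = "Awaiting vendor", "Submitted for review", "Approved", "Revoked"


@dataclass
class Invite:
    assessment_id: str
    contact_email: str
    expires_at: datetime
    status: str = AWAITING
    note: str = ""   # message attached when changes are requested


class InviteService:
    def __init__(self):
        self._by_hash = {}  # sha256(token) -> Invite; the raw token is never stored

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def send(self, assessment_id: str, contact_email: str, ttl: timedelta, now: datetime) -> str:
        # Re-sending replaces any link that is still live for this assessment
        for invite in self._by_hash.values():
            if invite.assessment_id == assessment_id and invite.status == AWAITING:
                invite.status = REVOKED
        token = secrets.token_urlsafe(32)
        self._by_hash[self._hash(token)] = Invite(assessment_id, contact_email, now + ttl)
        return token  # handed to the e-mail sender once, then forgotten

    def resolve(self, token: str, now: datetime) -> Tuple[Optional[Invite], Optional[str]]:
        """Fail closed: anything but a live, unexpired, awaiting link gets the generic error."""
        invite = self._by_hash.get(self._hash(token))
        if invite is None or invite.status != AWAITING or now >= invite.expires_at:
            return None, GENERIC_ERROR
        return invite, None

    def submit(self, token: str, now: datetime) -> Optional[str]:
        invite, error = self.resolve(token, now)
        if error:
            return error
        invite.status = SUBMITTED
        return None

    def _active(self, assessment_id: str) -> Optional[Invite]:
        for invite in self._by_hash.values():
            if invite.assessment_id == assessment_id and invite.status in (AWAITING, SUBMITTED):
                return invite
        return None

    def request_changes(self, assessment_id: str, note: str) -> bool:
        invite = self._active(assessment_id)
        if invite is None or invite.status != SUBMITTED:
            return False
        invite.status, invite.note = AWAITING, note  # vendor may edit and resubmit over the same link
        return True

    def approve(self, assessment_id: str) -> bool:
        invite = self._active(assessment_id)
        if invite is None or invite.status != SUBMITTED:
            return False
        invite.status = APPROVED  # completes the assessment; answers and scores are frozen
        return True

    def revoke(self, assessment_id: str) -> bool:
        invite = self._active(assessment_id)
        if invite is None:
            return False
        invite.status = REVOKED
        return True

    def internal_editing_allowed(self, assessment_id: str) -> bool:
        # Locked while a live link or a pending submission exists (the latter is this example's interpretation)
        return self._active(assessment_id) is None

    def status_of(self, assessment_id: str) -> Optional[str]:
        status = None
        for invite in self._by_hash.values():  # insertion order, so the last match is the newest
            if invite.assessment_id == assessment_id:
                status = invite.status
        return status
```

A wrong token, an expired link, a revoked link, and a link whose submission is already in review all receive the same `GENERIC_ERROR`; only the raw token sent to the contact resolves, and only while the invite is in Awaiting vendor.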
Sending questionnaires to vendors is available on the Business plan.
Vendor Reviews
A Vendor Review is a periodic review campaign over your vendors — mirroring Risk and Asset reviews. Rather than touching one vendor at a time, a review lets a coordinator work through a batch of vendors against a deadline.
To run a review:
- Pick a priority filter to decide which vendors are in scope (for example, the higher-risk ones or those due soon).
- Assign a coordinator and a deadline.
- Work through each vendor in the review, approving the ones that still look acceptable or withdrawing the ones that need follow-up.
A completed review can be turned into a Vendor Reviews report, giving you a point-in-time record of who reviewed which vendors and what was decided.
Assessment Matrix
The Assessment Matrix is a true probability × impact risk matrix — the same shape as the Risks matrix. Each vendor is plotted by its scores so you can see exactly where it sits and how much treatment moves it.
- Inherent scores are drawn as faded markers.
- Residual scores are drawn as solid markers.
Seeing both for the same vendor shows the shift your treatment achieves — the distance between the faded and solid markers is the risk reduction you are working toward.
Cells are colored by combined severity, so the corner where high probability meets high impact reads as danger, easing toward safe at low combined exposure.
Best Practices
- Set realistic inherent and residual scores up front — residual is your target, not a guess at today's state.
- Link concrete treatment actions and mark them Implemented as they land, so each vendor's current risk reflects real progress.
- Watch the gap between faded and solid markers: a large gap with few implemented actions is unrealized risk reduction.
- Use Reassessment frequency so assessments recur automatically and snapshots stay current rather than drifting out of date.