Vendors

Vendors track the third-party suppliers and service providers your organization depends on, so you can score their risk, capture evidence, run questionnaires, and keep assessments on a recurring schedule.

Overview

The Vendors module is the central place for managing your third-party suppliers and service providers. It connects each vendor to Controls, Assets, and Risks, captures supporting Evidence, and drives recurring Vendor Assessments so you always know how much risk each relationship carries.

Vendors are scored like risks — on an inherent and a residual point — and their current risk moves between the two as you complete treatment actions. You assign an owner, schedule reassessments, gather information with reusable Questionnaires, run periodic Vendor Reviews, and surface everything visually in the Assessment Matrix.

Vendors

A vendor represents a single third-party relationship — a cloud provider, payment processor, SaaS tool, or any external party that processes data or supports your operations. Each vendor aggregates its assessments, evidence, and links to controls, assets, and risks.

Vendor Fields

| Field | Description | Example |
| --- | --- | --- |
| Name | The name of the vendor (required) | Amazon Web Services |
| Slug | Unique identifier used in URLs and API calls (required) | aws |
| Owner | Role responsible for managing this vendor (required) | IT Operations |
| Category | What kind of supplier this is | Cloud, SaaS, Infrastructure, Processor, Hardware, Professional services, Other |
| Relationship | The data-protection role of the vendor (relevant to NIS2/DORA) | Processor, Sub-processor, Controller, Other |
| Status | Whether the vendor relationship is active | Active, Inactive, Offboarded |
| Description | Additional information about the vendor | Primary cloud infrastructure provider |
| Labels | Free-form tags to group and filter the vendor (multiple allowed) | Critical, EU, Subprocessor |
| Website | Vendor homepage URL | https://aws.amazon.com |
| Contact name | Primary point of contact at the vendor | Enterprise Support |
| Contact email | Email address for the primary contact | tam@amazon.com |
| Location | Primary country or office of the vendor | Ireland |
| Contract expiry | When the current contract ends | 31.12.2025 |
| Reassessment frequency | Cadence at which this vendor should be reassessed (a Schedule) | Annually |
| Inherent probability | Likelihood before treatment, 0 to 10 | 7 |
| Inherent impact | Impact before treatment, 0 to 10 | 8 |
| Residual probability | Likelihood after treatment, 0 to 10 | 3 |
| Residual impact | Impact after treatment, 0 to 10 | 4 |
| Treatment strategy | How the vendor risk is being addressed | Mitigate, Accept, Avoid, Transfer |
| Treatment actions | Linked actions that reduce this vendor's risk (multiple allowed) | Sign DPA, Enable SSO |
| Controls | Controls this vendor supports compliance for (multiple allowed) | Access Control Policy, Encryption |
| Assets | Assets this vendor operates, processes, or can access (multiple allowed) | Production Database, Billing System |

Labels

Labels are free-form, color-coded tags you manage centrally under Collections → Labels and attach to a vendor to capture cross-cutting groupings the structured fields don't — criticality, geography, the type of data shared, or a sourcing initiative. A vendor can carry any number of labels, and the vendor list offers a Labels filter to narrow to everything sharing a tag. The same labels can be applied to risks and assets, giving you one consistent vocabulary across the product.

Vendor Risk

Vendors are scored exactly like Risks, on two points — there is no single inherent "tier":

  • Inherent — probability × impact before any treatment. This is the raw exposure the relationship carries.
  • Residual — probability × impact after your treatment is fully in place. Residual can never exceed inherent.
  • Current — interpolated between inherent and residual based on the share of the vendor's linked treatment actions that are Implemented. With none implemented, current equals inherent; with all implemented, current equals residual. As the team completes treatment actions, the vendor's current risk moves from inherent toward residual.

This lets you see both the worst case and the target, and track real progress toward the target as work gets done.
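A worked version of the inherent, residual and current scoring above, written as an added example and not code from devguard. The page does not say whether the product interpolates the probability and impact axes separately or the multiplied score, so this example interpolates each axis and then multiplies (an assumption, noted in the code); the `Vendor` and `TreatmentAction` classes and the 0 to 10 scale check are illustrative, and the AWS sample uses the 7×8 / 3×4 scores from the field table.

```python
"""Added example, not devguard's code: how a vendor's current risk moves
from its inherent toward its residual score as treatment actions land.

Assumptions the page does not state:
- probability and impact are interpolated separately and then multiplied;
- the share of implemented actions is implemented / total, and a vendor
  with no linked actions sits at its inherent score.
"""
from dataclasses import dataclass, field
from typing import List

SCALE_MAX = 10  # probability and impact are scored 0 to 10 in the field table


@dataclass
class TreatmentAction:
    title: str
    implemented: bool = False


@dataclass
class Vendor:
    name: str
    inherent_probability: int
    inherent_impact: int
    residual_probability: int
    residual_impact: int
    actions: List[TreatmentAction] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.inherent_probability, self.inherent_impact,
                  self.residual_probability, self.residual_impact):
            if not 0 <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside 0..{SCALE_MAX}")
        # Page rule: residual can never exceed inherent (checked per axis here).
        if (self.residual_probability > self.inherent_probability
                or self.residual_impact > self.inherent_impact):
            raise ValueError("residual score exceeds inherent score")

    @property
    def inherent(self) -> int:
        """Raw exposure before any treatment: probability x impact."""
        return self.inherent_probability * self.inherent_impact

    @property
    def residual(self) -> int:
        """Target exposure once all treatment is in place."""
        return self.residual_probability * self.residual_impact

    @property
    def implemented_share(self) -> float:
        if not self.actions:
            return 0.0
        done = sum(1 for a in self.actions if a.implemented)
        return done / len(self.actions)

    @property
    def current(self) -> float:
        """Interpolated per axis by the share of Implemented actions (assumption)."""
        t = self.implemented_share
        prob = self.inherent_probability + (self.residual_probability - self.inherent_probability) * t
        impact = self.inherent_impact + (self.residual_impact - self.inherent_impact) * t
        return prob * impact

    def unrealized_reduction(self) -> float:
        """Distance still to travel from current to residual."""
        return self.current - self.residual


def aws_example() -> Vendor:
    """Constructed sample: the page's 7x8 / 3x4 scores with two open actions."""
    return Vendor("Amazon Web Services", 7, 8, 3, 4,
                  [TreatmentAction("Sign DPA"), TreatmentAction("Enable SSO")])


if __name__ == "__main__":
    v = aws_example()
    print(v.inherent, v.residual, v.current)      # 56 12 56.0
    v.actions[0].implemented = True
    print(v.current, v.unrealized_reduction())    # 30.0 18.0
    v.actions[1].implemented = True
    print(v.current)                              # 12.0
```

Note that with per-axis interpolation the halfway point (5×6 = 30) is lower than the midpoint of the two products (34); if the product itself were interpolated the curve would be linear. Either way the endpoints are fixed: no actions implemented gives inherent, all implemented gives residual.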

Status

  • Active — The vendor is in use; assessments and evidence are expected to be kept current.
  • Inactive — The relationship is paused or the contract has lapsed, but the vendor is still on record.
  • Offboarded — The relationship has been fully wound down. Offboarded vendors remain on record for historical and audit purposes.

Assessment Status

Separately from its lifecycle Status, every vendor carries a derived assessment status, shown as a badge and available as a list filter. It is computed from the vendor's latest assessment and its reassessment schedule:

  • Never assessed — No assessment has ever been completed.
  • In progress — The latest assessment is still a draft.
  • Assessed — A completed assessment is current.
  • Overdue — A completed assessment exists, but the next review date has already passed.

Relationships

Vendors connect to the rest of the platform to keep coverage and risk traceable:

  • Controls — Link the controls a vendor helps you satisfy. This contributes to compliance coverage tracking and documents your reliance on the supplier.
  • Assets — Link the assets a vendor operates, processes, or can access, so data flows and access paths are visible.
  • Risks — Vendors can be linked to risks in your register. These links are managed manually — completing an assessment no longer creates or closes risks automatically.

Vendor Assessments

A Vendor Assessment is a lightweight point-in-time snapshot of a single vendor. Rather than computing a score from a questionnaire, an assessment captures the vendor's risk scores as they stood at a moment in time, alongside the assessor's findings and recommendations.

Assessment Fields

| Field | Description | Example |
| --- | --- | --- |
| Title | A descriptive name for the assessment (required) | AWS Annual Security Review |
| Vendor | The vendor being assessed (required) | Amazon Web Services |
| Assessor | Role responsible for performing the assessment (required) | Security Team |
| Status | Draft while being prepared, Completed once finalized | Draft, Completed |
| Findings | What the assessor observed about the vendor | SOC 2 report current, no exceptions |
| Recommendations | Suggested follow-up or next steps | Renew DPA before expiry |
| Performed at | When the assessment was carried out | 04.10.2025 |
| Next review | When the vendor is due for reassessment | 04.10.2026 |
| Captured scores | The vendor's inherent and residual scores, frozen at completion | Inherent 7×8, Residual 3×4 |

Lifecycle

Assessments move through two states:

  • Draft — The assessment is being prepared. The assessor reviews the vendor, sets its risk scores, and records findings and recommendations. A draft does not yet count as the vendor's current assessment.
  • Completed — The assessment is finalized. Performed at is stamped, Next review is computed from the vendor's Reassessment frequency schedule, and the vendor's current inherent and residual scores are copied and frozen into the snapshot. The assessment becomes the vendor's latest assessment and drives its assessment status.

A completed assessment can be reopened back to Draft if corrections are needed.

The assessor sets the vendor's scores; the assessment captures them. There is no auto-rating computed from answers and no automatic risk propagation into your register.
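The lifecycle above, the frozen snapshot, and the derived assessment status from the earlier section, as an added example that is not devguard's code. The page only names a Schedule ("Annually"), so the example models a schedule as a number of months and treats the `SCHEDULE_MONTHS` names as assumptions; it also assumes that reopening to Draft clears the stamps so they are set afresh on the next completion. `Vendor`, `Assessment` and `add_months` are illustrative names.

```python
"""Added example, not devguard's code: the Draft -> Completed lifecycle,
the frozen score snapshot, and the derived assessment status badge.

Assumptions the page does not state: a Schedule is a number of months
between reassessments, and reopening to Draft clears performed_at,
next_review and the captured scores.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Schedule names assumed for this example; the page only shows "Annually".
SCHEDULE_MONTHS = {"Monthly": 1, "Quarterly": 3, "Semi-annually": 6, "Annually": 12}

PERFORMED = date(2025, 10, 4)   # the page's "Performed at" sample date


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping to the last day of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class Assessment:
    title: str
    assessor: str
    status: str = "Draft"                 # Draft or Completed
    findings: str = ""
    recommendations: str = ""
    performed_at: Optional[date] = None
    next_review: Optional[date] = None
    captured: Optional[dict] = None       # frozen scores, set at completion


@dataclass
class Vendor:
    name: str
    reassessment_frequency: Optional[str]  # a Schedule name, or None
    inherent: Tuple[int, int]              # (probability, impact)
    residual: Tuple[int, int]
    assessments: List[Assessment] = field(default_factory=list)

    def add_draft(self, title: str, assessor: str) -> Assessment:
        a = Assessment(title, assessor)
        self.assessments.append(a)
        return a

    def complete(self, a: Assessment, today: date) -> Assessment:
        """Finalize a draft: stamp dates and copy the vendor's scores into the snapshot."""
        if a.status != "Draft":
            raise ValueError("only a Draft assessment can be completed")
        months = SCHEDULE_MONTHS.get(self.reassessment_frequency or "")
        a.status = "Completed"
        a.performed_at = today
        a.next_review = add_months(today, months) if months else None
        a.captured = {"inherent": self.inherent, "residual": self.residual}
        return a

    def reopen(self, a: Assessment) -> Assessment:
        """Send a completed assessment back to Draft for corrections."""
        if a.status != "Completed":
            raise ValueError("only a Completed assessment can be reopened")
        a.status, a.performed_at, a.next_review, a.captured = "Draft", None, None, None
        return a

    @property
    def latest(self) -> Optional[Assessment]:
        return self.assessments[-1] if self.assessments else None

    def assessment_status(self, today: date) -> str:
        """Badge derived from the latest assessment and its next review date."""
        latest = self.latest
        if latest is None:
            return "Never assessed"
        if latest.status == "Draft":
            return "In progress"
        if latest.next_review is not None and latest.next_review < today:
            return "Overdue"
        return "Assessed"


if __name__ == "__main__":
    aws = Vendor("Amazon Web Services", "Annually", (7, 8), (3, 4))
    review = aws.add_draft("AWS Annual Security Review", "Security Team")
    aws.complete(review, PERFORMED)
    print(review.next_review, review.captured, aws.assessment_status(PERFORMED))
```

The snapshot copies whatever the vendor's scores are at the moment of completion, so changing the vendor's scores afterwards does not alter an existing completed assessment; reopening and completing again is what refreshes it.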

Working with Assessments

From the all-assessments list you add an assessment by picking a vendor. The list offers search, a Due this month filter and an Overdue filter, export, and bulk delete, so you can manage reassessment work across your whole vendor portfolio in one place.

Evidence

Evidence is supporting documentation attached to a vendor, such as certifications and reports. Each piece of evidence has a kind, a title, and optional issued and expiry dates so you can track validity over time.

| Evidence kind | Example |
| --- | --- |
| SOC 2 | SOC 2 Type II report |
| ISO 27001 | ISO/IEC 27001 certificate |
| Pentest | Penetration test report |
| DPA | Data Processing Agreement |
| AOC | PCI Attestation of Compliance |
| Other | Any other supporting document |

A vendor's evidence can be linked to File-type questionnaire answers, so reviewers can see exactly which document backs each response.

Reassessment and Deadlines

When a vendor has a Reassessment frequency schedule, completing an assessment sets the Next review date to the next occurrence of that schedule. These due dates surface in the Deadlines view, and the assessments list highlights items that are overdue so reassessments never quietly slip.


Questionnaires

Questionnaires are a separate, reusable instrument for gathering information from and about a vendor. They are decoupled from scoring — a questionnaire collects answers, it does not compute a risk rating. Use them to standardize the questions you ask, while the assessor sets the vendor's scores independently.

Builder Structure

You build a questionnaire in a builder made up of ordered Sections, each containing Questions. Each question has a response type:

| Response type | Behavior |
| --- | --- |
| Yes / No / NA | Single choice between yes, no, or not applicable |
| Single select | Pick one option from a list |
| Multi select | Pick several options from a list |
| Text | Free-text answer |
| File | Attach a piece of evidence as the answer |
| Info | Read-only guidance with no answer (section context) |

Questions can include guidance text, be marked required, be shown or hidden conditionally based on earlier answers, and — for the select types — carry their own list of options.

Centralized and Custom Questionnaires

  • Centralized — Provided by devguard and read-only. Use them as ready-made instruments without maintaining them yourself.
  • Custom — Authored by your organization, fully editable.

Import and Export

Questionnaires can be exported and imported as JSON, so you can share an instrument between organizations, reuse it across environments, or keep a version under your own control. Importing recreates the sections, questions, and options from the file as a new custom questionnaire.
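An added example, not devguard's code, covering both the builder structure (sections, response types, required flags, show/hide conditions) and the JSON import described here: it parses an exported questionnaire, validates its structure before import, and then evaluates which questions are visible and which required answers are missing. The JSON layout, the `show_if` condition shape and the type names are assumed for illustration; the page does not show devguard's actual export format.

```python
"""Added example, not devguard's code: import-time validation of a
questionnaire export plus evaluation of conditional and required questions.
The JSON schema below is assumed; the page does not show the real format.
"""
import json
from typing import Dict, List

RESPONSE_TYPES = {"yes_no_na", "single_select", "multi_select", "text", "file", "info"}

# Constructed sample export in the assumed schema.
SAMPLE_EXPORT = """
{
  "name": "Subprocessor baseline",
  "sections": [
    {"title": "Certifications", "questions": [
      {"id": "q1", "type": "yes_no_na", "text": "Do you hold a current SOC 2 Type II report?",
       "required": true, "guidance": "Answer for the entity that will process our data."},
      {"id": "q2", "type": "file", "text": "Attach the SOC 2 report", "required": true,
       "show_if": {"question": "q1", "equals": "yes"}},
      {"id": "q3", "type": "text", "text": "Describe compensating controls", "required": true,
       "show_if": {"question": "q1", "equals": "no"}}
    ]},
    {"title": "Data handling", "questions": [
      {"id": "q4", "type": "info", "text": "Answer for data shared under the DPA."},
      {"id": "q5", "type": "multi_select", "text": "Data categories processed", "required": true,
       "options": ["PII", "Payment", "Health", "None"]},
      {"id": "q6", "type": "single_select", "text": "Hosting region", "required": false,
       "options": ["EU", "US", "Other"]}
    ]}
  ]
}
"""


def load_questionnaire(raw: str) -> dict:
    """Parse an export and reject structures that could not be rebuilt safely."""
    q = json.loads(raw)
    seen = set()
    for section in q["sections"]:
        for question in section["questions"]:
            qid, qtype = question["id"], question["type"]
            if qtype not in RESPONSE_TYPES:
                raise ValueError(f"{qid}: unknown response type {qtype}")
            if qid in seen:
                raise ValueError(f"duplicate question id {qid}")
            if qtype in ("single_select", "multi_select") and not question.get("options"):
                raise ValueError(f"{qid}: select question without options")
            cond = question.get("show_if")
            # A condition may only depend on an earlier answer, never a later one.
            if cond and cond["question"] not in seen:
                raise ValueError(f"{qid}: condition references a later or unknown question")
            seen.add(qid)
    return q


def is_visible(question: dict, answers: Dict[str, object]) -> bool:
    cond = question.get("show_if")
    return not cond or answers.get(cond["question"]) == cond["equals"]


def validate_answers(q: dict, answers: Dict[str, object]) -> List[str]:
    """Return ids of visible questions that are required-but-missing or invalid."""
    problems = []
    for section in q["sections"]:
        for question in section["questions"]:
            if question["type"] == "info" or not is_visible(question, answers):
                continue
            qid, value = question["id"], answers.get(question["id"])
            if value in (None, "", []):
                if question.get("required"):
                    problems.append(qid)
                continue
            qtype = question["type"]
            if qtype == "yes_no_na" and value not in ("yes", "no", "na"):
                problems.append(qid)
            elif qtype == "single_select" and value not in question["options"]:
                problems.append(qid)
            elif qtype == "multi_select" and (
                    not isinstance(value, list) or not set(value) <= set(question["options"])):
                problems.append(qid)
    return problems


if __name__ == "__main__":
    questionnaire = load_questionnaire(SAMPLE_EXPORT)
    print(validate_answers(questionnaire, {"q1": "no", "q5": ["PII"]}))   # ['q3']
```

Validating conditions at import time matters because a condition pointing at a later or missing question can never be evaluated consistently; rejecting the file up front is safer than importing an instrument that silently hides or shows questions.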

Sending a Questionnaire to a Vendor

Instead of filling a questionnaire in-house, you can have the vendor complete it themselves over a secure link — no devguard account required. From a Draft assessment that has a questionnaire attached, open the Questionnaire tab and use Send to vendor:

  1. Enter the contact's email (and optionally a name) and choose when the link expires.
  2. devguard emails the contact a unique magic link. It opens a clean, branded page showing only that one questionnaire — never any of your other data.
  3. The vendor answers the questions, can upload files as evidence, and submits for review when finished. Answers save automatically as they go.
  4. You review the submission read-only, then Approve it or Request changes — which sends it back with a note so the vendor can edit and resubmit.

Approving the submission completes the assessment: the vendor's answers and the vendor's scores are captured and frozen, and everything locks, exactly as if you had completed it yourself.

Invite Status

The send panel tracks where the invite stands:

  • Awaiting vendor — The link is active; the vendor can edit and submit.
  • Submitted for review — The vendor has submitted; it is waiting for you to approve or request changes.
  • Approved — You approved the submission and the assessment is complete.
  • Revoked — You disabled the link; it no longer works. You can send a fresh one at any time.

While an invite is active, the questionnaire is locked for internal editing — only the vendor can change answers — so you never both edit at once. Revoke the link to take back control, resend to issue a new link, or rely on the expiry so stale links stop working on their own.

Each link is bound to a single assessment and is tamper-resistant: the vendor only ever sees the questionnaire for their own assessment, and a revoked, expired, or altered link fails closed with the same generic message.
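One way to implement the invite flow and status transitions described above, as an added example that is not devguard's code. The design it assumes: the server stores only a SHA-256 hash of the link token, so a leaked invite table cannot be replayed as a working link; every rejection (unknown, tampered, expired, or revoked) returns the same generic message so a caller learns nothing about why; resending revokes the earlier link; and the questionnaire stays locked for internal editing while the vendor holds a live link or a submission is awaiting review. `InviteStore`, `Invite` and the constructed timestamps `T0` and `DAY` are illustrative names.

```python
"""Added example, not devguard's code: a vendor invite store with hashed
tokens, expiry, revocation, fail-closed resolution and the
Awaiting vendor -> Submitted for review -> Approved / Revoked transitions.
All of this design is assumed for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict

GENERIC_REJECTION = "This questionnaire link is no longer available."

# Constructed timestamps for the usage example.
T0 = datetime(2025, 10, 4, tzinfo=timezone.utc)
DAY = timedelta(days=1)

AWAITING, SUBMITTED, APPROVED, REVOKED = (
    "Awaiting vendor", "Submitted for review", "Approved", "Revoked")


@dataclass
class Invite:
    assessment_id: str
    contact_email: str
    token_hash: str          # never the raw token
    expires_at: datetime
    status: str = AWAITING


class InviteStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Invite] = {}
        self._latest: Dict[str, Invite] = {}   # newest invite per assessment

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def send(self, assessment_id: str, contact_email: str, ttl: timedelta,
             now: datetime) -> str:
        """Issue a fresh link, revoking any earlier one for the same assessment."""
        self.revoke(assessment_id)
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        inv = Invite(assessment_id, contact_email, self._hash(token), now + ttl)
        self._by_hash[inv.token_hash] = inv
        self._latest[assessment_id] = inv
        return token  # only ever leaves the server inside the email

    def resolve(self, token: str, now: datetime) -> Invite:
        """Map a clicked link to its invite; fail closed with one generic message."""
        inv = self._by_hash.get(self._hash(token))
        if inv is None or inv.status == REVOKED or now >= inv.expires_at:
            raise PermissionError(GENERIC_REJECTION)
        return inv

    def submit(self, token: str, now: datetime) -> Invite:
        """Vendor submits for review; only an awaiting invite may submit."""
        inv = self.resolve(token, now)
        if inv.status != AWAITING:
            raise PermissionError(GENERIC_REJECTION)
        inv.status = SUBMITTED
        return inv

    def _in_review(self, assessment_id: str) -> Invite:
        inv = self._latest.get(assessment_id)
        if inv is None or inv.status != SUBMITTED:
            raise ValueError("no submission awaiting review")
        return inv

    def request_changes(self, assessment_id: str) -> Invite:
        """Send the submission back so the vendor can edit and resubmit."""
        inv = self._in_review(assessment_id)
        inv.status = AWAITING
        return inv

    def approve(self, assessment_id: str) -> Invite:
        inv = self._in_review(assessment_id)
        inv.status = APPROVED
        return inv

    def revoke(self, assessment_id: str) -> None:
        """Disable the current link; approved invites are left as they are."""
        inv = self._latest.get(assessment_id)
        if inv is not None and inv.status in (AWAITING, SUBMITTED):
            inv.status = REVOKED

    def internal_editing_locked(self, assessment_id: str, now: datetime) -> bool:
        """Internal users may not edit while the vendor holds a live link."""
        inv = self._latest.get(assessment_id)
        if inv is None:
            return False
        if inv.status == SUBMITTED:
            return True
        return inv.status == AWAITING and now < inv.expires_at


if __name__ == "__main__":
    store = InviteStore()
    link_token = store.send("asmt-1", "tam@amazon.com", 7 * DAY, T0)
    store.submit(link_token, T0 + 2 * DAY)
    print(store.approve("asmt-1").status, store.internal_editing_locked("asmt-1", T0 + 2 * DAY))
```

Two points a reviewer would check: the token hash, not the token, is what the store indexes by, so the raw value exists only in the email; and `resolve` collapses every failure into `GENERIC_REJECTION`, so the response does not distinguish a tampered token from an expired or revoked one.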

Sending questionnaires to vendors is available on the Business plan.


Vendor Reviews

A Vendor Review is a periodic review campaign over your vendors — mirroring Risk and Asset reviews. Rather than touching one vendor at a time, a review lets a coordinator work through a batch of vendors against a deadline.

To run a review:

  1. Pick a priority filter to decide which vendors are in scope (for example, the higher-risk ones or those due soon).
  2. Assign a coordinator and a deadline.
  3. Work through each vendor in the review, approving the ones that still look acceptable or withdrawing the ones that need follow-up.

A completed review can be turned into a Vendor Reviews report, giving you a point-in-time record of who reviewed which vendors and what was decided.


Assessment Matrix

The Assessment Matrix is a true probability × impact risk matrix — the same shape as the Risks matrix. Each vendor is plotted by its scores so you can see exactly where it sits and how much treatment moves it.

  • Inherent scores are drawn as faded markers.
  • Residual scores are drawn as solid markers.

Seeing both for the same vendor shows the shift your treatment achieves — the distance between the faded and solid markers is the risk reduction you are working toward.

Cells are colored by combined severity, so the corner where high probability meets high impact reads as danger, easing toward safe at low combined exposure.

Best Practices

  • Set realistic inherent and residual scores up front — residual is your target, not a guess at today's state.
  • Link concrete treatment actions and mark them Implemented as they land, so each vendor's current risk reflects real progress.
  • Watch the gap between faded and solid markers: a large gap with few implemented actions is unrealized risk reduction.
  • Use Reassessment frequency so assessments recur automatically and snapshots stay current rather than drifting out of date.
