Register each vendor
Add a vendor with an owner and a status, then attach its certs and evidence as files: a SOC 2 or ISO 27001 report, a DPA, a pentest AoC. The register shows at a glance who’s reviewed, who’s due and who’s scheduled.
Keep a third-party register where each vendor has an owner, a status and a next-review date. Attach its certs and evidence as files (a SOC 2 or ISO 27001 report, a DPA) alongside the security questionnaires you run, and let each completed review set the next review date so nothing quietly slips past due.
One register for every third party, with each vendor’s attached certs and evidence, the questionnaires you run, and its next review date in the same place.
Send and store the security questionnaire (VSAQ or CAIQ), and keep the evidence files the vendor returns attached to the vendor. The assessment and its proof sit on the vendor record, not in an inbox.
Periodic reviews run on a cadence, and completing a review sets the vendor’s next review date. The next date is set on completion, so the review schedule maintains itself.
Completing a vendor review sets the next review date in the same step, so a vendor moves from reviewed to due to scheduled on its own rather than being chased by memory.
Four choices behind how the vendor register works here, each one something you can check, not an adjective.
You attach the vendor’s certs and evidence to the record (a SOC 2 or ISO 27001 report, a DPA, a pentest AoC), so what a third party holds is on file, not in an email thread.
Completing a periodic review sets the vendor’s next review date, so the review schedule maintains itself instead of relying on a reminder.
Security questionnaires (VSAQ or CAIQ) and the evidence files sit on the vendor, so the assessment and its proof are in one place.
Each vendor is reviewed, due or scheduled, so you can see which third parties need attention this week without opening a single file.
Hosted in Switzerland by default, in German and English, with on-premise possible. Your data and evidence are yours and exportable in full at any time, with no lock-in.
Vendors are one module; each vendor reaches into the rest of the workspace, from the risks a third party introduces to the reports you hand an auditor.
Raise a risk against a vendor and tie it to the controls that treat it.
Keep questionnaires and evidence files attached to the vendor they cover.
Export a vendor’s review history and evidence for an auditor or the board.
See each vendor’s next review date alongside every other due item.
A vendor has an owner, a status and a next-review date. You attach its certs and evidence as files (a SOC 2 or ISO 27001 report, a DPA, a pentest AoC) alongside the security questionnaires you run, so the proof stays on that record.
Reviews run on a cadence, and completing one sets the vendor’s next review date in the same step. Because the next date is set on completion, a vendor moves through reviewed, due and scheduled on its own rather than being chased by memory.
You can store the questionnaires you run, including VSAQ and CAIQ, and keep the evidence files a vendor returns attached to the vendor. The assessment and its proof live on the vendor record.
In a spreadsheet, a vendor is a row with a review date nobody updates and certs nobody can find. Here, each vendor is a living record with its certs and evidence files attached alongside the questionnaires you run, a clear status, and a next review date the system sets on completion, so reviews stay current.
Swiss-hosted by default, in German and English, with on-premise possible. You can export your vendor records and questionnaires to CSV; your data is yours, so there’s no lock-in.
Hold one register where you attach each vendor’s certs and evidence files alongside the questionnaires you run, and let completed reviews set the next date. See who’s due this week instead of finding out at the audit.