Vendors overview in Drata

⚠️ Select your experience

The steps to manage your vendors depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.


Instructions for the New Experience ⬇️

The Vendors area centralizes third-party vendor management in Drata so you can track vendor security posture, review status, and supporting evidence.

Understand the Vendors area

Vendors includes multiple pages for different workflows:

  • Vendor insights: Dashboard-level overview (active vendors, reviews due/overdue, risk and impact breakdowns)

  • Current vendors: Vendors you actively work with

  • Prospective vendors: Vendors under evaluation before onboarding

  • Vendor risks: Risks associated with vendors

  • Criteria: Evaluation criteria used in vendor reviews

  • Vendor settings: Defaults for reminders, recurring reviews, and vendor-facing email settings

This article focuses on managing vendors in Current vendors.

Access Current vendors

Select Vendors → Current vendors. From Current vendors, you can:

  • Filter vendors by fields such as Status, Type, Inherent risk, Residual risk, Security review status, Next review deadline, Business unit, and Security owner

  • Search vendors by name

  • Download the vendor list for audit review

Add a single vendor

  1. Select Add vendor.

  2. Enter vendor details.

  3. Upload supporting documentation as needed (for example, a security policy or SOC report).

  4. Save your changes.

Residual risk levels

Use risk levels to reflect how vendor failure or compromise would impact your organization:

  • High: The vendor stores or can access sensitive data, or the business is highly dependent on the vendor's services.

  • Moderate: The vendor has limited access to sensitive data, or service loss would be disruptive.

  • Low: The vendor does not access sensitive data and service loss would not be disruptive.

Add or Update Vendors in Bulk

If you manage many vendors, you can upload them in bulk using a CSV file. Bulk upload becomes available after at least one vendor exists in your directory.

  1. Go to Vendors → Current vendors

  2. Select Add vendor → Add / update in bulk

  3. Download the CSV template

  4. Enter vendor details in the template

  5. Save the file as a CSV

  6. Upload the CSV and select Next

  7. Review the summary of changes and finalize the upload

Bulk upload behavior

  • Vendors with the same name or website URL are updated.

  • Blank fields do not overwrite existing values.

  • Bulk upload does not include certain impact assessment fields, but it does include Inherent risk.


Bulk Upload Field Requirements (Reference)

Your CSV must include all required and optional column headers. Optional fields do not require values, but the column header must still be present in the file.

Valid URL Format

URL fields accept either:

Do not use backslashes (\) or incomplete values (for example, example).


Supported Vendor Fields

| Field name | Acceptable value |
| --- | --- |
| Name (Required) | Open text |
| Website URL (Optional) | URL |
| Privacy URL (Optional) | URL |
| Terms Of Use URL (Optional) | URL |
| Provided Services (Optional) | Open text |
| Risk (Optional) | Low, Moderate, High |
| Inherent risk (Optional) | Insignificant, Minor, Moderate, Major, Critical |
| Type (Optional) | Vendor, Supplier, Contractor, Partner, Other |
| Status (Optional) | Active, Under Review, Flagged, On Hold, Approved, Rejected, Offboarded, Archived |
| Annual Contract Value (Optional) | Number |
| Additional Notes | Open text |
| Subprocessor (Optional) | Yes, No |
| Subprocessor Data Location (Optional) | Open text |
| Integrations | Vendor name within your Vendor directory. |
| Business Unit (Optional) | Engineering, Product, Marketing, Customer Success, Sales, Legal, Finance, Administrative, Human Resources, Security |
| Stores PII (Optional) | Yes, No |
| Stored Data (Optional) | Open text |
| Vendor Relationship Contact (Optional) | Email. Ensure that the entered email is the same email that is saved in Drata. You can go to the Personnel page to view the emails that are saved for each personnel. |
| Security Owner (Optional) | Email. Ensure that the entered email is the same email that is saved in Drata. You can go to the Personnel page to view the emails that are saved for each personnel. |
| Contact at Vendor (Optional) | Open text |
| Contact's Email (Optional) | Valid email address |
| Password Policy (Optional) | Username & Password, SSO, LDAP, Not Applicable, SCIM, Other. If you select Not Applicable, the remaining password fields do not apply. |
| Password Requires Minimum Length (Optional) | Yes, No |
| Password Minimum Length (Optional) | 6, 7, 8, 9, 10, 11, 12+ |
| Password Requires Number (Optional) | Yes, No |
| Password Requires Symbol (Optional) | Yes, No |
| Password Two-Factor Authentication Enable Enabled (Optional) | Yes, No |


Upload Vendors with Custom Fields

If your account uses custom vendor fields, they are included in bulk uploads.

| Custom field type | Acceptable value |
| --- | --- |
| Currency | Number (with or without decimals) |
| Number | Number |
| Dropdown | Valid dropdown option |
| Short Answer | Open text (max 191 characters) |
| Long Answer | Open text (max 30,000 characters) |

If a required custom field contains an invalid value, the vendor will not be added. Invalid values for optional custom fields are ignored.


Archive a vendor

Archive vendors you no longer work with but want to retain for audit history.

  1. Open the vendor profile.

  2. Select the ellipsis (⋯).

  3. Select Archive vendor.

Restore a vendor

  1. Open Vendors → Current vendors.

  2. Filter by Status → Archived.

  3. Select the vendor.

  4. Select the ellipsis (⋯).

  5. Select Restore vendor.

Delete a vendor

⚠️ This action cannot be undone.

Delete vendors only if they were added in error.

  1. Open the vendor profile.

  2. Select the ellipsis (⋯).

  3. Select Delete vendor and confirm.


Instructions for the Classic Experience ⬇️

The Vendor Directory allows you to track all vendors you work with and their security posture.

Vendor Management is a security subsection that may be examined during your SOC 2 audit. Specifically, Drata addresses the control for maintaining a vendor directory including agreements specifying terms, conditions and responsibilities as well as compliance reports.

Access the Vendors Page

In the left navigation within Drata, select Vendors.

On the Vendors page, you can view the list of your vendors with the following details: vendor names, business units, risk levels, status, password policy, type, person responsible for security/compliance within the company, and reminder indicator. You can enable reminders to periodically review vendor information.

Manage Vendors

You can add vendors in two ways: one vendor at a time, or multiple vendors at once.

Add a single Vendor

  1. On the Vendors page, select Add vendor and then Add a single vendor in the upper right corner.

  2. A drawer will open from the right side of your screen, prompting you to add details about the vendor and upload their security policy or SOC 2 report. Use the following definitions when choosing the risk level for a vendor:

    • High: The failure of the vendor poses a high risk to your business because the vendor stores or has access to sensitive data and/or your business is highly dependent on the vendor's service(s) operationally.

    • Moderate: The failure of the vendor poses a moderate risk to your business because the vendor has limited/restricted access to sensitive data and/or the loss of its service(s) would be disruptive to your business.

    • Low: The failure of the vendor poses a low risk to your business because the vendor does not have access to sensitive data and its loss of service(s) would not be disruptive to your business.

Bulk uploading or updating

Note: The Bulk Upload option only becomes available after you have added at least one vendor to your directory. If this is your first time setting up vendors, add a single vendor first before attempting to bulk upload.

  1. On the Vendors page, select Add vendor and then Add / Update in bulk.

  2. On the modal, download the template to import your vendors. On the template, enter the details of your vendors into the CSV.

  3. The following table shows the fields and values that must be entered. The field name indicates whether the field is required or optional. For all the fields except for open text, URL and address fields, enter the exact values and spelling listed. Select one value for each field.

    • Note:

      • Vendors with the same name or URL will be updated with the updated CSV information.

      • Bulk Upload will not include Impact Assessment fields (Data Accessed, Operational Impact, Access To Environments), but will include Impact Level.

Table of Field Name and Acceptable Values

Your CSV must include all required and optional column headers. Fields marked as optional do not require a value, but the column header must still be present in the file.

Note about URL Fields:

| Field name | Acceptable value |
| --- | --- |
| Name (Required) | Open text |
| Website URL (Optional) | URL |
| Privacy URL (Optional) | URL |
| Terms Of Use URL (Optional) | URL |
| Provided Services (Optional) | Open text |
| Risk (Optional) | Low, Moderate, High |
| Impact Level (Optional) | Insignificant, Minor, Moderate, Major, Critical |
| Type (Optional) | Vendor, Supplier, Contractor, Partner, Other |
| Status (Optional) | Active, Under Review, Flagged, On Hold, Approved, Rejected, Offboarded, Archived |
| Annual Contract Value (Optional) | Number |
| Additional Notes | Open text |
| Subprocessor (Optional) | Yes, No |
| Subprocessor Data Location (Optional) | Open text |
| Integrations | Vendor name within your Vendor directory. |
| Business Unit (Optional) | Engineering, Product, Marketing, Customer Success, Sales, Legal, Finance, Administrative, Human Resources, Security |
| Stores PII (Optional) | Yes, No |
| Stored Data (Optional) | Open text |
| Vendor Relationship Contact (Optional) | Email. Ensure that the entered email is the same email that is saved in Drata. You can go to the Personnel page to view the emails that are saved for each personnel. |
| Security Owner (Optional) | Email. Ensure that the entered email is the same email that is saved in Drata. You can go to the Personnel page to view the emails that are saved for each personnel. |
| Contact at Vendor (Optional) | Open text |
| Vendor contact email address (required) | Valid email address |
| Password Policy (Optional) | Username & Password, SSO, LDAP, Not Applicable, SCIM, Other. Note: If you select Not Applicable, the remaining password fields do not apply. |
| Password Requires Minimum Length (Optional) | Yes, No |
| Password Minimum Length (Optional) | 6, 7, 8, 9, 10, 11, 12+ |
| Password Requires Number (Optional) | Yes, No |
| Password Requires Symbol (Optional) | Yes, No |
| Password Two-Factor Authentication Enable Enabled (Optional) | Yes, No |

Upload your vendors with custom fields

Note: Ensure you have the custom fields feature. To learn more about custom fields, go to the Custom fields overview help article.

Custom fields added to Vendors are included in the bulk upload. The following table showcases the acceptable value for each custom field type.

| Custom field type | Acceptable value |
| --- | --- |
| Currency | Number with or without decimal |
| Number | Number |
| Dropdown | Valid options for the dropdown |
| Short Answer | Open text. Up to a maximum of 191 characters. |
| Long Answer | Open text. Up to a maximum of 30,000 characters. |

If the value of a required custom field does not match the acceptable value, vendors will not be added. If the value of an optional custom field does not match the acceptable value, those fields will be ignored.

Once you've entered your details, save your file as a CSV, upload your file, and select Next.

A warning message is displayed if a required field is not included or does not match the requirements above. Resolve the error and re-upload. The field will be empty after uploading if the values for an optional field do not follow the acceptable value requirement. For example, if Risk is entered as "Medium" instead of "Moderate", the Risk value will be empty since "Medium" is not a recognized value in our system.
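A pre-upload check for the rules above, as an added example that is not Drata's code: it reports missing column headers, a missing Name, and optional values (such as "Medium" for Risk) that the upload would leave empty. Header names are assumed to match the table's field names without the Required/Optional suffix, matching is assumed to be exact-case, and only a subset of the fields is covered.

```python
import csv
import io

# Values copied from the field table above. Assumed: headers equal the table's
# field names without "(Required)"/"(Optional)"; matching is exact-case.
ALLOWED = {
    "Risk": {"Low", "Moderate", "High"},
    "Impact Level": {"Insignificant", "Minor", "Moderate", "Major", "Critical"},
    "Type": {"Vendor", "Supplier", "Contractor", "Partner", "Other"},
    "Status": {"Active", "Under Review", "Flagged", "On Hold", "Approved",
               "Rejected", "Offboarded", "Archived"},
    "Stores PII": {"Yes", "No"},
    "Subprocessor": {"Yes", "No"},
}
URL_FIELDS = ("Website URL", "Privacy URL", "Terms Of Use URL")
EXPECTED_HEADERS = {"Name", *ALLOWED, *URL_FIELDS}  # subset of the full table


def lint_vendor_csv(text):
    """Return (row, field, severity, message) tuples; row 1 is the header."""
    # "error": fix before upload; "blanked": optional value would be stored empty.
    reader = csv.DictReader(io.StringIO(text))
    findings = []
    for header in sorted(EXPECTED_HEADERS - set(reader.fieldnames or [])):
        findings.append((1, header, "error", "column header missing"))
    for row_no, row in enumerate(reader, start=2):
        if not (row.get("Name") or "").strip():
            findings.append((row_no, "Name", "error", "required value missing"))
        for field, allowed in ALLOWED.items():
            value = (row.get(field) or "").strip()
            if value and value not in allowed:
                findings.append((row_no, field, "blanked",
                                 f"{value!r} not in {sorted(allowed)}"))
        for field in URL_FIELDS:
            if "\\" in (row.get(field) or ""):
                findings.append((row_no, field, "blanked", "backslash in URL"))
    return findings


# Constructed sample: no Subprocessor column, "Medium" risk, blank Name.
SAMPLE = (
    "Name,Website URL,Privacy URL,Terms Of Use URL,Risk,Impact Level,Type,Status,Stores PII\n"
    "Acme Hosting,https://acme.example,,,High,Major,Vendor,Active,Yes\n"
    "Beta Mail,https://beta.example,,,Medium,Minor,Vendor,Active,No\n"
    ",https:\\\\gamma.example,,,Low,Minor,Partner,Approved,No\n"
)

if __name__ == "__main__":
    print(*lint_vendor_csv(SAMPLE), sep="\n")
```

Running the check before each upload catches risk ratings that would otherwise be stored empty without blocking the import.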

After you continue, you will see a step that confirms the summary of changes in your file.


Update your vendors

To update vendors, add the vendor name and URL as they exist in the directory into your CSV. Enter any information into the fields you would like to change. If a field is left blank, it will not be updated to an empty state; only fields with differing input values will be updated.

Once you select Continue, you will see a step that confirms a summary of changes, including the number of fields that will be updated.


Excluded vendors

The summary of changes modal showcases any vendors that are excluded and the reason for the exclusion.


Once you finalize, a confirmation notifies you when the vendors are ready.

After updating or uploading, your recently uploaded and updated vendors appear at the top of the Vendor Directory page, marked with a blue line.

After refreshing the page, the vendors will be sorted into the default alphabetical order and the blue line will not be displayed.


Responsibilities in the Vendor Drawer

There are three fields in the Vendor drawer where you can add the contact of a personnel or vendor. Here is how we define the responsibilities:

| Responsibilities | Description |
| --- | --- |
| Security owner | This is the person at your company responsible for reviewing this vendor's security posture. They must hold the admin, information security lead, or workspace manager role within Drata. |
| Vendor relationship contact | This is an internal contact at your company who most likely requested the vendor and/or manages the relationship. Reach out to this person if you have questions about this vendor. They must be a current employee or contractor in Drata. |
| Contact at vendor | This is the main point of contact at the vendor's organization. This person is external to your company. |

Archive Vendor

You may archive a vendor if you no longer work with them but want to retain a record of their compliance and risk data for your company. To do so, select the vendor profile, select the ellipsis, and select Archive Vendor.


Restore Vendor

You may restore a vendor if you enter into a new agreement with them, or want this vendor to be shown to your auditor. To do so, navigate to the Vendors page and select Archived within the All Statuses filter. You may need to scroll down to select the Archived option.


Select the desired archived vendor, then select the ellipsis and then Restore Vendor.


Delete Vendor

⚠️ NOTE: This cannot be undone.

You may delete a vendor if you make a mistake or wish to erase a vendor and its associated data. To do so, select the vendor profile, select the ellipsis, and select Delete Vendor. You will see a modal where you can confirm or cancel this action.
