⚠️ Select your experience
The steps to add a prospective vendor depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience
This workflow helps you conduct security reviews, document decisions, and activate vendors only after they meet your organization's requirements.
Prospective vendors separate evaluation from ongoing vendor management, which supports audit clarity and internal approval processes.
How Prospective Vendors Work
Prospective vendors represent vendors that are still under consideration.
With prospective vendors, you can:
Run a security review and collect evidence
Send questionnaires or upload vendor responses
Document review decisions and approval outcomes
Activate vendors only after review completion
Once activated, the vendor moves to Current vendors, and review history is retained for audit purposes.
Access Prospective Vendors
Go to Vendors → Prospective vendors
Select Add vendor
Step 1: Add Vendor Details
Complete the vendor intake form. Some fields are optional.
Vendor Details
Vendor name: Select or enter the vendor name.
Vendor website URL (optional): Enter the vendor's website.
Important: Do not include www in the URL.
Business unit: Internal team that will use or benefit from the vendor.
Provided services (optional): Brief description of the services the vendor will provide.
Contact Information (Optional)
Contact at vendor: Primary external contact
Contact's email address: Email address for the vendor contact
Request Details
Request date: Date the request was submitted
Review deadline: Date a decision must be finalized
Requester: Internal team member requesting the vendor
Internal security owner (optional): Person responsible for reviewing the vendor's security posture
Internal security owners must have one of the following roles: Admin, Information Security Lead, or Workspace Manager.
Step 2: Select the Inherent risk
Next, determine the vendor's Inherent risk based on the type of access and business criticality.
You'll select options such as:
Data accessed: Type and sensitivity of data the vendor will access
Operational impact: Potential effect on business operations
Access to environments: Level of access to systems or infrastructure
Inherent risk: Drata uses these selections to calculate and recommend an overall Inherent risk. On some plans, Drata does not provide a recommendation and you must select the Inherent risk yourself.
Step 3: Define Security Review Scope and Attach Evidence
After adding the vendor, define what you want to review and gather supporting documentation.
You can include:
Uploaded files (for example, SOC 2 reports or certifications)
Questionnaires sent through Drata
Manually uploaded vendor responses
Step 4: Complete the Security Review
After the prospective vendor is created, Drata opens the security review automatically. From the review page, you can:
View and annotate questionnaires
Review uploaded documentation
View AI-generated summaries (VRM Agent), if enabled
When ready, finalize the review by selecting a decision:
Pending
Approved
Approved with conditions
Rejected
Add notes to document the decision rationale for auditors or internal stakeholders. After completion, you're redirected to a review summary page, which you can download and share.
You can also reopen the review if updates are needed.
Activate the Vendor
If you decide to continue working with the vendor, activate them after the review is complete.
Select Mark as active
Complete the activation steps:
Confirm or assign the vendor risk level
(TPRM only) Convert observations into vendor risks
Set a recurring review schedule
After activation:
The vendor moves to Vendors → Current vendors
Review deadlines are tracked
Vendors approaching deadlines are marked Due soon or Overdue
Instructions for the Classic Experience
You can now add prospective vendors, conduct security reviews, and document security decisions for your team. For the vendors you continue working with, you can activate them and track ongoing reviews. Adding prospective vendors allows you to efficiently assess their compliance with your organization's standards while saving time through Drata's streamlined automated impact assessments and documentation processes.
Add a prospective vendor
Go to the Vendors page and select the Prospective tab to view your list of prospective vendors and their security review statuses (if you have any). Then select Add vendor.
Complete the Vendor details, Contact information, and Request details sections. Some fields are optional.
Vendor details section
Vendor name: Enter the name of the vendor.
Vendor website URL (optional): Enter the website of the vendor.
Note: Do not include www. in the website URL. Including www. will cause a validation error.
Business Unit: Enter the internal department or team in your organization that will primarily interact with or benefit from the vendor's services.
Provided services (optional): Enter a brief description of the services the vendor will provide to your organization.
Contact information section
Contact at vendor (optional): Enter the name of the primary contact at the vendor, typically the person responsible for the relationship or discussions.
Contact's email address (optional): Provide the email address of the vendor's contact.
Request details section
Requester: The internal team member interested in the new service.
Internal security owner (optional): This is the person at your company responsible for reviewing this vendor's security posture.
Note: They must hold the admin, information security lead, or workspace manager role within Drata.
Request date: Record the date when the vendor request was submitted.
Review deadline: Indicate the date by which a decision regarding the vendor must be finalized.
Impact Level (Non-TPRM Plan): Manually enter the impact level if you do not have a TPRM plan.
(TPRM plan only) In the next step, select the applicable options to determine the Impact Level.
Recommended impact level: An automated impact assessment evaluates potential risks and impacts based on factors such as:
Data Accessed: The type and sensitivity of data the vendor will access.
Operational Impact: The extent to which the vendor could affect your business operations.
Environment Access: The level of access the vendor will have to your systems or infrastructure.
After adding the vendor information, proceed to determine the Review Scope and include any relevant documentation.
This may include:
Files such as SOC 2 reports or certifications.
Questionnaires sent through Drata's platform.
Manually uploaded responses provided by the vendor.
Complete security review
After adding a prospective vendor, you'll be taken to a security review page to document observations about the vendor's security posture.
View and annotate questionnaires sent and received through Drata. If enabled, view AI summaries of uploaded questionnaires.
After documenting observations, finalize the review with a security decision (Approve, Approve with Exceptions, or Reject) and include a note.
Once the security review is marked complete, you'll be directed to an overview page summarizing the review. You can download this summary to share with colleagues. If necessary, re-open the review for further updates.
Learn more about reviewing your vendors at Start a review for your vendors.
To continue working with the vendor, mark them as active.
Mark prospective vendor as active
Mark the vendor as active and follow the three-step activation flow:
After completing your security review, select Mark as active from the banner that indicates the review is complete.
Determine the risk level and, for those on the TPRM plan, convert observations into risks.
Establish a recurring review schedule, which creates a task within Drata. Vendors nearing the review deadline are tagged Due Soon, and Overdue once the deadline passes.
After activation, review the risk level, added risks, and the next review deadline.