💡 Still using the classic Drata experience? Refer to Add a prospective vendor for the original UI.
This workflow helps you conduct security reviews, document decisions, and activate vendors only after they meet your organization’s requirements.
Prospective vendors separate evaluation from ongoing vendor management, which supports audit clarity and internal approval processes.
How Prospective Vendors Work
Prospective vendors represent vendors that are still under consideration.
With prospective vendors, you can:
Run a security review and collect evidence
Send questionnaires or upload vendor responses
Document review decisions and approval outcomes
Activate vendors only after review completion
Once activated, the vendor moves to Current vendors, and review history is retained for audit purposes.
Access Prospective Vendors
Go to Vendors → Prospective vendors
Select Add vendor
Step 1: Add Vendor Details
Complete the vendor intake form. Some fields are optional.
Vendor Details
Vendor name: Select or enter the vendor name.
Vendor website URL (optional): Enter the vendor’s website.
Important: Do not include www in the URL.
✅ https://vendor.com
❌ https://www.vendor.com
Business unit: Internal team that will use or benefit from the vendor.
Provided services (optional): Brief description of the services the vendor will provide.
Contact Information (Optional)
Contact at vendor: Primary external contact
Contact’s email address: Email address for the vendor contact
Request Details
Request date: Date the request was submitted
Review deadline: Date a decision must be finalized
Requester: Internal team member requesting the vendor
Internal security owner (optional): Person responsible for reviewing the vendor’s security posture
Internal security owners must have one of the following roles: Admin, Information Security Lead, or Workspace Manager.
Step 2: Select the Impact Level
Next, determine the vendor’s impact level based on the type of access and business criticality.
You’ll select options such as:
Data accessed: Type and sensitivity of data the vendor will access
Operational impact: Potential effect on business operations
Access to environments: Level of access to systems or infrastructure
Impact level: Drata uses these selections to calculate an overall impact level and recommends one. On some plans the recommendation is not available, and you must select the impact level yourself.
Step 3: Define Security Review Scope and Attach Evidence
After adding the vendor, define what you want to review and gather supporting documentation.
You can include:
Uploaded files (for example, SOC 2 reports or certifications)
Questionnaires sent through Drata
Manually uploaded vendor responses
Step 4: Complete the Security Review
After the prospective vendor is created, Drata opens the security review automatically. From the review page you can:
View and annotate questionnaires
Review uploaded documentation
View AI-generated summaries (VRM Agent), if enabled
When ready, finalize the review by selecting a decision:
Pending
Approved
Approved with conditions
Rejected
Add notes to document the decision rationale for auditors or internal stakeholders. After you complete the review, you are redirected to a review summary page, which you can download and share.
You can also reopen the review if updates are needed.
Activate the Vendor
If you decide to continue working with the vendor, activate them after the review is complete.
Select Mark as active
Complete the activation steps:
Confirm or assign the vendor risk level
(TPRM only) Convert observations into vendor risks
Set a recurring review schedule
After activation:
The vendor moves to Vendors → Current vendors
Review deadlines are tracked
Vendors approaching deadlines are marked Due soon or Overdue