⚠️ Select your experience
The steps to manage security reviews depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Security reviews allow you to evaluate, document, and track a vendor's security posture over time. Reviews live on the vendor profile and can include questionnaires, SOC reports, uploaded evidence, and a final security decision.
Use security reviews to:
Assess vendors during onboarding
Perform recurring security reviews
Track review status and deadlines
Maintain audit-ready review documentation
Security review statuses
On the Current vendors page, the table includes two key columns that help you track review health across vendors:
Security review status
Next review deadline
You can filter vendors using either column.
Security review status definitions
Status | Description | Recurring reviews |
Up to date | The vendor completed a review within 90 days of the most recent deadline | Enabled |
Needs review | The review window has started and no review is in progress | Enabled |
In progress | A security review is currently underway | Enabled or disabled |
Completed | A review is complete and recurring reviews are not enabled | Disabled |
No past reviews | The vendor has never completed a review | Enabled or disabled |
Next review deadline indicators
Indicator | Description |
Due soon | The review deadline is within 7 days |
Overdue | The review deadline has passed |
Deadline not set | Recurring reviews are not enabled |
Where security reviews live
To manage security reviews:
Select Vendors.
Open Current vendors or Prospective vendors.
Select a vendor.
Open the Security reviews tab.
Each vendor profile contains a full history of completed and in-progress reviews.
Step 1: Start a security review
To begin a new review:
Select Vendors.
Open Current vendors or Prospective vendors.
Select a vendor.
Open the Security reviews tab.
Select Create review.
Choose one of the following:
Security review
SOC report review
Upload review report
Option 1: Create a security review
A security review allows you to collect evidence and document your assessment.
During a security review, you can:
Upload files (such as SOC 2 reports)
Send questionnaires through Drata
Upload questionnaire responses received outside Drata
View AI summaries (if enabled)
After reviewing the vendor's documentation and questionnaire responses, select a final decision based on your organization's risk and onboarding requirements:
Pending: Select this if the review is still in progress or you are waiting on additional information, documentation, or responses from the vendor.
Approved: Select this if the vendor meets your security and compliance requirements and no further action is needed before onboarding.
Approved with conditions: Select this if the vendor is acceptable to move forward, but requires follow-up actions (such as remediation, contract clauses, or additional controls) before full approval.
Rejected: Select this if the vendor does not meet your organization's security requirements or presents an unacceptable level of risk.
Add notes to document the reason for your decision, including any required follow-up actions or conditions.
After completion, you can:
View the review summary
Download the review package
Re-open the review if updates are required
Option 2: SOC report reviews
SOC report reviews are used to formally review and document SOC reports. To start a SOC report review:
Select Create review → SOC report review.
Complete each section using the SOC report as reference.
Save and close if needed.
Select Finish review when complete.
Note: You cannot start a new SOC report review until the current one is completed or deleted.
Option 3: Upload a completed review report
If a review was completed outside Drata:
Select Create review → SOC report review.
Select Upload review report.
Upload the completed document.
The uploaded report is stored with the vendor's review history for audit purposes.
Schedule recurring reviews
Recurring reviews help ensure vendors are reviewed on a regular cadence.
Configure global recurring review settings
Go to Vendors → Vendor settings.
Scroll down to the Recurring reviews section.
Set how many days before the deadline the review window should open.
Default: 30 days
Scheduled questionnaires are sent automatically on the review window start date.
Enable recurring reviews for a vendor
Open Vendors → Current vendors.
Select a vendor.
Select Manage recurring reviews.
Enable Schedule recurring reviews to get reminders to conduct a security review of this vendor on a recurring basis.
Set the review frequency.
Enable Scheduled questionnaires (optional).
Select the questionnaires to send and the vendor contact email.
Review the start date and deadline.
Automatic deadline adjustment
To maintain a consistent review schedule, Drata may automatically adjust the next review deadline when a review is completed close to its existing due date.
If a review is completed within 90 days of the current deadline, Drata calculates the next deadline based on the original schedule, not the date the review was completed. This prevents deadline drift and keeps recurring reviews aligned to their intended cadence.
For example:
Original deadline: June 25
Review completed: June 10
Review frequency: Every 6 months
Next deadline: December 25
Because the review was completed within 90 days of the deadline, Drata sets the next deadline to December 25 (six months from the original deadline), not December 10. This ensures your review cycle remains consistent over time.
Automated reminder emails
You can automatically remind vendors to complete questionnaires.
To configure reminders:
Go to Vendors → Vendor settings.
Scroll to Questionnaire reminders.
Select Edit to enable Follow-up reminders.
Customize when and how often reminders are sent.
Key distinctions to remember
Security reviews are the container for decisions and evidence
Questionnaires are sent within security reviews
SOC reviews and uploaded reports are review types, not questionnaires
Instructions for the Classic Experience ⬇️
With Drata, you can conduct security reviews for your vendors from their profile's Security Reviews tab. Learn how to:
Track security review statuses
Automate reminders and recurring reviews
Manage SOC reports and review reports
To learn how to create and edit security questionnaires, customize the email template, or send and track responses, go to Vendor Security Questionnaire.
Security review statuses
On the Current tab of the Vendors page, there is a table that showcases all current vendors. This table contains two important columns: Security review status and Next review deadline.
These columns display the state or status of vendors. You can also filter based on these statuses.
Security review status column overview:
Security Review Status | Definition | Recurring review status |
Up-to-date | Vendors have completed a review within 90 days of their most recent deadline. | Enabled |
Needs review | Vendor's review window start date has commenced and no security reviews are in-progress. | Enabled |
In progress | Vendor has a review that is in progress | Enabled or Disabled |
Completed | Vendor has completed a review for their vendor and does not have Recurring reviews enabled. | Disabled |
No past reviews | Vendor has no past reviews. | Enabled or Disabled |
Next review deadline column overview:
Next Review Deadline Status | Definition |
Due Soon | Vendor has a review deadline within 7 days |
Overdue | Vendor's review deadline has passed |
Deadline not set | Vendor does not have Recurring reviews enabled |
Set Up Automated Reminder Emails
After sending out a questionnaire, you can schedule reminder emails to be automatically sent to your vendors, prompting them to complete their questionnaires.
Go to the Vendors page and navigate to the Settings tab.
Scroll down to the Questionnaires section and toggle on Follow-up reminders.
Select the Edit icon to customize when and how often reminder emails should be sent.
Schedule recurring questionnaires
For vendors with recurring reviews, you can set up a schedule to automatically send them your questionnaires.
Go to the Vendors page and navigate to the Settings tab.
Go to the Recurring reviews section, select the edit icon to update the number of days before the deadline that you'd like the vendor's review window to begin.
The default will be 30 days. Any scheduled questionnaires will be sent on the vendor's review window start date.
Go back to the Current tab and select the vendor you'd like to automatically schedule a questionnaire.
Select Manage recurring reviews.
Enable Recurring reviews and then update the Review frequency.
Enable Scheduled questionnaires and choose the questionnaires you'd like to send to your vendor on their next review window. Add the Vendor contact email you would like to send the questionnaire to. View the Review start date and Review deadline.
Save.
Start a Security Review
Navigate to the Vendors page.
Select the desired vendor.
Go to the Security reviews tab to view past reviews, including SOC reviews.
Select New review. You can choose to start a:
Security review,
SOC report review, or
Upload a review report.
Create a Security Review
Select Security Review and enter vendor details.
Add relevant files like SOC 2 reports, send questionnaires through Drata, or manually upload responses.
For questionnaires sent and received through Drata, select View to examine the responses.
If enabled, view AI summaries of uploaded questionnaires.
Add final observations and select a security decision: Approve, Approve with Exceptions, or Reject.
Select Mark Review as Complete to view an overview and download the summary for colleagues. Re-open the review if needed.
If your Security Review deadline falls within 90 days of your review completion date, the deadline will be automatically adjusted based on your review frequency, if you have a recurring review frequency set up.
For example, if you complete a review on June 10th with a June 25th deadline and a 6-month review frequency, the new deadline is December 25th (6 months from the original deadline).
Create a SOC Report Review
Select SOC Report Review to begin. Use the vendor's SOC 2 report for reference and fill out each section according to the guidance here.
You can Save and Close to continue later.
Note: You cannot start a new SOC report review for the vendor until the current review is completed or deleted.
Once completed, select Finish Review.
Upload review report
If you have a review report completed outside of Drata, you can select the Upload review report to upload and store it in the vendor's profile.