When conducting a vendor security review using the TPRM Agent, you can document your findings and reasoning directly on each criterion using two types of annotations: Internal Notes and Observations.
These help your team maintain audit defensibility and capture vendor-specific context without exposing internal reasoning to the vendor.
Understand Internal Notes and Observations
Internal Note: Private notes visible only to your organization. Use these to document your reasoning, especially when overriding an AI-generated assessment. Internal notes are never shared with vendors and support audit defensibility.
Observation: Vendor-specific findings that capture posture details surfaced during the review. Observations are visible to review participants but are never shared externally with the vendor.
For current vendors, observations can be converted into risks after the review is finalized.
For prospective vendors, observations are recorded but cannot be converted into risks, as risks cannot be assigned to prospective vendors.
Add an Internal Note or Observation
There are two ways to add an internal note or observation, and which one you use affects how the Context field is pre-populated.
Option 1: Not tied to a specific criterion
Use this when your note or observation applies to the review generally rather than to a specific criterion.
From an in-progress security review, select the book icon in the right-side panel.
Select either the Internal Note tab or the Observation tab.
Enter your text.
The Context field will be pre-populated with the security review name followed by (general).
Select Save. The entry is saved with your name and a timestamp.
Option 2: Tied to a specific criterion
Use this when your note or observation is directly related to a specific criterion in the review.
From an in-progress security review, select a criterion.
In the criterion panel, select either the Add internal note or the Add observation button.
Enter your text.
The Context field will be pre-populated with the criterion name.
Select Save. The entry is saved with your name and a timestamp.
Important notes:
Notes can be up to 30,000 characters.
💡 Internal notes are ideal for documenting override rationale — for example, explaining why you changed an AI-generated status, or noting additional context from a vendor call that isn’t captured in the questionnaire.
💡 Observations capture vendor-specific posture and can be converted into risks after the review is finalized. They are visible to review participants but are not shared externally with the vendor.
Finalize a security review
Once you have completed your assessment across all criteria, you can finalize the review.
From the security review, select Finalize review in the top-right corner.
In the Finalize Security Review dialog, select a Decision (for example, Approved).
Optionally, add a Note to summarize your overall assessment or finalization rationale. Closing the criterion details panel automatically changes the note's Context to the security review.
Select Mark review as complete. The review status updates and a confirmation toast is shown.
💡 After finalizing, criteria statuses, internal notes, and observations are locked as part of the review record. Observations can be added to your risk register from the finalized review.