The Vendor Directory allows you to track all vendors you work with and their security posture.
Vendor Management is a security subsection that may be examined during your SOC 2 audit. Specifically, Drata addresses the control for maintaining a vendor directory including agreements specifying terms, conditions and responsibilities as well as compliance reports.
Access the Vendors Page
In the left navigation within Drata, select Vendors.
On the Vendors page, you can view the list of your vendors with the following details: vendor names, business units, risk levels, status, password policy, type, person responsible for security/compliance within the company, and reminder indicator. You can enable reminders to periodically review vendor information.
Add Vendors
You have two ways to add a vendor. You can add a single or multiple vendors at a time.
Add a single Vendor
On the Vendors page, select Add vendor and then Add a single vendor in the upper right corner.
A drawer will open from the right side of your screen, prompting you to add details about the vendor and upload their security policy or SOC 2 report. These are the risk when choosing the risk for vendors.
High: The failure of the vendor poses a high risk to your business because the vendor stores or has access to sensitive data and/or your business is highly dependent on the vendor’s service(s) operationally.
Moderate: The failure of the vendor poses a moderate risk to your business because the vendor has limited/restricted access to sensitive data and/or the loss of its service(s) would be disruptive to your business.
Low: The failure of the vendor poses a low risk to your business because the vendor does not have access to sensitive data and its loss of service(s) would not be disruptive to your business.
Bulk uploading or updating
On the Vendors page, select Add vendor and then Add / Update in bulk.
On the modal, download the template to import your vendors. On the template, enter the details of your vendors into the CSV.
The following table shows the fields and values that must be entered. The field name indicates whether the field is required or optional. For all the fields except for open text, URL and address fields, enter the exact values and spelling listed. Select one value for each field.
Note:
Vendors with the same name or URL will be updated with the updated CSV information.
Bulk Upload will not include Impact Assessment fields (Data Accessed, Operational Impact, Access To Environments), but will include Impact Level.
Field name | Acceptable value |
Name (Required) | Open text |
Website URL (Optional) | URL |
Privacy URL (Optional) | URL |
Terms Of Use URL (Optional) | URL |
Provided Services (Optional) | Open text |
Risk (Optional) |
|
Impact Level (Optional) |
|
Type (Optional) |
|
Status (Optional) |
|
Annual Contract Value (Optional) |
|
Additional Notes | Open text |
Subprocessor (Optional) |
|
Subprocessor Data Location (Optional) | Open text |
Integrations | Vendor name within your Vendor directory. |
Business Unit (Optional) |
|
Stores PII (Optional) |
|
Stored Data (Optional) | Open text |
Vendor Relationship Contact (Optional) |
|
Security Owner (Optional) |
|
Contact at Vendor (Optional) | Open text |
Contact’s Email (Optional) | Valid email address |
Password Policy (Optional) |
|
Password Requires Minimum Length (Optional) |
|
Password Minimum Length (Optional) |
|
Password Requires Number (Optional) |
|
Password Requires Symbol (Optional) |
|
Password MFA Enabled (Optional) |
|
Upload your vendors with custom fields
Note: Ensure you have the custom fields feature. To learn more about custom fields, go to the Custom fields overview help article.
Custom fields added to Vendors are included in the bulk upload. The following table showcases the acceptable value for each custom field type.
Custom field type | Acceptable value |
Currency | Number with or without decimal |
Number | Number |
Dropdown | Valid options for the dropdown |
Short Answer | Open text. Up to a maximum of 191 characters. |
Long Answer | Open text. Up to a maximum of 30,000 characters. |
If the value of a required custom field does not match the acceptable value, vendors will not be added. If the value of an optional custom field does not match the acceptable value, those fields will be ignored.
Once you’ve entered your details, save your file as a CSV, upload your file, and select Next.
A warning message is displayed if a required field is not included or does not match the requirements above. Resolve the error and re-upload. The field will be empty after uploading if the values for an optional field do not follow the acceptable value requirement. For example, if Risk is entered as “Medium” instead of “Moderate”, the Risk value will be empty since “Medium” is not a recognized value in our system.
After you continue, you will see a step that confirms the summary of changes in your file.
Update your vendors
To update vendors, add the vendor name and URL as they exist in the directory into your CSV. Enter any information into the fields you would like to change. If a field is left blank, it will not be updated to an empty state; only fields with differing input values will be updated.
Once you select Continue, you will see a step that confirms a summary of changes, including the number of fields that will be updated.
Excluded vendors
The summary of changes modal showcases any vendors that are excluded and the reason for the exclusion.
Once you finalize, a confirmation notifies you when the vendors are ready.
After updating or uploading, on the Vendor Directory page, you will see your recently uploaded and updated vendors at the top of the Directory with a blue line indication.
After refreshing the page, the vendors will be sorted into the default alphabetical order and the blue line will not be displayed.
Responsibilities in the Vendor Drawer
There are three fields in the Vendor drawer where you can add the contact of a personnel or vendor. Here is how we define the responsibilities:
Responsibilities | Description |
Security owner | This is the person at your company responsible for reviewing this vendor’s security posture. They must hold the admin, information security lead, or workspace manager role within Drata. |
Vendor relationship contact | This is an internal contact at your company who most likely requested the vendor and/or manages the relationship. Reach out to this person if you have questions about this vendor. They must be a current employee or contractor in Drata. |
Contact at vendor | This is the main point of contact at the vendor’s organization. This person is external to your company. |
Archive Vendor
You may archive a vendor if you no longer work with them but want to retain a record of their compliance and risk data for your company. To do so, select the vendor profile, select the ellipse and select Archive Vendor.
Restore Vendor
You may restore a vendor if you enter in a new agreement with them, or want this vendor to be shown to your auditor. To do so, you need to find the archived vendors. To find the archived vendors, navigate to the Vendors page and select Archived within the All Statuses filter, and select Archived. You may have to scroll down to select the Archived option.
You may restore a vendor if you enter into a new agreement with them or want this vendor to be shown to your auditor. To do so, navigate to the Vendors page, select Archived within the All Statuses filter. You may need to scroll down to select the Archived option.
Select the desired archived vendor, then select the ellipse and then Restore Vendor.
Delete Vendor
⚠️ NOTE: This cannot be undone.
You may delete a vendor if you make a mistake or wish to erase a vendor and its associated data. To do so, select the vendor profile, select the ellipse and select Delete Vendor. You will see a modal where you can confirm or cancel this action.
Additional information