Vendor Directory & Profiles

The Vendor Directory allows you to track all vendors you work with and their security posture.

Written by Ashley Hyman
Updated over a week ago

Vendor Management is a security subsection that may be examined during your SOC 2 audit. Specifically, Drata addresses the control that requires maintaining a vendor directory, including agreements that specify terms, conditions and responsibilities, as well as compliance reports.

Vendor page overview

On the left navigation of your screen within Drata, select 'Vendors'.

On the Vendor Directory page, your vendors are listed with their name, business unit, risk level, status, password policy, type, the person responsible for security/compliance within your company, and a reminder indicator. A reminder can be enabled to review a vendor's information on a periodic basis.

Use the filter to narrow the table by any of its columns.

There are two ways to add vendors to your Vendor Directory: one at a time, or several at once in bulk.

Add a Single Vendor

To add a single vendor, select 'Add vendor' and then 'Add single vendor' in the upper right corner. A drawer will open from the right side of your screen, and you will be prompted to add details about the vendor as well as upload their security policy or SOC 2 report.

These are the risk levels to choose from when setting a vendor's Risk:

  • High: The failure of the vendor poses a high risk to your business because the vendor stores or has access to sensitive data and/or your business is highly dependent on the vendor’s service(s) operationally.

  • Moderate: The failure of the vendor poses a moderate risk to your business because the vendor has limited/restricted access to sensitive data and/or the loss of its service(s) would be disruptive to your business.

  • Low: The failure of the vendor poses a low risk to your business because the vendor does not have access to sensitive data and the loss of its service(s) would not be disruptive to your business.

Add or update through bulk upload

To upload or update vendors in bulk, select "Add vendor" and then "Add / Update in bulk".

On the modal, select “Download Template”.

Upload your vendors

To upload vendors, enter the details of your vendors into the CSV.

The following table shows the fields and values that must be entered. The field name indicates whether the field is required or optional. For all the fields except for open text, URL and address fields, enter the exact values and spelling listed. Select one value for each field.

Note: A row whose name or URL matches a vendor already in the Directory updates that vendor with the information in the CSV rather than creating a duplicate.

Field name: Acceptable value

  • Name (Required): Open text
  • Website URL (Required): URL
  • Privacy URL (Optional): URL
  • Terms Of Use URL (Optional): URL
  • Provided Services (Optional): Open text
  • Risk (Optional): Low, Moderate, High
  • Impact Level (Optional): Insignificant, Minor, Moderate, Major, Critical
  • Type (Optional): Vendor, Supplier, Contractor, Partner, Other
  • Status (Optional): Active, Under Review, Flagged, On Hold, Approved, Rejected, Offboarded, Archived
  • Annual Contract Value (Optional): Number
  • Subprocessor (Optional): Yes, No
  • Business Unit (Optional): Engineering, Product, Marketing, Customer Success, Sales, Legal, Finance, Administrative, Human Resources, Security
  • Password Policy (Optional): Username & Password, SSO, LDAP
  • Stores PII (Optional): Yes, No
  • Stored Data (Optional): Open text
  • Contact at Vendor (Optional): Open text
  • Contact’s Email (Optional): Valid email address

Once you’ve entered your details, save your file as a CSV, upload your file and select “Next”.

  • A warning message is displayed on upload if a required field is missing or does not match the requirements above. Resolve the error and re-upload.

  • An optional field is imported as empty if its value does not match one of the acceptable values.

    • For example, if Risk is entered as “Medium” instead of “Moderate”, the Risk value will be empty, because “Medium” is not a value in our system.

After you continue, you will see a step that will confirm the summary of changes in your file.
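A pre-upload check for a filled-in template, written as an added example rather than anything Drata ships: it applies the rules above (required fields rejected, optional values that are not an exact acceptable value imported as empty) so mistakes such as Risk "Medium" are caught before the upload. Column headers are assumed to match the field names listed above, and the URL and email patterns are assumptions, since the page does not define them.

```python
import csv
import io
import re
# Acceptable values, copied from the bulk-upload field table on this page.
ENUMS = {
    "Risk": {"Low", "Moderate", "High"},
    "Impact Level": {"Insignificant", "Minor", "Moderate", "Major", "Critical"},
    "Type": {"Vendor", "Supplier", "Contractor", "Partner", "Other"},
    "Status": {"Active", "Under Review", "Flagged", "On Hold", "Approved",
               "Rejected", "Offboarded", "Archived"},
    "Subprocessor": {"Yes", "No"}, "Stores PII": {"Yes", "No"},
    "Business Unit": {"Engineering", "Product", "Marketing", "Customer Success", "Sales",
                      "Legal", "Finance", "Administrative", "Human Resources", "Security"},
    "Password Policy": {"Username & Password", "SSO", "LDAP"},
}
REQUIRED = ("Name", "Website URL")
URL_FIELDS = ("Website URL", "Privacy URL", "Terms Of Use URL")
URL_RE = re.compile(r"^https?://[^\s/]+\S*$")        # assumed URL shape
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed email shape

def cell(row, field):
    return (row.get(field) or "").strip()   # missing column or short row -> ""

def check_row(row):
    """Return (errors, blanked): errors are required-field problems the upload
    rejects; blanked are optional fields Drata would import as empty."""
    errors, blanked = [], []
    for field in REQUIRED:
        if not cell(row, field):
            errors.append(field)
    for field, allowed in ENUMS.items():
        if cell(row, field) not in allowed | {""}:
            blanked.append(field)            # e.g. Risk "Medium" is not "Moderate"
    for field in URL_FIELDS:
        if cell(row, field) and not URL_RE.match(cell(row, field)):
            (errors if field in REQUIRED else blanked).append(field)
    email = cell(row, "Contact's Email")
    if email and not EMAIL_RE.match(email):
        blanked.append("Contact's Email")
    return errors, blanked

def check_csv(text):
    """Check every row of a filled-in template; one (errors, blanked) per row."""
    return [check_row(r) for r in csv.DictReader(io.StringIO(text))]

# Constructed sample rows (not real vendors): row 1 misspells a Risk value,
# row 2 lacks the required Website URL and has an invalid email address.
SAMPLE = """Name,Website URL,Risk,Business Unit,Contact's Email
Acme Cloud,https://acme.example,Medium,Engineering,sec@acme.example
Beta Logistics,,Low,Ops,not-an-email
"""
```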

Update your vendors

To update vendors, enter each vendor's name and URL exactly as they exist in the Directory, then fill in only the fields you want to change. A field left blank is not cleared; only fields whose value differs from what is already stored will be updated.

Once you click “Continue”, you will see a step that confirms a summary of changes, including the number of fields that will be updated.
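A dry run of the update semantics described above, added here as an example and not part of Drata: rows are matched to existing vendors by Name or Website URL, blank cells never clear a field, unchanged values are ignored, and the result is the same kind of summary the confirmation step shows (vendors added, vendors updated, fields updated). The directory snapshot and CSV are constructed sample data.

```python
import csv
import io

# Constructed snapshot of what the directory already holds (not real vendors).
DIRECTORY = [
    {"Name": "Acme Cloud", "Website URL": "https://acme.example",
     "Risk": "Low", "Status": "Active", "Stores PII": "Yes"},
    {"Name": "Beta Logistics", "Website URL": "https://beta.example",
     "Risk": "Moderate", "Status": "Under Review", "Stores PII": ""},
]

def find_existing(directory, row):
    """A CSV row is an update when its Name or Website URL already exists."""
    for vendor in directory:
        if row.get("Name") == vendor["Name"] or row.get("Website URL") == vendor["Website URL"]:
            return vendor
    return None

def plan_changes(directory, csv_text):
    """Dry-run the bulk upload without mutating the directory: blank cells are
    skipped (they never clear a field), equal values are skipped, only differing
    non-blank values count. Returns (added, updated, fields_updated, changes)."""
    added = updated = fields = 0
    details = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        existing = find_existing(directory, row)
        if existing is None:
            added += 1                       # new vendor, nothing to compare
            continue
        changed = {}
        for field, value in row.items():
            value = (value or "").strip()
            if value and existing.get(field, "") != value:
                changed[field] = value
        if changed:
            updated += 1
            fields += len(changed)
            details[existing["Name"]] = changed
    return added, updated, fields, details

# Constructed update CSV: row 1 raises Acme's risk, row 2 changes two fields
# for Beta while leaving Risk as-is, row 3 is a brand-new vendor.
SAMPLE = """Name,Website URL,Risk,Status,Stores PII
Acme Cloud,https://acme.example,High,Active,
Beta Logistics,https://beta.example,Moderate,Approved,No
Gamma Analytics,https://gamma.example,Low,Active,Yes
"""
```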

Excluded vendors

The summary of changes modal lists any vendors that were excluded from the upload and the reason for each exclusion.

Once you finalize, a confirmation notifies you when the vendors are ready.

After uploading or updating, your recently added and updated vendors appear at the top of the Vendor Directory page, marked with a blue line.

After refreshing the page, the vendors will be sorted into the default alphabetical order and the blue line will not be displayed.

Responsibilities in the Vendor Drawer

There are three fields in the Vendor drawer where you can assign a contact, either a person at your company or someone at the vendor. Here is how we define the responsibilities:

Responsibility: Description

  • Security owner: This is the person at your company who is responsible for reviewing this vendor’s security posture. They must hold the admin, information security lead, or workspace manager role within Drata.

  • Vendor relationship contact: This is an internal contact at your company who most likely requested the vendor and/or manages the relationship. Reach out to this person if you have questions about this vendor. They must be a current employee or contractor in Drata.

  • Contact at vendor: This is the main point of contact at the vendor’s organization. This person is external to your company.

Setting Vendor Reminder

You may set a reminder to review vendor information in the future. To set a reminder for a vendor review, open the vendor drawer, enable the reminder toggle, pick a date (1 year from today is pre-filled by default) and click 'Set reminder date'.

A vendor reminder can be in one of 4 states:

  • Reminder on: reminder is enabled for the vendor and is more than 1 week away

  • Due soon: reminder is enabled and is less than 1 week away

  • Due: reminder is past due

  • Reminder off: Vendor does not have any reminders enabled

Compliance Report Management

If you have vendors that are in scope for SOC 2 and have a high impact on your business, you should obtain their SOC 2 report and review it. To do so, open the vendor you are reviewing, navigate to the Reports and Documents tab, and upload the vendor’s SOC 2 report.

Afterwards, navigate to the Security Reviews tab, turn on the Compliance report review section, and click ‘Start review’.

If you start the review in Drata, fill out each section of the review using the SOC 2 report as reference and following the guidance here, then click ‘Finish Review’ once completed.

Note: If you need to complete the SOC 2 report review outside of Drata, you can obtain a template from within the Compliance Report Management section and opt for the ‘Upload a review report’ option once it has been filled out.

Finally, it is recommended that you update the vendor’s reminder to one year in the future, or the next time you expect to update the vendor’s information or SOC 2 report. Instructions for using the reminder feature can be found here.

Archive Vendor

You may archive a vendor if you no longer work with them but want to retain a record of their compliance and risk data for your company. To do so, click into any vendor profile, click the “Actions” drop-down in the upper right corner, and select “Archive Vendor”.

Restore Vendor

You may restore a vendor if you enter into a new agreement with them, or want this vendor to be shown to your auditor. To do so, open the Vendor Directory and select "Archived" in the first filter dropdown. Click into any archived vendor row, click the “Actions” drop-down in the upper right corner, and select “Restore Vendor”.

Delete Vendor

NOTE: This cannot be undone. You may delete a vendor if you make a mistake or wish to erase a vendor and its associated data. To do so, click into any vendor row. Click the small three-dot icon in the upper right corner, and select "Delete Vendor." You will see a modal where you can confirm or cancel this action.
