Skip to main content
All CollectionsVendor Management
Vendor Directory & Profiles
Vendor Directory & Profiles

The Vendor Directory allows you to track all vendors you work with and their security posture.

Ashley Hyman avatar
Written by Ashley Hyman
Updated this week

The Vendor Directory allows you to track all vendors you work with and their security posture.

Vendor Management is a security subsection that may be examined during your SOC 2 audit. Specifically, Drata addresses the control for maintaining a vendor directory including agreements specifying terms, conditions and responsibilities as well as compliance reports.

Vendor page overview

On the left navigation within Drata, select 'Vendors'.

On the Vendor Directory page, the list of your vendors with their names, business units, risk level, status, password policy, type, person responsible for security/compliance within your company, and reminder indicator is displayed. Reminders can be enabled to review vendor information on a periodic basis.

You have two ways to add a vendor to your Vendor Directory. You can add a single or multiple vendors at a time.

Add a Single Vendor

To add a single vendor, select 'Add vendor' and then 'Add single vendor' in the upper right corner. A drawer will open from the right side of your screen, and you will be prompted to add details about the vendor as well as upload their security policy or SOC 2 report.

These are the risk levels when choosing the risk for vendors.

  • High: The failure of the vendor poses a high risk to your business because the vendor stores or has access to sensitive data and/or your business is highly dependent on the vendor’s service(s) operationally.

    Moderate: The failure of the vendor poses a moderate risk to your business because the vendor has limited/restricted access to sensitive data and/or the loss of its service(s) would be disruptive to your business.

    Low: The failure of the vendor poses a low risk to your business because the vendor does not have access to sensitive data and its loss of service(s) would not be disruptive to your business.

Upload or update through bulk upload

To upload or update vendors in bulk, select Add vendor and then Add / Update in bulk.

On the modal, download the template to import your vendors. On the template, enter the details of your vendors into the CSV.

The following table shows the fields and values that must be entered. The field name indicates whether the field is required or optional. For all the fields except for open text, URL and address fields, enter the exact values and spelling listed. Select one value for each field.

Note: Vendors with the same name or URL will be updated with the updated CSV information.

Field name

Acceptable value

Name (Required)

Open text

Website URL (Optional)

URL

Privacy URL (Optional)

URL

Terms Of Use URL (Optional)

URL

Provided Services (Optional)

Open text

Risk (Optional)

Low, Moderate, High

Impact Level (Optional)

Insignificant, Minor, Moderate, Major, Critical

Type (Optional)

Vendor, Supplier, Contractor, Partner, Other

Status (Optional)

Active, Under Review, Flagged, On Hold, Approved, Rejected, Offboarded, Archived

Annual Contract Value (Optional)

Number

Additional Notes

Open text

Subprocessor (Optional)

Yes, No

Subprocessor Data Location (Optional)

Open text

Integrations

Vendor name within your Vendor directory.

Business Unit (Optional)

Engineering, Product, Marketing, Customer Success, Sales, Legal, Finance, Administrative, Human Resources, Security

Stores PII (Optional)

Yes, No

Stored Data (Optional)

Open text

Vendor Relationship Contact (Optional)

Email

  • Ensure that the entered email is the same email that is saved in Drata. You can go to the Personnel page to view the emails that are saved for each personnel.

Security Owner (Optional)

Email

  • Ensure that the entered email is the same email that is saved in Drata. You can go to the Personnel page to view the emails that are saved for each personnel.

Contact at Vendor (Optional)

Open text

Contact’s Email (Optional)

Valid email address

Password Policy (Optional)

Username & Password, SSO, LDAP

Password Requires Minimum Length (Optional)

Yes, No

Password Minimum Length (Optional)

6, 7, 8, 9, 10, 11, 12+

Password Requires Number (Optional)

Yes, No

Password Requires Symbol (Optional)

Yes, No

Password MFA Enabled (Optional)

Yes, No

Note: Bulk Upload will not include Impact Assessment fields (Data Accessed, Operational Impact, Access To Environments), but will include Impact Level.

Upload your vendors with custom fields

Note: Ensure you have the custom fields feature. To learn more about custom fields, go to the Custom fields overview help article.

Custom fields added to Vendors are included in the bulk upload. The following table showcases the acceptable value for each custom field type.

Custom field type

Acceptable value

Currency

Number with or without decimal

Number

Number

Dropdown

Valid options for the dropdown

Short Answer

Open text. Up to a maximum of 191 characters.

If the value of a required custom field does not match the acceptable value, vendors will not be added. If the value of an optional custom field does not match the acceptable value, those fields will be ignored.

Once you’ve entered your details, save your file as a CSV, upload your file, and select Next.

A warning message is displayed if a required field is not included or does not match the requirements above. Resolve the error and re-upload. The field will be empty after uploading if the values for an optional field do not follow the acceptable value requirement. For example, if Risk is entered as “Medium” instead of “Moderate”, the Risk value will be empty since “Medium” is not a recognized value in our system.

After you continue, you will see a step that confirms the summary of changes in your file.

Update your vendors

To update vendors, add the vendor name and URL as they exist in the directory into your CSV. Enter any information into the fields that you would like to change. If a field is left blank, it will not be updated to an empty state; only fields with differing input values will be updated.

Once you click “Continue,” you will see a step that confirms a summary of changes, including the number of fields that will be updated.

Excluded vendors

The summary of changes modal showcases any vendors that are excluded and the reason for the exclusion.

Once you finalize, a confirmation notifies you when the vendors are ready.

After updating or uploading, on the Vendor Directory page, you will see your recently uploaded and updated vendors at the top of the Directory with a blue line indication.

After refreshing the page, the vendors will be sorted into the default alphabetical order and the blue line will not be displayed.

Responsibilities in the Vendor Drawer

There are three fields in the Vendor drawer where you can add the contact of a personnel or vendor. Here is how we define the responsibilities:

Responsibilities

Description

Security owner

This is the person at your company responsible for reviewing this vendor’s security posture. They must hold the admin, information security lead, or workspace manager role within Drata.

Vendor relationship contact

This is an internal contact at your company who most likely requested the vendor and/or manages the relationship. Reach out to this person if you have questions about this vendor. They must be a current employee or contractor in Drata.

Contact at vendor

This is the main point of contact at the vendor’s organization. This person is external to your company.

Setting Vendor Reminder

You may set a reminder to review vendor information in the future. To set a reminder for vendor review, open the vendor drawer, enable the reminder toggle, pick a date (by default 1 year from today is pre-filled) and click on Set reminder Date.

Vendor reminder can have 4 different states

  • Reminder on: reminder is enabled for the vendor and is more than 1 week away

  • Due soon: reminder is enabled and is less than 1 week away

  • Due: reminder is past due

  • Reminder off: Vendor does not have any reminders enabled

Compliance Report Management

If you have vendors that are in scope for SOC 2 and have a high impact on your business, it is advised that you obtain a SOC 2 report and must also review it. To complete this process open the vendor you are reviewing, navigate to the Reports and Documents tab, then upload the Vendor’s SOC2 report.

Afterwards, navigate to the Security Reviews tab, and turn on the Compliance report review section.

And click on ‘Start review’.

If you ‘Start Review’ in Drata, using the SOC 2 report as reference and following the guidance here, fill out each section of the review and, once completed, click ‘Finish Review.’

Note: If you need to complete the SOC 2 report review outside of Drata, you can obtain a template from within the Compliance Report Management section and opt for the ‘Upload a review report’ option once it has been filled out.

Finally, it is recommended that you update the vendor’s reminder to one year in the future, or the next time you expect to update the vendor’s information or SOC 2 report. Instructions for using the reminder feature can be found here.

Archive Vendor

You may archive a vendor if you no longer work with them but want to retain a record of their compliance and risk data for your company. To do so, click into any vendor profile, click the “Actions” drop-down in the upper right corner, and select "Archive Vendor”.

Restore Vendor

You may restore a vendor if you enter in a new agreement with them, or want this vendor to be shown to your auditor. To do so, click into a Vendor directory, and select "Archived" in the first filter dropdown. Click into any archived vendor row, click the “Actions” drop-down in the upper right corner, and select "Restore Vendor”.

Delete Vendor

NOTE: This cannot be undone. You may delete a vendor if you make a mistake or wish to erase a vendor and its associated data. To do so, click into any vendor row. Click the small three-dot icon in the upper right corner and select "Delete Vendor". You will see a modal where you can confirm or cancel this action.

Did this answer your question?