You can now add prospective vendors, conduct security reviews, and document security decisions for your team. For the vendors you continue working with, you can activate them and track ongoing reviews. Adding prospective vendors allows you to efficiently assess their compliance with your organization's standards while saving time through Drata's streamlined automated impact assessments and documentation processes.
Add a prospective vendor
Go to the Vendors page and select the Prospective tab to view your list of prospective vendors and their security review statuses (if you have any). Then select Add vendor.
Complete the Vendor details, Contact information, and Request details sections. Some fields are optional.
Vendor details section
Vendor name: Enter the name of the vendor.
Vendor website URL (optional): Enter the website of the vendor.
Business Unit: Enter the internal department or team in your organization that will primarily interact with or benefit from the vendor's services.
Provided services (optional): Enter a brief description of the services the vendor will provide to your organization.
Contact information section
Contact at vendor (optional): Enter the name of the primary contact at the vendor, typically the person responsible for the relationship or discussions.
Contact's email address (optional): Provide the email address of the vendor’s contact.
Request details section
Requester: The internal team member who requested the new service.
Internal security owner (optional): This is the person at your company responsible for reviewing this vendor’s security posture.
Note: They must hold the admin, information security lead, or workspace manager role within Drata.
Request date: Record the date when the vendor request was submitted.
Review deadline: Indicate the date by which a decision regarding the vendor must be finalized.
Impact level (non-TPRM plan): If you do not have a TPRM plan, enter the impact level manually.
Recommended impact level (TPRM plan only): In the next step, select the applicable options. An automated impact assessment then recommends an impact level based on factors such as:
Data Accessed: The type and sensitivity of data the vendor will access.
Operational Impact: The extent to which the vendor could affect your business operations.
Environment Access: The level of access the vendor will have to your systems or infrastructure.
After entering the vendor information, determine the Review Scope and attach any relevant documentation. This may include:
Files such as SOC 2 reports or certifications.
Questionnaires sent through Drata’s platform.
Manually uploaded responses provided by the vendor.
Complete security review
After adding a prospective vendor, you'll be taken to a security review page to document observations about the vendor's security posture.
View and annotate questionnaires sent and received through Drata. If enabled, view AI summaries of uploaded questionnaires.
After documenting observations, finalize the review with a security decision (Approve, Approve with Exceptions, or Reject) and include a note.
Once the security review is marked complete, you'll be directed to an overview page summarizing the review. You can download this summary to share with colleagues. If necessary, re-open the review for further updates.
Learn more about reviewing your vendors at Start a review for your vendors.
To continue working with the vendor, mark them as active.
Mark prospective vendor as active
Marking a vendor as active starts a three-step activation flow in which you determine the risk level, convert observations into risks (TPRM plan only), and set a recurring review schedule.
After completing the security review, select Mark as active from the banner that indicates the review is complete.
Determine the risk level and, if you are on the TPRM plan, convert observations from the review into risks.
Establish a recurring review schedule; this creates a task in Drata. Vendors nearing the review deadline are tagged Due Soon, and Overdue once the deadline has passed.
After activation, review the risk level, added risks, and the next review deadline.