Skip to main content
All CollectionsVendors
Add a prospective vendor
Add a prospective vendor
Updated over a week ago

You can now add prospective vendors, conduct security reviews, and document security decisions for your team. For the vendors you continue working with, you can activate them and track ongoing reviews. Adding prospective vendors allows you to efficiently assess their compliance with your organization's standards while saving time through Drata's streamlined automated impact assessments and documentation processes.

Add a prospective vendor

  1. Go to the Vendors page, select the Prospective tab to view your list of prospective vendors and their security review statuses (if you have any). Then, select Add vendor.

  2. Enter the vendor's details, including the requestor's name, internal security owner, request date, and review deadline.

    • Requester: The internal team member interested in the new service.

    • Internal security owner (optional): The team member responsible for the relationship.

    • Request date: The date when the vendor request is made.

    • Review deadline: The date by which the decision needs to be completed.

    • Impact Level: (Non-TPRM Plan) Manually enter the impact level if you do not have a TPRM plan.

  3. For those on the TPRM plan, in the next step, you can select the applicable options to determine the impact level.

    • An automated impact assessment evaluates potential impacts based on data accessed, operational impact, and environment access. More information is available on the Vendor Automated Impact Assessment page.

  4. After adding vendor information, determine the review scope and add relevant details, such as files (SOC2), questionnaires through Drata, or manually uploaded responses.

Complete security review

  1. After adding a prospective vendor, you'll be taken to a security review page to document observations about the vendor's security posture.

  2. View and annotate questionnaires sent and received through Drata. If enabled, view AI summaries of uploaded questionnaires.

  3. After documenting observations, finalize the review with a security decision (Approve, Approve with Exceptions, or Reject) and include a note.

  4. Once the security review is marked complete, you'll be directed to an overview page summarizing the review. You can download this summary to share with colleagues. If necessary, re-open the review for further updates.

Learn more about reviewing your vendors at Start a review for your vendors.

To continue working with the vendor, mark them as active.

Mark prospective vendor as active

Mark the vendor as active and follow the three-step activation flow. Determine the risk level and, for those on the TPRM plan, convert observations into risks.

  1. After completing your security review, select Mark as active from the banner that indicates the review is complete.

  2. Determine the risk level and, for those on the TPRM plan, convert observations into risks.

  3. Establish a recurring review schedule, creating a task within Drata. Vendors nearing the review deadline will be tagged Due Soon and Overdue if the deadline passes.

  4. After activation, review the risk level, added risks, and the next review deadline.

Did this answer your question?