Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.
Vendor security reviews are a part of Third Party Risk Management in Vanta, allowing you to conduct comprehensive security reviews of your vendors to proactively mitigate any risks associated with them.
You begin by requesting evidence from a vendor, including sending a security questionnaire and asking for specific documents or resources (like SOC 2 reports, policies, or architecture diagrams) related to their security practices. Vendors respond through the Vanta Exchange portal, which provides a single, streamlined place to complete questionnaires and upload evidence.
As responses come in, Vanta AI helps you review answers, surface insights from the provided evidence, and identify potential findings so you can make an informed recommendation and document the outcome of the review.
Starting a security review
Security reviews can be started manually or triggered automatically as part of a recurring review, depending on your security review rules. For recurring reviews, Vanta can automatically request evidence based on the rules you’ve configured.
Within an individual security review, you can manage security review settings to control how the vendor is engaged during the review, such as whether Vanta AI answers are shown to the vendor, whether the vendor’s point of contact is automatically asked for evidence, and whether reminder emails are sent.
Requesting evidence
Once a security review is in progress, you can customize exactly what evidence you want to collect from the vendor. In Vanta, requesting evidence means sending a security questionnaire along with any supporting documents or resources (such as SOC 2 reports, policies, or architecture diagrams) needed to evaluate the vendor’s security posture. The questionnaire gathers structured information about the vendor’s controls, while supporting resources provide additional context to validate their responses.
Before requesting evidence, make sure you have a questionnaire ready to add to the security review. You can edit the evidence list to add the questionnaire and request any additional resources you need. This defines what the vendor is expected to provide and ensures you collect the right information for the review.
Adding a questionnaire
Open the security review and navigate to the Evidence section:
To add a questionnaire: Click Edit list and select a questionnaire—the options available pull from your questionnaire list.
To change the questionnaire being used: Click the ••• more menu next to the questionnaire in the evidence list and use the dropdown menu to select another one. The chosen questionnaire will now replace the old one in the vendor security review. Vendors will only see and respond to the updated questionnaire.
Adding resource types
Open the security review and navigate to the Evidence section:
Click Edit list to add resources you want the vendor to provide. We provide a pre-selected list of resource types for you to choose from, such as: Contract, SOC 2 report, ISO 27001 report, Data Processing Agreement, and more.
You can create a new resource type to add to the list—just type in the name of the resource you want to add and, if you don’t see it in the list, click + Create new resource. To manage the list of custom resource types available, go to your security review rules.
If you receive a resource you’d like to add under Evidence, click Add to upload the file or paste the link to the resource.
Adding trust center resources
When you start a security review for a vendor that has a Vanta Trust Center (or a trust center hosted on another platform Vanta can detect), you may see an Add from Trust Center option.
From here, you can choose which available public documents to import directly into the security review (so you don’t need to manually download and re-upload files).
Imported documents are saved to your review as a point-in-time copy. If the vendor later updates a document on their trust center, you can import the new version again to update what’s attached to your review.
If a vendor’s documents are private, you’ll need to visit their trust center to request access.
Collaborating in Vanta Exchange
When you’re ready to contact your vendor, you’ll share access to the Vanta Exchange portal, the workspace where vendors upload requested evidence and complete your security questionnaire. This unified experience keeps all communication, documents, and responses in one place, helping streamline evidence collection and support faster, more confident review decisions.
Previewing Vanta Exchange
You can view the Vanta Exchange portal at any time—even if you haven’t shared it with the vendor yet.
To view the portal:
In the security review, click the down arrow ▼ next to the Request evidence button.
Select View Vanta Exchange to open the portal.
Select Copy link to share the link—only Admins, View-only admins, and Editors in your Vanta workspace or email domains added to your access list will be able to log in to view the portal.
Sharing access with vendors
Anyone with an email address at an allowed domain can access the portal. When you invite collaborators, access is granted to all users on that domain. Treat the exchange link as sensitive: anyone with access can upload files to the security review and answer the questionnaire, so only share it with the intended vendor.
For security reviews created before September 11, 2025, the exchange is accessible to any email address that completes the login process. For reviews created after that date, access must be explicitly granted to a specific email domain.
To share access with a vendor:
In the security review, click the Request evidence button.
Enter an email address to send an invitation to.
Enter a message to include in our standard email invitation, if desired.
Once you click Send, the recipient receives an email with a link to a login page. They’ll enter their email address, and if it matches an allowed domain, Vanta sends a secure magic link that opens the portal.
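The domain-based access rule described above, modelled in Python as an added illustration (this is not Vanta's code): a review created on or after the cutoff date only issues a magic link to addresses whose domain was explicitly granted, matched exactly and case-insensitively, while a legacy review accepts any address. The list of shared mail providers and the warning text are assumptions introduced here to show the risk of granting a public mailbox domain.

```python
"""Model of the Vanta Exchange domain-based access rule.

Added illustrative example, not Vanta's implementation. Assumes a review
records the email domains explicitly granted access (reviews created on or
after 2025-09-11), while legacy reviews accept any email that completes login.
"""
from dataclasses import dataclass, field
from datetime import date

DOMAIN_ACCESS_CUTOFF = date(2025, 9, 11)  # date stated in the documentation

# Constructed list of widely shared mailbox providers (assumption): granting
# one of these lets every account at that provider into the review.
SHARED_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


@dataclass
class SecurityReview:
    created: date
    granted_domains: set[str] = field(default_factory=set)


def normalize_domain(value: str) -> str:
    """Lower-case and strip whitespace and a trailing dot so comparisons are exact."""
    return value.strip().lower().rstrip(".")


def grant_domain(review: SecurityReview, domain: str) -> list[str]:
    """Grant a domain and return warnings the reviewer should see before confirming."""
    normalized = normalize_domain(domain)
    warnings = []
    if normalized in SHARED_MAIL_DOMAINS:
        warnings.append(f"{normalized} is a shared mail provider: every account there gets access")
    review.granted_domains.add(normalized)
    return warnings


def may_receive_magic_link(review: SecurityReview, email: str) -> bool:
    """Decide whether a login attempt with this email should be sent a magic link."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False  # not a usable address
    if review.created < DOMAIN_ACCESS_CUTOFF:
        return True  # legacy behaviour: any address that completes login
    # Exact match only: a subdomain or lookalike is not the granted domain.
    return normalize_domain(domain) in review.granted_domains
```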
Using Vanta Exchange
Vendors use Vanta Exchange to upload the specific evidence or document you’ve requested for that security review and complete the questionnaire you’ve chosen to share with them. Vendors can upload evidence and submit or update questionnaire responses over time, allowing you to review progress as information becomes available.
Vendors can upload requested documents and complete the questionnaire in a single portal. If a requested document isn’t available, they can mark it as I don’t have this and update that status later if needed.
Once a document is uploaded, the vendor can’t remove it themselves. However, they can click the Add additional button to upload the correct document, and you can then remove the previously uploaded document from the evidence list.
If Vendor AI Answers is enabled in the security review settings, Vanta AI can pre-fill suggested questionnaire responses based on available evidence. Vendors can review, edit, or replace these suggestions before submitting.
Vendors can invite teammates from the portal. This shares the portal link, but teammates must still meet the access rules.
After a security review is completed, vendors can still access the portal in read-only mode using a valid magic link.
Logins, uploads, and key actions are recorded in the security review Activity tab for auditing and record-keeping.
Reviewing answers and findings
As evidence and questionnaire responses come in, you review the vendor’s answers to understand their security practices and identify any potential gaps or risks. This includes evaluating vendor responses, using Vanta AI suggestions where available to speed up review, and confirming answers for audit consistency. As part of this process, you can flag notable issues as findings to track follow-up or remediation before making a final recommendation.
Reviewing answers
Vendor responses become visible in Vanta as the vendor submits answers. Filter questions by Needs review to review answers as information comes in.
If Vanta AI is enabled in your account, it will attempt to answer the questions in your security questionnaire by reviewing the evidence the vendor has provided.
For each question, you can view the vendor’s response alongside a Vanta suggested answer, helping you evaluate the response in context.
You select a primary answer to represent the confirmed response for the question. This establishes a single, authoritative answer for review and audit purposes.
Marking a question as reviewed locks in the selected primary answer, ensuring audit consistency even if the vendor later updates their response or Vanta AI regenerates suggestions. All responses remain timestamped so changes are easy to identify.
If a response is unclear or raises concerns, you can flag it as a finding so it can be tracked and addressed separately.
Reviewed questions can be unlocked later by marking them as unreviewed, allowing you to reassess the latest vendor and AI responses and select a new primary answer if needed.
Flagging findings
Once you have your evidence for the security review from the vendor, you can start adding findings. Findings are used to track notable gaps, risks, or concerns identified during a vendor security review, typically while reviewing questionnaire answers and supporting evidence.
A finding can be created from a specific questionnaire question when a response is unclear, incomplete, or indicates a potential risk.
When a finding is created from a question, relevant context is pre-filled and can be edited before saving. Each finding includes a recommended treatment plan, chosen from the options below, along with any supporting details or planned next steps:
Accept risk: decide to live with the risk and take no further actions
Mitigate risk: identify a resolution plan to mitigate the finding
Not applicable: save this as a notable finding, but do nothing
Once saved, the finding is tracked in the Findings tab of the security review. A single question or answer can be associated with only one finding to avoid duplication.
If Vanta AI highlights a response as notable, it appears under Flagged by Vanta, and you can choose to turn it into a finding or ignore it.
Findings can also be added manually when an issue isn’t tied to a specific questionnaire question, allowing you to document risks identified through other evidence or context.
Activity log
The Activity tab of the security review keeps a log of the actions taken on that review:
Accessed Vanta Exchange
Completed review
Draft security review created
Granted access to domains
Marked a decision
Reminder sent
Removed domains from access
Resource marked unavailable
Resource requested
Resource uploaded
Started security review
Submitted questionnaire through Vanta Exchange
Updated automated evidence request reminder setting
Updated automated evidence request setting
Updated setting for sharing questionnaires with vendors
Making a recommendation
When you’re ready to finalize your security review, open the security review and click the Make recommendation button.
You’ll choose one of the following recommendation options and provide a residual risk score:

| Recommendation | Description |
| --- | --- |
| Approved | The vendor has successfully met all security, compliance, and business requirements. No additional action is needed, and the vendor is authorized for use within the organization. |
| Conditionally approved | The vendor can be used, but certain risks or gaps were identified that require remediation or ongoing monitoring. Approval is granted with conditions, such as implementing specific controls, providing additional evidence, or completing remediation within a set timeframe. |
| Not approved | The vendor did not meet the organization’s security, compliance, or business standards, and the risks are deemed too high to move forward. The vendor shouldn’t be used unless significant changes are made and a new security review is completed. |
Once you submit a recommendation, the security review is finalized and becomes read-only for audit and record-keeping purposes. AI answers and summaries stop regenerating, and no further edits can be made to the review.