Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.
Vendor security assessments are a core assessment type in Vanta’s Third Party Risk Management product, enabling you to evaluate and manage the security posture of your vendors and proactively mitigate risk.
With security assessments, you can assess vendor risk, collaborate with vendors to collect and review evidence, and document final decisions with recommendations and residual risk—all in one place.
In addition to security assessments, Vanta supports other assessment types, such as privacy, AI, finance, legal, and custom assessments. Each assessment type can be configured with its own frequency, questionnaire, evidence requirements, and automation settings based on vendor risk.
Getting started
To conduct a security assessment:
Start a security assessment: Create a new assessment for a vendor, either manually or based on your configured assessment workflows.
Request evidence: Send a security questionnaire and request supporting documents (such as SOC 2 reports, policies, or architecture diagrams) to evaluate the vendor’s security practices.
Collaborate in Vanta Exchange: Work with vendors in a centralized portal where they can complete questionnaires and upload evidence.
Review answers and findings: As responses come in, use Vanta AI to help analyze answers, review evidence, and identify potential risks or gaps to inform your assessment.
Make an assessment recommendation: Finalize the assessment with a recommendation and residual risk to document your decision and maintain an audit-ready record.
Starting a security assessment
Security assessments can be started manually or triggered automatically as part of a recurring assessment, depending on your assessment rules for security assessments. For recurring assessments, Vanta can automatically request evidence based on the rules you’ve configured.
For individual vendors and assessments, you can manage assessment settings to control how the vendor is engaged during the assessment, such as whether Vanta AI answers are shown to the vendor, whether the vendor’s point of contact is automatically asked for evidence, and whether reminder emails are sent.
Requesting evidence
Once a security assessment is in progress, you can customize exactly what evidence you want to collect from the vendor. In Vanta, requesting evidence means sending a security questionnaire along with any supporting documents or resources (such as SOC 2 reports, policies, or architecture diagrams) needed to evaluate the vendor’s security posture. The questionnaire gathers structured information about the vendor’s controls, while supporting resources provide additional context to validate their responses.
Before requesting evidence, make sure you have a questionnaire ready to add to the security assessment. You can edit the evidence list to add the questionnaire and request any additional resources you need. This defines what the vendor is expected to provide and ensures you collect the right information for the assessment.
Adding a questionnaire
Open the security assessment and navigate to the Evidence section:
To add a questionnaire: Click Edit list and select a questionnaire—the options available pull from your questionnaire list.
To change the questionnaire being used: Click the ••• more menu next to the questionnaire in the evidence list and use the dropdown menu to select another one. The chosen questionnaire will now replace the old one in the vendor security assessment. Vendors will only see and respond to the updated questionnaire.
Adding resource types
Open the security assessment and navigate to the Evidence section:
Click Edit list to add resources you want the vendor to provide. We provide a pre-selected list of resource types for you to choose from, such as: Contract, SOC 2 report, ISO 27001 report, Data Processing Agreement, and more.
You can create a new resource type to add to the list—just type in the name of the resource you want to add and, if you don’t see it in the list, click + Create new resource. To manage the list of custom resource types available, go to your assessment rules.
If you receive a resource you’d like to add under Evidence, click Add to upload the file or paste the link to the resource.
Adding trust center resources
When you start a security assessment for a vendor that has a Vanta Trust Center (or a trust center hosted on another platform Vanta can detect), you may see an Add from Trust Center option.
From here, you can choose which available public documents to import directly into the security assessment (so you don’t need to manually download and re-upload files).
Imported documents are saved to your assessment as a point-in-time copy. If the vendor later updates a document on their trust center, you can import the new version again to update what’s attached to your assessment.
If a vendor’s documents are private, you’ll need to visit their trust center to request access.
Collaborating in Vanta Exchange
When you’re ready to contact your vendor, you’ll share access to the Vanta Exchange portal, the workspace where vendors upload requested evidence and complete your security questionnaire. If you started multiple assessments with the same vendor, they all appear in that vendor’s single Exchange portal. This unified experience keeps all communication, documents, and responses in one place, helping streamline evidence collection and support faster, more confident assessment decisions.
Previewing Vanta Exchange
You can view the Vanta Exchange portal at any time—even if you haven’t shared it with the vendor yet.
To view the portal:
In the security assessment, click the down arrow ▼ next to the Request evidence button.
Select View Vanta Exchange to open the portal.
Select Copy link to share the link—only Admins, View-only admins, and Editors in your Vanta workspace or email domains added to your access list will be able to log in to view the portal.
Sharing access with vendors
Anyone with an email address at an invited domain can access the portal. When you invite collaborators, access is granted to all users on that domain, not just the address you entered. Treat the exchange link as sensitive—anyone with access can upload files to the security assessment and answer the questionnaire, so only share it with the intended vendor.
For security assessments created before September 11, 2025, the exchange is accessible to any email address that completes the login process. For assessments created after that date, access must be explicitly granted to a specific email domain.
To share access with a vendor:
In the security assessment, click the Request evidence button.
Enter an email address to send an invitation to.
Enter a message to include in our standard email invitation, if desired.
Once you click Send, the recipient receives an email with a link to a login page. They’ll enter their email address, and if it matches an allowed domain, Vanta sends a secure magic link that opens the portal.
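The two access rules described above (domain-scoped access for assessments created on or after September 11, 2025, and any authenticated email for earlier ones) are easy to get subtly wrong when building or auditing a similar allow-list. The following is an added example, not Vanta's code: it shows the checks a defender would expect behind the "if it matches an allowed domain" step, including the edge cases that matter (case, trailing dots, malformed addresses, and look-alike or sub-domains, which this example treats as not admitted unless granted explicitly; that last rule is an assumption, not something the page states).

```python
"""Domain allow-list check for a vendor evidence portal.

Added example for illustration; not Vanta's implementation. The cutoff date
comes from the page; the exact-match rule for subdomains is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assessments created before this date admit any email that completes login.
DOMAIN_ENFORCEMENT_CUTOFF = date(2025, 9, 11)


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str  # suitable for writing to an activity log


def normalize_domain(value: str) -> str:
    """Trim, lower-case and drop a trailing dot so comparisons are exact-match."""
    return value.strip().lower().rstrip(".")


def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain of an email address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return normalize_domain(domain)


def decide_access(email: str, allowed_domains: set[str],
                  assessment_created: date) -> AccessDecision:
    """Decide whether a login attempt may open the portal for one assessment."""
    domain = email_domain(email)
    if domain is None:
        return AccessDecision(False, "malformed email address")

    # Legacy rule from the page: pre-cutoff assessments accept any completed login.
    if assessment_created < DOMAIN_ENFORCEMENT_CUTOFF:
        return AccessDecision(True, "legacy assessment: any authenticated email admitted")

    allowed = {normalize_domain(d) for d in allowed_domains}
    if not allowed:
        return AccessDecision(False, "no domains granted; invite a vendor domain first")

    # Exact match only (assumption): "mail.vendor.example" and the look-alike
    # "vendor.example.other.test" are rejected unless granted on their own.
    if domain in allowed:
        return AccessDecision(True, f"domain {domain} is on the access list")
    return AccessDecision(False, f"domain {domain} is not on the access list")


if __name__ == "__main__":
    # Constructed sample inputs.
    granted = {"Vendor.Example"}
    new_assessment = date(2025, 10, 1)
    for addr in ("Alice@Vendor.Example", "bob@vendor.example.other.test",
                 "carol@mail.vendor.example", "dave@@vendor.example"):
        d = decide_access(addr, granted, new_assessment)
        print(f"{addr:35} allowed={d.allowed!s:5} {d.reason}")
```

Note the ordering: the legacy branch is evaluated before the allow-list, so an empty access list on a post-cutoff assessment denies everyone, which is the safe default until a domain is explicitly invited.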
Using Vanta Exchange
Vendors use Vanta Exchange to upload the specific evidence or document you’ve requested for that security assessment and complete the questionnaire you’ve chosen to share with them. Vendors can upload evidence and submit or update questionnaire responses over time, allowing you to review progress as information becomes available.
Vendors can upload requested documents and complete the questionnaire in a single portal. If a requested document isn’t available, they can mark it as I don’t have this and update that status later if needed.
Once a document is uploaded, the vendor can’t remove it themselves. However, they can click the Add additional button to upload the correct document, and you can then remove the previously uploaded document from the evidence list.
If Vendor AI Answers is enabled in the assessment settings, Vanta AI can pre-fill suggested questionnaire responses based on available evidence. Vendors can review, edit, or replace these suggestions before submitting.
Vendors can invite teammates from the portal. This shares the portal link, but teammates must still meet the access rules.
After a security assessment is completed, vendors can still access the portal in read-only mode using a valid magic link.
Logins, uploads, and key actions are recorded in the security assessment Activity tab for auditing and record-keeping.
Reviewing answers and findings
As evidence and questionnaire responses come in, you review the vendor’s answers to understand their security practices and identify any potential gaps or risks. This includes evaluating vendor responses, using Vanta AI suggestions where available to speed up assessment, and confirming answers for audit consistency. As part of this process, you can flag notable issues as findings to track follow-up or remediation before making a final recommendation.
Reviewing answers
Vendor responses become visible in Vanta as the vendor submits answers. Filter questions by Needs review to review answers as information comes in.
Vanta AI will attempt to answer questions from your security questionnaires by reviewing the evidence provided to you by the vendor (if Vanta AI is enabled in your account).
For each question, you can view the vendor’s response alongside a Vanta suggested answer, helping you evaluate the response in context.
You select a primary answer to represent the confirmed response for the question. This establishes a single, authoritative answer for review and audit purposes.
Marking a question as reviewed locks in the selected primary answer, ensuring audit consistency even if the vendor later updates their response or Vanta AI regenerates suggestions. All responses remain timestamped so changes are easy to identify.
If a response is unclear or raises concerns, you can flag it as a finding so it can be tracked and addressed separately.
Reviewed questions can be unlocked later by marking them as unreviewed, allowing you to reassess the latest vendor and AI responses and select a new primary answer if needed.
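The review semantics above (a selected primary answer, a lock on marking reviewed that survives later vendor edits and AI regeneration, timestamped history, unlock to reselect, and at most one finding per question) form a small state machine. The following is an added illustration, not Vanta's code or data model; the class, field and method names are assumptions chosen to mirror the page's terms.

```python
"""State model for reviewing one questionnaire answer.

Added example, not Vanta's implementation. Names are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Response:
    source: str          # "vendor" or "vanta_ai"
    text: str
    submitted_at: datetime


@dataclass
class ReviewedQuestion:
    prompt: str
    history: list[Response] = field(default_factory=list)   # every response, timestamped
    primary: Optional[Response] = None                      # confirmed answer snapshot
    reviewed: bool = False
    finding: Optional[str] = None

    def record(self, source: str, text: str, at: datetime) -> None:
        """Append a vendor submission or an AI regeneration; never overwrite history."""
        self.history.append(Response(source, text, at))

    def latest(self, source: str) -> Optional[Response]:
        for r in reversed(self.history):
            if r.source == source:
                return r
        return None

    def select_primary(self, source: str) -> None:
        """Choose the latest response from a source as the authoritative answer."""
        if self.reviewed:
            raise ValueError("question is locked; mark it unreviewed first")
        r = self.latest(source)
        if r is None:
            raise ValueError(f"no {source} response recorded yet")
        self.primary = r

    def mark_reviewed(self) -> None:
        if self.primary is None:
            raise ValueError("select a primary answer before marking reviewed")
        self.reviewed = True

    def mark_unreviewed(self) -> None:
        self.reviewed = False

    def needs_review(self) -> bool:
        return not self.reviewed

    def has_update_since_primary(self) -> bool:
        """True when any response is newer than the locked primary answer."""
        if self.primary is None:
            return False
        return any(r.submitted_at > self.primary.submitted_at for r in self.history)

    def flag_finding(self, note: str) -> None:
        """A question may be tied to only one finding, to avoid duplication."""
        if self.finding is not None:
            raise ValueError("this question already has a finding")
        self.finding = note


def walkthrough() -> ReviewedQuestion:
    """Constructed scenario: lock an answer, then receive a later vendor edit."""
    q = ReviewedQuestion("Is customer data encrypted at rest?")
    day1 = datetime(2025, 10, 1, 9, 0)
    q.record("vendor", "Yes, AES-256 via cloud KMS", day1)
    q.record("vanta_ai", "Yes; the SOC 2 report describes encryption at rest", day1)
    q.select_primary("vendor")
    q.mark_reviewed()
    # The vendor later revises the answer; the locked primary does not move.
    q.record("vendor", "Yes, except for legacy backups", datetime(2025, 10, 2, 9, 0))
    return q


if __name__ == "__main__":
    q = walkthrough()
    print("primary:", q.primary.text)
    print("newer response exists:", q.has_update_since_primary())
```

The useful property for audit is that `primary` is a snapshot, so a later vendor edit or AI regeneration shows up only in `history` and via `has_update_since_primary()`, which is what lets a reviewer spot the change and decide whether to unlock and reselect.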
Flagging findings
Once you have your evidence for the security assessment from the vendor, you can start adding findings. Findings are used to track notable gaps, risks, or concerns identified during a vendor security assessment, typically while reviewing questionnaire answers and supporting evidence.
A finding can be created from a specific questionnaire question when a response is unclear, incomplete, or indicates a potential risk.
When a finding is created from a question, relevant context is pre-filled and can be edited before saving. Each finding includes a recommended treatment plan along with any supporting details or planned next steps.
Accept risk: decide to live with the risk and take no further actions
Mitigate risk: identify a resolution plan to mitigate the finding
Not applicable: save this as a notable finding, but do nothing
Once saved, the finding is tracked in the Findings tab of the security assessment. A single question or answer can be associated with only one finding to avoid duplication.
If Vanta AI highlights a response as notable, it appears under Flagged by Vanta, and you can choose to turn it into a finding or ignore it.
Findings can also be added manually when an issue isn’t tied to a specific questionnaire question, allowing you to document risks identified through other evidence or context.
Activity log
The Activity tab of the security assessment will keep a log of actions taken related to the security assessment:
Accessed Vanta Exchange
Completed assessment
Granted access to domains
Marked a recommendation
Reminder sent
Removed domains from access
Resource marked unavailable
Resource requested
Resource uploaded
Started assessment
Submitted questionnaire through Vanta Exchange
Updated automated evidence request reminder setting
Updated automated evidence request setting
Updated setting for sharing questionnaires with vendors
Making an assessment recommendation
When you’re ready to finalize your security assessment, open the security assessment and click the Make recommendation button.
You’ll choose from one of the following recommendation options, as well as provide the residual risk score:
Recommendation | Description
--- | ---
Approved | The vendor has successfully met all security, compliance, and business requirements. No additional action is needed.
Conditionally approved | The vendor can be used from a security standpoint, but certain risks or gaps were identified that require remediation or ongoing monitoring. Approval is granted with conditions, such as implementing specific controls, providing additional evidence, or completing remediation within a set timeframe.
Not approved | The vendor did not meet the organization’s security, compliance, or business standards, and the risks are deemed too high to move forward. The vendor shouldn’t be used unless significant changes are made and a new security assessment is completed.
Once you submit a recommendation, the security assessment is finalized and becomes read-only for audit and record-keeping purposes. AI answers and summaries stop regenerating, and no further edits can be made to the assessment.
Making a vendor decision
Each assessment (such as Security, Privacy, or Legal) has its own recommendation. These recommendations reflect the evaluation for that specific risk area and should contribute to the overall vendor decision.
After completing one or more assessments for a vendor, you can make a final decision at the vendor level.
Learn more: Managing Vendor Assessments