For more information about plan types and capabilities, see Vanta's pricing page
With the Vendor Risk Management feature, you can assess and manage vendors' risks in one centralized location. We recommend configuring your settings before proceeding with the vendor review process.
Overview
From the Vendors page, the Overview tab will give you a visual summary of
Security reviews progress
Vendors managed
Vendor discovery
Discovery
The Vendor discovery page details which vendors are being utilized within your organization and the associated risk level. Vendors are discovered by linking to your organization's identity provider (IDP), which surfaces vendors by monitoring actions like employee logins. For example, vendors accessed using options like 'Sign in with Office' are captured through the IDP and displayed in Discovery.
From the Needs Review tab, you can add vendors to your Managed Vendors list, or ignore or reject them. Vendors might reappear in the Discovery list if they are accessed again by users or if a new app from the same vendor is detected.
Discovered Vendors: Vendors discovered by Vanta that are awaiting action (add, ignore, reject)
Ignored Vendors: Vendors you are not leveraging in your tech stack right now; when ignoring a Vendor, you can provide a reason
Unexpected Vendors: Internal tools or applications integrated with platforms like Google may also appear in Discovery due to integration data.
Uninstalled Applications: Removed applications will no longer appear in subsequent scans unless marked as ignored or rejected.
Rejected Vendors: Vendors you have fully decided not to use in your tech stack
Select the three-dot menu on the right-hand side of the vendor, and select Reject. If previously used applications are uninstalled, they will not reappear in Discovery unless a new related app is detected or they are accessed again by a user.
Bulk Adding or Ignoring Vendors
Select the vendor(s) you would like to review, and choose Add or Ignore
Vendors added will be visible from the Managed vendors tab
Additionally, add or ignore individual Vendors by hovering over the Vendor line and selecting the appropriate option
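An added illustration of the Discovery triage described above (example code written for this article, not Vanta's own implementation, which is not published): it models vendors surfaced from constructed IdP sign-in events, the add/ignore/reject decisions made on the Needs Review tab, and the rule that an ignored or rejected vendor re-enters Needs Review when it is accessed again or a new app from the same vendor appears. All user, vendor and app names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed IdP sign-in audit events, oldest first: (user, vendor, app).
# Sample data for this example only, not real logins.
EVENTS = [
    ("alice@example.com", "Slack", "Slack"),
    ("bob@example.com", "Atlassian", "Jira"),
    ("carol@example.com", "Figma", "Figma"),
    ("dave@example.com", "Atlassian", "Confluence"),
]


@dataclass
class VendorInventory:
    """Managed vendors plus the ignore/reject decisions made on Needs Review."""
    managed: set = field(default_factory=set)
    # vendor -> (decision, reason, events seen when the decision was made)
    decisions: dict = field(default_factory=dict)

    def add(self, vendor):
        """Add to Managed vendors; an earlier ignore/reject is superseded."""
        self.managed.add(vendor)
        self.decisions.pop(vendor, None)

    def ignore(self, vendor, reason, seen):
        self.decisions[vendor] = ("ignored", reason, seen)

    def reject(self, vendor, seen):
        self.decisions[vendor] = ("rejected", None, seen)


def needs_review(events, inv):
    """Return {vendor: {apps}} for vendors still awaiting a decision.

    A vendor is hidden while it is managed, or while every sign-in to it
    was already known when it was ignored/rejected. Any later sign-in,
    including one to a new app of that vendor, surfaces it again: this is
    the reappearance behaviour the article describes.
    """
    pending = {}
    for idx, (_user, vendor, app) in enumerate(events):
        if vendor in inv.managed:
            continue
        decision = inv.decisions.get(vendor)
        if decision is not None and idx < decision[2]:
            continue  # this access predates the ignore/reject decision
        pending.setdefault(vendor, set()).add(app)
    return pending
```

Pass `seen=len(events)` when recording a decision so that only sign-ins after that point bring the vendor back into Needs Review.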
Procurement
Vendor procurement and security reviews provide a critical safeguard by ensuring that potential partners are vetted not only for their business value but also for their ability to meet security, compliance, and privacy standards. This proactive approach minimizes supply chain vulnerabilities, builds customer trust, and supports long-term resilience in an evolving threat landscape.
Procurement requests for new vendors can be managed from the Procurement tab.
To add a procurement request, select +Add procurement request
Provide a vendor name, category, and assign an owner
Complete the Additional details section
Select Add Procurement request.
Complete the required information, and select Add request
Leverage the auto-risk scoring functionality or manually input Risk attributes.
Managed Vendors
Managed vendors are third-party partners that an organization actively oversees and monitors to ensure ongoing compliance with security, privacy, and contractual obligations. Unlike one-time or low-risk suppliers, managed vendors often have deeper access to systems, sensitive data, or critical business processes, making continuous oversight essential.
Vendor Information
From the Managed Vendors tab, you can view risk scores, security review status, security review progress, and also create custom filters.
To add vendor information, or complete a review, click directly into the vendor.
To manually add a vendor, select Add Vendor
Complete the information, and select Save.
Please note: All vendors within the scope of your audit should be listed on the Managed Vendors page. If a vendor is not automatically populated here via an integration, you will need to add the vendor manually.
Vendor Information
Once you have opened a Vendor from the Managed vendors page, there will be multiple tabs of information.
Overview: Previous security reviews and findings
About: General vendor information, notes, and custom fields
Security reviews: Previous reviews, and current security reviews
Evidence: Evidence collected to determine the security posture of the vendor
Findings: Anything noteworthy or potentially worth flagging as a security risk
Linked apps: Additional linked discovered applications
Subprocessors: Subprocessors used by the vendor
Security Reviews
Vendor security reviews are structured evaluations that organizations perform to assess the security practices of their third-party vendors and service providers. These reviews help ensure that external partners handle sensitive data responsibly, comply with regulatory requirements, and maintain security standards that align with the organization’s own policies. By examining factors such as data protection, access controls, incident response, and compliance certifications, vendor security reviews reduce risk exposure, strengthen trust, and safeguard the business from potential vulnerabilities in its supply chain.
Begin the Security Review
From the Security review tab, click on the vendor you would like to start the security review for.
Edit the evidence list, or add additional evidence requests by selecting Edit list or Add
Select a due date
Review settings
Share AI answers with the vendor based on available evidence
Automatically ask the point of contact for evidence 30 days before the review date
Send reminder emails
Select Start review
Request Evidence
Select Request evidence when you are ready to begin requesting documentation from the vendor.
Add an email address, or copy the link to send directly to your point of contact.
The link will provide the vendor with a dedicated page to upload evidence, and complete security questionnaires. This portal page is called The Vanta Exchange.
Questionnaires
Vanta AI will attempt to answer questions from your security questionnaires by reviewing the evidence provided to you by the vendor.
Vanta will provide a suggested answer and wait for your review.
If you are comfortable with the suggestion, you can select the check box. If this is something notable, or potentially concerning from a security standpoint, you can select the flag to mark it as a finding.
Add Findings Manually
Once you have your evidence for the security review from the vendor, you can start adding findings. Findings help you document any potential security gaps with the vendor or note any other relevant information.
From the findings tab select Add.
Add any notable findings, and detail your recommended treatment plan
Accept risk: decide to live with the risk and take no further actions
Mitigate risk: identify a resolution plan to mitigate the finding
Not applicable: save this as a notable finding, but do nothing
Add Findings through Vanta AI
Vanta can use questionnaires to identify any potential security gaps based on the evidence given to you by the Vendor. These will be marked as Flagged by Vanta, and can be added as a finding.
Activity Tab
The Activity tab will detail who performed each of the following actions:
Accessed Vanta Exchange
Completed review
Draft security review created
Granted access to domains
Marked a decision
Reminder sent
Removed domains from access
Resource marked unavailable
Resource requested
Resource uploaded
Started security review
Submitted questionnaire through Vanta Exchange
Updated automated evidence request reminder setting
Updated automated evidence request setting
Updated setting for sharing questionnaires with vendors
Communicate the Decision
When a vendor security review is completed, the reviewing team (often security, compliance, or procurement) reaches a decision about whether the vendor is approved, conditionally approved, or not approved for use.
Select Make a recommendation
Approved: The vendor has successfully met all security, compliance, and business requirements. No additional action is needed, and the vendor is authorized for use within the organization.
Conditionally approved: The vendor can be used, but certain risks or gaps were identified that require remediation or ongoing monitoring. Approval is granted with conditions, such as implementing specific controls, providing additional evidence, or completing remediation within a set timeframe.
Not approved: The vendor did not meet the organization’s security, compliance, or business standards, and the risks are deemed too high to move forward. The vendor cannot be used unless significant changes are made and a new review is conducted.
Select the next security review date
Mark the Review as complete