
Managing Vendor Procurement

Written by Lizzie
Updated yesterday

Feature availability: While the Vendors page is included on all plans, some Third Party Risk Management features are only available as an add-on. Refer to Vanta Plans and Pricing for details.

Vendor procurement is a part of Third Party Risk Management in Vanta. It brings together vendors discovered by Vanta, requested by your team using an intake form, or created via procurement integrations so you can conduct comprehensive security reviews before approving vendors for use.


Adding vendors to procurement

On the Vendors page, use the Procurement status to track vendors requiring a security review for procurement. You can add vendors to procurement in the following ways:


Vendor discovery

On the Vendors page, click the Discovery tab. Vanta surfaces discovered vendors based on activity observed through your connected identity providers (IdP) so you can decide whether they should be added to procurement.

Discovered vendors

If you have connected any IdPs on the Integrations page, we can let you know when employees try to authenticate using an SSO login option. Filter discovered vendors by the Needs review status (also called state) and select one of the following actions:

| Action | Description |
| --- | --- |
| Move to managed vendor | Add the vendor to your vendor list in the Active status. |
| Move to procurement | Add the vendor to your vendor list in the Procurement status. |
| Ignore | Keep the vendor in the discovery tab in the Ignored status—you can undo this at any time. |
| Reject | Keep the vendor in the discovery tab in the Rejected status—you can undo this at any time. |
| Export list of accounts | Export a list of the users who tried to log in using an IdP connected to Vanta. |

Reappearing vendors

When a vendor reappears in the Discovery tab, review it again and decide whether to add it to your vendor list or ignore it—this helps ensure that vendors actively used by your organization don’t go unnoticed over time.

Vendors may reappear as Needs review when:

  • Employees continue to authenticate to the vendor using a connected IdP

  • New authentication activity is detected after a period of inactivity

  • Additional users begin accessing the same vendor

It’s not possible to delete a vendor from the Discovery tab. As a workaround, you could add the vendor to the Active


Vendor intake form

On the Settings page, you can set up an intake form to collect vendor procurement requests directly in Vanta. Only one intake form is supported per Vanta workspace.

Editing the intake form

You can customize the vendor intake form from Vendor settings, where you define the questions used to collect basic vendor information. The form supports standard vendor fields and any custom vendor fields configured for your organization.

To edit the vendor intake form:

  1. Under the Vendors section of your account navigation, go to the Settings page.

  2. Go to the Intake form tab and click Edit form.

  3. Customize the form instructions, or leave them blank.

  4. Customize the text for the default questions.

  5. Click the + add icon to add new questions.

    • Map to vendor field: Use the drop-down menu at the top of the question to choose the standard vendor field to map to. Options: Category, auth method, vendor headquarters, contact name, contact email, security owner email, or business owner email.

    • Custom question: Use the drop-down menu at the top of the question to choose the field type. Options: Short text, long text, number, date, single-select, or multi-select.

  6. At the top of the page, click the Save changes button. Once saved, you can also click the Preview form button to see how it looks.

  7. Once you’re done, return to the Intake form tab and turn on Enable intake form.

Sharing the intake form

  • At the top of the Vendors page next to the Edit intake form button, click the down arrow ▼ and select Copy link.

  • Any logged-in user can access the Vendor intake form in their account navigation.

Reviewing form submissions

  • When someone submits the form, a vendor record is created in your vendor list in the Procurement status.

  • Based on how the submitter answers the intake form questions, Vanta automatically assigns an inherent risk score to the vendor using your inherent risk rubric.

  • If the security owner email field was mapped, the security owner gets a notification about the new request.

  • If the business owner email field was mapped, the business owner gets notifications on the status of the request.


Procurement integrations

You can connect an integration in Vanta to automatically add vendors in procurement to your vendor list: