Auto-Requesting Evidence from Vendors

Vanta now automatically sends requests for evidence 30 days before a security review is due, and follows up with automated reminders every 5 days until the evidence is submitted or the review is closed. This feature is designed to help you save time by automating repetitive tasks, ensuring that evidence is gathered promptly for security reviews.

  • Automatic Request: Vanta will send an evidence request email to vendors 30 days before a security review is due.
  • Follow-Up Reminders: If the evidence is not submitted, Vanta will send follow-up reminders every 5 days until the evidence is provided or the review is closed.
  • Visibility: You can see the status of the evidence request in the security review table, including:
    • If the automation is off.
    • The scheduled date for the request.
    • If the request has been sent.
    • If the request is blocked due to missing vendor contact information.

Evidence Request Email Status

New Draft State

The draft state is introduced 60 days before a security review is due. It allows evidence-gathering to start without affecting review metrics. This ensures that time-to-completion metrics are not artificially inflated, as the review is not officially opened until you are ready to start analyzing.

  • What you can do in the draft state:
    • Edit which evidence you want to request.
    • Manually send a request for evidence.
    • Turn the automated request for evidence on or off.

Security Review Draft State

Please Note

  • Opting Out: You can opt out of the automation at both the inherent risk level and the security review level.
  • Follow-Up Reminders: You can opt out of automated reminder emails at the security review level if needed.
  • Blocked Requests: If there is no vendor contact information, the evidence request will be blocked. You will see a status update in the security review table.

Turning off Automated Evidence Requests

To disable the automatic evidence request feature in Vanta, follow these steps:

  • Navigate to Security Review Settings:
    • Go to the Settings section in the Vanta platform.
    • Select Security Review Rules.
  • Disable Automation at the Inherent Risk Level:
    • Under Preferred Evidence Defaults, you can opt out of automated evidence requests by adjusting the settings at the inherent risk level.
  • Disable Automation at the Security Review Level:
    • Navigate to the Security Review Detail Page for the review you want to modify.
    • In the Header section, locate the Evidence Request Automation option.
    • Switch off the automation for that individual security review.
  • Confirm the Automation is Off:
    • Go to the Security Review Table.
    • Look at the "evidence request email" status column. If the automation is off, the status will reflect this.

Customizing Settings

By default, SOC 2 is included in the "preferred evidence list" for Critical, High, and Medium risk vendors. For Low risk and Unscored vendors, no evidence is requested by default. You can customize these settings to fit your specific needs.

  • Global Preferences: When you change the defaults, the new settings apply to all vendors at once as a global preference.
  • Vendor-Specific Overrides: You can override these global preferences for individual vendors. For example, you may want all vendors to provide a SOC 2 report by default, but if a vendor has an ISO 27001 report instead, you can accept that for a specific review.

Modifying Evidence Settings for a Specific Vendor

  • Open the Security Review Detail Page for the vendor you want to adjust.
    • Use the gear icon within the security review to modify the evidence request settings based on what’s needed for that particular vendor, even if it differs from the global preferences.

FAQ

When will the requests for evidence be sent out?

  • Requests will be sent automatically 30 days before the security review is due.

Can I customize when the request for evidence is sent?

  • Not at this time. 

Will this automatically open security reviews?

  • No, security reviews will not be automatically opened. A draft state will be created 60 days before the review is due, allowing you to review and make any changes before starting the actual review.

What if I don’t want to automatically send a request for evidence?

  • You can disable the feature at the inherent risk or individual security review levels.

How will I know if the request was sent?

  • The security review table will display the status of the evidence request, including whether it was sent, scheduled, or blocked.

New Status for Evidence Request Email