SOC 2 requires an organization to manage risks associated with vendors and review security reports for high-risk vendors on an annual basis. An organization should add any vendor that has access to process, store, transmit sensitive information, or hinder the ability to conduct business if you lose access to that vendor.

We recommend adding all vendors your organization uses to have a master list of vendors stored and can be easily exported from Data Room.