The vendor risk level is determined by your organization and can be marked by low-risk, medium-risk, and high-risk. Secureframe will recommend a risk level for each vendor after you fill out their vendor assessment information. 

Here are additional guidelines for determining those risk levels:

• High: High-risk vendors are those that can have a serious impact on your business such as cloud infrastructure services, databases as a service, version control, and email service. In addition, any service that stores sensitive customer data, beyond just the customer name or basic information, should be designated as high-risk.

• Medium: Medium-risk vendors are those that may store your own employee PII and knowledge tools such as Lever, Gusto, Trinet, or Notion to store confidential information.

• Low: Low-risk vendors are those that don’t store sensitive information. Examples of low-risk vendors are design or video tools such as Figma, Zapier, Zoom, etc.