FAQs: Vendor risk management: assessments, workflows, and evidence

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Third parties and subprocessors

In Vendor Risk Management (VRM), how does VRM obtain subprocessor vendor details?

  • VRM does not automatically pull subprocessor vendor information. Any vendor details you want to display in the [Trust Center Subprocessors section](https://support.secureframe.com/hc/en-us/articles/19544760631315-Trust-Center-Site-Designer) must be manually added in Site Designer under the Subprocessors menu.

How does Secureframe improve third-party vendor management?

  • Secureframe automates vendor onboarding, assigns ownership, enables risk assessments, allows security questionnaires, and uses AI to streamline vendor assessments.

What is third-party vendor management?

  • Third-party vendor management ensures that the vendors you rely on meet your security requirements and protect the sensitive data they handle.

Vendor risk workflows and evidence

Do GDPR, CCPA/CPRA, and SOC 2 require companies to disclose the specific tools and sub-processors used to process personal data?

  • It depends on the framework:
    GDPR has the strongest requirements. Articles 13 and 14 require transparency about how personal data is processed, including categories of recipients and often specific vendors. Article 28 requires controllers to have contracts with processors and authorize any sub-processors, which is why most vendors maintain a sub-processor list. This applies even if the personal data in question is publicly available — if it's personal data, it's in scope.
    CCPA/CPRA requires disclosure of the categories of personal information collected, the sources, purposes, and categories of third parties the data is shared with (Cal. Civ. Code §1798.110, §1798.115, §1798.130). This must be kept current in the privacy policy. Contracts with service providers are also required under §1798.100(d) and §1798.140. However, there is no explicit requirement to list individual vendors by name — only the categories of third parties.
    SOC 2 has no explicit requirement to publish a sub-processor list. That said, vendor management and maintaining a clear inventory of third parties that handle PII is a core auditor expectation under the framework.

How many questions should I answer from the default vendor review template?

  • Answering 3–4 questions is a reasonable baseline. Best practice is to answer all 25 if the vendor has obtained SOC 2/ISO certification. The first two questions are the most important: 1) Which IT operational, security, privacy-related standards, certifications, and/or regulations does the vendor comply with? 2) Describe the customer data the vendor requires to provide its service: personal information, financial data, confidential/sensitive data, government data.

I have “Secureframe Agent” listed as a vendor in my vendor due diligence process. What should I enter for the “Website” and “Trust Center/Security URL” fields?

  • The Secureframe Agent is part of the overall Secureframe platform and covered by the same organization, SOC 2 report, and security controls as Secureframe.

    Website: Use https://secureframe.com

    Trust Center/Security URL: Use https://secureframe.com/security

    Note:

    You do not need to list the Secureframe Agent as a separate vendor unless you want to go above and beyond. Listing Secureframe alone is generally sufficient.

    If you do include the Agent as its own vendor, mirror the same website and security URL information used for Secureframe.

In vendor management, how can one view an uploaded document's description and comments after a review is completed?

  • You can view an uploaded document’s description, comments, and other related details by navigating to the Vendor module and clicking on the vendor’s name. From there, select the relevant tab, such as Documentation, Summary, or Internal Review.

    All notes, tasks, and documents remain accessible even after the review is completed, so you can easily revisit past information as needed.

What is the definition of "Categories" and "Departments" on the Vendor Risk Management "Add new vendor" page?

  • Categories – Select applicable risk/compliance categories, which are high-level classifications that describe the type of risk, security area, or operational function associated with a vendor. They help organize vendors by the kind of potential impact they could have on your organization.

    Departments – Select internal departments that use this vendor. Departments identify which internal teams in your organization rely on or use the vendor’s products or services. This ensures you can quickly see which parts of the business would be impacted if there’s an issue with that vendor.

What’s the difference between an Owner and an Assignee in vendor reviews?

  • Owner: This is the person responsible for ensuring the entire review group (e.g., quarterly vendor reviews) is completed on time.

    Assignee: This is the person responsible for reviewing a specific vendor within that group.

    Think of the Owner as the project lead for the overall review cycle, while Assignees handle the individual vendor items.

Why can't I see vendor reviews on the vendor page?

  • There are two ways to access vendor reviews:

    To view all vendor reviews:
    - Go to the Vendors module
    - Click "Configure Reviews" in the top right corner
    - This opens tabs for Pipeline (in-progress/upcoming reviews) and Completed Reviews

    To view reviews for a specific vendor:
    - Click on the vendor's name
    - Navigate to the Security Reviews tab

    If you don’t see the vendor review options, it could be due to access permissions or configuration settings. In that case, please contact support for assistance.

Additional customer questions

How does Secureframe manage third-party risk?

  • Secureframe enables vendor assessments, tracks due diligence, and automates security questionnaire responses.

How does the vendor access page automatically recognize vendors?

On the [Access page](https://support.secureframe.com/hc/en-us/articles/41848043012243-How-to-Review-and-Manage-Account-User-Access-in-Secureframe), what you see is actually a list of personnel and the applications (vendors) they have access to, along with details like in-scope status, account status, and MFA. This list updates automatically based on your connected integrations. As you integrate more applications from our supported integration list — or set up custom integrations — additional accounts and access details will appear in real time or during the next scheduled sync for that integration.

How often is the vendor access list updated?

The [Access page](https://support.secureframe.com/hc/en-us/articles/41848043012243-How-to-Review-and-Manage-Account-User-Access-in-Secureframe) updates automatically based on your connected integrations. As you integrate more applications from our supported integration list, or set up custom integrations, additional accounts and access details appear in real time or during the next scheduled sync for that integration.

Can a deleted vendor be restored?

It depends.

In some cases we are able to restore via database snapshots, but it depends on how soon we are notified since we do not keep snapshots for extended periods of time.

Contact support@secureframe.com, or, if you are in chat right now, type "speak to a human" or "agent" to be transferred to a live representative who can assist.

How do organizations manage vendor compliance without Secureframe?

They track vendor details, contracts, and risk levels manually using spreadsheets and conduct due diligence and periodic risk reviews manually.

I am not sure how to rate my vendors. Can you give me more context around that?

Organizations must implement a process to periodically review vendors' security posture. Secureframe provides details in the "Vendors" section, showing risk levels, data types, security documents, etc., for each vendor. High-risk vendors may need additional due diligence.

Is it acceptable for vendor reports to be published before the Type 2 observation period?

Yes, vendor SOC 2 reports (or equivalent documentation) can be published before your Type 2 observation period as long as they fall within the 12 months prior to the end of your audit window.

Here’s what that means:
If your Type 2 observation period is April 1 – June 30, 2025, then vendor reports issued as early as July 1, 2024 are still valid — even if they were published before the observation window began.

Secureframe treats vendor risk assessments as annual tests, which means:

- Evidence only needs to be collected once per year
- It remains valid for up to 12 months
- You do not need to refresh vendor documentation just because you're moving from a Type 1 to a short Type 2 (e.g., 3–6 months)

Is there a maximum limit to the number of vendors that can be tracked within Secureframe for Risk Assessments?

No. There is no limit to the number of vendors you can add and track in Secureframe for Risk Assessments.

How do I use the "Archive a Third Party Risk Management Vendor" endpoint (PUT /tprm/vendors/{id}/archive) in the Secureframe API?

  • Endpoint: PUT /tprm/vendors/{id}/archive
    Summary: Archive a Third Party Risk Management Vendor.
    Description: Archives a Vendor by ID.
    Category: Third Party Risk Management Vendor
    Parameters:
    - id (path, string, required): Scope response to id
    Responses:
    - default:
    - 404: Resource not found
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization

How do I use the "Get a Third Party Risk Management Vendor" endpoint (GET /tprm/vendors/{id}) in the Secureframe API?

  • Endpoint: GET /tprm/vendors/{id}
    Summary: Get a Third Party Risk Management Vendor.
    Description: Returns a single Vendor by ID
    Category: Third Party Risk Management Vendor
    Parameters:
    - id (path, string, required): Scope response to id
    Responses:
    - default:
    - 404: Resource not found
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization

How do I use the List Third Party Risk Management Vendors endpoint (GET /tprm/vendors) in the Secureframe API?

  • Endpoint: GET /tprm/vendors
    Summary: List Third Party Risk Management Vendors
    Description: Returns a list of Third Party Risk Management Vendors.
    ### Search parameters

    | Filter | Description |
    | :-- | :-- |
    | `archived` | Flag to indicate if this Vendor is archived |
    | `id` | The ID of the Vendor |
    | `name` | The name of the Vendor |
    | `owner_name` | The name of the User that is the owner for this Vendor |
    | `risk_level` | The risk level for this Vendor |
    | `updated_at` | The date this Vendor was last updated |
    | `created_at` | The date this Vendor was created |

    Category: Third Party Risk Management Vendor
    Parameters:
    - include (query, string, optional): Comma delimited string of relationships to include. Available relationships: vendor_risk_subassessment_responses
    - page (query, integer, optional): Used for pagination of response data (default: page 1). Specifies the offset of the next block of data to receive.
    - per_page (query, integer, optional): Used for pagination of response data (default: 100 items per response). Specifies the number of results for a given page.
    - q (query, string, optional): Search and filter the Vendor data using Lucene syntax.
    - relationships (query, boolean, optional): Set to true to return the associated relationships data within the response. (default: false)
    Responses:
    - default:
    - 403: Forbidden
    - 401: Unauthorized
    - 400: Bad Request
    Authentication: header_authorization

What Third Party Risk Management Vendor endpoints are available in the Secureframe API?

  • The Secureframe API provides the following Third Party Risk Management Vendor endpoints:
    This document describes the API for reading and archiving Vendors for companies using Third Party Risk Management.

    - GET /tprm/vendors - List Third Party Risk Management Vendors
    - GET /tprm/vendors/{id} - Get a Third Party Risk Management Vendor.
    - PUT /tprm/vendors/{id}/archive - Archive a Third Party Risk Management Vendor.
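The following Python helper is an added example that ties the three TPRM endpoints above to the 12-month evidence rule from the vendor risk assessment answer; it is not Secureframe's own client code. It builds the documented GET /tprm/vendors request (page, per_page, q, include, relationships), pages through results, maps the documented 400/401/403/404 responses to operator hints, prepares the PUT /tprm/vendors/{id}/archive request without sending it, and flags vendors whose `updated_at` is older than 365 days. The base URL https://api.secureframe.com, the exact Authorization header value, the `{"data": [...]}` response shape, the ISO 8601 `updated_at` format, and the `risk_level` value "high" are assumptions, not taken from the documentation; the vendor records are constructed so the demo runs offline.

```python
"""Offline-testable helpers for the Secureframe TPRM vendor endpoints (added example)."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

BASE_URL = "https://api.secureframe.com"  # ASSUMPTION: placeholder base URL

# Response codes documented for these endpoints, with operator guidance.
DOCUMENTED_ERRORS = {
    400: "Bad Request: check the query parameters (page, per_page, q, include)",
    401: "Unauthorized: the Authorization header is missing or invalid",
    403: "Forbidden: the credential lacks access to this company or endpoint",
    404: "Resource not found: no Vendor with that id",
}


class SecureframeAPIError(Exception):
    """Raised when the API answers with one of the documented error statuses."""


def auth_headers(credential: str) -> Dict[str, str]:
    # The endpoints use "header_authorization"; the value format is an ASSUMPTION.
    return {"Authorization": credential, "Accept": "application/json"}


def list_vendors_url(q: Optional[str] = None, page: int = 1, per_page: int = 100,
                     include: Optional[str] = None, relationships: bool = False) -> str:
    """Build the GET /tprm/vendors URL from the documented query parameters."""
    params: Dict[str, object] = {"page": page, "per_page": per_page}
    if q:
        params["q"] = q              # Lucene syntax over the documented filter fields
    if include:
        params["include"] = include  # e.g. vendor_risk_subassessment_responses
    if relationships:
        params["relationships"] = "true"
    return f"{BASE_URL}/tprm/vendors?{urlencode(params)}"


def archive_vendor_request(vendor_id: str, credential: str) -> Request:
    """PUT /tprm/vendors/{id}/archive, returned unsent so the caller can review it."""
    return Request(f"{BASE_URL}/tprm/vendors/{vendor_id}/archive",
                   headers=auth_headers(credential), method="PUT")


def http_json(req: Request) -> dict:
    """Send a request and translate documented error statuses into exceptions."""
    try:
        with urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        hint = DOCUMENTED_ERRORS.get(err.code, "undocumented status")
        raise SecureframeAPIError(f"{err.code} on {req.full_url}: {hint}") from err


def iter_vendors(fetch: Callable[[str], dict], q: Optional[str] = None,
                 per_page: int = 100) -> Iterator[dict]:
    """Walk every page of GET /tprm/vendors; fetch(url) returns the parsed body.
    A short (or empty) page marks the end of the data. Body shape is an ASSUMPTION."""
    page = 1
    while True:
        data = fetch(list_vendors_url(q=q, page=page, per_page=per_page)).get("data", [])
        yield from data
        if len(data) < per_page:
            return
        page += 1


def stale_vendors(vendors: List[dict], now: datetime, max_age_days: int = 365) -> List[str]:
    """IDs of vendors whose updated_at is older than the 12-month evidence window
    (vendor risk assessments are annual tests). updated_at assumed ISO 8601."""
    cutoff = now - timedelta(days=max_age_days)
    return [v["id"] for v in vendors if datetime.fromisoformat(v["updated_at"]) < cutoff]


def make_fake_fetch(pages: Dict[int, List[dict]]) -> Callable[[str], dict]:
    """Offline stand-in for http_json: serves constructed pages keyed by page number."""
    def fetch(url: str) -> dict:
        page = int(parse_qs(urlparse(url).query).get("page", ["1"])[0])
        return {"data": pages.get(page, [])}
    return fetch


# Constructed sample data: three vendors spread over two pages of per_page=2.
SAMPLE_PAGES = {
    1: [{"id": "v-1", "name": "Example CRM", "updated_at": "2024-01-15T00:00:00+00:00"},
        {"id": "v-2", "name": "Example CDN", "updated_at": "2025-05-01T00:00:00+00:00"}],
    2: [{"id": "v-3", "name": "Example Payroll", "updated_at": "2023-11-30T00:00:00+00:00"}],
}


def demo() -> List[str]:
    """Page through the constructed data and report vendors overdue for review."""
    fetch = make_fake_fetch(SAMPLE_PAGES)
    vendors = list(iter_vendors(fetch, q="archived:false AND risk_level:high", per_page=2))
    return stale_vendors(vendors, now=datetime(2025, 6, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(demo())  # ['v-1', 'v-3']
```

To run against the live API, replace `make_fake_fetch(...)` with `lambda url: http_json(Request(url, headers=auth_headers(credential)))`; the archive request is deliberately returned rather than sent so that archiving a vendor stays an explicit, reviewable step.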

Have you conducted due diligence on your subcontractors to ensure they comply with data protection laws and regulations?

  • Yes, as part of our vendor management policy, we ensure that our subprocessors comply with data protection laws in line with SOC 2 and ISO 27001 requirements.
