How-to
Vendor risk: assessments, data types, and contract tracking
The four-pillar scoring model plus data-type tagging for DPA/GDPR.
For each vendor you can record one or more assessments. Each assessment scores four pillars (0–100):
- Security — SOC 2, ISO 27001, vulnerability management, encryption
- Compliance — regulatory posture (GDPR, HIPAA, PCI, etc.)
- Operational — reliability, SLAs, incident history
- Financial — viability, insurance, contractual protections
Capture findings (what is actually wrong today) and recommendations (what you want the vendor to change). Combine the pillar scores and open findings with the vendor's risk tier (critical / high / medium / low) to prioritise your vendor management effort: a mediocre score on a critical-tier vendor deserves attention before a poor one on a low-tier vendor.
Data-type tagging — each vendor can be tagged with the categories of data it processes: PII, payment card data, health (PHI), financial data, authentication credentials, intellectual property, or other. This is what drives automatic DPA / GDPR / HIPAA applicability; a vendor handling PII needs a documented data processing agreement, and tagging it with PII surfaces that obligation. Applicability is only as good as the tags: an untagged or mis-tagged vendor surfaces no obligation, so revisit the tags whenever a vendor's scope of processing changes.
Contract end dates feed into the dashboard's "Expiring & overdue" panel so renewals aren't a surprise.
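The model described above (four 0–100 pillars per assessment, tier-based prioritisation, data-type tags that trigger obligations, and contract end dates feeding an expiring/overdue view) fits in a few dataclasses. The following is an added example, not code from this product, and it makes assumptions the page does not: pillars are combined as an equal-weighted mean, priority is tier weight times residual risk, an unassessed vendor is scored 0 so it rises in the queue until assessed, and card data maps to PCI DSS alongside the PII → DPA/GDPR and PHI → HIPAA mappings the page gives. The vendor records are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

PILLARS = ("security", "compliance", "operational", "financial")
TIER_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumption: ordinal weights

# Obligations a data-type tag triggers. PII -> DPA/GDPR and PHI -> HIPAA follow the page;
# payment_card -> PCI DSS is an assumption added for illustration.
OBLIGATIONS = {
    "PII": {"DPA", "GDPR"},
    "PHI": {"HIPAA"},
    "payment_card": {"PCI DSS"},
}


@dataclass
class Assessment:
    assessed_on: date
    security: int
    compliance: int
    operational: int
    financial: int
    findings: List[str] = field(default_factory=list)
    recommendations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Every pillar is scored 0-100; reject anything else at construction time.
        for pillar in PILLARS:
            score = getattr(self, pillar)
            if not 0 <= score <= 100:
                raise ValueError(f"{pillar} score {score} is outside 0-100")

    def overall(self) -> float:
        # Assumption: equal-weighted mean; the page does not define how pillars combine.
        return sum(getattr(self, p) for p in PILLARS) / len(PILLARS)


@dataclass
class Vendor:
    name: str
    tier: str  # critical / high / medium / low
    data_types: Set[str]
    contract_end: Optional[date] = None
    assessments: List[Assessment] = field(default_factory=list)

    def latest_assessment(self) -> Optional[Assessment]:
        return max(self.assessments, key=lambda a: a.assessed_on, default=None)

    def obligations(self) -> List[str]:
        # Union of everything the tags trigger. An untagged vendor gets nothing,
        # which is exactly how a stale data inventory hides obligations.
        triggered: Set[str] = set()
        for tag in self.data_types:
            triggered |= OBLIGATIONS.get(tag, set())
        return sorted(triggered)

    def priority(self) -> float:
        # Assumption: tier weight times residual risk (100 - overall). A vendor with no
        # assessment counts as scoring 0, so it climbs the queue until someone assesses it.
        latest = self.latest_assessment()
        overall = latest.overall() if latest else 0.0
        return TIER_WEIGHT[self.tier] * (100 - overall)


def contract_status(vendor: Vendor, today: date, horizon_days: int = 90) -> str:
    """'none' (no end date), 'overdue' (already ended), 'expiring' (ends within horizon), 'ok'."""
    if vendor.contract_end is None:
        return "none"
    if vendor.contract_end < today:
        return "overdue"
    if vendor.contract_end <= today + timedelta(days=horizon_days):
        return "expiring"
    return "ok"


def prioritised(vendors: List[Vendor]) -> List[str]:
    """Vendor names, highest priority first."""
    return [v.name for v in sorted(vendors, key=lambda v: v.priority(), reverse=True)]


# Constructed sample data; these are not real vendors.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Vendor("Clinic Portal", "critical", {"PHI", "PII", "credentials"}, date(2024, 5, 22),
           [Assessment(date(2024, 4, 2), 60, 55, 70, 65,
                       findings=["No MFA on admin console"],
                       recommendations=["Enforce MFA for all admin accounts"])]),
    Vendor("Payroll SaaS", "high", {"PII", "financial"}, date(2024, 7, 1),
           [Assessment(date(2024, 1, 15), 85, 70, 90, 80)]),
    Vendor("Swag Supplier", "low", {"other"}),  # never assessed, no contract end on file
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:14} tier={v.tier:8} priority={v.priority():6.2f} "
              f"obligations={v.obligations()} contract={contract_status(v, TODAY)}")
    print("queue:", prioritised(SAMPLE))
```

Running it puts the critical-tier clinic vendor first (overdue contract, HIPAA plus DPA/GDPR obligations, an open MFA finding), then the never-assessed supplier, then the well-scored payroll vendor whose contract is inside the 90-day expiry horizon. If you would rather not let an unassessed low-tier vendor outrank an assessed high-tier one, replace the score-0 default with a separate "unassessed" list; the point is that the queue should never let a vendor silently carry no score.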