Governed vendor lifecycle
Onboard, review, re-assess, and offboard vendors through a controlled workflow, with a recurrence scheduler for ongoing due diligence.
Manage vendor assessments, lifecycle reviews, security findings, ownership, and risk decisions in one governed workflow — with a complete audit trail behind every record.
Most teams spread vendor risk across questionnaires, spreadsheets, and disconnected tools, then rebuild context at audit time. VeriGRC manages the entire vendor lifecycle — from onboarding to offboarding — in one place, where assessments, security findings, ownership, evidence, and risk decisions stay connected and every action is recorded.
A governed lifecycle for vendors — from first assessment to final risk decision and audit.
Onboard, review, re-assess, and offboard vendors through a controlled workflow, with a recurrence scheduler for ongoing due diligence.
Run VeriSAQ — VeriGRC's own vendor security assessments, available as VeriSAQ Lite and VeriSAQ Full — scored with AI-generated findings and supporting rationale your team can review and act on.
Pair assessment results with ongoing vendor security ratings and external attack surface signals for a fuller risk picture.
Assign owners, record accept or treat decisions, and track remediation — so every risk has a clear owner and a clear outcome.
Vendors submit evidence directly through the portal, and it stays attached to the assessment and to the audit trail.
Invitations, submissions, scoring, and decisions are captured in an append-only audit log behind every vendor record.
A controlled onboarding path that gives vendors access to exactly what they need — and nothing else.
An authorized user sends the vendor an invitation to the assessment or items they need to complete.
The vendor accepts the invitation and sets up their access to the vendor portal.
Vendors sign in with a local login, or with configured single sign-on.
A vendor only sees the assessments or items assigned to them — nothing else in your organization's workspace.
Every action a vendor takes is recorded, giving you a clear, reviewable history.
When it is time for an audit, you can grant external auditors secure, time-limited access to only the evidence and records they need. Access is revocable at any time, and every auditor action is logged — so external review never means handing over broad access to your platform.
Third-party risk does not live in isolation. Vendor findings flow into your vendor security ratings and external attack surface picture, link to the controls they affect, feed your risk register, and surface through the AI Assistant. Explore the full platform.
Third-party risk management is the process of identifying, assessing, monitoring, and deciding how to handle the risks that vendors, suppliers, and other external partners introduce. VeriGRC supports it with a governed workflow for vendor assessments, security findings, ownership, evidence, and risk decisions, all backed by an audit trail.
VeriSAQ is VeriGRC's own family of vendor security assessments. VeriSAQ Lite provides a faster baseline review, and VeriSAQ Full supports deeper due diligence. Assessments are scored with AI-generated findings, and a vendor only sees the items assigned to them.
Your team invites a vendor, the vendor accepts the invitation and sets up access, and then signs in to the vendor portal. Vendors only see the assessments or items assigned to them, and their activity is tracked and auditable.
Yes. Vendors can sign in with a local login or single sign-on. Where configured, VeriGRC supports single sign-on for customer organizations using SAML or OpenID Connect, and a vendor only ever sees the items assigned to them.
You can grant external auditors secure, time-limited access to only the evidence and records they need. Access is revocable at any time, and every auditor action is logged for accountability.
Because the platform shares one data model, vendor findings connect to security ratings and external attack surface signals, link to the controls they affect, feed the risk register, and are available to the AI Assistant — without manual exports.
Yes. Invitations, submissions, assessment scoring, and risk decisions are captured in an append-only audit log, so the history behind each vendor record stays reviewable over time.
Book a walkthrough and see third-party risk, compliance, and audit evidence on one platform.