Vendor Risk
Track your third-party vendors, automatically score their risk level based on data access and certifications, and ensure CRITICAL vendors are represented in your risk register.
Overview
Third-party vendor risk management (TPRM) is a requirement in nearly every major compliance framework. SOC 2 requires you to assess the risk posed by subservice organisations; GDPR mandates data processing agreements with all data processors; ISO 27001 requires supplier relationships to be managed and monitored.
zGovern's Vendor Risk module lets you maintain a centralised vendor inventory with automatic risk scoring. Vendors are assessed based on the types of data they access, their security certifications, and contract renewal proximity.
Vendor Fields
| Field | Type | Description |
|---|---|---|
| name | string | Vendor company name (e.g., "Stripe", "Salesforce") |
| website | URL | Vendor's primary website URL |
| category | string | Type of service provided (e.g., "Payment Processing", "CRM", "Cloud Infrastructure") |
| dataAccess | string[] | Types of data the vendor can access. Values: PII, PHI, FINANCIAL, CREDENTIALS, SOURCE_CODE, NONE |
| certifications | string[] | Security certifications held by the vendor. Values: SOC2, ISO27001, GDPR, HIPAA, PCI_DSS |
| contractRenewalDate | datetime | When the vendor contract expires. Used to trigger re-assessment reminders. |
| riskScore | LOW / MEDIUM / HIGH / CRITICAL | Automatically calculated risk score. Recalculated on each save. |
| notes | string (nullable) | Free-text notes (DPA status, contact name, last review date, etc.) |
Automatic Risk Scoring
zGovern automatically calculates a risk score for each vendor when it is created or updated. The formula evaluates three dimensions:
1. Data Access Factor
The types of data the vendor can access contribute a base risk level:
| Data Access Type | Risk Contribution | Reason |
|---|---|---|
| PHI (Protected Health Information) | +3 points | HIPAA-regulated; highest sensitivity |
| FINANCIAL | +3 points | PCI-DSS scope; high fraud risk |
| PII (Personally Identifiable Information) | +2 points | GDPR/DPDP regulated; breach notification required |
| CREDENTIALS | +2 points | Access to passwords, API keys, or tokens |
| SOURCE_CODE | +1 point | IP exposure risk |
| NONE | 0 points | No sensitive data access |
2. Certification Factor
Missing security certifications add risk points based on how critical the certification is for the vendor's category:
| Missing Certification | Risk Addition |
|---|---|
| No SOC2 certification | +2 points |
| No ISO27001 certification | +1 point |
| No GDPR compliance attestation (for EU data processors) | +2 points |
3. Contract Renewal Proximity
| Renewal Date | Risk Addition |
|---|---|
| Expires within 30 days | +2 points |
| Expires within 90 days | +1 point |
| Contract already expired | +3 points |
| More than 90 days remaining | 0 points |
Score Thresholds
| Total Score | Risk Level | Action |
|---|---|---|
| 0–2 | LOW | Annual review sufficient |
| 3–5 | MEDIUM | Semi-annual review; ensure DPA is in place |
| 6–8 | HIGH | Quarterly review; obtain SOC 2 report; verify certifications |
| 9+ | CRITICAL | Auto-creates a Risk Register entry; immediate review required |
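The three factors and the thresholds above, worked through in code. This is an added example written for this page, not zGovern's own scoring implementation: the field names follow the Vendor Fields table, while the `processesEuData` flag (needed because the GDPR penalty only applies to EU data processors and no documented field carries that information), the `now` parameter (so results are reproducible), and the exact day-boundary handling are assumptions. The constructed Stripe-like input reproduces the breakdown shown in the Example Vendor Record below (5 data-access points, total 5, MEDIUM); a second constructed input shows how an expired, uncertified vendor with credential and source-code access crosses into CRITICAL and would trigger the Risk Register entry.

```typescript
// Added example: stand-alone re-implementation of the documented scoring rules.
// Not zGovern's own code. `processesEuData`, `now`, and the boundary choices
// (renewal date exactly today counts as "within 30 days", not "expired") are
// assumptions made for this example.

type DataAccess = "PII" | "PHI" | "FINANCIAL" | "CREDENTIALS" | "SOURCE_CODE" | "NONE";
type Certification = "SOC2" | "ISO27001" | "GDPR" | "HIPAA" | "PCI_DSS";
type RiskLevel = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

interface VendorInput {
  name: string;
  dataAccess: DataAccess[];
  certifications: Certification[];
  contractRenewalDate: string; // ISO 8601 datetime, as in the example record
  processesEuData?: boolean;   // assumption: not a documented vendor field
}

interface ScoreBreakdown {
  dataAccessPoints: number;
  missingCertPoints: number;
  contractPoints: number;
  total: number;
}

interface ScoreResult {
  riskScore: RiskLevel;
  scoreBreakdown: ScoreBreakdown;
  createsRiskRegisterEntry: boolean; // CRITICAL auto-creates a Risk Register entry
}

// Factor 1: points per data access type (from the Data Access Factor table).
const DATA_ACCESS_POINTS: Record<DataAccess, number> = {
  PHI: 3, FINANCIAL: 3, PII: 2, CREDENTIALS: 2, SOURCE_CODE: 1, NONE: 0,
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

function dataAccessPoints(access: DataAccess[]): number {
  // Deduplicate first so a repeated value such as ["PII", "PII"] cannot inflate the score.
  return [...new Set(access)].reduce((sum, a) => sum + DATA_ACCESS_POINTS[a], 0);
}

// Factor 2: points for certifications the vendor does not hold.
function missingCertPoints(certs: Certification[], processesEuData: boolean): number {
  const held = new Set(certs);
  let points = 0;
  if (!held.has("SOC2")) points += 2;
  if (!held.has("ISO27001")) points += 1;
  if (processesEuData && !held.has("GDPR")) points += 2;
  return points;
}

// Factor 3: points for contract renewal proximity, measured against `now`.
function contractPoints(renewalIso: string, now: Date): number {
  const renewal = new Date(renewalIso);
  if (Number.isNaN(renewal.getTime())) {
    throw new Error(`invalid contractRenewalDate: ${renewalIso}`);
  }
  const daysLeft = (renewal.getTime() - now.getTime()) / MS_PER_DAY;
  if (daysLeft < 0) return 3;   // contract already expired
  if (daysLeft <= 30) return 2; // expires within 30 days
  if (daysLeft <= 90) return 1; // expires within 90 days
  return 0;                     // more than 90 days remaining
}

// Score Thresholds table: 0-2 LOW, 3-5 MEDIUM, 6-8 HIGH, 9+ CRITICAL.
function riskLevel(total: number): RiskLevel {
  if (total <= 2) return "LOW";
  if (total <= 5) return "MEDIUM";
  if (total <= 8) return "HIGH";
  return "CRITICAL";
}

function scoreVendor(vendor: VendorInput, now: Date = new Date()): ScoreResult {
  const breakdown: ScoreBreakdown = {
    dataAccessPoints: dataAccessPoints(vendor.dataAccess),
    missingCertPoints: missingCertPoints(vendor.certifications, vendor.processesEuData ?? false),
    contractPoints: contractPoints(vendor.contractRenewalDate, now),
    total: 0,
  };
  breakdown.total = breakdown.dataAccessPoints + breakdown.missingCertPoints + breakdown.contractPoints;
  const level = riskLevel(breakdown.total);
  return { riskScore: level, scoreBreakdown: breakdown, createsRiskRegisterEntry: level === "CRITICAL" };
}

// Constructed sample inputs (not real vendor records). Scored against a fixed date.
const ASSESSMENT_DATE = new Date("2025-06-01T00:00:00.000Z");

const stripeLike: VendorInput = {
  name: "Stripe",
  dataAccess: ["FINANCIAL", "PII"],
  certifications: ["SOC2", "PCI_DSS", "ISO27001"],
  contractRenewalDate: "2027-01-15T00:00:00.000Z",
};

// Expired contract, no certifications, handles EU data plus credentials and source code.
const contractorLike: VendorInput = {
  name: "Example Dev Contractor (constructed)",
  dataAccess: ["CREDENTIALS", "SOURCE_CODE"],
  certifications: [],
  contractRenewalDate: "2025-03-31T00:00:00.000Z",
  processesEuData: true,
};

console.log(JSON.stringify(scoreVendor(stripeLike, ASSESSMENT_DATE), null, 2));
console.log(JSON.stringify(scoreVendor(contractorLike, ASSESSMENT_DATE), null, 2));
```

Passing `now` explicitly matters for more than testing: a score stored on save and never recalculated will silently drift as the renewal date approaches, so a scheduled re-score (or a recalculation on read) is what actually keeps the contract factor honest.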
Vendor List View
The Vendor Risk page displays all vendors in a sortable table with:
- Vendor name and category
- Data access icons (PII, PHI, FINANCIAL, etc.)
- Certification badges (SOC2 ✓, ISO27001 ✓, etc.)
- Contract renewal date (highlighted red if within 30 days)
- Risk score badge (LOW, MEDIUM, HIGH, CRITICAL)
- Edit and delete actions
Example Vendor Record
A vendor record as submitted on create or update:
```json
{
  "name": "Stripe",
  "website": "https://stripe.com",
  "category": "Payment Processing",
  "dataAccess": ["FINANCIAL", "PII"],
  "certifications": ["SOC2", "PCI_DSS", "ISO27001"],
  "contractRenewalDate": "2027-01-15T00:00:00.000Z",
  "notes": "DPA signed 2025-01-15. Annual review complete. SOC 2 Type II report received."
}
```
The response returned once the record is saved, with the calculated score and its breakdown:
```json
{
  "success": true,
  "data": {
    "id": "clxv9p2qr0001lg8a",
    "name": "Stripe",
    "riskScore": "MEDIUM",
    "scoreBreakdown": {
      "dataAccessPoints": 5,
      "missingCertPoints": 0,
      "contractPoints": 0,
      "total": 5
    }
  }
}
```