Vendor Security Review
Conduct AI-powered vendor security assessments by uploading vendor documentation and evaluating it against your configured security requirements.
Overview
The Vendor Security Review feature allows your organization to:
- Upload SOC 2 reports, penetration test results, and other vendor security documents
- Evaluate uploaded documentation against your configured vendor security requirements
- Receive an AI-generated overall summary, per-requirement findings, and a recommendation
- Send follow-up questions to vendors and re-analyze based on their responses
- Track vendor approval status through a full lifecycle
Vendor Lifecycle Statuses
| Status | Description |
|---|---|
| Pending Analysis | Documents uploaded; AI analysis in progress |
| Pending | Analysis complete; questions may be outstanding |
| Pending Response | Questions sent; awaiting vendor answers |
| Approved | Vendor meets your security requirements |
| Denied | Vendor does not meet requirements |
| Conditionally Approved | Vendor meets requirements with conditions |
| No Longer in Use | Vendor relationship ended |
Starting a Vendor Review
- Navigate to Vendors in the main menu
- Click Add Vendor and enter the vendor name and details
- Open the vendor and click Start New Review
- Set the data sensitivity level for this engagement
- Upload one or more vendor security documents (PDF, DOCX, TXT, etc.)
- Click Start Analysis — the AI begins evaluating the documents against your requirements
Analysis typically takes 1–3 minutes depending on document size.
Reading Review Results
After analysis completes, the review page shows:
Recommendation Banner
The top of the page displays the overall AI recommendation:
- Approve — All deal-breaker requirements are met
- Conditionally Approve — Most requirements met with minor gaps
- Pending Further Information — More documentation or vendor answers needed
- Deny — Critical requirements are not met
The banner also shows the AI's rationale, formatted with Markdown for clarity.
Findings
Each configured vendor security requirement is assessed individually with a status:
- Meets — Requirement is satisfied by the uploaded documents
- Does Not Meet — Requirement is not satisfied
- Partially Meets — Evidence is incomplete or conditional
- Pending Vendor Response — Needs a direct answer from the vendor
- Fails Requirement - Risk Accepted — Requirement is not met, but the risk has been formally accepted (human-only; the AI never sets this status)
Each finding links to the source document citation that supports the conclusion.
Editing Finding Status
Any authenticated member of your organization can manually override the status of any finding directly in the UI:
- Open the vendor review page and scroll to the Findings card
- Click the status dropdown in the Status column for any finding
- Select the desired status — the change saves automatically
- A brief "Saved" indicator confirms the update
The "Fails Requirement - Risk Accepted" option is available to all members and is never set by the AI. Use it when your organization decides to proceed despite a known gap.
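As an added illustration (not the product's own code), here is how a finding-status change might be enforced and recorded so that the AI actor can never set the human-only "Fails Requirement - Risk Accepted" status and every change produces a row with the Audit Log columns described further down (Timestamp, Actor, Field, Old Value, New Value). The dataclass names, the actor label handling and the constructed sample findings are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Finding statuses and the AI actor label as they appear on the review page.
STATUSES = {
    "Meets", "Does Not Meet", "Partially Meets",
    "Pending Vendor Response", "Fails Requirement - Risk Accepted",
}
HUMAN_ONLY = {"Fails Requirement - Risk Accepted"}  # never set by the AI
AI_ACTOR = "AI"  # the Actor column shows "AI" for AI-generated changes


@dataclass
class AuditEntry:
    """One Audit Log row: Timestamp, Actor, Field, Old Value, New Value."""
    timestamp: str
    actor: str
    field: str
    old_value: str
    new_value: str


@dataclass
class Finding:
    requirement: str
    status: str
    audit_log: List[AuditEntry] = field(default_factory=list)


def set_finding_status(finding: Finding, new_status: str, actor: str) -> Optional[AuditEntry]:
    """Apply a status change on behalf of `actor` and log it.

    Returns the audit entry, or None when the status is unchanged (nothing
    to log). Raises ValueError for an unknown status and PermissionError
    when the AI actor attempts a human-only status.
    """
    if new_status not in STATUSES:
        raise ValueError(f"unknown finding status: {new_status!r}")
    if actor == AI_ACTOR and new_status in HUMAN_ONLY:
        raise PermissionError(f"{new_status!r} can only be set by a person")
    if new_status == finding.status:
        return None
    entry = AuditEntry(
        timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        actor=actor, field="status",
        old_value=finding.status, new_value=new_status,
    )
    finding.status = new_status
    finding.audit_log.append(entry)
    return entry
```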
AI Summary
A Markdown-formatted overall summary of the vendor's security posture based on all uploaded documents.
Document Downloads
All documents uploaded for a review are listed in the Documents card. Click Download next to any document to open a time-limited secure link to the file.
Cited document names in the Findings section are also clickable — clicking a citation opens the corresponding source document.
Follow-Up Questions
If the AI determines that additional information is needed, it generates follow-up questions for the vendor.
Copying and Sending Questions
In the Questions card:
- Click Copy All Questions to copy the full list to your clipboard, formatted as a numbered list ready to paste into an email
- After sending, click Mark All as Sent to update the question status
Recording Vendor Responses
Each question row has a two-column layout:
- Left column: The question text
- Right column: A text area to record the vendor's response
Each response field auto-saves: changes are written after a short pause in typing, and a brief "Saved" indicator confirms the update. No manual save is required, though a Save button is still available if you prefer.
Submitting for Re-Analysis
Once responses are recorded:
- Click Submit All Responses in the questions card
- The AI re-evaluates the relevant requirements based on the recorded answers
- A new review round is created with updated findings
If any response failed to save (shown in red), submission is blocked until those fields are successfully saved. Retry by clicking the Save button on the failed field again.
Audit Log
Every change to a vendor review — including finding status updates, question text edits, and vendor response edits — is captured in the Audit Log displayed at the bottom of the review page.
What the Audit Log Shows
| Column | Description |
|---|---|
| Timestamp | When the change was made |
| Actor | Who or what made the change: a specific user name, or "AI" for AI-generated changes |
| Field | Which field was changed (status, question_text, or vendor_response) |
| Old Value | The value before the change |
| New Value | The value after the change |
Who Can See the Audit Log
All authenticated members of your organization can view the audit log. Admin access is not required to read it.
Vendor AI Instructions
You can provide organization-specific context to guide AI analysis for all vendor reviews. This is configured in Settings → Vendor AI Instructions.
Examples of useful context:
- Your organization's risk tolerance or compliance framework (SOC 2, ISO 27001, HIPAA)
- Vendor categories that require stricter scrutiny
- Specific clauses or certifications your procurement policy requires
See Organization Settings for configuration steps.
Vendor Security Requirements
The AI evaluates documents against requirements you configure in Settings → Vendor Security Requirements. Each requirement has a severity level:
- Deal Breaker — Must be met for approval
- Highly Desired — Important but not blocking
- Preferred — Nice to have
- Optional — Informational only
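The recommendation banner outcomes combine these severity levels with the per-requirement finding statuses. As an added example (not the product's own logic, which is produced by the AI), the following deterministic rules show one consistent way to derive the four outcomes; the rule ordering, the treatment of a Highly Desired gap as "minor", and the sample findings are assumptions and constructed data.

```python
# Severity levels, finding statuses and banner outcomes as named on this page.
DEAL_BREAKER = "Deal Breaker"
HIGHLY_DESIRED = "Highly Desired"
DENY, PENDING, APPROVE, CONDITIONAL = (
    "Deny", "Pending Further Information", "Approve", "Conditionally Approve")


def recommend(findings):
    """Map (severity, status) findings to a banner recommendation.

    Rule order is an assumption; the page only names the outcomes:
      1. Deny: a Deal Breaker is outright "Does Not Meet".
      2. Pending Further Information: some finding awaits a vendor answer.
      3. Approve: every Deal Breaker is "Meets" and no Highly Desired
         requirement is "Does Not Meet".
      4. Conditionally Approve: Deal Breakers are only partially met or
         risk-accepted, or Highly Desired gaps remain.
    Preferred and Optional requirements never change the outcome.
    """
    if any(sev == DEAL_BREAKER and st == "Does Not Meet" for sev, st in findings):
        return DENY
    if any(st == "Pending Vendor Response" for _, st in findings):
        return PENDING
    breakers_met = all(st == "Meets" for sev, st in findings if sev == DEAL_BREAKER)
    desired_ok = all(st != "Does Not Meet" for sev, st in findings if sev == HIGHLY_DESIRED)
    return APPROVE if breakers_met and desired_ok else CONDITIONAL


# Constructed sample reviews (not from any real vendor assessment).
SAMPLES = {
    "clean": [(DEAL_BREAKER, "Meets"), (HIGHLY_DESIRED, "Meets"), ("Preferred", "Does Not Meet")],
    "risk_accepted": [(DEAL_BREAKER, "Fails Requirement - Risk Accepted"), (HIGHLY_DESIRED, "Meets")],
    "waiting": [(DEAL_BREAKER, "Meets"), (HIGHLY_DESIRED, "Pending Vendor Response")],
    "failed": [(DEAL_BREAKER, "Does Not Meet"), (HIGHLY_DESIRED, "Pending Vendor Response")],
}

if __name__ == "__main__":
    for name, fs in SAMPLES.items():
        print(f"{name}: {recommend(fs)}")
```

Note that a risk-accepted Deal Breaker yields Conditionally Approve rather than Approve, matching the page's description of proceeding despite a known gap.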
See Organization Settings for how to add, edit, and import requirements.
Troubleshooting
Analysis Stuck at "Analysis in Progress"
If the review stays at "Analysis in progress" for more than 5 minutes:
- Check that your Anthropic API key is configured in Settings (BYOK or platform key)
- Contact Support if the issue persists
All Documents Failed Extraction
If you see "All documents failed text extraction":
- Ensure documents are not encrypted or password-protected
- Try re-uploading the document in a different format (e.g., PDF → DOCX)
- Check that the document contains selectable text (not a scanned image without OCR)
Auto-Save Failed
If a "Save failed" indicator appears on a response field or status dropdown:
- Check your network connection
- Make another edit to the field to trigger a retry, or click the Save button if visible
- The indicator will clear once the save succeeds
Related
- Organization Settings — Configure vendor AI instructions and security requirements
- Team Management — Grant admin access for vendor review management