Vendor management in Drata

Populate your vendor register and complete the vendor risk assessments


Vendor management is an important part of every information security and compliance program. Where you use third-party software, cloud infrastructure, and other services, you may have a critical reliance on those vendors supporting your security and compliance. You can outsource those activities, but remain responsible with your own third-party commitments and reputation on the line. Below are the two steps to complete your vendor management in Drata's Vendors section.



Your vendor management program can be tracked in Drata’s Vendors menu section. The scope of vendors you track in this section should cover the list of common vendor types below, at a minimum. For each vendor, click “Add Vendor”, populate the mandatory fields, and provide a link to the Terms of Service (not a mandatory field in Drata, but required).

If there is no publicly available terms of service, add a vendor contract or agreement to the Drata Reports and Docs section.

  • Click “Add Report”
  • Name: VendorName_Contract
  • Type: Other
  • Creation date and expiry: todays date, 1 year expiry
  • Add any notes that may be helpful for the audit, otherwise just put vendor services agreement.

Common Vendor Types

  1. Infrastructure provider(s) - Eg. AWS
  2. Code repository - Eg. Github
  3. Authentication and SSO software - Eg. Okta
  4. Identity / workspace software - Eg. Google Workspace
  5. Enterprise password manager - Eg. 1Password
  6. CRM - Eg. Hubspot
  7. Workplace communications - Eg. Slack
  8. Intranet provider - Eg. Confluence
  9. Compliance management - Eg. Drata



For any vendors where the risk rating is High, obtain their SOC 1, SOC 2, or SOC 3 reports. SOC 2 reports are the best practice, but it can be easier to obtain SOC 3 reports as they are published without requirements for non-disclosure agreements and other formal requests for access. Note that use of Drata for your compliance monitoring and management functions would also require a similar assessment that should be documented.

Click into each high risk rated vendor and complete these steps:

  • In the Compliance Report Management (under the Vendor Details section) - upload the compliance report.
  • Click “Start Review” in the SOC report review section below the upload panel
  • Populate the key details from the report; issue date, type, opinion, findings and end user controls. 
  • If the vendor does not have a SOC attestation report (unlikely for any mainstream vendors), attach other evidence of vendor assessment to address the risk of using the vendors services (eg. Security questionnaire, review of security practices, ISO 27001 certification, or vendor mitigation strategy/plan.