A vendor is one or more persons outside your own enterprise who provide or manage goods (entities) or provide a service, and for which you want to apply and monitor control compliance and calculate risk.
Vendor information is accessed, managed, and stored in the following manner:
- Vendor entity: An object to which you can assign controls and risks in an assessment.
- Vendor contact: Each vendor can have multiple accounts, each of which is referred to as a vendor contact. There will be one Primary Vendor Contact and 0 or more regular vendor contacts.
- Vendor account: A group of external users, managed by the vendor administrator, that can respond to questionnaires.
- Vendor administrator: The vendor administrator manages the account, including questionnaires, and delegates questionnaires and questions to vendor users.
- Vendor engagement (Vendor Service): When users create a new vendor within the Vendor Risk Manager Application, an engagement or service is automatically created and associated with that vendor by default.
The Primary Vendor Contact can see responses to questions delegated to regular vendor users (i.e., contacts). Apart from that, regular vendor users for the same vendor cannot see each other's questionnaire responses. Under no circumstances can vendor contacts from one vendor see the submissions of another vendor. Vendor contacts, even for the same vendor, cannot see each other's questionnaires or responses, including evidence.
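The visibility rules above can be written as a deny-by-default check and exercised against sample data. This is an added illustration, not the application's own code; the class names, field names, and sample contacts are hypothetical, and it assumes a contact can always see a response they submitted themselves.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contact:
    contact_id: str
    vendor_id: str
    is_primary: bool = False      # the one Primary Vendor Contact per vendor

@dataclass(frozen=True)
class Response:
    question_id: str
    vendor_id: str                # vendor whose questionnaire this belongs to
    respondent_id: str            # contact who submitted the response
    delegated: bool = False       # question was delegated to a regular contact

def can_view(viewer: Contact, resp: Response) -> bool:
    """Deny by default; return True only for a rule stated in the text."""
    # Vendor isolation is checked first, so no later rule can leak across vendors.
    if viewer.vendor_id != resp.vendor_id:
        return False
    # Assumption: a contact can always see a response they submitted.
    if viewer.contact_id == resp.respondent_id:
        return True
    # The primary contact sees responses to questions delegated to regular contacts.
    return viewer.is_primary and resp.delegated

def visible_question_ids(viewer, responses):
    """Question ids of the responses this contact is allowed to see."""
    return sorted(r.question_id for r in responses if can_view(viewer, r))

# Constructed sample data: two vendors, all ids are placeholders.
ALICE = Contact("alice", "vendor-a", is_primary=True)
BOB = Contact("bob", "vendor-a")
CAROL = Contact("carol", "vendor-a")
ERIN = Contact("erin", "vendor-b", is_primary=True)

RESPONSES = [
    Response("A-q1", "vendor-a", "bob", delegated=True),
    Response("A-q2", "vendor-a", "carol", delegated=True),
    Response("A-q3", "vendor-a", "alice"),
    Response("B-q1", "vendor-b", "erin"),
]

if __name__ == "__main__":
    for contact in (ALICE, BOB, CAROL, ERIN):
        print(contact.contact_id, visible_question_ids(contact, RESPONSES))
```

Checking the vendor match before any other rule means a contact identifier reused under another vendor still cannot reach the first vendor's responses.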