Request and Review Vendors

This article explains how vendor intake requests are raised and reviewed in Sprinto. It covers:

• How employees request new vendors

• How reviewers (Vendor Admins) are notified

• How reviewers evaluate an intake vendor

• How to update the vendor’s lifecycle stage (Intake, Active, Archived)

• What happens after a vendor is approved or archived

Vendor requests support organisations that evaluate tools before onboarding them. Intake requests help GRC, Security, Legal, and Finance teams assess vendors before marking them as Active.

Roles

Employee / Business Owner

• Can request a vendor from the Employee Portal

• Can view and edit intake requests (until decisioned)

• Receives notifications when the request is submitted and when a reviewer acts on it

Vendor Admin / Reviewer

• Reviews all vendors in the Intake stage

• Can update vendor details, scoring, due diligence, and documents

• Decides whether the vendor should become Active or move to Archived

• Receives notifications when a vendor is added to Intake

Part 1: Request a Vendor (Employee Portal)

Step 1: Navigate to Vendors

1. Log in to the Sprinto Employee Portal.

2. Navigate to Vendors.

Step 2: Enter vendor details

1. Select Request vendor to open the Add vendor drawer.

2. Employees can enter:

   • Vendor name (required)

   • Description

   • Category (required)

   • Company logo

   • Intake request reason (required)

   • Internal business contact

   • Vendor contact (name and email)

   • Any custom fields defined by your organisation

1. Select Save.

Step 3: View your vendor requests

After saving:

• The vendor appears in the employee’s Intake requests list.

• Employees can:

  • View details

  • Edit the request while it is still in Intake

  • Track whether the reviewer has decisioned it

Notifications

After a vendor request is submitted, Sprinto notifies:

• The requestor (employee)

• The Internal Business Owner (if defined)

• The Vendor Admin (default is the InfoSec Officer, unless configured otherwise)

Each notification includes a link to the vendor details page.

Part 2: Review Vendor Requests (Admin Portal)

Step 1: Reviewer receives a notification

1. When a vendor is added to Intake, the Vendor Admin is notified.

2. The notification links directly to Data Library → Vendors → All vendors (Stage = Intake).

3. This list shows all vendors pending review.

Step 2: Open the intake vendor

1. In the Admin Portal, go to Data Library > Vendors.

2. Use the View dropdown to select Intake.

3. Select a vendor to open its vendor details drawer.

You will see:

• Details

• Risk score

• Due diligence

• Documents

• Findings

• Tasks

These tabs function similarly to those for Active vendors.

Step 3: Review intake-specific monitor

Intake vendors display a single task-based monitor:

Vendor intake request should be decisioned

• Assigned to the Vendor Admin

• Default SLA: 30 days

• Status: Failing or Pending until decisioned

Select Fix issue to begin the decision process.

Part 3: Update the Vendor Stage

Selecting Fix issue opens the Update stage modal.

The modal displays:

• Intake

• Active

• Archived

The current stage is marked with a Current badge.

Option 1: Approve the vendor (move to Active)

1. Select Active.

2. Select Save.

What happens next

• The intake monitor switches to Passing.

• Two new monitors are added:

  • Vendor risk should be scored

  • Periodic review of access-critical systems

• Any risk scoring or due diligence begun during Intake is retained.

• The requestor, Internal Business Owner, and Vendor Admin receive notifications.

• The vendor becomes read-only for the employee; the “request reason” field is hidden.

Option 2: Archive the vendor (move to Inactive)

1. Select Archived.

2. Enter a reason (if prompted).

3. Select Save.

What happens next

• The vendor moves to the Inactive stage.

• Employees can no longer edit the request.

• Reviewers can later restore the vendor to:

  • Intake

  • Active

Option 3: Keep the vendor in Intake

If the reviewer needs more information, they can:

• Edit vendor fields under Details

• Request documents

• Add findings or tasks

• Begin due diligence or risk scoring

• Leave the vendor in Intake until ready to decide

Part 4: Change Stage Manually (Any Time)

Reviewers do not need to use the monitor to change stages. They can:

1. Open a vendor.

2. Select Update stage (top-right).

3. Choose Intake, Active, or Archived.

This allows:

• Re-evaluating Active vendors (Active → Intake)

• Restoring Archived vendors

• Archiving Active vendors when offboarded

Notifications After Decision

Sprinto sends notifications whenever:

• A vendor request is approved (moved to Active)

• A vendor request is rejected or archived

• A reviewer updates the vendor’s stage

Notifications go to:

• Requestor (employee)

• Internal Business Owner

• Vendor Admin

FAQs

Can employees edit a vendor after requesting it?

Yes. Employees can edit vendor details only while the vendor is in Intake.

Can reviewers perform risk scoring and due diligence in Intake?

Yes. All scoring, tasks, findings, and due diligence actions are available during Intake.

Does due diligence automatically trigger in Intake?

No. Intake does not run automated monitors for due diligence. These monitors run only after the vendor becomes Active.

What happens to documents uploaded during Intake?

Documents remain linked to the vendor and become visible in the global documents list only after the vendor moves to Active.