Frequently Asked Questions

This page addresses the most frequently asked questions about using the Vendors module in Sprinto to manage third-party risk, compliance workflows, and documentation.

1. What are the different ways to add vendors in Sprinto?

You can add vendors using:

• Sprinto’s preloaded Vendor Library

• CSV bulk upload using a standard template

• Manual entry via the Add Vendors form

• Vendor Discovery, which detects vendor apps accessed through connected SSO providers

2. How is a vendor’s risk score calculated?

Risk scores are determined using a combination of predefined and custom factors, including:

• Type of data shared with the vendor

• Operational impact

• Level of access to company systems

• Responses to custom risk parameters (if configured)

You can override the auto-computed score if needed.

3. What qualifies a vendor as high-risk?

A vendor is typically flagged as high-risk if:

• Critical or sensitive data is shared with them

• Their services are essential to your operations

• They have broad access to infrastructure or systems High-risk vendors must complete due diligence.

4. Can I request security documents from a vendor?

Yes. You can send document requests directly to vendors via email from the Vendor documents tab. Vendors can upload files through a secure, no-login portal.

5. What is Sprinto AI and how does it help with due diligence?

Sprinto AI automatically analyses uploaded security documents (e.g., SOC 2, ISO reports) and generates responses to predefined due diligence questions. You can review, edit, or supplement AI findings before completing the process.

6. How do I send a security questionnaire to a vendor?

From the Vendor documents tab:

1. Select Send Questionnaire

2. Choose a questionnaire template

3. Enter the vendor’s email The vendor receives a secure link to respond.

7. How do I monitor vendor status and due dates?

Use the Monitoring tab to track:

• Due diligence progress

• Pending risk scoring

• Overdue document uploads

• Incomplete questionnaires

You can also apply filters for risk level, due dates, and vendor admin.

8. What happens when a vendor is archived?

Archived vendors are removed from active assessments and monitoring cycles but remain in your database. You can restore them at any time.

9. How does Sprinto track vendor breach incidents?

Sprinto scans public sources (e.g., news, regulatory filings) and flags breaches related to vendors in your system. Breaches are listed in the Breach monitoring tab and remain visible for 90 days.

10. Who receives notifications for vendor breaches?

By default, all Sprinto admins receive breach alerts via email. You can toggle this on or off from the Breach monitoring tab by clicking Manage.

11. Can employees edit a vendor after requesting it?

Yes. Employees can edit vendor details only while the vendor is in Intake.

12. Can reviewers perform risk scoring and due diligence in Intake?

Yes. All scoring, tasks, findings, and due diligence actions are available during Intake.

13. Does due diligence automatically trigger in Intake?

No. Intake does not run automated monitors for due diligence. These monitors run only after the vendor becomes Active.

14. What happens to documents uploaded during Intake?

Documents remain linked to the vendor and become visible in the global documents list only after the vendor moves to Active.