# How it Works Sprinto’s **Vendors** module enables you to track and manage the risks associated with third-party vendors. It streamlines the entire vendor lifecycle—from discovery to ongoing assessment—helping you stay compliant with frameworks like SOC 2, ISO 27001, HIPAA, and GDPR. Here’s how it works: #### Step 1: Discover vendors used across your organisation Connect your SSO provider (Google Workspace, Okta, or Office 365) to automatically identify third-party applications accessed by your team. * View discovered vendors under the **Vendor discovery** tab. * Choose to **Add**, **Dismiss**, or **Validate** each vendor. * Manage connected domains from the **Manage Vendor Discovery** panel. *** #### Step 2: Add vendors to Sprinto Add vendors using one of the following options: * **Vendor Library** – Select from Sprinto’s curated list of vendors. * **Bulk Upload** – Use the CSV template to add multiple vendors at once. * **Manual Entry** – Enter vendor details directly in the UI. All added vendors appear under the **All vendors** tab. *** #### Step 3: Configure and apply vendor risk scoring Sprinto auto-scores vendors based on: * Type of data shared (e.g., credentials, cardholder data) * Operational impact * Access to company systems You can override scores, add custom risk factors, or edit responses under the **Configuration** tab. *** #### Step 4: Assign vendor admins Each vendor is assigned a Sprinto admin responsible for completing risk checks and due diligence. Vendor admins are notified via email and tracked under the **All vendors** section. *** #### Step 5: Complete due diligence Evaluate vendor security posture by: * Uploading documents manually * Requesting documents via email * Using Sprinto AI to analyse reports and generate findings Track progress under the **Due diligence** tab for each vendor. *** #### Step 6: Send and review security questionnaires Create or upload a custom security questionnaire and send it to vendors. Vendors respond via a secure link. You can review, download, and export their responses from the **Vendor security questionnaire** tab. *** #### Step 7: Monitor breaches and incidents View vendor-related breach alerts under the **Breach monitoring** tab. Each entry includes: * Impacted vendor * Reported date * Source of breach * Actions taken (manually added) You can also enable breach notifications for your team. *** #### Step 8: Perform periodic vendor risk assessments Use the **Vendor risk assessment** tab to: * Review all active vendors * Exclude vendors from a cycle * Track due diligence status * Complete and submit assessments for review