Overview
The vendor documents module provides centralized management for all compliance-related documents associated with your third-party vendors. Track SOC 2 reports, ISO certifications, pen test results, insurance policies, contracts, and more — all with expiry monitoring and AI-powered scanning for risk insights.
Document Types
LowerPlane supports a comprehensive set of document types for vendor compliance tracking:
| Type | Description |
|---|---|
| Contract | Service agreements, master agreements, and amendments |
| Certification | General compliance certifications |
| Assessment | Risk assessment reports and findings |
| SOC 2 Report | SOC 2 Type I or Type II audit reports |
| ISO 27001 | ISO 27001 certification documents |
| HIPAA | HIPAA compliance documentation |
| PCI DSS | PCI DSS compliance attestation |
| Policy | Vendor security and privacy policies |
| Insurance | Cyber insurance and liability certificates |
| Pen Testing Report | Penetration testing and vulnerability reports |
| Questionnaire | Completed security questionnaires |
| SLA | Service Level Agreements |
| DPA | Data Processing Agreements (GDPR) |
| NDA | Non-Disclosure Agreements |
| Other | Documents that do not fit other categories |
Document Statuses
Each document has a status that reflects its current validity:
| Status | Description |
|---|---|
| Active | Document is current and valid |
| Expired | Document has passed its expiration date |
| Superseded | Document has been replaced by a newer version |
| Draft | Document is in draft state, not yet finalized |
| Archived | Document has been archived and is no longer active |
Uploading Documents
Navigate to Vendor Documents
Go to Vendors > Documents to access the central document repository, or open a specific vendor’s detail page to manage documents for that vendor.
Select File and Metadata
Choose the file to upload and fill in the required metadata:
- Vendor — the vendor this document belongs to
- Document Type — select from the supported types
- Expiry Date — when the document expires (optional but recommended)
- Notes — any additional context about the document
Document Statistics
The documents page displays aggregate statistics to help you monitor document health:
- Total Documents — count of all vendor documents in the system
- Active — documents that are current and valid
- Expiring Soon — documents approaching their expiry date
- Expired — documents that have passed their expiry date and need renewal
AI Document Scanning
LowerPlane includes AI-powered document scanning that automatically analyzes uploaded vendor documents and extracts compliance insights.
What AI Scanning Detects
Strengths
Positive compliance indicators found in the document, such as comprehensive controls, regular auditing, and strong encryption practices.
Weaknesses
Areas where the document reveals gaps or insufficient practices that may increase risk.
Risks
Specific risk factors identified in the document content, rated by severity (critical, high, medium, low).
Recommendations
Actionable recommendations based on the document analysis to improve the vendor’s compliance posture.
Compliance Flags
AI scanning also produces compliance flags that indicate how the document relates to major frameworks:
| Framework | Status Options |
|---|---|
| ISO 27001 | Compliant, Partial, Non-Compliant, N/A |
| SOC 2 | Compliant, Partial, Non-Compliant, N/A |
| HIPAA | Compliant, Partial, Non-Compliant, N/A |
| GDPR | Compliant, Partial, Non-Compliant, N/A |
| PCI DSS | Compliant, Partial, Non-Compliant, N/A |
AI scanning runs automatically when a document is uploaded. Results appear on the document detail panel once processing is complete.
Filtering and Search
The documents table supports multiple filtering options:
- Search — search by document name, vendor name, or notes
- Document Type — filter by specific document types (Contracts, SOC 2 Reports, Certifications, etc.)
- Status — filter by document status (Active, Expired, Draft, Archived)
- Vendor — filter documents for a specific vendor
Document Actions
| Action | Description |
|---|---|
| View | Open the document detail panel with metadata, AI scan results, and download link |
| Download | Download the original file |
| Edit | Update document metadata (type, expiry, notes) |
| Renew | Mark an expired document as renewed with a new expiry date |
| Archive | Move the document to archived status |
| Delete | Permanently remove the document |
Expiry Management
Documents with expiry dates are automatically tracked. The system provides:
- Expiry notifications — configurable alerts when documents are approaching expiry (default: 60 days before)
- Dashboard indicators — the TPRM dashboard highlights expiring and expired documents
- Renewal workflow — renew expired documents with a single action, setting a new expiry date
Documents as Compliance Evidence
Vendor documents serve as evidence for your own compliance frameworks. A vendor’s SOC 2 report, for example, can satisfy evidence requirements across multiple controls in ISO 27001, SOC 2, and HIPAA. The documents module integrates with the evidence collection system to map vendor documents to applicable framework controls.
Best Practices
- Standardize naming conventions for uploaded documents to make search and filtering easier
- Set expiry dates on all time-sensitive documents at upload time
- Review AI scan results to identify vendor risks you may not have noticed from the document title alone
- Archive rather than delete old documents to maintain a complete audit trail
- Request updated documents from vendors at least 30 days before the current document expires