Overview

LowerPlane provides a comprehensive Third-Party Risk Management (TPRM) program that gives you full visibility into your vendor ecosystem. Every vendor relationship follows a structured lifecycle, ensuring that no third-party risk goes untracked.

Managed Vendors

Central directory of all approved vendors with status tracking, risk levels, and compliance metadata.

Vendor Intake

Public intake forms that let vendors or employees submit onboarding requests for review and approval.

Risk Assessments

Questionnaire-based assessments with domain-weighted scoring and multi-level risk classification.

Documents

Upload, categorize, and track vendor compliance documents with expiry monitoring and AI scanning.

Subprocessors

Track third-party subprocessors that your vendors rely on, including data categories and hosting locations.

Vendor Scoring

Configurable risk scoring formula based on boolean risk factors, custom weights, and threshold levels.

Vendor Lifecycle

The TPRM program follows a six-stage lifecycle. Each stage maps to features within the platform.

1. Discovery

New vendors are identified through auto-discovery from expenses and integrations, or manually added by your team. Enable auto-discovery in Vendor Settings > General to scan on a configurable schedule (hourly, daily, or weekly).

2. Intake

Vendors or internal employees submit onboarding requests through a public intake form. Each submission captures company details, data handling practices, and custom fields defined by your organization.

3. Onboarding

Submitted vendors go through an approval workflow. Reviewers assess the intake submission, check the auto-calculated risk score, and approve or reject the request. Approved vendors are added to the managed vendor directory.

4. Risk Assessment

Approved vendors undergo a formal risk assessment using questionnaire templates. Assessments cover multiple domains (security, privacy, compliance, business continuity) with weighted scoring. Vendors can self-serve the questionnaire through a shareable link.

5. Monitoring

Active vendors are continuously monitored for risk signals, document expirations, and compliance drift. The overview dashboard surfaces key metrics including vendors by risk level, expiring documents, and overdue assessments.

6. Offboarding

When a vendor relationship ends, the offboarding process ensures data return or destruction is confirmed, access is revoked, and the vendor record is archived with a full audit trail.

TPRM Dashboard

The vendor overview dashboard provides a real-time snapshot of your third-party risk posture. Key metrics include:
  • Total Vendors — count of all managed vendors with trend indicators
  • Risk Distribution — breakdown of vendors by risk level (critical, high, medium, low)
  • Assessment Coverage — percentage of vendors with completed risk assessments
  • Document Health — expiring and expired compliance documents requiring attention
  • Risk Signals — real-time monitoring alerts from integrated security tools

Use the TPRM dashboard as your daily starting point. It highlights the vendors and documents that need immediate attention, so you can prioritize your review queue effectively.

Vendor Categories

Vendors are organized into categories for filtering and reporting:
| Category                     | Description                              |
|------------------------------|------------------------------------------|
| AI & Machine Learning        | AI/ML platforms and services             |
| Analytics & Monitoring       | Observability and analytics tools        |
| Cloud & Infrastructure       | IaaS, PaaS, and hosting providers        |
| Collaboration & Productivity | Communication and project tools          |
| Customer Support             | Help desk and support platforms          |
| Data Storage                 | Database and storage services            |
| Development Tools            | IDEs, CI/CD, and developer platforms     |
| Identity & Access Management | SSO, MFA, and directory services         |
| IT Management                | ITSM and device management               |
| Payment Processing           | Payment gateways and billing             |
| Privacy & Compliance         | GRC and privacy management tools         |
| Security                     | Security scanning and SIEM tools         |
| HR & People Ops              | HRIS and people management               |
| Other                        | Uncategorized vendors                    |

Risk Levels

Every vendor is assigned a risk level based on their assessment score and intake risk factors:
| Level    | Color  | Meaning                                       |
|----------|--------|-----------------------------------------------|
| Critical | Red    | Highest risk — immediate attention required   |
| High     | Orange | Significant risk — prioritize remediation     |
| Medium   | Yellow | Moderate risk — monitor and review regularly  |
| Low      | Green  | Minimal risk — standard monitoring            |

Vendors classified as Critical or High risk should have a completed risk assessment and up-to-date compliance documents before being approved for production use.
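The scoring and approval rule described above, written out as an added example that is not LowerPlane's own code: the factor weights, thresholds, sample vendors and dates are constructed assumptions, since the page leaves the scoring formula configurable and does not give its values.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed weights and thresholds (assumption: the real formula is set per
# organization in Vendor Scoring and is not given on this page).
FACTOR_WEIGHTS = {
    "handles_pii": 30,
    "production_access": 25,
    "no_soc2_report": 20,
    "subprocessors_outside_eu": 15,
    "sso_unsupported": 10,
}
THRESHOLDS = [("critical", 70), ("high", 45), ("medium", 20), ("low", 0)]  # inclusive floors, highest first
AS_OF = date(2026, 1, 15)  # constructed "today" so the example is deterministic

@dataclass
class Vendor:
    name: str
    factors: dict[str, bool]  # boolean intake risk factors
    assessment_completed: bool = False
    document_expiries: dict[str, date] = field(default_factory=dict)

def risk_score(vendor: Vendor) -> int:
    # Weighted sum of the boolean risk factors that are true.
    return sum(w for f, w in FACTOR_WEIGHTS.items() if vendor.factors.get(f))

def risk_level(score: int) -> str:
    # Map a score onto the page's four levels via the threshold floors.
    for level, floor in THRESHOLDS:
        if score >= floor:
            return level
    return "low"

def production_approval_blockers(vendor: Vendor, today: date) -> list[str]:
    # Page rule: Critical/High vendors need a completed assessment and
    # current compliance documents before production approval.
    if risk_level(risk_score(vendor)) not in ("critical", "high"):
        return []
    blockers = []
    if not vendor.assessment_completed:
        blockers.append("risk assessment not completed")
    for doc, expires in vendor.document_expiries.items():
        if expires < today:
            blockers.append(f"{doc} expired on {expires.isoformat()}")
    return blockers

# Constructed sample vendors.
HIGH_RISK_VENDOR = Vendor("Example Cloud Co", {"handles_pii": True, "production_access": True,
                          "no_soc2_report": True}, document_expiries={"SOC 2 Type II": date(2025, 6, 30)})
LOW_RISK_VENDOR = Vendor("Example Analytics", {"sso_unsupported": True})
```

A low-risk vendor passes the gate even without an assessment, while the high-risk sample is blocked on both the missing assessment and the expired SOC 2 report.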

Integration with Compliance

Vendor management feeds directly into your compliance program:
  • Evidence collection — vendor documents (SOC 2 reports, ISO certificates, pen test reports) serve as evidence for your own framework controls
  • Control mapping — vendor risk assessments map to specific controls across 50+ compliance frameworks
  • GDPR compliance — subprocessor tracking supports Records of Processing Activities (ROPA) and Data Processing Agreements (DPA)
  • Audit readiness — the complete vendor inventory with risk scores and assessment history provides auditors with the documentation they need

Next Steps

Vendor Intake

Set up public intake forms for vendor onboarding requests.

Risk Assessments

Create and manage questionnaire-based vendor assessments.

Vendor Scoring

Configure your organization’s risk scoring formula.

Vendor Settings

Configure discovery, notifications, and approval workflows.