Overview
The vendor settings page provides centralized configuration for your entire TPRM program. Settings are organized into five tabs, each controlling a different aspect of vendor management.
Navigate to Vendors > Settings to access these configuration options.
Settings Tabs
General
Vendor Intake
Risk Scoring
Custom Fields
Approval Workflow
The General tab controls vendor discovery, security review requirements, and notification preferences.
Auto Discovery
Automatically detect new vendor relationships from expenses and integrations.
| Setting | Description | Default |
|---|---|---|
| Enable Auto Discovery | Toggle automatic vendor detection on or off | Enabled |
| Discovery Scan Frequency | How often the system scans for new vendors | Daily |
Available scan frequencies:
- Every Hour — most frequent, best for high-volume environments
- Daily — standard for most organizations
- Weekly — lower frequency for stable vendor ecosystems
Security Reviews
Configure mandatory security assessment requirements for all vendors.
| Setting | Description | Default |
|---|---|---|
| Require Security Reviews | All vendors must undergo periodic security assessments | Enabled |
| Review Frequency | How often vendors must be reassessed | Annually |
Available review frequencies:
- Every 90 Days — quarterly reviews for high-risk environments
- Every 180 Days — semi-annual reviews
- Annually — standard review cadence
Notifications
Control which vendor-related events trigger email notifications.
| Setting | Description | Default |
|---|---|---|
| New Vendor Notifications | Get notified when new vendors are discovered | Enabled |
| Contract Expiry Notifications | Alerts when vendor contracts are approaching expiry | Enabled |
| Expiry Notice Period | Days before expiry to send notification | 60 days |
The Vendor Intake tab configures the public intake form that vendors and employees use to submit onboarding requests.
Toggle the intake form on or off. When disabled, the public URL returns an error page and no new submissions can be created.
Public URL
The system generates a unique tokenized URL for your intake form. Use the Copy button to copy the URL to your clipboard for sharing.
If you regenerate the token, the previous URL is permanently invalidated. Update all references to the intake form URL after regeneration.
Welcome Text
Customize what vendors see when they open the intake form:
| Setting | Description |
|---|---|
| Welcome Title | Heading displayed at the top of the form |
| Welcome Description | Introductory paragraph explaining the form’s purpose |
Approval Settings
| Setting | Description | Default |
|---|---|---|
| Require Approval | Submissions must be reviewed before a vendor is created | Enabled |
Notification Emails
Add email addresses of team members who should be notified when a new intake submission is received. Multiple email addresses are supported.
Add your security team lead and procurement manager to the notification list so both teams are aware of new vendor requests immediately.
The Risk Scoring tab configures the automatic risk scoring formula applied to vendor intake submissions. See Vendor Scoring for a detailed explanation of the scoring model.
Enable Risk Scoring
Toggle automatic risk scoring on or off. When disabled, intake submissions do not receive an automatic risk score.
Factor Weights
Assign numeric weights to each boolean risk factor. The list includes both built-in fields and any boolean custom fields you have defined.
Built-in factors:
- Data Processor
- Data Controller
- Handles PHI
- Handles PCI
- Handles PII
- Handles Confidential
- Handles Financial
- VPN Required
- Access to Sensitive Data
Risk Thresholds
Define the score ranges that map to each risk level:
| Risk Level | Default Lower Bound |
|---|---|
| Low | 0 |
| Medium | 7 |
| High | 16 |
| Critical | 21 |
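An added example (not part of the product or its documentation) that validates a threshold configuration and classifies a score against the default lower bounds in the table above. The additive formula and the sample weights are assumptions made for illustration; the scoring model itself is documented under Vendor Scoring.

```python
# Added example. Thresholds are the defaults listed on this page; the
# weights and the additive formula are assumptions made for illustration.
LEVELS = ["Low", "Medium", "High", "Critical"]
DEFAULT_THRESHOLDS = {"Low": 0, "Medium": 7, "High": 16, "Critical": 21}
SAMPLE_WEIGHTS = {  # constructed values, not product defaults
    "Data Processor": 3, "Data Controller": 3, "Handles PHI": 5,
    "Handles PCI": 5, "Handles PII": 4, "Handles Confidential": 3,
    "Handles Financial": 3, "VPN Required": 2, "Access to Sensitive Data": 4,
}


def validate_thresholds(thresholds):
    """Return a list of problems; an empty list means the bounds are usable."""
    missing = [name for name in LEVELS if name not in thresholds]
    if missing:
        return ["missing level: " + ", ".join(missing)]
    problems = []
    for lower, upper in zip(LEVELS, LEVELS[1:]):
        if thresholds[upper] <= thresholds[lower]:
            problems.append(f"{upper} bound must be greater than {lower} bound")
    return problems


def total_score(answers, weights):
    """Assumed formula: sum the weights of every factor answered True."""
    return sum(w for factor, w in weights.items() if answers.get(factor))


def risk_level(score, thresholds=DEFAULT_THRESHOLDS):
    """Highest level whose lower bound the score meets or exceeds."""
    problems = validate_thresholds(thresholds)
    if problems:
        raise ValueError("; ".join(problems))
    matched = [name for name in LEVELS if score >= thresholds[name]]
    if not matched:
        raise ValueError(f"score {score} is below the Low bound")
    return matched[-1]


def max_reachable_level(weights, thresholds=DEFAULT_THRESHOLDS):
    """Level assigned when every factor is True; shows unreachable tiers."""
    return risk_level(sum(weights.values()), thresholds)


if __name__ == "__main__":
    vendor = {"Handles PHI": True, "Handles PII": True, "VPN Required": False}
    s = total_score(vendor, SAMPLE_WEIGHTS)
    print(s, risk_level(s), max_reachable_level(SAMPLE_WEIGHTS))
```

If `max_reachable_level` returns anything below Critical for your weights, no vendor can ever be classified at the top tier, which usually means the weights or the bounds need revisiting.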
A vendor’s score is compared against these thresholds to determine their risk level. The score must meet or exceed the lower bound to be classified at that level.
The Custom Fields tab allows you to define additional fields that extend the vendor data model and assessment questionnaires.
Vendor Custom Fields
Custom fields added to the vendor entity appear on vendor detail pages, intake forms, and can be used in filtering and reporting.
Assessment Custom Fields
Custom fields added to assessments appear in the risk assessment questionnaire alongside standard questions.
Supported Field Types
| Type | Description |
|---|---|
| Text | Free-form text input |
| Number | Numeric input |
| Boolean | Yes/No toggle |
| Select | Single-selection dropdown |
| Multi-select | Multiple-selection dropdown |
| Date | Date picker |
Managing Custom Fields
Add a Field
Click Add Field and provide a label, field type, and optional description. For select and multi-select fields, define the available options.
Set Required Status
Toggle whether the field is required. Required fields must be filled on intake forms and vendor detail pages.
Activate or Deactivate
Fields can be deactivated without deleting them. Deactivated fields are hidden from forms but their data is preserved.
Boolean custom fields automatically become available as risk scoring factors in the Risk Scoring tab. This makes it easy to incorporate organization-specific criteria into the scoring formula.
The Approval Workflow tab configures how vendor onboarding requests are reviewed and approved.
Approval Requirements
| Setting | Description | Default |
|---|---|---|
| Require Approval | New vendors must be approved before being added to the directory | Enabled |
| Approval Threshold | Minimum contract value that triggers the approval requirement | $1,000 |
| Spend Threshold | Annual spend threshold for vendor classification | $5,000 |
How the Workflow Operates
When approval is required:
- A new intake submission or manually added vendor enters the review queue
- Designated reviewers receive email notifications
- A reviewer examines the submission details, risk score, and supporting documents
- The reviewer approves or rejects the request with notes
- If approved, the vendor record is created in the managed vendor directory
- If rejected, the submitter receives notification with the rejection reason
Set the approval threshold to match your organization’s procurement policy. Vendors below the threshold can be auto-approved to reduce administrative overhead while maintaining oversight for significant relationships.
Saving Settings
Each tab has its own save action. Changes are not automatically saved when switching between tabs. Always click the Save button within the active tab before navigating away.
Unsaved changes are lost when switching tabs. Save your changes within each tab before moving to another one.
Permissions
Vendor settings are typically restricted to users with administrative or GRC manager roles. Check your organization’s role configuration in Settings > Users & Roles to ensure the appropriate team members have access to modify vendor settings.