Overview

The vendor intake system provides a structured way to collect information from new vendors before they are approved for use within your organization. Administrators configure a public form, share the link with vendors or employees, and review submissions through an approval workflow.
The intake form is a public page that does not require authentication. Vendors access it through a unique tokenized URL, making it easy to collect information from external parties.

How It Works

1

Configure the Form

Navigate to Vendors > Settings > Vendor Intake to enable the intake form. Customize the welcome title, description, and add custom fields specific to your organization’s requirements.
2

Share the Link

Copy the generated public URL from the settings page. Share this link with vendors, include it in your procurement process, or distribute it internally to employees who want to request a new vendor.
3

Vendor Fills the Form

The vendor or employee fills in company details, data handling practices, and any custom fields. They can also upload supporting documents (contracts, certifications, policies) directly through the form.
4

Review Submission

Submissions appear in the Vendor Intake Submissions queue. Reviewers can inspect all submitted data, check the auto-calculated risk score, and approve or reject the request.
5

Vendor Created on Approval

When a submission is approved, a new vendor record is automatically created in your managed vendors directory with all the submitted information pre-populated.

Submission Types

The intake form supports two types of submissions:
External submissions come from the vendor themselves. A vendor representative fills in their company details, compliance posture, and data handling practices. This is the most common use case for the public intake form.External submissions include:
  • Company name, website, and category
  • Primary contact details (name, email, phone)
  • Data handling declarations (PII, PHI, PCI, confidential, financial)
  • Supporting documents
  • Custom field responses

Submission Statuses

Each intake submission moves through a defined workflow:
StatusDescription
SubmittedThe form has been completed and is awaiting review
Under ReviewA reviewer has opened the submission and is evaluating it
ApprovedThe submission is accepted and a vendor record has been created
RejectedThe submission is declined with review notes explaining why

Form Fields

Standard Fields

Every intake form collects these standard fields:
FieldRequiredDescription
Vendor NameYesLegal or trade name of the vendor
CategoryYesBusiness category (Cloud, Security, HR, etc.)
DescriptionNoBrief description of the vendor’s services
WebsiteNoVendor’s primary website URL
Primary Contact NameNoName of the vendor’s primary contact
Primary Contact EmailNoEmail address for the primary contact
Primary Contact PhoneNoPhone number for the primary contact
RTONoRecovery Time Objective
Business Impact CostNoEstimated cost of vendor downtime
Contract ValueNoAnnual contract value

Data Handling Declarations

The form includes boolean toggles for data handling categories that feed directly into risk scoring:
  • Data Processor — processes data on your behalf
  • Data Controller — controls how data is used
  • Handles PHI — Protected Health Information (HIPAA)
  • Handles PCI — Payment Card Data (PCI-DSS)
  • Handles PII — Personally Identifiable Information
  • Handles Confidential — confidential or sensitive data
  • Handles Financial — financial records
  • VPN Required — requires VPN connection for access

Custom Fields

Administrators can define additional custom fields in Vendor Settings > Custom Fields. Custom fields support multiple types:
  • Text — free-form text input
  • Number — numeric input
  • Boolean — yes/no toggle
  • Select — dropdown with predefined options
  • Multi-select — multiple selection from predefined options
  • Date — date picker
Boolean custom fields can be included in the risk scoring formula. Add a custom boolean field like “Has SOC 2 Report” and assign it a negative weight to reduce the risk score for vendors that have one.

Document Uploads

Vendors can upload documents directly through the intake form. Supported document types include:
  • Contracts and service agreements
  • SOC 2 reports and ISO certifications
  • Pen testing reports
  • Insurance certificates
  • Data Processing Agreements (DPA)
  • NDAs
  • Policies and other compliance documents
Documents uploaded during intake are automatically attached to the vendor record when the submission is approved.

Risk Scoring on Submission

When risk scoring is enabled in Vendor Settings > Risk Scoring, each intake submission receives an automatic risk score based on the data handling declarations and custom boolean fields. The score and corresponding risk level (critical, high, medium, or low) are displayed to reviewers alongside the submission details. See Vendor Scoring for details on configuring the scoring formula.

Notifications

Configure notification recipients in Vendor Settings > Vendor Intake. When a new submission arrives, notification emails are sent to all configured addresses, ensuring timely review.
If no notification emails are configured, new submissions will only appear in the intake queue. Make sure at least one reviewer email is set up to avoid submissions going unnoticed.

Managing the Intake Form URL

The intake form URL contains a unique token for your organization. You can:
  • Copy the URL — click the copy button in settings to share the link
  • Regenerate the token — create a new URL and invalidate the old one (useful if the link was shared with the wrong audience)
Regenerating the token permanently invalidates the previous URL. Any bookmarks or links using the old token will show an error page.