Table of Contents
Summary
From gathering questionnaires to storing documents and launching reviews - the Vendor Details page is where you work in Whistic.
🗂️ Overview
This is an overview of where and what tools are available.
Let's start with the menu options and a brief summary of the tools available on each.
-
Vendor Information header. On the Overview page, you have an expanded view of the header. As you move to other areas, the header gets condensed. Here are the key fields:
- Vendor name
- Product / Service
- Vendor Status (Active, Inactive, Prospect)
- Assessment Status
- Description
- Criticality
- Inherent / Residual Risk
- Score Summaries - CrowdConfidence, RiskRecon
-
Vendor Actions. Access these options from the triple dot menu, upper right.
-
Edit Overview
- Adjust any of the fields in the header
-
Export Vendor Details
- Export the vendor field values into a spreadsheet
-
Archive Vendor
- Remove the vendor from your records. Learn more here. To unarchive, contact support@whistic.com.
-
Merge Vendor
- Combine two vendor records - learn more here.
-
Edit Overview
-
Assessments
- Named assessment packages to help keep things organized
- Begin assessments by requesting sources (documents, questionnaires, etc) from a vendor.
- Track outstanding requests.
- Begin reviews of available sources.
- Learn more here.
🤖 Vendor Summary (conditional)
- An AI-powered feature that will quickly identify and review a vendor's compliance or non-compliance with various security controls, using all available sources of evidence provided by the vendor.
- This is a CONDITIONAL menu option. It will be available if:
- You have agreed to AI features
-
Smart Search has been Enabled
- Learn more about Vendor Summary here.
- Learn more about Smart Search here.
📁 Document Repository
- A central location for all your vendor's documents
- Documents are added to this repository through:
- Direct upload
- Attaching documents to a questionnaire
- Accepts the following file types:
- pdf, csv, xls, xlsx, doc, docx, zip, and images
- Complete these additional actions here:
- Assess - Create a new assessment based on this document. Learn more here.
- View - View the document in browser.
- Download - Download the document.
- Delete - Remove the document. Note: If the original file location is elsewhere (ie. a Questionnaire), it must first be deleted there.
-
Generate a SOC Summary - Summarize the SOC document. Learn more here.
Bulk Actions
To save time when managing multiple sources in a vendor document repository at once, you can select several items and apply an action to all of them simultaneously:
- Check the box next to each source you want to include, or use the "select all" checkbox to choose every item in the list
- Once selected, a bulk actions toolbar will appear with the following options:
- Download – Save all selected sources to your device at once
- Delete – Remove the selected sources from the review list
Note: If you do not see the delete option this typically means that the source was provided by the vendor directly in the platform or through an assessment request. Only internal upload files can be removed at this time.
⚙️ Assessment Automation
Assessment Automation is designed to streamline recurring vendor assessments. Here are four key things to know: To begin, navigate to the Assessment Automation tab from the Vendor Detail page. This is where all scheduling and automation settings now live.
- You can access Assessment Automation from the Vendor Detail page by selecting the Assessment Automation tab.
- Multiple questionnaires and document types can be sent within a single cadence.
- The system supports auto-versioning, multiple contacts, and multiple cadences per vendor.
- To learn more about how to configure and manage Assessment Automation, read the full article.
🏢 Business Information
-
Sub-menus:
-
Contacts - View, Add, and delete contacts for this vendor. These include:
-
External Contacts:
- Label applied to your contact at the vendor
- To keep contacts current, use the Update Vendor button. Learn more here.
-
Note: Once a contact completes a request, they can't be removed from the list for auditing purposes.
- If you have a typo or made a mistake when adding an external contact and want to delete the contact, do the following:
- Select the pencil icon to Edit the contact.
- Switch the contact to Internal and Save
- Now the X appears to delete the contact
-
External Contacts:
-
Contacts - View, Add, and delete contacts for this vendor. These include:
-
Internal Contacts:
- Individuals working with the vendor within your business.
-
Billing
- Capture all the payment and contract information for this vendor.
💬 Communication
-
Sub-menus
- Follow-Ups - Set reminders for internal vendor contacts. Learn more here.
-
Notes - Internal users can create text-based notes, attached to the vendor record. They can be deleted, but not edited.
-
Enhanced Table Functionality: Notes now support improved table editing capabilities with an expanded workspace. You can:
- Insert and edit tables directly within notes using the full suite of table editing tools
- Work within a larger modal window for easier content creation
- Access all formatting tools with better visibility and layout
- Important: While notes can be deleted, the text content itself cannot be edited after saving. However, you can create new notes with updated information as needed.
-
Enhanced Table Functionality: Notes now support improved table editing capabilities with an expanded workspace. You can:
🔒 Data and System Access
- Track the Data and Systems the vendor can access.
- These are typically captured during the vendor intake process. However, they can be modified after the vendor record is created here.
🚨 Issues
- Create and track Issues associated with this vendor.
-
By default, only open Issues are displayed. Remove the filter to show all associated Issues.
- Learn more here.
⭐ Ratings
- Whistic supports the following continuous monitoring integrations:
-
RiskRecon - Using the following options:
- Included - Access vendor security preview data, supplied by RiskRecon
- Integration - Link your RiskRecon account to Whistic to pull in associated vendor ratings. Learn more here.
-
BitSight
- If you have a BitSight account, it can be linked to Whistic using this integration.
-
Once connected, you can track the associated scores in the vendor record within Whistic.
-
RiskRecon - Using the following options:
🔗 Subprocessors
The Subprocessors tab displays a list of third-party vendors associated with the selected vendor. This includes both manually entered and automatically discovered entries.
- Searchable, sortable table: Easily find and filter subprocessors by name or status.
- Auto-collected data: Whistic pulls public subprocessor lists from vendor websites via Web Sources Automation. This data is refreshed every 30 days.
- Manual additions: Admins can manually add subprocessors to supplement public data. Manually added entries can also be deleted if needed.
- For a current list of Whistic Sub Processors with corporate locations, see here: https://www.whistic.com/sub-processors
📋 Vendor Intake
- Any custom Fields and Sections will show up here.
- To learn more about customizing your Intake form, go here.
- Most fields can be modified after the vendor record is created, by going to this section and selecting Edit.
-
To only show fields required by the intake form (ie. shown through logic or marked required), select the toggle Show Necessary Fields.
🏅 Certifications (conditional)
- Available when Whistic has additional vendor data, such as Audits and/or Certifications that the vendor has achieved.
- Sourced through Whistic web analytics.
❓ FAQ
How do I archive a vendor?
To archive a vendor, navigate to the Vendor Actions menu (triple dot menu in the upper right) and select "Archive Vendor." This will remove the vendor from your active records. To unarchive a vendor, you'll need to contact support@whistic.com.
Why can't I delete an external contact?
Once a contact completes a request, they can't be removed from the list for auditing purposes. However, if you made a mistake when adding the contact, you can edit the contact, switch them to Internal, save, and then delete them using the X that appears.
What file types are supported in the Document Repository?
The Document Repository accepts the following file types: pdf, csv, xls, xlsx, doc, docx, zip, and images. Documents can be added through direct upload or by attaching them to a questionnaire.
How often does the Subprocessors data refresh?
Auto-collected subprocessor data is refreshed every 30 days. Whistic pulls public subprocessor lists from vendor websites via Web Sources Automation. You can also manually add subprocessors to supplement the public data.
When is the Vendor Summary feature available?
The Vendor Summary is a conditional feature that will only be available if you have agreed to AI features and Smart Search has been enabled in your account.
What does 'location' mean as it relates to subprocessors?
The location is in reference to the entity processing location, not necessarily the corporate location.