Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Browse vendorsCreate a new vendorEdit a vendorVendor detail page
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

Browse vendors

List, filter and manage all vendors and data processors.

Browse Vendors

The Browse Vendors screen is your organisation's central vendor register — the single place where every third-party supplier, data processor, and sub-processor is listed, tracked, and managed. Whether you are a Data Protection Officer maintaining GDPR Article 28 records, a risk manager monitoring supplier risk scores, an IT security manager checking which vendors touch sensitive systems, or an auditor preparing for a regulatory inspection, this is where you start. The vendor register is also foundational for the rest of DPMS: every record of processing activity (ROPA), asset, risk scenario, and assessment that involves a third party draws its data from the vendors you manage here.

How to open it

In the left-hand navigation sidebar, click Vendors. It is a top-level item — no sub-menu is needed. The platform takes you directly to the vendor list at /vendor.

Access requirements: You need at least one of the following permissions to see any vendor data:

  • Read Vendors — you see all vendor records in the organisation.
  • Read Own Assigned Vendors — you see only the vendor records where you are listed as the responsible person.

If you hold neither permission, the platform shows an "Access Denied" page instead of the list. The Create and Import options in the top-right menu require separate creation and import permissions respectively; users who can read but not create will see the list without those options.

Screenshot

What you see

When you arrive, the entire main content area is taken up by a table-based object browser — the same clean, consistent layout DPMS uses for all its main registers (assets, ROPAs, tasks, and so on).

At the top of the content area you will find a single tab labelled All, which is always active. Below it, a free-text search bar sits above the main vendor table. In the top-right corner you will find the Create button (an animated dropdown icon), and next to it the export buttons — one for Excel (.xlsx) and one for JSON (.json). A small risk standard dropdown also appears near the top of the table; this is easy to overlook but important for risk managers.

The table itself fills the remainder of the screen. Each row represents one vendor, with columns for name, country, classification, type, and a visual risk indicator. A checkbox on the left of every row enables bulk operations.

Working with this screen

Registering a new vendor for the first time

When your organisation signs a contract with a new cloud provider, software vendor, or any other data processor, you need to create a record in DPMS before you can link it to ROPAs, assessments, or risk scenarios.

  • Click the Create button in the top-right corner. A small dropdown opens with two options.
  • Select Create from the dropdown. The platform navigates you to the vendor creation form.
  • Fill in the vendor's details — name, country, type, applicable regulation, classification tags, and any contract duration you want to track. Once saved, the new record appears in the list and becomes available as a reusable reference across the rest of DPMS: you can now link it to ROPAs, assets, assessments, and risk scenarios.
Tip: Before creating a new record, type the vendor's name into the search bar to confirm it does not already exist. Duplicate records can lead to incomplete risk aggregations across the platform.

Finding a specific vendor

If your list has grown long, typing in the search bar is the fastest way to locate a vendor. As you type, the table updates in real time to show only vendors whose name matches your query. The search is not case-sensitive.

The filter state is preserved even if you navigate away and come back. This is intentional and useful: when you open a vendor's detail page from a filtered list, the previous and next navigation arrows in the detail view will cycle through your filtered results — not the entire list. If you later clear the filter, those arrows will reflect the unfiltered list on your next visit.

Once you find the vendor you are looking for, click anywhere on its row to open the full Vendor Detail screen, where you can see and edit all tabs: General, Documents, Criticality, Assets Used, Transfers, Tasks, Assessments, Risk, and Workflows.

Reviewing vendor risk scores by standard

When your organisation uses multiple risk frameworks (for example, a GDPR privacy risk model alongside an ISO 27001 information-security model), the Risk column would otherwise show a blend of scores that is hard to interpret. The risk standard dropdown near the top of the table solves this.

  • Click the dropdown and select the risk standard you want to focus on — for example, your ISO 27001 model.
  • The Risk column immediately updates to show only the scores computed under that standard. Vendors with no link to that standard display a dash.
  • If you spot a vendor with an elevated risk indicator, click its row to go to the detail page, then navigate to the Risk tab to review scenarios, thresholds, and treatment options.
Heads up: A dash in the Risk column does not mean the vendor is low-risk — it means no risk standard has been linked to that vendor yet. Open the vendor's detail page and go to the Risk tab to add one.

Exporting the vendor list for an audit or report

Auditors and DPOs regularly need to provide regulators or clients with a complete list of processors. The export function makes this fast.

  • Make sure the All tab is selected and clear any search filters if you want a complete export of every vendor.
  • Click the XLSX button in the export bar to download an Excel file, or JSON to download a machine-readable version.
  • The file is generated based on your current filter state — if you have an active search, only the matching vendors are included. If specific rows are selected via their checkboxes, only those rows may be exported depending on your platform configuration.

The downloaded file includes the vendor name, country, classification, type, and risk data as shown in the table — ready to attach directly to a regulatory submission or audit pack.

Importing vendors in bulk

After a company acquisition or when migrating from another compliance tool, you may need to add dozens of vendors at once. The import function handles this.

  • First, prepare your import file. The platform expects a .json file that matches its internal vendor schema. The safest way to get the correct format is to export an existing vendor from the platform and use that file as a template.
  • Click the Create button and select Import from the dropdown. A file picker dialog opens.
  • Select your .json file and confirm. The platform processes the file and, once complete, redirects you back to the vendor list where the newly imported vendors appear in the table.
Heads up: The import format is strict. A generic spreadsheet export or a file from a different system will not work unless you have mapped every field to the platform's schema. Attempting to import a badly structured file may produce incomplete records without a clear error message. Always use an exported vendor record as your template.

Deleting or sharing vendor records

If a vendor relationship has ended and the record is no longer relevant, you can remove it without opening the detail page. Hover over the vendor's row to reveal the trailing action icons, then click the delete icon. You can also select multiple vendors using their checkboxes and delete them in bulk.

For organisations with multiple legal entities, the share trailing action lets you publish a vendor record to other entities in your group. Clicking it navigates you to the Group Sharing view for that vendor.

Heads up: Deleting a vendor that is still linked to active ROPAs, assessments, or risk scenarios will affect the completeness of those records. Review linkages on the vendor's detail page before deleting.

Browsing historical data with the time machine

If you need to verify what your vendor register looked like on a specific past date — for example, at the time of a data breach or a previous audit — activate the platform's time machine feature from elsewhere in DPMS. When it is active, this screen shows your vendor list as it existed on the selected date.

You will notice that the Create button disappears entirely. This is correct and intentional: you are browsing a read-only historical snapshot, so creating new records is blocked. Bulk delete actions are also hidden. To restore normal editing, deactivate the time machine from the platform's time machine controls.

Field reference

The vendor list displays the following columns. Their meaning is straightforward, but a few are worth clarifying:

  • Vendor name — The vendor's name in your current interface language. Vendor names are stored in multiple languages; the table shows the version that matches your language setting.
  • Country — The country of the contracting party, displayed in your interface language. This refers to the vendor's registered country, not necessarily where their servers are located.
  • Classification — Custom tags assigned to this vendor by your organisation (for example, "Processor" or "Sub-processor"). These tags are defined in your Compliance Settings and help you group vendors by role or business function.
  • Type — The vendor's category from a fixed platform list (for example, "IT supplier" or "Legal service provider"). A vendor can have more than one type.
  • Risk — A visual indicator of the vendor's current risk level under the selected risk standard. Clicking this cell navigates directly to the risk detail for that vendor. Shows a dash if no risk standard is linked.

How this connects to the rest of DPMS

The vendor register is a foundational register — other modules depend on it. Here is how the connections flow:

  • Records of Processing Activities (ROPAs): Any ROPA that involves data being processed by a third party should reference a vendor record. The vendor's name, country, and classification appear on the ROPA and in regulatory exports. Deleting a vendor here can create gaps in your ROPA documentation.
  • Assets: Assets that are hosted by or managed through third parties can be linked to vendor records. This gives IT security managers a complete view of where each asset sits in the supply chain.
  • Risk scenarios and assessments: Vendor risk scores, linked risk scenarios, and implemented Technical and Organisational Measures (TOMs) are all managed on the vendor's detail page. The risk scores computed there are what appear in the Risk column of this list.
  • Group sharing: In multi-entity organisations, vendor records created here can be published to subsidiary entities using the sharing trailing action. Shared vendors appear in those entities' vendor lists and can be linked to their own ROPAs and assessments.

What to do after this screen:

Once you have created a vendor record here, navigate to its detail page and complete the remaining tabs: add a criticality assessment, link the relevant assets, attach any data transfer records, link applicable risk standards, and assign tasks to your team for any follow-up actions. A vendor record that consists only of a name and country is not sufficient for a well-maintained GDPR processor register.

Tips & common pitfalls

Tip: Use the search bar to filter vendors before exporting. If you need a report on only your "Processor"-classified vendors, type a search or use the filter so the export reflects exactly that subset.
Heads up: The Create button is invisible when the time machine is active. The platform gives no warning on this screen — the button simply does not appear. If you cannot find it, check whether the time machine is switched on.
  • Status-based tabs are not available. Tabs for Active, Draft, Inactive, Review, and Downstream Processors are not active in the current release. If you need to filter by status, use the search or filter bar.
  • The Risk column dash is not a green light. A vendor showing no risk score simply has not had a risk standard linked to it yet. This is a gap in your register, not confirmation of low risk.
  • The "All" standard selection does not always show the worst-case risk. The aggregate score shown when you select "All" in the standard dropdown is determined by your organisation's risk configuration — it may not reflect the highest individual standard score. Switch the dropdown to each standard to compare.
  • The previous/next arrows in the detail view respect your current filter. If you filter to "Cloud" vendors, open one, then clear the filter in another browser tab, the arrows will behave inconsistently when you return. Keep your filter state consistent to avoid confusion.
  • Deleting a vendor is permanent and affects linked records. Always check the vendor's Assessments, Transfers, and ROPA linkages on the detail page before deleting.


Was this article helpful?

English
Powered by Product Fruits