Vendor Detail Page
The Vendor Detail page is the single authoritative hub for everything DPMS knows about one external vendor relationship. Whether you are a DPO checking a contract's validity before an audit, a risk manager reviewing treatment plans, a compliance officer confirming applicable regulations, or an IT admin tracing which systems a vendor can access — this is the page you come to. It replaces the need to juggle separate spreadsheets or look across multiple screens: documents, assessments, criticality ratings, linked assets, data transfers, risk scenarios, and workflow history are all reachable from one place without leaving the vendor record.
How to open it
From the main sidebar, click Vendors to open the Vendors list. Click any row in the table to open that vendor's detail page. You can also arrive here by clicking a vendor's name inside a linked-objects table on another record — for example, from a ROPA's linked vendors section, from an assessment's linked vendors list, or from the Transfers tab of another vendor's detail page.
Permissions needed:
- You need at least one of the following to view the page: a general vendor read permission, or a "read only my assigned vendors" permission that limits visibility to vendors where you are the responsible person.
- To see edit buttons as active (not grayed out), you need a vendor edit permission (either organization-wide or limited to your assigned vendors).
- To trigger compliance workflows on a vendor, you need the "assign workflow" permission. Without it, the Trigger Workflow area shows an access-denied message.
If you have neither read permission, the page shows a blank error screen rather than any vendor data.
What you see
The page uses the standard DPMS detail shell that you will recognize from other record types such as assets and ROPAs. A collapsible tab menu runs down the left side, listing all available sections for this vendor. You can collapse this menu with the small blue toggle icon in the top-left corner if you need more horizontal space; DPMS remembers your preference across page refreshes.
Across the top of the content area sit breadcrumbs showing your path: a link back to the Vendors list, then the vendor's name, then the currently active section. Flanking the vendor's name in the breadcrumbs are left and right arrow buttons — clicking them steps you to the previous or next vendor in whatever filtered list you were browsing, so you can review multiple vendors in sequence without returning to the index page.
Immediately below the breadcrumbs is a sticky header panel that stays visible as you scroll. It shows the vendor's status badge, the responsible person or persons assigned to the record, any linked workflow state, and the last-reviewed date. In the top-right corner are two icon buttons: a clock icon that opens the activity log (change history), and a three-dot menu with options such as sharing and requesting a change.
The main content area changes completely depending on which section tab you select.
Working with this screen
Reviewing a vendor's core information
When you first open a vendor's detail page, the General tab is active by default. This is the best starting point for a quick compliance check. The card shows the vendor's name, contact email, address, country of the contracting party, applicable regulations (for example, GDPR or CCPA), vendor type (Processor, Controller, etc.), classification tags, and contract duration.
One field you can edit directly on this page without navigating away is the Description. If the description is missing or out of date and you have edit permission, click anywhere in the description area. An in-place editor appears with a Save button. Type your update and click Save — the change is applied immediately and you stay on the detail page. All other fields on the General card require clicking the pencil (edit) icon in the card's top-right corner, which takes you to the vendor's edit form.
To check criticality ratings, click the Criticality tab in the left menu. You will see three values: Material Impact (how severely the organization would be harmed if this vendor fails), Criticality of Service (how operationally dependent you are on this vendor), and Overall Criticality — each rated Low, Medium, or High. These scores feed into organization-wide risk dashboards, so it is worth confirming they are accurate. The pencil icon on the Criticality card takes you to the edit form to update them.
Changing a vendor's status or responsible person
The sticky header at the top of the page lets you update two important fields without going to the edit form.
To change the status, click the coloured status badge (for example, Draft, Active, or Review). A list of available statuses appears. Click the one you want. The badge updates on screen immediately, and the change is saved to the server in the background. If the server rejects the change for any reason, the badge reverts and a notification appears at the bottom of the screen.
To change the responsible person, click the responsible person selector in the sticky header. You can add or remove users here. Keeping this field up to date matters because the responsible person receives workflow notifications and is shown as accountable on audit reports.
Checking documents, tasks, and assessments
Click Documents in the left menu to see all policies and procedure documents attached to this vendor. Each row is clickable and takes you to that document's own detail page. Use this tab before an audit to confirm the correct data processing agreements or privacy notices are in place.
Click Tasks to see open compliance tasks linked to this vendor relationship. Click any task row to open it directly.
Click Assessments to see both IT security assessments and data protection assessments linked to this vendor. Each row is clickable and takes you to the full assessment record. This is the tab to check if you need to confirm that a required assessment has been completed within the last twelve months. Occasionally, when you open this tab, a modal may appear asking whether you want to load questionnaire data — this happens when the system has detected that a Priverion questionnaire result is available for this vendor. Clicking Yes applies the questionnaire's answers to the vendor's risk scores; clicking No dismisses the modal without making changes.
Investigating the data transfer chain
Click the Transfers tab to see the list of downstream processors or sub-processors — vendors to whom this vendor forwards personal data. Each row shows the downstream vendor's name, country, legal basis for the transfer, classification, type, and a colour-coded risk indicator.
This tab is particularly useful when preparing a cross-border transfer impact assessment. Click any row to open that downstream vendor's own detail page, where you can inspect its legal basis, assessments, and risk posture. Use your browser's back button or the breadcrumb link to return.
If a transfer's legal basis has not been set, the Legal Basis column shows a dash. Transfers that originated from a shared (partner) organization are visible here but cannot be edited — they are owned by the source organization.
Reviewing linked IT assets
Click the Assets tab to see which of your organization's IT assets this vendor is connected to. The table lists each linked asset with its key attributes. Clicking an asset row takes you to that asset's detail page, where you can check the asset's classification, ownership, and risk status. This tab is the go-to view during an annual third-party risk review when you need to document vendor access to internal systems.
Working with the vendor's risk posture
Click the Risk tab to open the risk management area. This section is only meaningful once at least one risk standard has been linked to the vendor. If you see empty sub-tabs, go to the Standards area within the Risk tab and confirm a standard is associated.
Once a standard is linked, use the standard selector at the top of the risk sub-navigation to choose which framework you want to view (for example, ISO 27001 or a custom GDPR risk model). The sub-tabs then show data for that standard:
- Threshold — the risk threshold configured for this vendor. Click the edit icon to change it via the edit form.
- Scenarios — the list of risk scenarios linked to this vendor. Click a scenario to drill into its detail.
- Implemented TOMs — the technical and organizational measures applied to each scenario. If you see a scenario with no controls, use the edit icon to navigate to the edit form and link the appropriate TOMs. The Implement all relevant TOMs button, if available, applies all relevant measures in one action.
- Current Risk — the calculated risk value for this vendor under the selected standard.
- Treatment Options, Treatment Plan, and Treatment Status — the full risk treatment lifecycle for this vendor.
Heads up: If edit buttons in the Risk area are disabled even though you have edit permission, the risk recalculation job may be running in the background. Wait a moment and refresh the page — the buttons will re-enable once the job completes.
Checking and triggering workflows
Click the Workflows tab to see all compliance workflows (reviews, approvals) that have been run or are currently active for this vendor. Two sub-tabs are available:
- Required Action shows the workflow step that currently requires your action — for example, an approval you need to give or a review step awaiting your response.
- Overview shows the full workflow history table for this vendor.
To trigger a new workflow, you need the workflow assignment permission. If you have it, an Add workflow or Trigger workflow button appears when Time Machine is not active.
Using the activity log and options menu
Click the clock icon in the top-right corner to open the change history drawer. It slides in from the right and lists every edit made to this vendor record — who made the change, when, and what changed. This is invaluable when you need to demonstrate due diligence during an audit or investigate an unexpected data change.
Click the three-dot (ellipsis) menu in the top-right corner to access additional options:
- Sharing — share this vendor record with a partner organization (requires the publish/share permission and must be enabled in your IT settings).
- Request Change — initiate a formal change request for this vendor.
Heads up: Both the clock icon and the three-dot menu are hidden when Time Machine is active or when the vendor is in a consulted (shared, read-only) state.
Navigating between vendors without going back to the list
When you are working through a batch of vendors — for example, during a periodic vendor review — use the left and right arrow buttons in the breadcrumbs to step through the list one record at a time. The arrows are grayed out when you have reached the first or last vendor in the filtered list.
Field reference
General tab fields:
- Name — The vendor's display name, shown in your organization's default language.
- Email — The vendor's primary contact email address. Shows a dash if not entered.
- Contact Information — Street address and city, shown as two separate lines.
- Country of Contracting Party — The country where the vendor is legally established, translated to your UI language.
- Applicable Regulations — The regulatory frameworks governing this relationship (for example, GDPR, CCPA). Set in the edit form.
- Type — Whether the vendor acts as a Processor, Controller, or another role. Multiple values are shown as a comma-separated list.
- Classification — Tags from your organization's classification vocabulary.
- Description of Vendor — A rich-text description. This is the only field editable inline on the detail page (click directly on the text to edit).
- Reason for Sharing — Rich-text explanation of why personal data is shared with this vendor. Read-only on the detail page; use the full edit form to change it.
- Representatives — Contact addresses and countries for each representative.
- DPO Contact — Whether the vendor has a designated DPO. If Yes, the DPO's name, email, and phone number are also shown.
- Contract Duration — The contract end date, or "No expiry" if no date has been set.
Criticality tab fields:
- Material Impact — Low / Medium / High. How severely the organization would be affected if this vendor relationship ended unexpectedly.
- Criticality of Service — Low / Medium / High. How dependent the organization's operations are on this vendor.
- Overall Criticality — Low / Medium / High. The combined assessment. Defaults to Medium for new vendors.
How this connects to the rest of DPMS
The Vendor Detail page sits at the centre of the vendor compliance workflow. Changes you make here — updating status, linking assessments, implementing TOMs — flow outward to other parts of the system:
- Risk dashboards pull the current risk data visible on the Risk sub-tabs. The vendor must have at least one standard linked for risk data to appear there.
- ROPA records link to vendors; if you update a vendor's details here, those changes are reflected wherever the vendor appears in a ROPA.
- Workflows initiated on the Workflows tab appear in the responsible person's task queue and in organization-wide workflow reports.
- Transfer compliance depends on the Transfers tab being accurate and each transfer having a legal basis set. Regulators may request evidence of this during audits.
After finishing your review on the Vendor Detail page, typical next steps include:
- Updating the vendor's status (for example, from Review to Active) if a periodic review is complete.
- Navigating to linked assessments to confirm they are current.
- Going to the edit form (via the pencil icon on any card) to update fields that cannot be changed inline.
- Triggering a workflow if a formal approval or review process is required.
Tips & common pitfalls
Tip: Use the left/right arrow buttons in the breadcrumbs to step through a batch of vendors efficiently — you don't have to go back to the list each time.
Heads up: If all edit buttons are grayed out, check two things: (1) look at the top bar for a Time Machine indicator — if Time Machine is active, all write controls are disabled by design so you can safely browse historical data. (2) Hover over a grayed-out button — the tooltip will tell you exactly which permission is missing. Contact your system administrator to request the appropriate role.
- Empty Risk sub-tabs almost always mean no risk standard has been linked to the vendor yet. Go to the Risk tab, open the Standards area, and associate at least one standard before attempting to view scenarios or treatment plans.
- Inline description save appears to do nothing: Confirm you have edit permission (the inline editor should not appear without it, but if it does and Save fails silently, check your network connection). Another cause is a concurrent edit by another user — refreshing the page loads the latest saved version.
- The Transfers tab is empty even though transfers exist: Check that each transfer has been fully configured with a legal basis. Transfers imported from a shared partner organization are listed but cannot be edited on this page.
- The Activity Log clock icon is missing: This icon is hidden when the vendor record is in a shared/consulted state (owned by a partner organization) or when your account lacks vendor read permission.
- After changing the status, it briefly shows the old value: This is expected — DPMS updates the badge immediately on screen and confirms with the server in the background (optimistic update). If the server rejects the change, the badge reverts automatically within a second or two.