Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

Vendors

The Vendor Register is where DPOs, compliance officers, and risk managers build and maintain the complete picture of every third-party supplier, processor, and sub-processor that touches your organisation's personal data — from first onboarding through ongoing risk management and GDPR Article 28 compliance.

The Vendor Register is the operational hub for everything your organisation needs to know about its third-party data processors. Whether you are onboarding a new cloud provider before signing a Data Processing Agreement, giving an auditor a consolidated view of all active sub-processors, or following up on outstanding risk assessments, this is where that work happens. Vendors in DPMS are not isolated records — they connect directly to your Record of Processing Activities (ROPA), to asset risk models, to assessments and documents, and to automated review workflows. Keeping this register accurate and up to date ensures that every downstream module has the data it needs to function correctly.

How to open it

Navigate to Vendors in the main left-hand sidebar. It sits in the compliance and data-mapping navigation cluster and is a top-level item, so you do not need to expand any sub-menu to reach it. The index loads at /vendors.

Heads up: You need at least read permission on the Vendor module to see this screen. If you land on a "403 Forbidden" page, ask your administrator to check your role. Users with a restricted "assigned vendors only" permission will see the same screen but only the vendor records assigned to them.

What you see

The index page is a full-width table of all your vendor records. At the top you will find a search bar and, on the right, a Create button. The table shows five columns: Vendor Name (clickable), Country (the contracting party's country), Classification (free-form tags), Type (one or more vendor type labels), and Risk (a visual indicator tied to your configured risk standards). When you hover over a row, quick action icons appear on the right-hand side for editing or deleting that record.

Above the table sits a tab strip with an All tab — this is currently the only active filter tab, and it shows every vendor regardless of status. Export buttons for XLSX and JSON are available so you can pull snapshots of your vendor data for reports or handovers.

When you click through to a vendor, the detail view opens in a structured shell. A collapsible Element Menu on the left lists all the tabs available for that record: General, Documents, Criticality, Assets Used, Transfers, Tasks, Assessments, Risk, and Manual Workflows. The main content area on the right shows the active tab's content. A sticky header bar across the top of the content area always shows the vendor's responsible person(s), current status, and priority — all editable without opening the full edit form.

Working with this screen

Onboarding a new vendor

When a new supplier relationship is about to begin — typically before a DPA is signed — open the index and click Create, then select Create Vendor from the dropdown. This opens the General creation form.

Start with the vendor's Name (this field supports multiple languages if your organisation operates across locales). Add an Email address and Contact Information (street address and city). Use the Country (Contracting Party) dropdown to select where the vendor is legally established. Then choose any Applicable Regulations that govern this relationship (for example, GDPR or a sector-specific law), set the Vendor Type (such as "Processor" or "Sub-Processor"), and add any relevant Classification tags to help with filtering later.

Write a Description that explains what the vendor does and why your organisation uses them. If the vendor has appointed a Data Protection Officer, toggle DPO Contact to Yes and fill in their name, email, and phone. If there is a defined contract end date, switch on Contract Duration and pick the date from the date picker — this is important for triggering timely renewal reviews.

At the bottom of the form, click Save. DPMS creates the vendor record and redirects you straight to its detail view, where you can immediately continue adding documents, linking assessments, or attaching transfers.

Tip: Set the status to Draft while the DPA negotiation is ongoing. Once the agreement is signed, you can flip it to Active in seconds directly from the detail view — no need to open the edit form.

Updating a vendor's status or ownership

One of the most common daily actions on this screen requires no form at all. From any vendor's detail view, look at the sticky header bar at the top of the content area. You will see three controls side by side: a status dropdown, a responsible person selector, and a priority selector.

To mark a vendor as Active after a DPA is signed, simply click the status dropdown and select Active. DPMS saves the change immediately. The same applies to marking a vendor as Under Review when a periodic reassessment is due, or Inactive when a contract ends.

To reassign ownership — for example, when a team member leaves — click the responsible person selector and choose the new owner. Again, DPMS saves instantly without requiring you to navigate to the edit form. Both of these changes are recorded in the audit trail and will appear in the Activity Log.

Reviewing the full detail of a vendor

Once you are inside a vendor record, use the Element Menu on the left to move between the different facets of the record:

  • General — name, contact details, DPO information, description, and contract duration.
  • Documents — attached policies, DPAs, and other files.
  • Criticality — Material Impact, Criticality of Service, and Overall Criticality ratings. These feed directly into asset risk calculations across DPMS.
  • Assets Used — the technical systems or IT assets that this vendor can access.
  • Transfers — downstream processors (sub-processors) that this vendor sends data to. Each transfer can carry a legal basis such as Standard Contractual Clauses.
  • Tasks — open action items linked to this vendor.
  • Assessments — security and data-protection questionnaires sent to or about this vendor.
  • Risk — a full risk evaluation workspace where you can link risk standards, add risk scenarios, document implemented Technical and Organisational Measures (TOMs), and build a Treatment Plan.
  • Manual Workflows — workflow templates that have been triggered for this vendor.

If you prefer more horizontal space — for example, when reviewing a wide risk table — click the small circle icon on the far left edge of the screen to collapse the Element Menu. The menu's open or closed state is remembered across sessions, so it will stay as you leave it the next time you open a vendor record.

To move quickly between multiple vendors during an audit, use the left and right chevron arrows in the breadcrumb bar. These navigate to the previous or next vendor in your current list without returning to the index. If you are on the Risk tab for one vendor, the arrows keep you on the Risk tab as you move to the next — a real time-saver during sequential reviews.

Checking the audit trail

Any time you need to verify who changed a vendor record and when — a common requirement during internal audits or after a data breach investigation — click the clock icon in the top-right area of the content area. This opens the Activity Log drawer, which slides in from the right side of the screen.

The drawer lists every recorded change chronologically: status transitions, responsible person reassignments, field edits, and more. Each entry shows the date, the time, the user who made the change, and what changed. Close the drawer by clicking the close button inside it when you are done.

Reviewing and exporting your vendor portfolio

To get a full picture of your vendor landscape, use the search bar at the top of the index to filter by name or other attributes. For reporting purposes — for example, to send a spreadsheet of all active processors to your external auditor — use the XLSX or JSON export buttons. The export reflects what is currently visible in the table, so search or filter first if you only want a subset.

The Risk column in the table shows each vendor's risk score. If you manage multiple risk standards, use the standard selector in the table header to focus the Risk column on a specific standard (for example, ISO 27001 only). Clicking the risk indicator in a row takes you directly to that vendor's risk sub-tab, so you can investigate without navigating through the menu manually.

Field reference

Name — The vendor's official name. Supports multiple languages. Required — you cannot save a vendor without it.

Email — The vendor's primary contact email. Optional; maximum 255 characters; must be a valid email format.

Contact Information — Street address and city of the vendor's contracting entity.

Country (Contracting Party) — The country where the vendor is legally established. Single-select from a country dropdown.

Applicable Regulations — The laws or regulations that govern this vendor relationship (e.g., GDPR, CCPA). Multi-select searchable list.

Vendor Type — The role the vendor plays (e.g., Processor, Sub-Processor, Joint Controller). Multi-select from a fixed list.

Classification — Free-form tags for grouping or filtering vendors (e.g., "Critical", "Cloud", "Healthcare"). Multi-select.

Description — A rich-text narrative of what the vendor does. Supports multiple languages and AI-assisted drafting. On the detail view, you can edit this field inline by clicking directly on the text — no need to open the full edit form.

Reason for Sharing — Rich text explaining why this vendor record is shared with other organisations in DPMS (relevant for multi-entity setups).

Representatives — A table of country + address pairs, used when the vendor has local representatives in multiple jurisdictions. Add rows by selecting a country; remove rows with the ✕ button.

DPO Contact — Toggle Yes/No. When set to Yes, three additional fields appear: DPO Name, DPO Email, and DPO Phone.

Contract Duration — Toggle on to activate a date picker for the contract end date. Toggle off to record "no expiry".

Material Impact — How serious the consequences would be if this vendor failed or breached. Single-select: Low / Medium / High.

Criticality of Service — How essential this vendor's service is to your operations. Single-select: Low / Medium / High.

Overall Criticality — A composite criticality rating. Single-select: Low / Medium / High.

How this connects to the rest of DPMS

The Vendor Register sits at the centre of several connected modules. Here is what depends on it:

  • ROPA — Your Record of Processing Activities lists vendors as processors under Article 30. If a vendor is not in the register, it cannot appear in your ROPA's processors list.
  • Asset risk models — The Criticality fields you set here (Material Impact, Criticality of Service, Overall Criticality) feed directly into risk calculations on the assets that vendor can access.
  • Downstream processor transfers — Transfer relationships and their legal bases, configured on the Transfers tab, are required for complete Article 30(2) compliance records.
  • Risk treatment plans — The Risk tab accumulates scenarios, TOMs, and treatment plans that roll up into your organisation's overall risk posture reporting.
  • Automated workflows — Workflow templates for vendor review (e.g., periodic re-assessment reminders) can only be triggered once the vendor exists in the register.
  • Assessments — Security and privacy questionnaires linked on the Assessments tab generate their own records in the Assessments module, but they always reference back to this vendor.

After finishing a new vendor record, your typical next steps are: attach the signed DPA on the Documents tab, link the relevant IT assets on the Assets Used tab, add any sub-processors on the Transfers tab, and send or link an assessment questionnaire on the Assessments tab.

Tips & common pitfalls

Heads up: The status filter tabs (Active, Draft, Inactive, Review, Downstream Processors) are visible in the interface but not yet active in the current release. Only the All tab works. To filter by status, use the search bar instead.
Heads up: If you cannot click Create, Edit, or Save anywhere in the Vendor module, check whether Time Machine is active (look for the indicator in the application header). Time Machine puts the entire module into read-only mode — no changes can be saved while it is on.
  • Inline editing is description-only. The Description field on the General tab can be edited by clicking directly on it. All other fields — Country, Type, Classification, etc. — require opening the full edit form via the Edit button.
  • The Risk sub-menus only appear after linking a standard. The Risk tab will load, but the detailed sub-tabs (Threshold, Scenarios, TOMs, Treatment Plan, etc.) only become visible after you have linked at least one risk standard to the vendor. Until then, the risk column in the index shows "—".
  • The sidebar state is global, not per-vendor. Collapsing the Element Menu on one vendor collapses it for all vendor records until you expand it again. This is intentional — it respects your workspace preference — but it can be surprising if a colleague works on the same workstation.
  • Responsible person and status changes have their own audit entries. These inline updates are not just saved as generic field edits — they are recorded as distinct event types in the Activity Log. This makes it straightforward to produce a chronological history of ownership changes for audits.
  • Import accepts JSON only. The Import option under the Create button only processes .json files exported from DPMS itself. It will not accept Excel sheets or CSV files.


Was this article helpful?

English
Powered by Product Fruits