Vendor register

Vendor risk management in Nuxari: key fields, risk ratings, DPA tracking, subprocessor oversight, and how overdue vendor reviews block compliance readiness.

Last updated: June 2026

Vendor risk management

Third-party vendors — especially those who process your data or provide critical services — are a significant source of information security risk. SOC 2 (CC9.2) and ISO 27001 (A.5.19–A.5.22) both require demonstrated vendor risk management: identifying vendors, assessing their risk, reviewing their security posture periodically, and maintaining appropriate contractual protections.

The vendor register in Nuxari is the central place to track all third-party relationships. It links to compliance controls and surfaces overdue reviews that could block your readiness.

Key vendor fields

Vendor name and description

Who the vendor is and what service they provide to your organization.

Data access level

Whether the vendor processes personal data, sensitive data, or has no data access. Drives the required diligence level.

Risk rating

The assessed risk level for this vendor relationship (low, medium, high, critical) based on data access and service criticality.

DPA status

Whether a Data Processing Agreement is signed, pending, not required, or overdue. Required for vendors that handle personal data.

SOC 2 or ISO 27001 report

Whether the vendor has provided a current SOC 2 report or ISO 27001 certificate, and when it expires.

Last security review date

When the vendor last underwent a security review as part of your vendor management program.

Next review date

When the next scheduled security review is due. Overdue reviews trigger a blocked state on related controls.

Review owner

The person in your organization responsible for managing this vendor relationship and conducting reviews.

How overdue vendor reviews block compliance

Vendor Management controls require that vendor reviews be completed on schedule. When a vendor's next review date passes without a completed review, the related controls enter a blocked state. Complete the overdue review and update the review status in the vendor record to unblock them.

Vendors with a high or critical risk rating and no current DPA will block compliance readiness for controls that require contractual data protection. Ensure DPA status is kept current.
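The two blocking rules above, worked through as an added example that is not Nuxari's own code: a small checker over a constructed vendor register that reports which vendors block readiness and why. It assumes the field values shown in the comments and, as a stated assumption, accepts a DPA status of "not required" only for vendors with no data access.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    name: str
    data_access: str        # "none", "personal" or "sensitive"
    risk_rating: str        # "low", "medium", "high" or "critical"
    dpa_status: str         # "signed", "pending", "not_required" or "overdue"
    next_review: Optional[date]

def dpa_is_current(v: Vendor) -> bool:
    """A DPA counts as current only when signed. Assumption (not from the page):
    'not_required' is accepted only for vendors with no data access at all."""
    if v.dpa_status == "signed":
        return True
    return v.dpa_status == "not_required" and v.data_access == "none"

def readiness_findings(v: Vendor, today: date) -> list[str]:
    """Return the reasons this vendor blocks readiness (empty list = clear)."""
    findings = []
    # Overdue review: the next review date has passed without a completed review
    if v.next_review is not None and v.next_review < today:
        findings.append(f"review overdue since {v.next_review.isoformat()}")
    # High/critical vendors without a current DPA block contractual controls
    if v.risk_rating in ("high", "critical") and not dpa_is_current(v):
        findings.append(f"no current DPA (status: {v.dpa_status})")
    return findings

def blocked_vendors(register: list[Vendor], today: date) -> dict[str, list[str]]:
    """Map vendor name -> findings, for every vendor that blocks readiness."""
    result = {}
    for v in register:
        findings = readiness_findings(v, today)
        if findings:
            result[v.name] = findings
    return result

# Constructed sample register; names and dates are made up for illustration.
AS_OF = date(2026, 6, 1)
SAMPLE_REGISTER = [
    Vendor("Cloud host", "sensitive", "critical", "signed", date(2026, 9, 1)),
    Vendor("Payroll SaaS", "personal", "high", "pending", date(2026, 3, 15)),
    Vendor("Office supplies", "none", "low", "not_required", date(2025, 12, 1)),
    Vendor("Analytics", "personal", "high", "not_required", date(2027, 1, 1)),
]

if __name__ == "__main__":
    for name, reasons in blocked_vendors(SAMPLE_REGISTER, AS_OF).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against an export of your own register, the output is the list of vendor records to update before the related controls unblock.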

Subprocessor tracking

If your organization is itself a service provider that processes customer data, you are required to maintain a record of subprocessors — the vendors who handle that customer data on your behalf. The vendor register supports subprocessor tracking with a dedicated flag and data classification fields. This list may need to be disclosed to your own customers as part of your DPA obligations.

Vendor review cadence

High and critical risk vendors should be reviewed at least annually and whenever there is a material change in the relationship (new data sharing, service expansion, ownership change). Low risk vendors may be reviewed on a longer cycle. Your Vendor Management Policy defines the required review frequency for each risk tier.
