Compyl
Solution · Vendor Risk Management

A vendor isn’t a questionnaire you file and forget; it’s a live risk you onboard, score, and monitor.

Most teams assess a vendor once at onboarding, then lose track until something breaks. Compyl makes every third party a connected object, onboarded with automated due diligence, assessed with SIG and custom questionnaires, scored for risk, and tied to the contracts, assets, and controls it touches, then monitored continuously so hidden vendor risk surfaces early.

One inventory
125+ integrations
Continuous monitoring
Sample vendor record (product screenshot): Okta · Critical · Identity vendor · United States · Access ends Dec 31, 2029
  Risk assessment: SIG Lite · Complete · Score 72 / 100 · Medium tier · Reassess in 60 days
  Criticality: Critical · Data access: Personal data, our systems · Questionnaire: Complete
  Linked contracts: Okta ESA (1) · Linked risks: 2
Vendor monitoring alert: Okta · SOC 2 attestation expired · Posture change detected · ✓ Reassessment task auto-created
Vendor portfolio: 86 third parties tracked · 12 critical · 9 high-risk · 65 low
What is Compyl vendor risk management?

Compyl vendor risk management, also called third-party risk management (TPRM), runs the entire vendor lifecycle in one platform. Every third party is a connected object: onboarded with automated due diligence, assessed with SIG, SIG Lite, or custom questionnaires, scored for risk and criticality, and tied to the contracts, assets, and controls it touches. Compyl then monitors each vendor continuously with scheduled reassessments and posture alerts, so hidden vendor risk surfaces early and every decision is backed by evidence instead of a one-time spreadsheet.

The problem

Onboard a vendor once, and the risk quietly drifts out of view

When vendor risk lives in spreadsheets and one-time questionnaires, you can’t see who’s high-risk, what they touch, or when their posture slips.

Assessed once, never again

A vendor is vetted at onboarding and then forgotten, so an expired SOC 2 or a new breach goes unnoticed for months.

Risk cut off from the relationship

The questionnaire sits in one place; the contracts, data access, and controls sit elsewhere, so no one sees the full exposure a vendor carries.

Manual intake slows everyone down

Chasing security docs by email before a contract signs is slow and inconsistent, and high-risk vendors slip through the gate.

How it works

From a one-time questionnaire to a monitored vendor lifecycle

Compyl turns vendor risk into a continuous lifecycle: every vendor is centralized, onboarded, assessed, connected, and monitored automatically.

01

Centralize

Bring every vendor into one connected inventory.

02

Onboard

Automate intake and due diligence before a contract is signed.

03

Assess & score

Run SIG or custom assessments and score each vendor’s risk.

04

Connect

Link each vendor to its contracts, assets, and controls.

05

Monitor

Reassess on a cadence and remediate emerging vendor risk.

Centralized vendor inventory

One inventory, every vendor in full context

Scattered vendor records make risk impossible to see. Compyl centralizes every third party in one inventory, each connected to the contracts, assets, assessments, and controls it touches, so a vendor’s risk shows up in context, not in a spreadsheet.

  • One inventory of every vendor, with criticality and risk tier
  • Each vendor connected to its contracts, assets & controls
  • See data access: who holds your data or reaches your systems
  • High-risk vendors surface the moment posture changes
Vendor Inventory · 86 vendors

  VENDOR            CRITICALITY   RISK     CONTRACTS
  Okta              Critical      Medium   1
  AWS               Critical      High     2
  Microsoft         Critical      Low      1
  Google Cloud      Critical      Medium   1
  DataBroker Inc    Not crit.     High     0

Every vendor connected to its contracts, assets & controls
Onboarding & assessment

Due diligence before the contract, not after

Compyl automates vendor intake and runs SIG, SIG Lite, or custom assessments, scoring each vendor’s security posture before you sign, so high-risk vendors are caught at the gate, with an approval decision backed by evidence.

  • Automated intake forms and approval workflows
  • SIG, SIG Lite & custom questionnaires by vendor category
  • Standard scoring models flag high-risk vendors
  • Assessments fire on onboarding, renewal, or alert
Vendor Assessment · Okta · SIG Lite · 72 / 100 · Medium tier

  DOMAIN SCORES
  Security      68
  Privacy       74
  Compliance    80
  Resilience    66

  ONBOARDING DECISION: Approved · Conditional approval · Declined

Assessed and scored before signing · remediate 2 findings to clear
Continuous monitoring

Vendor risk doesn’t end at onboarding

Compyl schedules reassessments on a cadence, watches for posture changes and expiring attestations, and turns newly identified risk into tracked remediation, so you stay ahead of third-party threats across the whole relationship.

  • Scheduled reassessments on a regular cadence
  • Alerts when a vendor’s posture or attestation changes
  • New risks become tracked remediation tasks
  • Contracts, assessments, and vendors linked end to end
Continuous Monitoring · ● live

  REASSESSMENT CADENCE
  Microsoft   120d
  Okta        60d
  AWS         Overdue!

  Alert: AWS · SOC 2 attestation expired · Posture change detected on reassessment · Flagged
  Reassessment task #VR-214 created · Assigned to vendor owner · due in 7 days

Posture changes & expiring attestations become tracked tasks automatically
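The monitoring loop described above (score a vendor into a tier, reassess on a tier-based cadence, and turn an expired or soon-to-expire attestation into a tracked task) can be sketched in a few dozen lines. The following is an added illustration, not Compyl’s code or data model: the score bands, the cadence table, the 30-day expiry warning window, and the sample vendors are all constructed for the example, with cadences chosen to match the 60-day (medium tier) and 120-day (low tier) figures shown in the screenshots.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Reassessment interval by risk tier (constructed assumption; the screenshots
# show 60 days for a medium-tier vendor and 120 days for a low-tier one).
CADENCE_DAYS = {"high": 30, "medium": 60, "low": 120}


def risk_tier(score: int) -> str:
    """Map a 0-100 assessment score to a risk tier (bands are an assumption)."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score >= 85:
        return "low"
    if score >= 60:
        return "medium"
    return "high"


@dataclass
class Vendor:
    name: str
    criticality: str                  # "critical" or "not critical"
    score: int                        # latest assessment score, 0-100
    last_assessed: date
    attestations: dict = field(default_factory=dict)  # e.g. {"SOC 2": expiry date}
    contracts: list = field(default_factory=list)     # linked contract names

    @property
    def tier(self) -> str:
        return risk_tier(self.score)

    def next_reassessment(self) -> date:
        """Cadence is driven by the current tier, so a worse score shortens it."""
        return self.last_assessed + timedelta(days=CADENCE_DAYS[self.tier])


@dataclass(frozen=True)
class Finding:
    vendor: str
    kind: str      # reassessment_overdue | attestation_expired | attestation_expiring
    detail: str


def monitor(vendors, today: date, warn_days: int = 30):
    """Run the continuous-monitoring checks; each finding is a candidate task."""
    findings = []
    for v in vendors:
        due = v.next_reassessment()
        if today > due:
            findings.append(Finding(v.name, "reassessment_overdue",
                                    f"due {due.isoformat()}, {(today - due).days} days overdue"))
        for name, expiry in v.attestations.items():
            if expiry < today:
                findings.append(Finding(v.name, "attestation_expired",
                                        f"{name} expired {expiry.isoformat()}"))
            elif expiry <= today + timedelta(days=warn_days):
                findings.append(Finding(v.name, "attestation_expiring",
                                        f"{name} expires {expiry.isoformat()}"))
    return findings


def portfolio_summary(vendors):
    """Roll-up counts of the kind shown on the portfolio card."""
    return {
        "total": len(vendors),
        "critical": sum(v.criticality == "critical" for v in vendors),
        "high_risk": sum(v.tier == "high" for v in vendors),
        "low": sum(v.tier == "low" for v in vendors),
    }


# Constructed sample inventory (names only echo the screenshots; all dates,
# scores and contracts are made up for the example).
TODAY = date(2025, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Okta", "critical", 72, date(2025, 6, 1), {"SOC 2": date(2026, 3, 1)}, ["Okta ESA"]),
    Vendor("AWS", "critical", 55, date(2025, 3, 1), {"SOC 2": date(2025, 5, 15)}, ["AWS ESA", "AWS DPA"]),
    Vendor("Microsoft", "critical", 90, date(2025, 5, 1), {"SOC 2": date(2025, 6, 20)}, ["MS EA"]),
    Vendor("DataBroker Inc", "not critical", 40, date(2025, 5, 25)),
]

if __name__ == "__main__":
    for f in monitor(SAMPLE_VENDORS, TODAY):
        print(f"{f.vendor:15} {f.kind:22} {f.detail}")
    print(portfolio_summary(SAMPLE_VENDORS))
```

Run against the sample data, AWS produces two findings (its 30-day high-tier cadence lapsed in March and its SOC 2 report expired in May), Microsoft one warning for a SOC 2 expiring within the window, and Okta none. Tying the cadence to the tier rather than to a fixed calendar is the design choice worth noting: a vendor whose score drops on reassessment automatically comes back for review sooner.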
Why Compyl is different

Built by CISOs as an end-to-end GRC platform, not a standalone TPRM tool

A spreadsheet or point tool keeps vendor risk in a silo. Compyl runs it inside your whole program, connected and continuous. It shows up in five ways.

01

GRC that adapts to complexity

No-code configuration of dashboards, workflows, fields, and reports for every team, without an engineering ticket.

02

End-to-end, built to flex and scale

Governance, risk, compliance, and third-party risk as one connected source of truth, with no ceiling as your program matures.

03

No black box, all your data

125+ proprietary, in-house integrations ingest your full dataset and surface risks single-system checks miss.

04

Automation and AI that augments your team

Agentic AI and 1,500+ blueprints automate evidence and busywork, with humans in the loop on every decision that matters.

05

Quantified risk in financial terms

FAIR models and Monte Carlo simulations put risk in dollars, so the board decides on business impact, not heat-map colors. New in 26.2.

Framework coverage

One control library, mapped to every framework it satisfies

Compyl cross-maps controls so a single piece of evidence can satisfy requirements across multiple frameworks at once.

Lifecycle: Intake, assessment, scoring & monitoring in one place
SIG: SIG, SIG Lite & custom assessment templates
Continuous: Scheduled reassessments & posture alerts
Connected: Vendors tied to contracts, assets & controls
Recognized by users on G2

Rated a leader by the teams who use it

G2 High Performer, Mid-Market
G2 Momentum Leader
G2 Fastest Implementation, Go-Live Time
G2 Best Support, Quality of Support
G2 Best Meets Requirements, Mid-Market
FAQ

Vendor risk management questions, answered

Compyl vendor risk management (also third-party risk management, or TPRM) runs the entire vendor lifecycle in one platform. Every third party is a connected object, onboarded with automated due diligence, assessed with SIG or custom questionnaires, scored for risk and criticality, and tied to the contracts, assets, and controls it touches, then monitored continuously so emerging risk surfaces before it becomes an incident.

Compyl automates vendor intake with customizable forms and approval workflows, collecting the security, compliance, and operational data you need to complete due diligence before a contract is signed, so high-risk vendors are caught at the gate, not after onboarding.

Compyl ships SIG, SIG Lite, and other pre-built assessment templates, and lets you build and reuse custom questionnaires by vendor category. Assessments can fire automatically on onboarding, renewal, or an alert, and standard scoring models flag high-risk vendors based on their security posture.

Third-party risk doesn’t end at onboarding. Compyl schedules reassessments on a regular cadence, tracks newly identified risks, initiates remediation workflows, and links contracts, assessments, and vendors, so you stay ahead of emerging risk across the whole relationship.

A spreadsheet or standalone TPRM tool keeps vendor risk in a silo. Compyl runs it inside your GRC platform, so each vendor connects to the contracts, assets, and controls it touches and its risk rolls into your enterprise risk register, one source of truth from intake to offboarding.

Security teams, compliance officers, risk managers, procurement, and executives who need structured, scalable oversight of third-party risk, from first due-diligence assessment through continuous monitoring and board-ready reporting.

GRC YOUR WAY

Stop assessing vendors once and hoping

See how Compyl onboards, assesses, scores, and continuously monitors every vendor, connected to the contracts, assets, and controls they touch.

Request a Demo →