Vendor Risk Onboarding Tracker
Example prompt: "When someone in procurement adds a new vendor to our 'Pending Vendor Reviews' Airtable, email the vendor a link to our security questionnaire on Typeform. When they submit it, pull the answers back into the Airtable row, work out a risk score from their data handling, sub-processor list, and certifications, and decide whether they need legal review, infosec review, both, or auto-approval. Post a summary in #vendor-reviews on Slack and tag the right reviewers based on the score. If anything in the questionnaire mentions personal data or financial data, force legal review regardless of the score."
The Problem
Onboarding a new vendor sounds simple until you count the steps: procurement wants to move fast, legal wants the DPA terms checked, infosec wants the security questionnaire, finance wants the supplier set up in the ERP, and the business sponsor wants someone to tell them when they can start using the service. The questionnaires bounce around as PDF attachments and shared drive links, scoring is ad-hoc, and the same vendor sometimes gets reviewed twice because nobody knows the first review is in flight. The cost of getting this wrong is real — sign a vendor who turns out to process customer data without adequate safeguards and the regulator views your due diligence as the test of whether you took it seriously.
How GloriaMundo Solves It
We build a workflow triggered when procurement adds a new vendor to the review tracker. An integration step emails the vendor a unique questionnaire link, and a follow-up trigger fires when the questionnaire is returned. An LLM step extracts the key facts from the response — data categories processed, sub-processors used, certifications held, hosting locations — and a code step computes a numeric risk score from those facts. A conditional step routes the vendor to the right reviewers: low-risk vendors who do not touch personal data can be auto-approved, medium-risk vendors go to one reviewer, and anything touching personal or financial data forces legal review regardless of score. Glass Box preview shows the extracted facts, the score, the routing decision, and the reviewer assignments before any Slack messages are sent, so the person running the onboarding can sanity-check the triage.
Example Workflow Steps
- Trigger (integration): Fires when a new row is added to the 'Pending Vendor Reviews' Airtable.
- Step 1 (integration): Generate a unique questionnaire link in Typeform and email the vendor contact via Gmail with instructions.
- Trigger (integration): Fires when the vendor submits the questionnaire response.
- Step 2 (integration): Fetch the full questionnaire response from Typeform and update the matching Airtable row.
- Step 3 (LLM): Extract data categories processed, sub-processor list, certifications held, hosting jurisdictions, and any noted security incidents.
- Step 4 (code): Compute a risk score from the extracted facts using a transparent rubric stored alongside the workflow.
- Step 5 (conditional): If the vendor handles personal or financial data, force legal review. Otherwise route based on score thresholds.
- Step 6 (LLM): Draft a triage summary listing the score, the rationale, and the assigned reviewers.
- Step 7 (integration): Post the triage summary in #vendor-reviews on Slack, tagging the assigned reviewers and linking back to the Airtable row.
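The scoring rubric in Step 4 and the routing rule in Step 5 are the parts of this workflow a reviewer will want to see spelled out, because the forced-legal rule has to take precedence over the score. The following is an added example, not GloriaMundo's own code; its rubric weights, thresholds, category names, approved hosting regions, and sample vendors are all constructed assumptions, and `QuestionnaireFacts` is a hypothetical stand-in for what the LLM step extracts.

```python
from dataclasses import dataclass

# Assumed rubric weights and thresholds (constructed for this example; a real
# deployment keeps its own rubric alongside the workflow, as Step 4 describes).
DATA_CATEGORY_WEIGHTS = {"public": 0, "internal": 1, "confidential": 3,
                         "personal": 5, "financial": 5}
UNKNOWN_CATEGORY_WEIGHT = 2            # a category the rubric does not know is not risk-free
FORCE_LEGAL_CATEGORIES = {"personal", "financial"}
RECOGNISED_CERTIFICATIONS = {"soc2", "iso27001"}
APPROVED_JURISDICTIONS = {"EU", "UK", "US"}   # assumed list of approved hosting regions
SUB_PROCESSOR_CAP = 4                  # beyond this many, extra sub-processors add no more
MEDIUM_THRESHOLD = 4                   # >= medium: one infosec reviewer
HIGH_THRESHOLD = 9                     # >= high: infosec and legal


@dataclass(frozen=True)
class QuestionnaireFacts:
    """Hypothetical shape of the facts Step 3 is assumed to extract from the response."""
    vendor: str
    data_categories: frozenset
    sub_processors: tuple
    certifications: frozenset
    hosting_jurisdictions: frozenset
    security_incidents: int


def risk_score(facts):
    """Step 4: return (score, rationale). Every contribution is recorded so the
    summary can show how the number was reached rather than just the number."""
    score = 0
    rationale = []
    for category in sorted(facts.data_categories):
        weight = DATA_CATEGORY_WEIGHTS.get(category, UNKNOWN_CATEGORY_WEIGHT)
        score += weight
        rationale.append(f"+{weight} data category '{category}'")
    sub_count = min(len(facts.sub_processors), SUB_PROCESSOR_CAP)
    if sub_count:
        score += sub_count
        rationale.append(f"+{sub_count} sub-processors ({len(facts.sub_processors)} listed)")
    for cert in sorted(facts.certifications & RECOGNISED_CERTIFICATIONS):
        score -= 2
        rationale.append(f"-2 certification '{cert}'")
    for jurisdiction in sorted(facts.hosting_jurisdictions - APPROVED_JURISDICTIONS):
        score += 3
        rationale.append(f"+3 hosting outside approved regions ('{jurisdiction}')")
    if facts.security_incidents:
        bump = 4 * facts.security_incidents
        score += bump
        rationale.append(f"+{bump} for {facts.security_incidents} noted security incident(s)")
    return max(score, 0), rationale


def route(facts, score):
    """Step 5: the forced-legal rule is applied before any threshold, so a low
    score can never bypass legal review when personal or financial data is in scope."""
    reviewers = set()
    forced = bool(facts.data_categories & FORCE_LEGAL_CATEGORIES)
    if forced:
        reviewers.add("legal")
    if score >= HIGH_THRESHOLD:
        reviewers.update({"legal", "infosec"})
    elif score >= MEDIUM_THRESHOLD:
        reviewers.add("infosec")
    decision = "review" if reviewers else "auto-approve"
    return {"decision": decision, "reviewers": sorted(reviewers), "forced_legal": forced}


def triage(facts):
    """Score, route, and render the plain-text summary a Step 6 draft would carry."""
    score, rationale = risk_score(facts)
    routing = route(facts, score)
    lines = [f"{facts.vendor}: score {score}, decision {routing['decision']}"]
    lines += [f"  {line}" for line in rationale]
    if routing["forced_legal"]:
        lines.append("  legal review forced: personal or financial data in scope")
    if routing["reviewers"]:
        lines.append("  reviewers: " + ", ".join(routing["reviewers"]))
    return score, routing, "\n".join(lines)


# Constructed sample vendors standing in for extracted questionnaire facts.
SAMPLE_VENDORS = [
    QuestionnaireFacts("Acme Analytics (constructed)", frozenset({"personal", "confidential"}),
                       ("cloud-host-a", "cdn-b", "email-c"), frozenset({"soc2"}),
                       frozenset({"EU", "US"}), 0),
    QuestionnaireFacts("Office Snacks Co (constructed)", frozenset({"internal"}), (),
                       frozenset(), frozenset({"US"}), 0),
    QuestionnaireFacts("Log Pipeline Inc (constructed)", frozenset({"confidential"}),
                       ("cloud-host-a", "metrics-d"), frozenset({"iso27001"}),
                       frozenset({"SG"}), 1),
]

if __name__ == "__main__":
    for vendor_facts in SAMPLE_VENDORS:
        print(triage(vendor_facts)[2])
```

Two design points worth keeping whatever rubric you adopt: the forced-legal check runs before the thresholds are consulted, so it cannot be undone by a strong certification set pulling the score down, and unknown data categories get a non-zero weight so a vendor cannot land in auto-approval simply by describing its data in terms the rubric has not seen.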
Integrations Used
- Airtable — the central vendor review tracker holding status, scores, reviewers, and the audit trail
- Typeform — the security and due diligence questionnaire the vendor completes
- Gmail — sends the questionnaire link and any reviewer follow-ups
- Slack — triage notifications to legal, infosec, and procurement reviewers in #vendor-reviews
Who This Is For
In-house legal, procurement operations, and third-party risk managers at growing companies who handle five or more new vendors a month — typically scale-ups past their first SOC 2 audit, where vendor due diligence has become a documented control and ad-hoc handling no longer passes review.
Time & Cost Saved
Manually chasing a vendor questionnaire, scoring the response, and routing it to the right reviewer takes around 30-45 minutes per vendor and is easy to drop when procurement is impatient. A team processing 10 new vendors a month recovers roughly 5-7 hours and, more importantly, ends up with a defensible audit trail — every score is computed by the same rubric, every routing decision is logged, and the questionnaire responses live in one place rather than scattered across email and shared drives.