Inventorization of vendors

Vendors are the suppliers of the systems that you use to process data within your organization and play an integral role in managing your compliance with Kertos.

Activating discovered vendors

Once you have run some discovery integrations, Kertos will already have identified many vendors for you. You now need to activate them and provide their missing information.

1. Go to "Vendors" under "Inventory". 

2. Select the "Discovered" tab.

3. Select the vendors that you actually use within your organization and click "set to active". Then select the vendors that are not relevant to you and click "archive". Archived vendors will not be re-discovered when you run discovery integrations on a regular basis (which you should).

4. The vendors that you have activated will now show up in the "Active" tab.

5. You can now click on the individual vendors and fill in the missing information. See the section below for more information.

Adding Vendors manually

If one of your vendors was not identified during discovery, you can add it manually. Every manually added vendor is automatically assigned active status.

1. Click “Add Vendor”.

2. Provide the vendor information as described below in "Documenting basic vendor information".

3. Click “Save”.

Documenting basic vendor information

The basic documentation options in the detail view include:

  • Vendor name: The legal name of the vendor
  • Address: Add the HQ location here
  • Region/Country: Region/country of the headquarters
  • Description: What the vendor does
  • Internal Contact: Who is responsible for this vendor
  • Department: Which department is responsible for this vendor
  • External Contact: Including e-mail and phone number
  • Compliance Standards: Certificates that you know the vendor possesses
  • Vendor Risk: Based on your personal risk evaluation (e.g. which data they process, whether they play a critical role for your organisation, etc.)

Template and Autofill

When creating a new vendor, there are two functions that let you document vendor information more quickly:

  • Create from template: We have more than 3000 vendors and their detailed information stored in our system. When you choose this option, all information and the linked data source are created in your account.
  • Auto Fill: We crawl information about this vendor live and store it for you. More info can be found here: https://docs.kertos.io/en/article/interacting-with-kaia

Compliance Standards: Adding Vendor Certificates

For some widely used vendors, Kertos will automatically set their certificates for you. If none are available for pre-setting, you can add certificates manually.

1. Click into the Vendor Certificates bar.

2. Choose the desired certification from the list.

If it does not appear in the list, you can add a custom vendor certificate by entering its name and clicking “Add vendor certificate”.

If you want to remove a custom certificate, click “edit vendor certificates”. You can remove the certificate by clicking on the red minus that appears.

Review Date

Most frameworks and standards suggest regular vendor reviews to reassess risk, also based on changed information (e.g. outdated vendor certificates). For this reason, we introduced the review section.

You can choose between a 6- and a 12-month review period. Once the end date is reached, the vendor status moves to "needs review", and a task to review this vendor is created and assigned to the owner of the vendor.

From the task you are redirected to the respective vendor, where you can review it, make changes and save them. The review period then starts from scratch again.

This helps you keep the information about your vendors up to date.

Assigning Systems

This step is very important as it connects systems to their respective vendors.

1. Scroll down to the section "Linked Systems?".

2. Select the systems that are provided by this vendor.

Alternatively, you can assign systems to a vendor from a system page. See this article for how to do that.

When you click "go to systems", you are directed to the systems page.

If you don't add any systems when creating a new vendor, you will be asked whether you want to add systems to the vendor. Certain vendors (e.g. a cleaning company) may not offer any system. However, because many vendors provide some kind of system, you are asked whether a system needs to be added to the vendor.

Additional Information

You can add any document that belongs to a specific vendor on its detail view. We urge

We have added one pre-defined document for accessibility:

  • Data Processing Agreement

In addition to the DPA, you can add any other document relevant to the vendor, e.g. the vendor contract or a transfer impact assessment. You can also add notes to provide additional information.

Archive/delete vendors

You can delete or archive vendors. 

  • Deleting = system might be found again by Discovery Channels
  • Archiving = system is ignored by Discovery in the future

More info can be found here: https://docs.kertos.io/en/article/discovery-explained

When you delete a vendor that has systems assigned to it, a message will appear. You can choose to delete only the vendor, so that the assigned data sources are kept.

However, to keep your data clean, you should keep vendors and data sources in sync. For this reason, we recommend that you also delete the assigned systems.

FAQs

What do I need to fill in for the vendor fields? Are all fields mandatory?

To create a vendor in Kertos, you only need the name of the vendor. From a compliance standpoint, however, you should add at least the following information:

  • HQ Location incl. country
  • Description of what the vendor does
  • Which systems belong to the vendor (if applicable)

When do I know that my vendor management is compliant?

Your vendor management is done correctly when all relevant vendors are documented in the way described above.

How do I document my ongoing vendor management?

As soon as you become aware of a new vendor that you are working with, make sure to add it to your list as described above. To stay on top of Shadow IT and the new vendors that come with it, make sure to set up our Discovery Integrations so that you can detect new data sources and vendors.
