How to run a vendor risk assessment as Asset Management Founders

Compliance & Legal · For Asset Management Founders · 4 apps · 12 steps · ~24 min to set up

You're managing relationships with 8–15 service providers — fund administrator, prime broker, compliance consultant, auditor, legal counsel, data vendors — and your vendor contracts live in a Google Drive folder nobody has organized since inception. Renewal dates slip. You find out your data vendor auto-renewed at a 20% price increase three weeks after it happened. You can't quickly pull the liability cap in your fund admin agreement when you're on a call with an LP asking about operational risk. You're spending real hours digging through email threads to reconstruct what you agreed to with whom, and that time comes directly out of portfolio work.

Outcome

What you'll set up

A centralized vendor registry that tracks every service provider, contract status, renewal date, notice period, and key commercial terms — searchable in seconds, not buried in Drive
Automated renewal and expiration alerts so you're never caught off-guard by an auto-renew or a missed termination window
A lightweight vendor risk framework that scores each counterparty (financial exposure, data access, operational dependency) and surfaces the ones that need attention before your next LP due diligence request
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail data on a schedule so the Email Agent can surface vendor-related threads and renewal notices without manual searching. Your Notion pages (if you use Notion for internal docs) sync on a schedule as well, so existing vendor notes pull into the knowledge base automatically. Connect your Google Drive from Starch's integration catalog; the agent queries it live to pull existing contract files when you're building the registry. For vendors with portals but no API — like your compliance filing system or a niche data vendor's client portal — Starch automates those sites through your browser, no API needed.

Prompts to copy
Build me a vendor risk registry for my asset management firm. I need to track vendor name, contract type (data, legal, admin, technology, compliance), annual spend, renewal date, notice period, data access level (do they touch investor data or fund positions?), operational dependency level (high/medium/low), and last review date. Alert me 90 days before any renewal and flag any vendor with high data access and no SOC 2 on file.
Scan my Gmail inbox for emails from [fund administrator name], [auditor name], and [legal counsel name] from the past 12 months. Summarize any contract terms, pricing changes, or renewal notices that were communicated over email and add them as tasks to review against the vendor registry.
Create a knowledge base page for our vendor risk assessment policy. Include our criteria for high/medium/low operational dependency, what documentation we require from each vendor tier (SOC 2, proof of insurance, cyber insurance limits), and when we escalate a vendor for LP disclosure.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Gmail to Starch (scheduled sync) and ask the Email Agent to surface every thread mentioning contract, renewal, agreement, invoice, or auto-renew from your fund admin, auditor, legal counsel, data vendors, and prime broker over the past 24 months.
2 Connect Google Drive from Starch's integration catalog (live query) and pull all PDF and DOCX files from your existing contracts folder. Starch extracts vendor name, effective date, renewal date, notice period, and annual spend from each document.
3 Open the Contract Lifecycle Management app (coming soon — request beta access) to house executed contracts with full audit trail; in the meantime, build a custom vendor registry app by telling Starch: 'Build me a vendor risk registry with fields for vendor name, contract type, annual spend, renewal date, notice period, data access level, dependency level, and review status.'
4 Populate the registry by walking through each vendor: fund administrator, prime broker, auditor, legal counsel, compliance consultant, data vendors (Bloomberg, FactSet, or similar), IT/cybersecurity, and any SaaS tools billed to the fund.
5 Score each vendor on two axes: financial exposure (annual spend + liability cap relative to AUM) and operational dependency (what breaks if they go offline tomorrow). Mark any vendor that touches investor PII or fund positions as 'high data access.'
6 Set up Task Manager alerts keyed to each vendor's notice-period deadline (renewal date minus notice period), not to the renewal date itself: the notice deadline is the last day a decision still changes anything, and an alert set against the renewal date fires after the window has already closed. Tell Starch: 'Create recurring tasks for each vendor in my registry: one task 90 days before the notice-period deadline to begin evaluation, one task 30 days before the notice-period deadline to confirm our decision.'
7 Request SOC 2 reports, cyber insurance certificates, and proof of E&O coverage from any high-dependency or high-data-access vendor that hasn't provided them. Use the Email Agent to draft these outreach emails in one pass: 'Draft vendor due diligence request emails for the following six vendors asking for their most recent SOC 2 Type II report, current cyber insurance certificate with limits, and E&O policy summary.'
8 For vendors without a standard API or document portal, use Starch's browser automation to check their client portals for updated compliance documents or pricing schedules — no manual login required.
9 Store all collected vendor documents and assessment notes in your Starch knowledge base with a standard page structure per vendor: overview, contract terms, risk scores, open items, and history of reviews.
10 Build a vendor risk summary view — tell Starch: 'Show me a dashboard of all vendors sorted by renewal date, with columns for dependency level, data access flag, SOC 2 status, and days until renewal. Highlight any vendor where SOC 2 is missing and dependency is high.'
11 When an LP asks about your operational due diligence process, pull the vendor risk summary and your knowledge base policy page in under two minutes — the answer is documented, not reconstructed from memory.
12 Review the full registry quarterly alongside your LP reporting cycle so vendor risk stays current rather than being a one-time exercise that goes stale.
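The registry arithmetic behind steps 4 through 10, as an added example in Python (not Starch's code): it derives each vendor's notice deadline as renewal date minus notice period, keys the 90-day and 30-day reminders to that deadline, scores financial exposure as basis points of AUM, and flags the conditions the recipe asks to be highlighted in red. The vendor list, the dates, the review date, the AUM and the exposure thresholds are constructed assumptions; the spend figures mirror the worked example further down the page.

```python
"""Vendor registry arithmetic for the workflow above: notice deadlines, alert dates,
exposure and dependency scoring, and the red-flag dashboard. Added example, not
Starch's code. Vendors, dates, AUM and thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2026, 2, 16)   # assumed review date for the Q1 2026 run
AUM = 85_000_000            # USD, matches the worked example on the page


@dataclass(frozen=True)
class Vendor:
    name: str
    category: str              # data, legal, admin, technology, compliance
    annual_spend: int          # USD cash fees per year
    renewal_date: date         # day the current term ends and auto-renews
    notice_days: int           # written notice required to stop the auto-renewal
    data_access: str           # "high" if they touch investor PII or fund positions
    dependency: str            # "high" / "medium" / "low": what breaks if they vanish
    attestation_on_file: bool  # SOC 2 Type II or equivalent written security attestation


# Constructed registry: spend figures follow the worked example, everything else is assumed.
SAMPLE_REGISTRY = [
    Vendor("Fund Administrator", "admin", 42_000, date(2026, 9, 30), 90, "high", "high", True),
    Vendor("Legal Counsel", "legal", 38_000, date(2026, 12, 31), 30, "high", "medium", True),
    Vendor("Auditor", "admin", 28_000, date(2026, 6, 30), 60, "high", "medium", True),
    Vendor("Bloomberg Terminal", "data", 27_000, date(2026, 1, 15), 30, "low", "high", True),
    Vendor("Compliance Consultant", "compliance", 24_000, date(2026, 7, 31), 60, "high", "medium", False),
    Vendor("Prime Broker", "admin", 0, date(2026, 12, 31), 30, "high", "high", True),
    Vendor("Cybersecurity / IT MSP", "technology", 14_400, date(2026, 5, 31), 30, "high", "high", True),
    Vendor("Alt Data (ESG scores)", "data", 9_600, date(2026, 4, 30), 60, "low", "low", False),
]


def notice_deadline(v: Vendor) -> date:
    """Last day to send written notice; one day later the next term is locked in."""
    return v.renewal_date - timedelta(days=v.notice_days)


def alert_dates(v: Vendor) -> dict[str, date]:
    """Two reminders keyed to the notice deadline, not the renewal date."""
    deadline = notice_deadline(v)
    return {
        "begin_evaluation": deadline - timedelta(days=90),
        "confirm_decision": deadline - timedelta(days=30),
    }


def financial_exposure(v: Vendor, aum: int = AUM) -> str:
    """Annual spend in basis points of AUM; the 4 bps / 2 bps cut-offs are an assumption."""
    bps = v.annual_spend / aum * 10_000
    return "high" if bps >= 4 else "medium" if bps >= 2 else "low"


def risk_flags(v: Vendor, as_of: date = AS_OF) -> list[str]:
    """The conditions the recipe asks to be highlighted in red."""
    flags = []
    if v.data_access == "high" and not v.attestation_on_file:
        flags.append("high data access with no SOC 2 or security attestation on file")
    days_to_notice = (notice_deadline(v) - as_of).days
    if v.renewal_date <= as_of:
        flags.append(f"term auto-renewed on {v.renewal_date}; confirm pricing and roll the renewal date")
    elif days_to_notice < 0:
        flags.append(f"notice window closed {-days_to_notice} days ago; {v.renewal_date} renewal is locked in")
    elif days_to_notice <= 30:
        flags.append(f"notice deadline {notice_deadline(v)} is {days_to_notice} days away")
    return flags


def dashboard(registry=SAMPLE_REGISTRY, as_of: date = AS_OF, aum: int = AUM) -> list[dict]:
    """One row per vendor, sorted by the date that actually forces a decision."""
    rows = []
    for v in sorted(registry, key=notice_deadline):
        rows.append({
            "vendor": v.name,
            "dependency": v.dependency,
            "data_access": v.data_access,
            "exposure": financial_exposure(v, aum),
            "attestation": v.attestation_on_file,
            "notice_deadline": notice_deadline(v).isoformat(),
            "days_to_notice": (notice_deadline(v) - as_of).days,
            "flags": risk_flags(v, as_of),
        })
    return rows


def red_vendors(registry=SAMPLE_REGISTRY, as_of: date = AS_OF, aum: int = AUM) -> list[str]:
    """Vendor names carrying at least one red flag, in decision-date order."""
    return [row["vendor"] for row in dashboard(registry, as_of, aum) if row["flags"]]


if __name__ == "__main__":
    for row in dashboard():
        marker = "RED " if row["flags"] else "    "
        print(f"{marker}{row['vendor']:<24} notice {row['notice_deadline']} "
              f"({row['days_to_notice']:>4}d) dep={row['dependency']:<6} "
              f"exp={row['exposure']:<6} {'; '.join(row['flags'])}")
```

Run it to print the dashboard. The sort key is the notice deadline rather than the renewal date because the notice deadline is the last day on which a decision still changes anything; against the constructed registry on 16 February 2026 it flags Bloomberg (term already rolled), the alt data vendor (13 days to the notice deadline) and the compliance consultant (high data access, no attestation), which is the same three-item list the worked example arrives at.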

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Q1 2026 Vendor Risk Review — $85M Emerging Fund

Sample numbers from a real run (annual spend, USD)

Vendor (role)                                         Annual spend
Fund Administrator (NAV calculation, LP reporting)          42,000
Legal Counsel (fund agreements, ongoing)                    38,000
Auditor (annual audit)                                      28,000
Bloomberg Terminal (2 seats)                                27,000
Compliance Consultant (CCO services)                        24,000
Prime Broker (custody + margin)                                  0
Cybersecurity / IT MSP                                      14,400
Data Vendor — Alt Data (ESG scores)                          9,600
Total cash spend (eight vendors)                           183,000

You're an $85M emerging fund three years into operation. You have eight active vendor relationships: seven with cash fees totaling roughly $183,000 a year, plus your prime broker, which charges no direct fee but carries the highest operational dependency in your stack. Going into Q1 2026, you ask Starch to scan your Gmail for the past 18 months and surface any pricing or renewal communications. It finds that your Bloomberg contract auto-renewed in January at a 12% increase you never formally acknowledged, and that your alt data vendor's 60-day termination notice requirement was buried in a thread from November 2024: the term renews April 30, 2026, so written notice has to be in by March 1, 2026, and it is that notice deadline, not the renewal date, that drives the task. Your compliance consultant has no SOC 2 on file despite read access to your compliance management portal. The Task Manager immediately creates three tasks: (1) confirm the Bloomberg renewal decision by March 15, (2) make the alt data vendor renewal decision before March 1 to honor the notice period, (3) request a SOC 2 report or written security attestation from the compliance consultant by end of week. You build the vendor risk dashboard: all eight vendors scored, two flagged red (compliance consultant: high data access, no SOC 2; alt data vendor: notice deadline approaching). When your anchor LP sends their annual DDQ asking about vendor oversight, you export the registry summary and your documented assessment policy in 10 minutes. No scrambling.

Measurement

How you'll know it's working

Days to identify an expiring vendor contract from initial flag to documented decision
Percentage of high-dependency vendors with current SOC 2 or equivalent security documentation on file
Number of vendor auto-renewals caught before the notice-period deadline vs. missed
Time to respond to LP operational due diligence questions touching vendor relationships (target: under 30 minutes)
Annual vendor spend as a percentage of AUM, tracked quarterly
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Drive folder + calendar reminders
Free and already set up, but contracts are unsearchable, renewal dates live in someone's head or a spreadsheet that goes stale, and there's no risk scoring — you're one missed renewal away from an auto-renew you didn't want.
Ironclad or Contractbook
Purpose-built CLM tools with strong clause libraries and e-signature workflows, but they're priced for legal teams at larger firms, don't connect to your fund's email or financial data, and don't generate the vendor risk summary your LPs are asking for.
Airtable or Notion database
Flexible and cheap, but you're building and maintaining the schema yourself, there's no AI extraction from existing contract PDFs, and alerts require manual setup — it's a better spreadsheet, not an assessment workflow.
Juniper Square or Allvue
Institutional-grade fund operations platforms with some vendor management features, but they start at $50k+ annually, assume a dedicated ops team, and are built around LP reporting — vendor risk is a secondary feature, not a first-class workflow.
On Starch RECOMMENDED

One platform — contract lifecycle management, task manager, email agent all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Can Starch actually extract renewal dates and notice periods from my existing PDF contracts?
Yes. Connect your Google Drive from Starch's integration catalog and point Starch at your contracts folder. The agent reads the documents and extracts key commercial terms. You should review the output — AI extraction from dense legal PDFs isn't perfect, especially for non-standard clause structures — but it gets you 80% of the way there without manual data entry across 15 agreements.
Is the Contract Lifecycle Management app available today?
Not yet — it's in development. You can request beta access to get notified when it launches. In the meantime, you can build a custom vendor registry app today by describing what you want to Starch in plain language, and store contract documents in your Starch knowledge base using the Notion sync.
My fund admin and prime broker don't have APIs. Can Starch still interact with their portals?
Yes. Starch automates browser-based workflows through your browser — no API needed. If your fund admin has a client portal you log into to pull NAV reports or statements, Starch can navigate that portal on a schedule and pull the documents for you.
Is Starch SOC 2 certified? My LP compliance team will ask.
Not yet. Starch is not SOC 2 Type II certified as of today, which is worth knowing before you route highly sensitive legal documents through the platform. Under the framework above, Starch is itself a vendor with access to your vendor contracts, email and documents and no SOC 2 on file, so add it to the registry and score it like any other counterparty. For the vendor registry and risk scoring workflows, most operators find the tradeoff reasonable; for storing the actual executed fund agreements, make that call with your compliance counsel.
Can I use this for counterparty risk on portfolio companies, not just my own vendors?
Yes. The same registry and scoring framework works for tracking key counterparties your portfolio companies rely on — especially useful if you're a sector-focused fund where a single data provider or vendor failure could affect multiple holdings. Just describe the use case to Starch and it will build the right fields and views for that context.
How does Starch handle vendor outreach for compliance document collection?
The Email Agent drafts the outreach emails — you describe the vendors and what you need (SOC 2, cyber insurance certificate, E&O policy), and it produces ready-to-send emails for each one. It also tracks which vendors haven't responded and surfaces follow-up reminders so you're not manually chasing eight different counterparties across eight separate threads.

Ready to run a vendor risk assessment on Starch?

Request closed-beta access. Everything is free during beta.
