How to run a vendor risk assessment as Chief of Staff and Founder's Office

Compliance & Legal · For Chief of Staff and Founder's Office · 2 apps · 11 steps · ~22 min to set up

Vendor risk assessments land on your desk because no one else has the full picture. You're chasing down contracts in a shared Google Drive folder (if you're lucky), pinging legal and finance for renewal dates, cross-referencing Slack threads to figure out which tools the engineering team spun up without telling anyone, and manually building a spreadsheet that's out of date the moment you share it. At a 150-person company, you might have 40–80 active vendors — SaaS subscriptions, contractors, professional services, infrastructure — and zero single source of truth for spend, contract status, data-access scope, or renewal dates. You're the one who gets blamed when a vendor auto-renews at $60k and nobody caught it.

Outcome

What you'll set up

A live vendor registry that pulls contract metadata, spend data, and renewal dates from the tools your team already uses — so you stop rebuilding the same spreadsheet every quarter
Automated alerts for upcoming renewals, contracts missing security documentation, and vendors with elevated data-access scope — surfaced in Slack before they become problems
A vendor risk scorecard you can hand to your CEO, CFO, or board without spending a weekend reformatting a spreadsheet
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your QuickBooks data on a schedule (invoices, bills, vendors, payments) to pull actual spend per vendor.
Connect Notion from Starch's integration catalog (the agent queries it live) to pull any existing vendor documentation or contract notes your team has stored there.
Starch syncs your Gmail data on a schedule so the agent can surface vendor communication threads and flag unanswered renewal conversations.
Starch syncs your Slack data on a schedule to push automated weekly alerts to your ops or chief-of-staff channel.
For vendors whose contracts or compliance docs live on portals with no API (carrier portals, government vendor registries, niche SaaS admin pages), Starch automates those through your browser; no API needed.

Prompts to copy
Build me a vendor risk registry that tracks every vendor by name, category (SaaS / contractor / services), annual contract value, renewal date, data access level (none / limited / full), SOC 2 status, and risk tier (low / medium / high). Pull spend data from QuickBooks and flag any vendor whose contract is renewing in the next 60 days.
Create an automation that runs every Monday morning, checks for vendors with renewal dates in the next 60 days or missing SOC 2 documentation, and posts a prioritized summary to our #chief-of-staff Slack channel.
Build me a vendor risk scorecard view showing total vendor spend by category, percentage of vendors with SOC 2 Type II on file, count of high-risk vendors, and upcoming renewals by month — formatted for an exec team review.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect QuickBooks as a scheduled-sync provider. Starch syncs your vendor list, bills, and payments so you have actual spend per vendor without manually exporting from accounting.
2 Connect Notion from Starch's integration catalog so the agent can query your existing vendor documentation, contract notes, or security questionnaires stored in your team wiki.
3 Connect Gmail as a scheduled-sync provider so the agent can cross-reference vendor email threads — catching renewal notices, auto-renew warnings, or price increase notices that got buried in your inbox.
4 Tell Starch: 'Build me a vendor risk registry with columns for vendor name, category, annual spend pulled from QuickBooks, contract renewal date, data access level, SOC 2 status, and risk tier.' The agent builds the app; you fill in or import the fields you already have.
5 Add a risk-scoring rule: tell Starch 'Flag any vendor as high-risk if they have full data access AND no SOC 2 documentation on file, or if annual spend exceeds $25,000 and renewal is within 60 days.' Treat a SOC 2 report whose date is more than 12 months old as not on file: a Type II report covers a past audit period, so an expired one says nothing about the vendor's current controls (the worked example below flags one that is 14 months old).
6 For vendors whose security docs or compliance certificates live on external portals, use browser automation to pull those pages: 'Check [vendor] trust portal for their current SOC 2 report and save the summary to their vendor record.' Starch automates this through your browser — no API needed.
7 Set up a renewal alert automation: 'Every Monday, check the vendor registry for any vendor with a renewal date in the next 60 days or a missing SOC 2 field, and post a ranked list to #chief-of-staff on Slack with the vendor name, renewal date, annual value, and risk tier.'
8 Build an exec-facing scorecard view: 'Show me total vendor spend by category, percentage of vendors with SOC 2 on file, count of high-risk vendors, and a month-by-month renewal calendar for the next 6 months.'
9 Use the Task Manager app to convert any vendor-specific action items into tracked tasks — 'Create a P1 task to request SOC 2 documentation from [vendor] before their renewal on [date]' — so follow-ups don't disappear into Slack.
10 Before quarterly board or investor meetings, run a fresh vendor risk summary: 'Generate a vendor risk summary for Q2 2026 showing top 10 vendors by spend, any high-risk flags, and contracts renewing this quarter' — and export it for the deck.
11 When Contract Lifecycle Management launches (coming soon), migrate contract metadata directly into CLM so renewal tracking, e-signature workflows, and audit trails live in one place rather than across Drive, email, and your registry app.
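The scoring, alert and scorecard rules from steps 5, 7 and 8, as an added worked example in plain Python that is not part of this page or of Starch. It is the check a practitioner can run against an exported registry to see exactly which vendors the step 5 rule flags and in what order the Monday alert ranks them. The vendor rows, the fixed run date and the vendor name "Enricho" are constructed for the example; the 12-month SOC 2 staleness window, the medium/low split and the 180-day scorecard horizon are assumptions this example adds, not rules stated on the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds from the page's step 5 rule. The 12-month SOC 2 staleness window and the
# 180-day scorecard horizon are assumptions added by this example.
RENEWAL_WINDOW_DAYS = 60
HIGH_SPEND_USD = 25_000
SOC2_MAX_AGE_DAYS = 365
SCORECARD_HORIZON_DAYS = 180  # "next 6 months" in step 8


@dataclass
class Vendor:
    name: str
    category: str                     # SaaS / contractor / services / infrastructure
    annual_spend: int                 # USD, as pulled from accounting
    renewal_date: Optional[date]      # None when no contract date is on file
    data_access: str                  # none / limited / full
    soc2_report_date: Optional[date]  # date of the SOC 2 report on file, None if missing


def soc2_on_file(v: Vendor, today: date) -> bool:
    """A report counts only if it exists and is not older than SOC2_MAX_AGE_DAYS."""
    return v.soc2_report_date is not None and (today - v.soc2_report_date).days <= SOC2_MAX_AGE_DAYS


def days_to_renewal(v: Vendor, today: date) -> Optional[int]:
    return None if v.renewal_date is None else (v.renewal_date - today).days


def renewing_soon(v: Vendor, today: date) -> bool:
    d = days_to_renewal(v, today)
    return d is not None and 0 <= d <= RENEWAL_WINDOW_DAYS


def risk_tier(v: Vendor, today: date) -> str:
    """Step 5 rule for 'high'; the medium/low split is an assumption of this example."""
    if v.data_access == "full" and not soc2_on_file(v, today):
        return "high"
    if v.annual_spend > HIGH_SPEND_USD and renewing_soon(v, today):
        return "high"
    if v.data_access == "full" or renewing_soon(v, today):
        return "medium"
    if v.data_access == "limited" and not soc2_on_file(v, today):
        return "medium"
    return "low"


def weekly_alerts(vendors, today: date):
    """Step 7: vendors renewing within 60 days or without a current SOC 2, ranked by
    tier and then by how soon they renew (vendors with no renewal date sort last)."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for v in vendors:
        reasons = []
        if renewing_soon(v, today):
            reasons.append(f"renews in {days_to_renewal(v, today)} days")
        if not soc2_on_file(v, today):
            reasons.append("no current SOC 2 on file")
        if reasons:
            hits.append({"vendor": v.name, "renewal_date": v.renewal_date,
                         "annual_value": v.annual_spend, "tier": risk_tier(v, today),
                         "reasons": reasons})
    hits.sort(key=lambda h: (order[h["tier"]],
                             (h["renewal_date"] - today).days if h["renewal_date"] else 10**6))
    return hits


def scorecard(vendors, today: date):
    """Step 8 aggregates: spend by category, % with a current SOC 2, high-risk count,
    renewals per month inside SCORECARD_HORIZON_DAYS."""
    spend, renewals = {}, {}
    for v in vendors:
        spend[v.category] = spend.get(v.category, 0) + v.annual_spend
        d = days_to_renewal(v, today)
        if d is not None and 0 <= d <= SCORECARD_HORIZON_DAYS:
            key = v.renewal_date.strftime("%Y-%m")
            renewals[key] = renewals.get(key, 0) + 1
    return {
        "spend_by_category": spend,
        "pct_with_soc2": round(100 * sum(soc2_on_file(v, today) for v in vendors) / len(vendors), 1),
        "high_risk_count": sum(risk_tier(v, today) == "high" for v in vendors),
        "renewals_by_month": dict(sorted(renewals.items())),
    }


# Constructed sample registry (not the page's real-run numbers); TODAY is fixed so runs are reproducible.
TODAY = date(2026, 4, 6)
REGISTRY = [
    Vendor("Salesforce", "SaaS", 54_000, date(2026, 5, 14), "full", date(2025, 11, 1)),
    Vendor("Enricho (data enrichment, hypothetical)", "SaaS", 12_000, date(2026, 9, 1), "full", date(2025, 2, 6)),
    Vendor("Figma", "SaaS", 8_400, date(2026, 7, 15), "limited", date(2026, 1, 15)),
    Vendor("Outside counsel", "services", 38_500, None, "limited", None),
    Vendor("Unrecognised subscription", "SaaS", 2_100, None, "none", None),
]

if __name__ == "__main__":
    for h in weekly_alerts(REGISTRY, TODAY):
        print(h["tier"].upper(), h["vendor"], h["annual_value"], "; ".join(h["reasons"]))
    print(scorecard(REGISTRY, TODAY))
```

The staleness check is what turns a 14-month-old report into a missing one: without it the data-enrichment vendor has "full access with SOC 2 on file" and scores medium, which is the gap the page's worked example describes. Vendors with no renewal date still surface in the alert list when their SOC 2 is missing, so a contract you never recorded cannot hide from the Monday summary.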

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Q2 2026 Vendor Risk Review — 150-person growth-stage SaaS company

Sample numbers from a real run (largest line items, annual spend in USD)

Vendor (category): Annual spend
AWS (infrastructure): $148,000
Salesforce (CRM): $54,000
Workday (HR): $42,000
Legal outside counsel (services): $38,500
Segment / PostHog (analytics): $22,000
Figma (design tooling): $8,400
Notion (docs): $6,200

Before this review, the vendor list lived in a Google Sheet that hadn't been touched since Q4 2024. The CoS had QuickBooks showing $319,100 in the 'Software & Subscriptions' and 'Professional Services' lines but no breakdown by vendor, no renewal dates, and no record of which vendors had access to customer PII.

The Starch vendor risk registry pulled QuickBooks bills and payments directly to populate annual spend per vendor. It flagged three immediate issues:

1. Salesforce at $54,000 was renewing in 38 days with no renewal decision made and no negotiation started. The alert hit Slack on a Monday and gave the CoS two weeks to loop in the CFO.
2. A $12,000/year data enrichment vendor had full CRM data access with no SOC 2 on file. Starch's browser automation pulled their trust portal page and found their SOC 2 report was 14 months old.
3. Two 'shadow IT' subscriptions totaling $4,200 appeared in QuickBooks from vendors nobody in ops recognized.

The final scorecard showed 34 active vendors, $319,100 in annual spend, 68% with SOC 2 on file, 4 flagged high-risk, and 6 renewals due in the next 90 days. The CoS handed the CFO a one-page summary instead of a spreadsheet, and the prep took 3 hours instead of two days.

Measurement

How you'll know it's working

Percentage of active vendors with SOC 2 documentation on file (target: >80%)
Renewal coverage rate: percentage of renewals in the next 90 days with a decision made or negotiation in progress
Annual vendor spend per category (SaaS / services / infrastructure), tracked against prior quarter
Number of high-risk vendors, using the same rule as step 5 (full data access + no current SOC 2 on file, or spend >$25k + renewal within 60 days)
Time to complete quarterly vendor risk review (target: under 4 hours from data pull to exec summary)
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Manual spreadsheet (Google Sheets + Google Drive)
Free and familiar, but you rebuild it every quarter from scratch and it goes stale the day you share it — no live spend data, no automated alerts.
Vendr or Zip (SaaS spend management)
Good for procurement workflows and negotiation support, but overkill for a 150-person company and doesn't connect to the rest of your exec stack (Notion, Gmail, Slack, QuickBooks) the way Starch does.
Notion database (manual)
You probably already have one and it's six months out of date — Starch connects to your Notion from its integration catalog and builds on top of it rather than replacing it, so you're not starting over.
Jira or ClickUp for tracking vendor tasks
Fine for engineering-led procurement workflows, but connecting vendor risk to spend data and contract metadata requires a separate integration layer that someone (you) has to maintain.
On Starch (recommended)

One platform: contract lifecycle management (coming soon) and task manager, all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

We don't have a formal vendor list anywhere. How do we even start?
Start with QuickBooks. Starch syncs your bills and vendor payments on a schedule — that gives you every vendor you've actually paid, with spend amounts. It's not a complete picture (free tools, shadow IT, and barter arrangements won't appear) but it's the fastest honest starting point. From there, tell Starch 'Build me a vendor registry using the vendors from QuickBooks as the seed list, and let me add manual entries for vendors we use but don't pay directly.' Takes about 20 minutes to get a working first draft.
QuickBooks report views like P&L aren't working — will that affect this?
Starch's QuickBooks report views (P&L, Transaction List, Vendor Expenses) are temporarily disabled pending an upstream fix. The entity-level data that vendor risk actually needs — bills, invoices, vendor records, and payments — syncs normally. You'll have spend per vendor; you just won't get a QuickBooks-native P&L roll-up until the report views are restored.
Can Starch pull SOC 2 reports or compliance docs directly from vendor portals?
Yes, for any vendor portal you can log into through a browser. Starch automates those through your browser — no API needed. You'd tell Starch something like 'Go to [vendor]'s trust portal, find their current SOC 2 report, and save the report date and coverage period to their vendor record.' It works even when the vendor has no API at all. The one thing Starch can't do is log into portals that require hardware MFA or CAPTCHA flows that block automation.
Is my vendor data stored securely? Is Starch SOC 2 certified?
Starch is not currently SOC 2 Type II certified. If your company is in a regulated industry or your board has strict data-handling requirements, that's worth knowing upfront. Starch stores your synced data (QuickBooks, Gmail, etc.) in its own database for the scheduled-sync providers; live-queried apps (like Notion) are queried in real time and not stored. That also means Starch belongs in the registry you are building: by the step 5 rule, a tool holding a copy of your mailbox and accounting data with no SOC 2 on file is exactly the profile the rule flags. For most growth-stage companies, this is fine; for companies with SOC 2 requirements of their own, check with your security lead.
What about Contract Lifecycle Management — the catalog mentions it but I don't see it available?
Contract Lifecycle Management is coming soon — it's currently in development. When it launches, it'll handle contract creation, approval routing, e-signature, and renewal tracking in one place, which will make the vendor risk workflow significantly tighter. For now, you can build a vendor registry and renewal-alert automation today using the natural-language app builder, and migrate to CLM when it's ready. You can request beta access through Starch to get notified when it launches.
We use Salesforce, not HubSpot. Can Starch still pull vendor and spend data?
Yes. Salesforce is reachable from Starch's integration catalog — the agent queries it live when your app runs. You can pull vendor or counterparty records from Salesforce alongside spend data from QuickBooks to build a richer vendor profile. It won't be a scheduled sync the way HubSpot or QuickBooks are, but for a vendor risk registry that's updated weekly rather than in real time, live queries work fine.

Ready to run a vendor risk assessment on Starch?

Request closed-beta access. Everything is free during beta.
