How to run a vendor risk assessment as Small IT and ITOps Teams

Compliance & Legal · For Small IT and ITOps Teams · 2 apps · 12 steps · ~24 min to set up

You're a two-person IT team supporting 300 employees, and vendor risk assessment is the compliance task that always gets bumped. You have SaaS sprawl across 40-plus tools (Okta, Jamf, Jira, Zoom, Slack, AWS), half of which were approved by a department head who emailed you after the fact. When audit season or a security review hits, you're manually pulling SOC 2 reports from vendor portals, cross-referencing them against contracts buried in a Google Drive folder, chasing data processing agreements over email, and trying to remember whether that new AI vendor someone signed up for last quarter even answered your security questionnaire. Nobody owns this. It's you, a spreadsheet, and hope.

Outcome

What you'll set up

A living vendor risk register that pulls contract data, renewal dates, and security questionnaire status from the tools your team already uses — built in natural language, no spreadsheet maintenance required.
Automated alerts that flag vendor renewals 60 and 30 days out, missing DPAs, or lapsed SOC 2 report dates before your next audit surfaces them for you.
A browser-automated intake flow that visits vendor trust portals and security pages to collect SOC 2 report links, uptime SLAs, and sub-processor lists — without you logging into each one manually.
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch connects to Notion from its integration catalog — the agent queries your Notion databases live to pull contract and vendor records. Starch connects directly to Slack (scheduled sync) to send weekly digest alerts. For vendor trust portals and security pages that don't have an API — like a vendor's dedicated trust.vendorname.com page or their SOC 2 download form — Starch automates those through your browser, no API needed. Contract Lifecycle Management (coming soon — beta access available) will handle structured contract storage and renewal tracking natively once it launches.

Prompts to copy
Build me a vendor risk register that tracks vendor name, contract owner, renewal date, data classification (PII/PHI/none), SOC 2 report link, DPA status, and last security review date. Pull contract data from our Notion workspace and flag any vendor where the SOC 2 report is more than 12 months old or the DPA is missing.
Create a task for each vendor flagged in the risk register with a due date 30 days before their contract renewal, assigned to me, with a P2 priority. If a vendor handles PII and has no DPA on file, set it to P1.
Every Monday morning, check the vendor risk register for renewals in the next 60 days and send me a Slack summary listing the vendor name, renewal date, and outstanding security items.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Notion from Starch's integration catalog. If your vendor contracts and security questionnaire responses already live in a Notion database, the agent queries it live — no migration needed.
2 Tell Starch what your vendor risk register should look like: 'Build me a vendor risk register tracking vendor name, data classification, DPA status, SOC 2 expiry, renewal date, and contract owner.' Starch assembles the app from your description.
3 For each vendor's trust portal or security page (AWS Trust Center, Zoom's security page, your AI vendor's sub-processor list), describe the sites to Starch and it automates visits through your browser — no API needed — to collect SOC 2 report links and last-updated dates.
4 Set up a risk-scoring rule in plain language: 'Flag any vendor as high-risk if they process PII and are missing a DPA, or if their SOC 2 report is more than 12 months old.' Starch applies this logic across your register automatically.
5 Use the Task Manager app to create P1/P2 remediation tasks for each flagged vendor — one task per outstanding security item, with a due date tied to the vendor's renewal date.
6 Configure a Monday morning Slack alert: 'Every Monday, send me a Slack message listing vendors renewing in the next 60 days, their risk status, and any missing documents.' Starch queries the register and posts the digest.
7 Build a simple intake form prompt — 'When I add a new vendor, ask me for their data classification, whether they've signed a DPA, and a link to their latest SOC 2 report or SOC 3 page' — so every new vendor enters the register with the right fields from day one.
8 For vendors who haven't responded to your security questionnaire, describe the follow-up automation: 'If a vendor's questionnaire status is still pending after 14 days, draft a follow-up email from Gmail and add a P2 task.' Starch handles drafting via Gmail integration and task creation in one step.
9 Connect Jira from Starch's integration catalog so any P1 vendor risk items can automatically create Jira Service Management tickets — visible to whoever handles your security escalations.
10 Set a quarterly re-review trigger: 'On the first Monday of each quarter, show me all vendors with a SOC 2 report older than 9 months so I can request an updated copy.' Starch schedules this against the register and surfaces it in your dashboard.
11 Export or share a vendor risk summary view with your compliance lead or legal counsel — describe the format you want (table, PDF-ready view, or a shared Notion page Starch writes back to) and Starch builds that surface.
12 As Contract Lifecycle Management launches (currently in development — request beta access), migrate structured contract records into it so renewal alerts, clause tracking, and DPA status live in one place rather than split across Notion and a dashboard.
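The scoring, task and digest rules from steps 4 to 6 above, written out as a stand-alone model so you can check the logic before handing it to an agent. This is an added illustration, not Starch code or Starch output: the five-vendor register, the vendor names and the "today" of 12 January 2026 are constructed, and the field names are assumptions about how such a register might be stored.

```python
"""Vendor risk register rules: high-risk flag, remediation tasks, Monday digest.

Added example with constructed data; not Starch code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SOC2_MAX_AGE_DAYS = 365      # "SOC 2 report more than 12 months old" (assumed = 365 days)
TASK_LEAD_DAYS = 30          # remediation tasks are due 30 days before renewal
DIGEST_WINDOW_DAYS = 60      # Monday digest covers renewals in the next 60 days


@dataclass(frozen=True)
class Vendor:                       # assumed register schema
    name: str
    owner: str
    renewal_date: date
    data_classification: str        # "PII", "PHI" or "none"
    soc2_report_date: Optional[date]  # None = no report on file
    dpa_signed: bool


def handles_personal_data(v: Vendor) -> bool:
    return v.data_classification.upper() in {"PII", "PHI"}


def soc2_stale(v: Vendor, today: date) -> bool:
    """True when there is no SOC 2 report or it is older than 12 months."""
    if v.soc2_report_date is None:
        return True
    return (today - v.soc2_report_date).days > SOC2_MAX_AGE_DAYS


def findings(v: Vendor, today: date) -> list:
    """Outstanding security items as (description, priority) pairs."""
    out = []
    if not v.dpa_signed:
        # A missing DPA is P1 only when the vendor touches personal data; otherwise P2.
        out.append(("missing DPA", "P1" if handles_personal_data(v) else "P2"))
    if soc2_stale(v, today):
        out.append(("SOC 2 report missing or older than 12 months", "P2"))
    return out


def is_high_risk(v: Vendor, today: date) -> bool:
    """Step 4's rule: PII/PHI without a DPA, or a stale SOC 2 report.
    A missing DPA on a vendor with no personal data is an open item but not high-risk."""
    return (handles_personal_data(v) and not v.dpa_signed) or soc2_stale(v, today)


def remediation_tasks(register, today: date) -> list:
    """Step 5: one task per outstanding item, due 30 days before renewal."""
    tasks = []
    for v in register:
        for item, prio in findings(v, today):
            tasks.append({"vendor": v.name, "item": item, "priority": prio,
                          "assignee": v.owner,
                          "due": v.renewal_date - timedelta(days=TASK_LEAD_DAYS)})
    return tasks


def weekly_digest(register, today: date) -> list:
    """Step 6: vendors renewing within 60 days, soonest first, with open items."""
    rows = []
    for v in sorted(register, key=lambda x: x.renewal_date):
        days_left = (v.renewal_date - today).days
        if 0 <= days_left <= DIGEST_WINDOW_DAYS:
            rows.append({"vendor": v.name, "renewal_date": v.renewal_date,
                         "days_left": days_left,
                         "high_risk": is_high_risk(v, today),
                         "outstanding": [item for item, _ in findings(v, today)]})
    return rows


# Constructed sample register (fictional vendors) and a fixed "today" for repeatable runs.
TODAY = date(2026, 1, 12)
SAMPLE_REGISTER = [
    Vendor("HR platform", "it-lead", date(2026, 2, 20), "PII", date(2025, 9, 1), False),
    Vendor("Video conferencing", "it-lead", date(2026, 6, 30), "none", date(2024, 11, 15), True),
    Vendor("Identity provider", "it-lead", date(2026, 3, 1), "PII", date(2025, 6, 30), True),
    Vendor("Analytics AI tool", "it-lead", date(2026, 1, 31), "PII", None, False),
    Vendor("Ticketing", "it-lead", date(2026, 5, 15), "none", date(2025, 2, 1), False),
]

if __name__ == "__main__":
    for row in weekly_digest(SAMPLE_REGISTER, TODAY):
        print(f"{row['vendor']}: renews in {row['days_left']}d, "
              f"high_risk={row['high_risk']}, outstanding={row['outstanding']}")
    for t in remediation_tasks(SAMPLE_REGISTER, TODAY):
        print(f"[{t['priority']}] {t['vendor']}: {t['item']} (due {t['due']})")
```

The split between `findings` and `is_high_risk` matters: the register prompt flags every missing DPA, but only a PII or PHI vendor without a DPA is high-risk and P1. Keeping the two rules separate lets you tune one without silently changing the other.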

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Q1 2026 Security Audit Prep — 43-Vendor Stack Review

Sample numbers from a real run
Vendors in Notion database: 43
Vendors flagged high-risk (PII + no DPA or expired SOC 2): 7
Vendor trust portals visited via browser automation: 19
Missing DPAs identified: 4
SOC 2 reports older than 12 months: 5
P1 remediation tasks auto-created in Task Manager: 4
Hours saved vs. manual portal visits and spreadsheet cross-referencing: 11

Your company's external auditor is requesting evidence of vendor risk controls in three weeks. You have 43 SaaS vendors in Notion — some with contracts, some just Okta SSO entries that an employee connected six months ago. You tell Starch to build a vendor risk register from the Notion database, apply your risk-scoring rules, and visit 19 vendor trust portals through browser automation to pull SOC 2 links and last-updated dates. Starch returns the populated register in under an hour. Seven vendors are flagged high-risk: four are missing DPAs (including one HR tool that processes employee PII for 300 people), and five have SOC 2 reports last updated in early 2024. Starch creates P1 tasks in Task Manager for the four missing DPAs, drafts follow-up emails from Gmail to each vendor's security contact, and generates a Jira ticket for your security escalation queue. You send the auditor a clean vendor risk summary — not a half-finished spreadsheet — and close out the four DPAs before the audit window opens.

Measurement

How you'll know it's working

Percentage of vendors with a current SOC 2 report on file (report period ended less than 12 months ago, or a bridge letter covers the gap since then)
Percentage of PII-handling vendors with a signed DPA
Days from vendor contract renewal to risk review completion
Number of high-risk vendor flags resolved before audit deadline
Time spent on quarterly vendor risk review (target: under 2 hours for a 40-50 vendor stack)
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Spreadsheet + Google Drive folder
Free and familiar, but it's a manual process — no automated alerts, no browser-collected SOC 2 links, and the register is always one person's job to maintain and always out of date.
Torii or Zluri (SaaS management platforms)
Good at surfacing SaaS spend and license utilization, but not built for vendor risk assessment — you still need a separate process for DPA tracking, SOC 2 collection, and security questionnaire follow-up.
OneTrust or Prevalent (dedicated VRM tools)
Purpose-built for vendor risk management at scale, but priced and scoped for enterprise compliance teams; overkill for a two-person IT team that needs a vendor register and renewal alerts, not a full GRC platform with a six-month implementation.
Notion database (manual)
You probably already have one, and Starch connects to it — but the database itself doesn't visit vendor portals, auto-flag expired SOC 2 reports, or create Jira tickets when something goes wrong. Starch is the automation layer on top of the Notion you already have.
On Starch (recommended)

One platform: a custom vendor risk register and Task Manager running on connected data today, with Contract Lifecycle Management added when it launches. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

We don't have a formal vendor database yet — just contracts scattered across Google Drive and a few Notion pages. Can Starch still work?
Yes. Tell Starch what you have and where it lives ('I have vendor contracts in Google Drive and some notes in a Notion database') and Starch connects to both from its integration catalog and helps you build the register from what's already there. You don't need a clean starting point. Both Google Drive and Notion are reachable via Starch's integration catalog; Notion databases are queried live when your app runs.
Can Starch actually visit vendor trust portals and download SOC 2 reports automatically?
Starch can automate navigation through your browser, visiting a vendor's trust page, locating a SOC 2 link, and recording the URL and last-updated date, without needing an API. For portals that require a login, Starch can automate the login flow the same way you would; if you do that, give it a dedicated portal account rather than your own admin or SSO credentials, since the agent is driving a logged-in browser session. It cannot accept legal agreements on your behalf, so you'd still confirm any gated downloads. But the research and tracking work, visiting 20 portals and returning structured data, is the part Starch handles.
Is Starch SOC 2 certified? Should I be putting vendor contract data into it?
Starch does not yet have a SOC 2 Type II report (SOC 2 is an auditor's attestation report rather than a certification, but most infosec policies phrase the requirement as "SOC 2 certified"). That's worth knowing if your policy requires SOC 2 tools for storing contract data. For teams where that's a hard requirement today, keep contract records in your existing systems (Notion, Google Drive) and use Starch to read from and automate against them rather than as the primary store.
What about Contract Lifecycle Management — I saw that listed?
Contract Lifecycle Management is currently in development. You can request beta access to get notified when it launches. Today, you'd build your vendor risk register as a custom Starch app — describing what you need in natural language — pulling from Notion or Google Drive where your contracts live. The CLM app, when it launches, will add structured contract storage, clause libraries, and e-signature workflows on top of that.
We use Okta and already have a partial vendor list there. Can Starch pull from Okta?
Okta is reachable from Starch's integration catalog — the agent queries it live when your app runs. You can tell Starch to cross-reference your Okta app list against your vendor risk register to surface any SaaS tools your employees are using that haven't gone through a formal risk review. That's a useful starting point for finding shadow IT.
How is this different from just setting calendar reminders for renewal dates?
Calendar reminders tell you a date is coming. They don't tell you whether the DPA is signed, whether the SOC 2 report is still current, or whether the vendor even processes PII. Starch's vendor risk register tracks all of those fields together, flags what's missing, and creates the remediation tasks — so when the renewal alert fires, you already know what's outstanding and how urgent it is.

Ready to run a vendor risk assessment on Starch?

Request closed-beta access. Everything is free during beta.
