How to run a vendor risk assessment as a small legal and compliance team

Compliance & Legal · For Small Legal and Compliance Teams · 3 apps · 11 steps · ~22 min to set up

Your two-person legal team runs vendor risk assessments the same way you did two years ago: a spreadsheet of 40 SaaS tools, a Google Form questionnaire you copy-paste into email, and a Notion page that tracks responses only when someone remembers to update it. IT wants to onboard a new data processor by Friday. You need a completed security questionnaire, a reviewed DPA, evidence the vendor is SOC 2 certified, and a risk tier assigned — all before you can sign off. Half your day goes to chasing vendors for questionnaire responses over email, cross-referencing what's in Gmail against what's in the Notion tracker, and confirming which tools are already approved versus under review. The six-figure tools (OneTrust, Vanta's vendor module, Prevalent) assume a dedicated risk analyst to run them. You don't have one.

Outcome

What you'll set up

A live vendor risk queue that tracks every vendor under review — questionnaire status, risk tier, DPA status, and who owns the decision — pulled from Gmail and your Notion tracker, surfaced in one place
An automated follow-up workflow that monitors vendor questionnaire threads in Gmail and sends a reminder if a response is more than five business days overdue, with no manual chasing on your end
A risk-assessment app where you describe the vendor and Starch drafts the initial risk memo — data classification, subprocessor flags, contractual gaps — so you're editing a draft instead of starting from a blank page
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail on a schedule so the vendor risk tracker can surface open questionnaire threads and flag overdue responses without you manually checking. Connect Notion from Starch's integration catalog — the agent queries it live when the tracker needs to pull existing vendor records or policy docs. Connect Google Drive from Starch's integration catalog for DPA and questionnaire template retrieval. If your vendor portal or security questionnaire platform is web-accessible but has no API (e.g., a vendor's custom trust portal or a government procurement site), Starch automates it through your browser — no API needed.

Prompts to copy
Build me a vendor risk tracker that shows every vendor we're currently assessing. For each vendor, track: vendor name, category (cloud infra / HR / sales tools / etc.), data sensitivity tier (low / medium / high — based on whether they process personal data or financial data), questionnaire status (not sent / sent / response received / reviewed), DPA status (not required / requested / received / signed), assigned reviewer, and final risk decision (approved / conditional / rejected). Pull open questionnaire threads from Gmail so I can see which vendors haven't responded yet.
Every Monday morning, check my Gmail for any vendor risk questionnaire threads where we sent a message more than 5 business days ago and haven't received a reply. Draft a polite follow-up email for each one and show them to me for approval before sending.
Create a knowledge base that stores our approved vendor list, our standard security questionnaire template, our DPA template, our data classification policy, and our vendor risk methodology. When I add a new vendor assessment, auto-link the relevant policy docs based on the vendor's data tier.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Gmail — Starch syncs your email on a schedule and indexes threads tagged or filtered for vendor communications, so questionnaire status is derived from actual email activity, not manual entry.
2 Connect Notion from Starch's integration catalog. The agent queries your existing vendor tracker live, so you're not migrating data — you're building a better surface on top of what already exists.
3 Connect Google Drive from Starch's integration catalog so Starch can retrieve your standard security questionnaire, DPA template, and data classification policy when drafting assessments.
4 Open the Knowledge Management app and load your vendor risk methodology, data classification tiers, and approved vendor list. This becomes the reference layer Starch pulls from when drafting risk memos.
5 Describe your vendor risk queue to Starch in natural language: name the fields you care about (vendor, data tier, questionnaire status, DPA status, reviewer, decision), and Starch builds the app. You're not configuring a form — you're describing what you need.
6 For each new vendor assessment request from IT or procurement, open the app, add the vendor, and tell Starch: 'Draft a risk memo for [Vendor]. They process employee HR data, are SOC 2 Type II certified per their trust page, and we haven't received their completed questionnaire yet.' Starch drafts the memo; you edit and approve.
7 Set up the Task Manager app to track every open vendor assessment as a task with a due date tied to the IT onboarding deadline. When a new assessment lands in Gmail, Starch creates the task automatically and assigns it to you or your colleague based on vendor category.
8 Activate the weekly follow-up automation via the Email Agent app. Starch monitors Gmail for questionnaire threads, identifies non-responses after five business days, drafts follow-up emails in your voice, and surfaces them for one-click approval — you send, but you don't compose.
9 When a DPA arrives, tell Starch: 'Log that [Vendor]'s DPA was received today. Flag any clauses that deviate from our standard template and summarize the gaps.' Starch cross-references the received document against your Google Drive template and returns a gap list.
10 When a vendor assessment is complete, update the risk decision in the tracker (approved / conditional / rejected) and tell Starch to generate a one-paragraph approval summary for the IT ticket. This becomes the audit trail entry — timestamped, stored in Starch's knowledge base.
11 At the end of each quarter, ask Starch: 'Show me all vendors approved in the last 90 days, their data tier, and whether a signed DPA is on file.' This is your quarterly vendor inventory for audits, board reporting, or compliance reviews — no manual aggregation required.
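The Monday prompt above and step 8 both hinge on one rule: a questionnaire thread is overdue when our last outbound message has gone unanswered for more than five business days. Before trusting an agent with that rule it is worth pinning down what "business days" means (weekends excluded, holidays optional) and what counts as a reply (an inbound message dated after our last send). The following Python is an added example, not Starch's code; the thread records are constructed inline to stand in for Gmail data, and the vendor names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Thread:
    """One questionnaire thread as it would be summarised from a mailbox (constructed)."""
    vendor: str
    last_outbound: date            # date we last sent a questionnaire message
    last_inbound: Optional[date]   # date of the vendor's latest reply, if any


def business_days_between(start: date, end: date,
                          holidays: FrozenSet[date] = frozenset()) -> int:
    """Count weekdays strictly after `start` up to and including `end`.

    Saturdays and Sundays never count; dates in `holidays` (assumption: your own
    calendar, empty by default) are skipped as well. Returns 0 if end <= start.
    """
    if end <= start:
        return 0
    count = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            count += 1
    return count


def overdue_threads(threads: List[Thread], today: date, threshold: int = 5,
                    holidays: FrozenSet[date] = frozenset()) -> List[Tuple[str, int]]:
    """Return (vendor, business days waiting) for every thread whose last outbound
    message is unanswered and older than `threshold` business days.

    A reply only closes the wait if it is dated on or after our last send; an
    earlier reply followed by a new question from us starts the clock again.
    """
    overdue = []
    for t in threads:
        if t.last_inbound is not None and t.last_inbound >= t.last_outbound:
            continue  # vendor has answered our latest message
        waited = business_days_between(t.last_outbound, today, holidays)
        if waited > threshold:
            overdue.append((t.vendor, waited))
    return overdue


# Constructed sample: the check runs on Monday 2026-04-13.
TODAY = date(2026, 4, 13)
SAMPLE_THREADS = [
    Thread("payroll-analytics", date(2026, 4, 1), None),             # sent Wed, silence since
    Thread("ai-recruiting", date(2026, 4, 7), None),                 # sent Tue, only 4 business days
    Thread("contract-signing", date(2026, 4, 2), date(2026, 4, 6)),  # answered after our send
    Thread("cloud-backup", date(2026, 4, 3), date(2026, 4, 2)),      # old reply, new question unanswered
]


def demo() -> List[Tuple[str, int]]:
    """Run the overdue check on the constructed threads."""
    return overdue_threads(SAMPLE_THREADS, TODAY)


if __name__ == "__main__":
    for vendor, days in demo():
        print(f"{vendor}: no reply for {days} business days; draft follow-up")
```

Run on the sample, only payroll-analytics (8 business days) and cloud-backup (6) are flagged; ai-recruiting has waited 4 and contract-signing has replied. The `>=` comparison on reply dates is deliberate: a same-day reply to a same-day send counts as answered, which is the safer default for an automation that sends external email.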

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

April 2026 SaaS Onboarding Wave — 6 Vendors in 10 Days

Sample numbers from a real run
Vendors submitted by IT for onboarding: 6
Vendors processing personal/sensitive data (high tier): 3
Questionnaire responses overdue at day 5: 2
DPA gaps flagged by Starch vs. your standard template: 4
Hours to complete all 6 assessments (estimated vs. actual): 14 vs. 6

IT submits six new vendor onboarding requests the first week of April: a new payroll analytics tool, an AI recruiting platform that processes candidate data, a contract signing tool, a Slack-integrated project tracker, a cloud storage backup vendor, and a niche legal research tool. Under the old process — email questionnaires, manual Notion updates, chasing for responses — this would be 14 hours of work spread across two weeks and at least one angry Slack from IT asking why it's taking so long. With Starch, the vendor risk queue auto-populates from the IT intake emails in Gmail. Starch identifies the three high-tier vendors (payroll analytics, AI recruiting, cloud backup) based on your data classification policy stored in the knowledge base, and immediately flags that each requires a DPA review. The two vendors who haven't responded to the questionnaire after five days get automated follow-up emails drafted and approved in under 3 minutes. When the AI recruiting platform's DPA arrives, Starch compares it against your standard template and flags four deviations: a subprocessor list that's opt-out rather than opt-in, a data retention clause set at 36 months versus your standard 12, a missing breach notification SLA, and a jurisdiction clause that defaults to Delaware instead of your governing law. You get a gap summary, not a document to read cold. Total time for all six assessments: 6 hours, not 14.

Measurement

How you'll know it's working

Mean days to complete a vendor risk assessment from IT request to legal sign-off
Percentage of high-data-tier vendors with a signed DPA on file
Number of overdue questionnaire responses in the active pipeline at any given time
Vendor assessments completed per week per legal team member
Percentage of approved vendors with a complete audit trail entry (risk memo + DPA status + decision timestamp)
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

OneTrust Vendor Risk Management
Purpose-built and comprehensive, but starts around $50k/year and assumes a dedicated privacy or risk-ops person to configure and maintain it — not realistic for a two-person team running this alongside contract review and everything else.
Prevalent / ProcessUnity
Enterprise vendor risk platforms with strong assessment libraries, but priced and scoped for security teams with dedicated GRC headcount, not lean legal teams who need vendor risk as one workflow among many.
Manual spreadsheet + Google Forms + Gmail
Free and already in use, but the tracker is always stale, follow-ups happen only when someone remembers, and there's no audit trail that holds up in a SOC 2 audit or a regulatory inquiry.
Vanta vendor risk module
Useful if you're already running Vanta for SOC 2, but the vendor risk features are lightweight and you still end up doing the actual assessment work — questionnaire drafting, DPA review, gap analysis — outside the tool.
Notion + Zapier
Flexible and cheaper, but you spend more time building and maintaining the automation than running assessments — and it still won't draft a risk memo or flag DPA deviations against your standard template.
On Starch (recommended)

One platform — knowledge management, task manager, email agent all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

We already have a Notion vendor tracker. Do we have to start over?
No. Connect Notion from Starch's integration catalog and the agent queries your existing data live. You're building a better surface and workflow on top of what's already there, not migrating into a new system of record.
Can Starch actually read the DPA a vendor sends us and flag deviations from our standard template?
Yes, if both documents are accessible — your template in Google Drive (connected from Starch's integration catalog) and the vendor's DPA in Gmail (synced on a schedule) or in a linked Drive folder. You'd tell Starch: 'Compare the DPA in this Gmail thread against our standard DPA template in Drive and flag any clauses that deviate.' Starch reads both and returns a gap list. It's not a legal review — it's a first-pass triage so you're editing and approving rather than reading cold.
What if the vendor uses a custom trust portal or security questionnaire platform that has no API?
Starch automates it through your browser, so no API is needed. If you can log in and navigate the portal yourself, Starch can do the same: retrieve the completed questionnaire, check certification status, or fill out a required self-assessment form on your behalf. Because it acts inside your authenticated session, it has whatever access your portal account has, so use the least-privileged reviewer account the portal offers and review anything it submits on your behalf before it is sent.
Is Starch SOC 2 certified? That matters when we're telling vendors to complete our security questionnaire.
Starch is not currently SOC 2 Type II certified, which is worth knowing before you route vendor questionnaire responses, DPAs, or trust-portal credentials through it. If your organization requires SOC 2 for all data processors, that is a real constraint to factor in. Treat Starch like any other vendor on your list: it belongs in the same tracker, with its own data tier and risk decision, before it handles other vendors' assessments.
Can Starch send the vendor questionnaire emails automatically, or does it just draft them?
Both modes are available. You can set up an automation that drafts the follow-up and requires your one-click approval before sending, or you can configure it to send automatically after a defined delay. Most legal teams prefer the approval step for anything going to external parties — so Starch drafts, you approve, and it sends.
We use Outlook, not Gmail. Does this still work?
Yes. Starch syncs Outlook on a schedule the same way it does Gmail — messages, events, calendars, and contacts. Everything in these recipes that references Gmail works identically for Outlook users.
We're hoping to use this as part of our SOC 2 or ISO 27001 audit prep. Will Starch produce documentation that satisfies an auditor?
The audit trail Starch generates — timestamped decisions, risk memos stored in the knowledge base, DPA status logs — is a solid starting point and likely more complete than what most small teams produce today. Whether it satisfies your specific auditor's evidence requirements depends on your audit scope and the auditor. Use it to eliminate the 'we couldn't find the record' problem, not as a compliance guarantee.

Ready to run a vendor risk assessment on Starch?

Request closed-beta access. Everything is free during beta.
