Ops & Supply

How to vet and onboard vendors as CPG Founders

Ops & SupplyFor CPG Founders3 apps12 steps~24 min to set up

Every co-packer, ingredient supplier, and 3PL you bring on starts the same way: a PDF questionnaire emailed back and forth, a certificate of insurance buried in your Gmail, an SQF audit doc that expires next month sitting in a Drive folder nobody checks. You have no single place to see which vendors are approved, which have lapsed food-safety certs, which are still waiting on a signed co-manufacturing agreement. When a lot gets flagged under FSMA and your co-packer's current SQF cert is nowhere to be found, that's a recall risk. Most CPG founders are running this off a spreadsheet and inbox search, which works fine until it really doesn't.

Build this on Starch → See the apps used
Ops & SupplyFor CPG Founders3 apps12 steps~24 min to set up
Outcome

What you'll set up

A centralized vendor registry that tracks approval status, food-safety certifications, insurance documents, and contract renewal dates for every co-packer, ingredient supplier, and 3PL you work with
An automated onboarding checklist that walks new vendors through required documentation and flags gaps before you start production — no more chasing COIs by email
Renewal and expiration alerts wired to your task list so a lapsing SQF cert or expiring co-manufacturing agreement surfaces as a task before it becomes a compliance problem
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used
Contract Lifecycle Management Task Manager Project Management
Data sources & config

Contract Lifecycle Management (coming soon — request beta access) will handle contract drafting, e-signature, and renewal tracking natively. In the meantime, wire Gmail via scheduled sync so Starch can surface vendor emails and attachments; connect Google Drive from Starch's integration catalog so the agent queries your cert files live; use Task Manager (coming soon — request beta access) for expiration-driven personal alerts; and use Project Management for structured onboarding milestone tracking. Browser automation handles any vendor portal that requires manual login — submitting onboarding forms or pulling audit reports from a supplier portal with no API.

Prompts to copy
Build me a vendor registry that tracks each supplier's name, category (co-packer / ingredient / 3PL / packaging), approval status, SQF or BRC cert expiration date, COI expiration date, and the signed contract status. Alert me 60 days before any cert or contract expires.
Create an onboarding checklist project template for new co-packers. Required milestones: W-9 received, COI on file, food safety cert uploaded, co-manufacturing agreement signed, allergen statement submitted, first production run approved. Assign each milestone to me with a due date I can set at kickoff.
Every Monday morning, show me a summary of all vendors with certifications or contracts expiring in the next 90 days, grouped by urgency.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Build the vendor registry app by describing it to Starch in plain language: include fields for vendor type, approval status, primary contact, SQF/BRC/GFSI cert number and expiration, COI expiration, and contract signed date. Starch generates the data model and entry form without a spreadsheet.
2 Import your existing vendor list — paste it into chat or connect Google Sheets from Starch's integration catalog so the agent queries your current roster live and populates the registry.
3 Set up the onboarding checklist template in Project Management. Define the standard milestones every new co-packer or ingredient supplier must complete before their first purchase order is issued.
4 When a new vendor is approved, spin up an onboarding project from the template. Assign milestones, set a target production-start date, and let the project tracker surface what's missing.
5 Connect Gmail via scheduled sync. Starch reads inbound vendor emails so you can ask 'has Acme Ingredients sent their updated COI this month?' without digging through your inbox.
6 For vendor portals that require a login — a co-packer's quality management portal, an ingredient supplier's compliance hub — Starch automates the session through your browser, no API needed, to pull current audit status or fill out onboarding forms.
7 Wire expiration date alerts into Task Manager: 90-day warning, 30-day warning, and a hard stop at expiration. Each alert creates a task with the vendor name, document type, and the contact to chase.
8 When Contract Lifecycle Management launches (request beta access now), migrate your co-manufacturing agreements and supply agreements into the CLM. AI-assisted drafting pulls from your clause library; e-signature collects multi-party sign-off without DocuSign switching costs.
9 Run a weekly Monday summary: ask Starch 'which vendors have certs or contracts expiring in the next 90 days?' and get a prioritized list with days remaining and the last document received.
10 For vendor qualification, build a scoring view: ask Starch to score each vendor by on-time delivery rate (pulled from your 3PL data via browser automation), cert currency, and complaint history logged in the registry. Use this at annual review instead of gut feel.
11 Archive every signed document against the vendor record — Starch connects to Google Drive from the integration catalog so attachments are linked without manual uploads to a separate system.
12 When a vendor is offboarded, mark them inactive in the registry. The contract expiration alerts stop, and the vendor history stays searchable for FSMA traceability if a lot dispute surfaces later.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Onboarding a new co-packer, Q1 2026

Sample numbers from a real run
New co-packer: Midwest Pack Co.0
SQF Level 2 cert — expires 2026-09-140
COI (general liability + product liability) — expires 2026-07-010
Co-manufacturing agreement — unsigned at kickoff0
Allergen statement — missing at kickoff0
First production run target — 2026-03-150

You've just agreed to move your bar production to Midwest Pack Co. starting March 15. You open Starch and tell it: 'Create a new vendor onboarding project for Midwest Pack Co., co-packer, target production start March 15. Required milestones: W-9, COI, SQF cert upload, co-manufacturing agreement signed, allergen statement, first-run approval.' Starch builds the project with five milestone tasks, all assigned to you with due dates staggered backward from March 15. On day one, Starch flags that the co-manufacturing agreement is still unsigned and the allergen statement hasn't been submitted — two blockers before any production happens. You ask Starch to draft the co-manufacturing agreement using your standard clause library (once Contract Lifecycle Management launches); in the interim, you attach the signed PDF to the vendor record manually and Starch marks that milestone complete. By February 20, all five milestones are green. Starch also logs that the COI expires July 1 — 45 days before it would have lapsed, a task appears: 'Chase Midwest Pack Co. COI renewal — expires in 45 days.' You never would have caught that in a Drive folder.

Measurement

How you'll know it's working

Vendor approval rate: % of active vendors with all required docs current (SQF/BRC, COI, signed contract)
Days to onboard a new co-packer or ingredient supplier from first contact to first purchase order
Cert expiration coverage: number of vendors with a cert lapsing in the next 90 days vs. total active vendors
Contract renewal lead time: average days between expiration alert and renewed agreement signed
Outstanding onboarding milestones across all active vendor projects
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Drive folder + Gmail search
Zero cost but zero alerts — you find out a cert lapsed when the audit happens, not 60 days before.
Supplier quality platforms (e.g., Supplier.io, Ivalua)
Enterprise SQM tools built for procurement teams of 20+ with six-figure contracts; overkill and overpriced for a CPG brand doing $2M–$10M in revenue.
DocuSign + Airtable
Solid for e-signature and structured data, but you're paying for two separate tools, manually linking records, and still building your own expiration-alert logic.
Notion database
Flexible and cheap, but Notion doesn't send you a task when a cert is 60 days from expiring — you have to remember to check.
On Starch RECOMMENDED

One platform — contract lifecycle management, task manager, project management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

Can Starch actually read the vendor documents I already have in Google Drive?
Yes. Connect Google Drive from Starch's integration catalog and the agent queries your files live when you ask about them. You can ask 'do we have a current COI on file for Acme Ingredients?' and Starch will search your Drive and surface the most recent document. It won't automatically index every file — you point it at the right folder and it works from there.
What about the co-manufacturing agreement — can Starch draft it for me?
Contract Lifecycle Management, which includes AI-assisted contract drafting from a clause library, is coming soon. You can request beta access today to get notified when it launches. Until then, you can store signed contracts against each vendor record in the registry and track signature status as a milestone in Project Management.
Does Starch support FSMA-specific traceability requirements, like lot-level records?
Starch's vendor registry tracks which co-packers and suppliers are approved and keeps their food-safety documentation current — that's the vendor side of traceability. Lot-level production records (Rule 204 key data elements) live in your ERP or production system. Starch can surface those records via browser automation if your production system has a web interface, or you can log lot-to-vendor linkages in the registry manually. It's not a standalone FSMA compliance tool, but it closes the 'which vendors are approved and do their certs actually cover this production run' gap.
My co-packer uses a quality portal that requires a login to access audit docs. Can Starch pull from that?
Yes. Starch automates browser sessions — no API needed. If you can log into the portal and download a report, Starch can do it on your behalf. You tell Starch the URL and your credentials, and it navigates the portal to pull the current audit status or upload your onboarding forms. This works even if the portal has no API at all.
Is my vendor data stored securely? What about SOC 2?
Starch is not SOC 2 Type II certified today. If your procurement or quality policy requires SOC 2 Type II from your software vendors, that's worth knowing upfront. For most CPG founders at the $1M–$10M revenue stage, the practical risk of storing vendor cert dates and contract status in Starch is low — but it's your call.
We already use Airtable for vendor tracking. Why switch?
You don't have to replace Airtable entirely. Connect Airtable from Starch's integration catalog and the agent can query your existing vendor database live. The value Starch adds is the alert layer (expiration tasks that surface automatically), the onboarding workflow structure (milestones tracked in Project Management), and eventually the contract drafting and e-signature once Contract Lifecycle Management launches. If Airtable is working for the data model, Starch can sit on top of it rather than replace it.

Ready to run vet and onboard vendors on Starch?

Request closed-beta access. Everything is free during beta.

You're on the list! We'll be in touch soon.