How to vet and onboard vendors as Small IT and ITOps Teams

Ops & Supply | For Small IT and ITOps Teams | 2 apps | 12 steps | ~24 min to set up

Your team of two owns vendor onboarding for the entire company. That means chasing down security questionnaires from new SaaS vendors, checking if their SOC 2 report is current, routing NDA and DPA sign-off through Legal (who are busy), provisioning access in Okta once contracts land, and logging the vendor in whatever spreadsheet or Notion doc is supposed to be the source of truth this quarter. A new vendor can take two to four weeks to onboard not because it's complicated but because every step lives in a different tool — Jira for the ticket, Google Drive for the contract, Okta for provisioning, email for chasing the vendor's compliance docs — and nobody has time to babysit it.

Outcome

What you'll set up

A vendor intake tracker that pulls open Jira tickets, contract status, and provisioning state into one app so you always know which vendor is blocked and why
An automated vendor review checklist that prompts your team to collect SOC 2 reports, DPAs, and security questionnaires before access is provisioned — with Slack alerts when something stalls
A renewal and contract-expiration monitor (once Contract Lifecycle Management launches) so vendor agreements don't auto-renew without a review
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Connect Jira from Starch's integration catalog — the agent queries it live to pull ticket status and assignee into the vendor tracker. Connect Slack from Starch's integration catalog so stall alerts fire to your #it-ops channel. Starch syncs your Google Calendar data on a schedule so deadline reminders land where you already work. For contract documents stored in Google Drive, Starch automates retrieval through your browser — no additional API needed. The Contract Lifecycle Management app is coming soon; request beta access to be notified at launch.

Prompts to copy
Build me a vendor onboarding tracker with columns for vendor name, onboarding stage (intake / security review / legal sign-off / provisioning / active), contract status, SOC 2 expiry date, DPA received, Okta group assigned, and Jira ticket number. Alert me in Slack when any vendor has been stuck in the same stage for more than five business days.
When Contract Lifecycle Management launches, add a view that shows every vendor contract expiring in the next 90 days, the contract owner, and whether a renewal review task has been created.
Walkthrough

Step-by-step

1 Connect Jira from Starch's integration catalog. Every vendor onboarding request should start as a Jira ticket — Starch queries Jira live so your tracker always reflects current ticket state without manual updates.
2 Build the vendor onboarding tracker app in Starch. Describe it in plain language: 'Track each vendor through intake, security review, legal sign-off, and provisioning stages. Pull ticket number and assignee from Jira. Flag anything stuck for more than five business days.'
3 Add a security review checklist step to the tracker. When a vendor moves to the security review stage, Starch creates a sub-task list: collect SOC 2 Type II report, collect DPA, complete internal security questionnaire. Mark each item complete manually or prompt Starch to check your email for the vendor's reply.
4 Connect Slack from Starch's integration catalog and configure stall alerts. If a vendor hasn't moved stages in five business days, Starch posts a message to #it-ops tagging the ticket owner.
5 For vendor contracts stored in Google Drive, use Starch to automate document retrieval through your browser and attach the file path to the tracker row. No additional API setup required.
6 Connect Google Calendar — Starch syncs your calendar data on a schedule — and set milestone reminders for legal sign-off deadlines and provisioning target dates tied to employee start dates.
7 Build a provisioning confirmation step. Once legal sign-off is logged, Starch creates a Jira sub-ticket for Okta group assignment. You close it when provisioning is complete, which moves the vendor to Active in the tracker.
8 Set up a weekly summary automation. Every Monday, Starch pulls all vendors in active onboarding, lists their current stage and days-in-stage, and posts a digest to Slack so nothing is invisibly stalled.
9 For vendors with web-based compliance portals (insurance certificates, government vendor registrations), Starch automates those form submissions and status checks through your browser — no API needed.
10 When Contract Lifecycle Management launches, migrate contract metadata from your tracker into CLM so renewal alerts and e-signature workflows are handled in one place rather than through a Drive folder and email chain.
11 Audit the tracker quarterly. Use Starch to query Jira for closed vendor tickets and flag any vendors marked Active who haven't had a security review in the past 12 months — those need a DPA refresh or SOC 2 recheck.
12 Publish the vendor onboarding app to your Starch workspace so any team member — IT, Finance, Legal — can see vendor status without pinging you directly.

Worked example

Onboarding Figma Enterprise + a new payroll vendor, March 2026

Sample numbers from a real run
Figma Enterprise — legal sign-off lag: 9
New payroll vendor — SOC 2 report chase (days): 12
Okta provisioning tickets created automatically: 2
Slack stall alerts fired before manual follow-up needed: 3
Hours saved vs. manual spreadsheet tracking: 6

In March 2026 your team ran two parallel vendor onboardings: Figma Enterprise for the design org (200 seats) and a new payroll integration vendor. The Figma ticket came in on March 3 with a go-live target of March 17 to coincide with a designer hire wave. The vendor tracker flagged on March 8 that legal sign-off had been sitting at the same stage for five days — Starch fired a Slack alert to #it-ops tagging the procurement lead. Legal signed the DPA on March 10. Starch created the Okta provisioning Jira sub-ticket automatically; the group was live by March 12, five days ahead of target. The payroll vendor was messier: their SOC 2 report was 13 months old. The security review checklist in Starch flagged this on intake — your team requested an updated report on March 5, chased again via a browser-automated email follow-up on March 12, and received the updated report on March 17. Provisioning was held until March 19. Without the tracker, that 12-day chase would have been invisible until an engineer asked why the integration wasn't live yet.

Measurement

How you'll know it's working

Average days from vendor intake ticket to Okta provisioning (target: under 10 business days)
Percentage of active vendors with a current SOC 2 report on file (under 12 months old)
Number of vendor contracts expiring in the next 90 days without a renewal review task assigned
Stall rate: percentage of onboarding tickets stuck in one stage for more than 5 business days
DPA coverage: percentage of active SaaS vendors with a signed DPA logged in the tracker
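
An added example (not Starch code or output): a standalone Python check that applies this page's thresholds, five business days per stage and a SOC 2 report under 12 months old, to exported tracker rows, and also flags access granted while review items are outstanding. The row field names, vendor names and the 365-day approximation of 12 months are assumptions, and the sample rows are constructed.

```python
from datetime import date, timedelta

STALL_LIMIT = 5     # business days in one stage before an alert (from the page)
SOC2_MAX_AGE = 365  # days; "under 12 months old" approximated as 365 (assumption)

def business_days_since(start, today):
    """Count Mon-Fri days after `start`, up to and including `today` (holidays ignored)."""
    count, day = 0, start
    while day < today:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count

def audit(rows, today):
    """Return {vendor: [findings]} for tracker rows that break a rule."""
    report = {}
    for r in rows:
        docs = []
        if r["soc2_date"] is None:
            docs.append("no SOC 2 report on file")
        elif (today - r["soc2_date"]).days > SOC2_MAX_AGE:
            docs.append("SOC 2 report older than 12 months")
        if not r["dpa_received"]:
            docs.append("no signed DPA logged")
        issues = list(docs)
        if r["stage"] != "active":
            stuck = business_days_since(r["stage_entered"], today)
            if stuck > STALL_LIMIT:
                issues.append(f"stalled in {r['stage']} for {stuck} business days")
        # Review items must be complete before access is provisioned.
        if docs and r["okta_group"]:
            issues.append("Okta group assigned with review items outstanding")
        if issues:
            report[r["vendor"]] = issues
    return report

# Constructed sample rows (hypothetical vendors, not data from the page).
TODAY = date(2026, 3, 16)
ROWS = [
    {"vendor": "vendor-a", "stage": "legal sign-off", "stage_entered": date(2026, 3, 5),
     "soc2_date": date(2025, 9, 1), "dpa_received": True, "okta_group": None},
    {"vendor": "vendor-b", "stage": "security review", "stage_entered": date(2026, 3, 12),
     "soc2_date": date(2025, 2, 1), "dpa_received": False, "okta_group": None},
    {"vendor": "vendor-c", "stage": "active", "stage_entered": date(2025, 1, 10),
     "soc2_date": date(2025, 1, 5), "dpa_received": True, "okta_group": "app-vendor-c"},
]

if __name__ == "__main__":
    for vendor, issues in audit(ROWS, TODAY).items():
        print(vendor, "->", "; ".join(issues))
```
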
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Notion + Google Sheets
Free and flexible, but the vendor tracker goes stale immediately because there's no live Jira connection — someone has to manually update it, and that someone is you.
Vendr or Zluri
Purpose-built SaaS management tools with vendor onboarding features, but they're priced for procurement teams at larger companies and add another tool your two-person team has to administer.
Jira Service Management workflows alone
Jira is already in your stack and handles the ticketing layer well, but it doesn't surface cross-vendor status, contract expiry, or security review coverage without significant admin configuration you don't have time to build.
Manual email + Drive folder
Zero cost and already in use, but contract expiry dates and SOC 2 refresh deadlines live in no one's head reliably — you find out a vendor's certification lapsed when an auditor asks.
On Starch (recommended)

One platform: project management and contract lifecycle management, all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Does Starch replace Jira for IT ticketing?
No, and it's not trying to. Starch connects to Jira from its integration catalog and queries your tickets live. Your team keeps using Jira the way you already do — Starch builds the vendor onboarding view on top of it so you're not maintaining a separate spreadsheet that's always out of date.
Can Starch provision Okta groups automatically when legal signs off?
Starch can create the Jira sub-ticket for Okta provisioning automatically and alert your team in Slack. Direct write-back to Okta depends on whether your Okta instance is reachable via browser automation or the integration catalog — if it's web-accessible, Starch can automate the steps through your browser. Talk to the Starch team about your specific Okta setup.
What about the Contract Lifecycle Management app — when is it available?
Contract Lifecycle Management is coming soon. You can request beta access on the Starch site to get notified when it launches. In the meantime, contract status, DPA received, and SOC 2 expiry date are all trackable fields in the custom vendor onboarding app you build today.
Is Starch SOC 2 certified? We'll need to run it through our own vendor review.
Starch is not SOC 2 Type II certified today. That's worth factoring into your own vendor onboarding checklist for Starch itself. The team is working toward certification — check with Starch directly for the current status.
Our vendor contracts live in Google Drive and half of them are PDFs. Can Starch work with those?
Starch can automate retrieval and linking of Drive files through your browser. For structured contract data — expiry dates, counterparty names, renewal terms — you'd enter those fields into the vendor tracker manually or as part of the intake process. The coming-soon Contract Lifecycle Management app is designed to handle structured contract metadata more formally.
We use a mix of Slack and email to chase vendors for compliance documents. Can Starch help with that?
Yes. Connect Slack from Starch's integration catalog for internal alerts. For outbound vendor follow-ups over email, Starch can connect to Gmail — Starch syncs your Gmail data on a schedule — and automate follow-up drafts or send reminders at set intervals if a vendor hasn't responded. You approve before anything sends, or you can configure it to send automatically for standard follow-up templates.
