How to vet and onboard vendors as Small Legal and Compliance Teams

Ops & Supply · For Small Legal and Compliance Teams · 2 apps · 11 steps · ~22 min to set up

Your two-person legal team is the last stop before every new vendor relationship goes live. IT sends you a SaaS tool to approve, procurement sends you an MSA to redline, and the business wants both done by end of week. You're running vendor-risk questionnaires out of a shared Google Sheet that nobody updates, chasing security questionnaire responses over email, and manually cross-referencing SOC 2 reports stored in a Google Drive folder three levels deep. Ironclad and OneTrust would solve this, but they're priced for a legal-ops team you don't have. So the intake queue just grows.

Outcome

What you'll set up

A vendor-risk intake queue that pulls new requests from Gmail and Notion into a single prioritized view, with vendor status tracked from 'questionnaire sent' through 'approved' or 'rejected'
An automated outreach workflow that drafts vendor security questionnaires, sends them via Gmail, and logs responses — so you stop being the one chasing replies
A vendor contract tracker that surfaces upcoming renewals, missing DPAs, and unsigned MSAs before they become problems — built on top of the Google Drive folders and Notion database you already use
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail data on a schedule so the intake queue auto-populates from tagged emails. Connect Notion from Starch's integration catalog — the agent queries it live when the tracker or renewal dashboard runs. Connect Google Drive from Starch's integration catalog to pull questionnaire templates and filed contracts. Slack is connected from Starch's integration catalog for digest delivery. Contract Lifecycle Management (coming soon) will handle the full create-to-renewal workflow; today, the Project Management app handles intake tracking and the custom Notion-backed dashboard handles renewals.

Prompts to copy
Build me a vendor onboarding tracker with columns for vendor name, contract type (MSA / DPA / NDA), risk tier (high / medium / low), questionnaire status, security review owner, and approval date. Pull new vendor requests from our Gmail inbox tagged 'vendor-intake' and create a row for each one automatically.
Every Monday, scan our vendor tracker for any vendor where questionnaire status is 'sent' but no response has been logged in 10 business days (14 calendar days). Draft a follow-up email to the vendor contact, attach our standard security questionnaire template from Google Drive, and send it from my Gmail. Slack me a list of who you followed up with.
Build a contract renewal dashboard that reads our Notion vendor database, flags any contract with an expiration date in the next 90 days, and groups them by risk tier. Show me who owns each renewal and whether a current DPA is on file.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Gmail in Starch — Starch syncs your Gmail data on a schedule. Set up a label or filter rule ('vendor-intake') so incoming vendor requests are consistently tagged before Starch picks them up.
2 Connect Notion from Starch's integration catalog. If your vendor contract tracker lives in Notion, the agent queries it live. If it doesn't exist yet, tell Starch: 'Create a Notion database for vendor onboarding with fields for vendor name, contract types, risk tier, DPA status, questionnaire owner, and renewal date.'
3 Connect Google Drive from Starch's integration catalog so the agent can read filed MSAs, DPAs, and SOC 2 reports, and pull your standard security questionnaire template when drafting outreach.
4 Install the Project Management app from the Starch App Store and describe your vendor intake queue: 'Add a project called Vendor Risk Review. Each task is a vendor. Statuses are: Intake Received, Questionnaire Sent, Response Under Review, Legal Approved, Legal Rejected. Auto-create tasks from Gmail vendor-intake emails.'
5 Build the questionnaire-chasing automation: 'Every Monday at 8am, check the vendor tracker for any vendor in Questionnaire Sent status for more than 10 business days. Draft a follow-up from my Gmail, attach the security questionnaire from Google Drive, and send it. Log the send date in Notion and post a summary to #legal-ops in Slack.'
6 Build the renewal dashboard: 'Show me all vendors from our Notion database whose contract expiration is within 90 days. Group by risk tier. Flag any vendor missing a current DPA. Show the contract owner and a link to the Google Drive folder.'
7 For each new vendor reaching the 'Response Under Review' stage, tell Starch: 'Summarize the vendor's questionnaire responses from this Gmail thread, flag any answers that indicate gaps against our standard controls list, and draft a risk memo I can attach to the approval record.'
8 When a vendor is approved, trigger the contract execution step: 'Mark [vendor] as approved in Notion, move the task to Legal Approved in the project tracker, and draft a short approval note for the requester in Gmail citing the review date and any conditions.'
9 For high-risk vendors, build a recurring annual attestation reminder: 'Every year on the contract anniversary for vendors marked High Risk in Notion, draft and send an email requesting an updated SOC 2 report and a fresh security questionnaire. Log the request in Notion.'
10 Check Contract Lifecycle Management (coming soon in Starch's App Store) for the full create-to-renewal workflow with clause library, e-signature routing, and searchable repository. Request beta access now so you're first in line when it launches.
11 Once the workflow has run for a quarter, ask Starch: 'Show me average time-to-approval by risk tier over the last 90 days and flag any vendors where we exceeded our 15-day SLA.' Use this to identify where the queue is actually breaking.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Q2 2026 SaaS Vendor Intake — Three vendors in the same week

Sample numbers from a real run
Vendor 1: Rippling (HR platform migration)
Vendor 2: Loom (video tool, IT request)
Vendor 3: Airtable (ops team, new workspace)

In a single week in April, IT submits three separate SaaS approval requests. Rippling is a high-risk vendor: it will hold employee PII and needs a DPA reviewed before HR can run payroll on it. Loom is medium risk, with no sensitive data, but IT wants it provisioned for 40 users. Airtable is low risk, but ops has already bought it and is asking for retroactive legal sign-off on the MSA. Without a system, you'd be triaging this from memory and a spreadsheet last touched in January.

With Starch, Gmail syncs on a schedule and the three vendor-intake emails auto-create tasks in your Project Management tracker, one per vendor, pre-tagged with the requester's name and urgency. The Monday chasing automation fires before you even open your inbox.

For Rippling, you tell Starch: 'Pull the MSA from the Google Drive folder IT attached, summarize the data processing terms, flag any clauses that conflict with our standard DPA, and draft a redline cover note.' It reads the document, flags the sub-processor list clause as non-standard, and drafts the note. You check the flagged clause against your DPA yourself, send the redline, and log the approval in Notion, all without opening Drive manually. Rippling goes from intake to DPA signed in 8 days instead of the 3-week average. Loom and Airtable, both lower risk, are approved in 3 days each using the same flow.

Your renewal dashboard, reading from Notion, also surfaces that Airtable's MSA expires in 67 days, which nobody on the ops team knew.

Measurement

How you'll know it's working

Average days from vendor intake to legal approval, broken down by risk tier (High / Medium / Low)
Percentage of active vendors with a current, signed DPA on file
Number of contracts expiring in the next 90 days without a renewal owner assigned
Questionnaire response rate within 10 business days of first send
Open items in vendor-risk queue older than 15 days (your internal SLA)
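The rules behind steps 5, 6 and 11 and the metrics above, written out as plain Python so you can see exactly what 'more than 10 business days', 'within 90 days' and 'exceeded our 15-day SLA' evaluate to before you trust the agent's version. This is an added illustration, not Starch's code or an export of its prompts; the Vendor fields, the status labels, and the six sample vendors (the three from the worked example plus three made up here) are assumptions, and the business-day count ignores public holidays.

```python
# Vendor-risk queue rules as plain Python. Added illustration only, not
# Starch's code; field names, statuses and sample vendors are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CLOSED = {"Legal Approved", "Legal Rejected"}

@dataclass
class Vendor:
    name: str
    risk_tier: str                          # "High" / "Medium" / "Low"
    status: str                             # one of the five tracker statuses
    intake_date: date
    questionnaire_sent: Optional[date] = None
    response_logged: Optional[date] = None
    decision_date: Optional[date] = None    # approval or rejection date
    contract_expiry: Optional[date] = None
    dpa_current: bool = False
    renewal_owner: Optional[str] = None     # None = nobody owns the renewal

def business_days_between(start: date, end: date) -> int:
    """Mon-Fri days after `start` up to and including `end`; no holiday calendar."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def questionnaires_to_chase(vendors, today, max_business_days=10):
    """Step 5: still 'Questionnaire Sent', no response logged, and more than
    max_business_days business days since the questionnaire went out."""
    return sorted(
        v.name for v in vendors
        if v.status == "Questionnaire Sent"
        and v.questionnaire_sent is not None
        and v.response_logged is None
        and business_days_between(v.questionnaire_sent, today) > max_business_days
    )

def renewal_dashboard(vendors, today, window_days=90):
    """Step 6: contracts expiring within the window, grouped by risk tier and
    sorted soonest first, with the missing-DPA and missing-owner flags."""
    by_tier = {}
    for v in vendors:
        if v.contract_expiry is None:
            continue
        days_left = (v.contract_expiry - today).days
        if 0 <= days_left <= window_days:
            by_tier.setdefault(v.risk_tier, []).append({
                "vendor": v.name,
                "days_left": days_left,
                "missing_dpa": not v.dpa_current,
                "owner": v.renewal_owner,
            })
    for rows in by_tier.values():
        rows.sort(key=lambda r: r["days_left"])
    return by_tier

def approval_metrics(vendors, today, sla_days=15):
    """Step 11 and the measurement list: mean intake-to-decision days per tier
    over closed items, plus every item (open or closed) older than the SLA."""
    durations, breaches = {}, []
    for v in vendors:
        closed = v.status in CLOSED
        age = ((v.decision_date if closed else today) - v.intake_date).days
        if closed:
            durations.setdefault(v.risk_tier, []).append(age)
        if age > sla_days:
            breaches.append((v.name, age))
    avg = {tier: sum(d) / len(d) for tier, d in durations.items()}
    return {"avg_days_by_tier": avg, "sla_breaches": sorted(breaches)}

# Constructed sample tracker, run on the Monday of the weekly chase.
TODAY = date(2026, 4, 27)
SAMPLE = [
    Vendor("Rippling", "High", "Legal Approved", date(2026, 4, 6),
           questionnaire_sent=date(2026, 4, 7), response_logged=date(2026, 4, 10),
           decision_date=date(2026, 4, 14), dpa_current=True, renewal_owner="HR"),
    Vendor("Loom", "Medium", "Legal Approved", date(2026, 4, 6),
           decision_date=date(2026, 4, 9), contract_expiry=date(2027, 4, 9),
           dpa_current=True, renewal_owner="IT"),
    Vendor("Airtable", "Low", "Legal Approved", date(2026, 4, 6),
           decision_date=date(2026, 4, 9), contract_expiry=date(2026, 7, 3)),
    Vendor("Acme Analytics", "High", "Questionnaire Sent", date(2026, 3, 30),
           questionnaire_sent=date(2026, 4, 1)),
    Vendor("Beta Payroll", "Medium", "Questionnaire Sent", date(2026, 4, 17),
           questionnaire_sent=date(2026, 4, 20)),
    Vendor("Gamma CRM", "Low", "Legal Approved", date(2026, 3, 2),
           decision_date=date(2026, 3, 20), contract_expiry=date(2026, 5, 15),
           dpa_current=True, renewal_owner="Ops"),
]

if __name__ == "__main__":
    print("Chase:", questionnaires_to_chase(SAMPLE, TODAY))
    print("Renewals:", renewal_dashboard(SAMPLE, TODAY))
    print("Metrics:", approval_metrics(SAMPLE, TODAY))
```

Run it against an export of your own tracker and compare with what the agent posts to #legal-ops. If the two disagree about who to chase or which renewals are in window, the dates or statuses in Notion are inconsistent, and that is the thing to fix before you let the follow-up emails go out unreviewed.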
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Ironclad
Purpose-built CLM with strong workflow automation, but starts at six figures and assumes a legal-ops admin to configure and maintain it — not a realistic buy for a 2-person team at a 150-person company.
OneTrust
Best-in-class for privacy and vendor risk, but the vendor risk module alone requires significant implementation time and is priced for compliance teams, not lean legal functions.
Google Sheets + Gmail (current state)
Free and already in use, but the tracker goes stale the moment someone forgets to update it, and there's no automation — every follow-up and renewal reminder is manual.
Notion (standalone)
Good for storing contract records, but Notion alone can't send emails, draft questionnaires, or surface expiring contracts without someone checking it manually every week.
Evisort / LinkSquares
AI-powered contract analytics that can extract clauses and flag risks at scale — useful if you're managing hundreds of contracts, but overkill and expensive for a vendor roster under 50.
On Starch RECOMMENDED

One platform: project management today, with contract lifecycle management to follow when it ships, all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

Does Starch actually read the text of our vendor contracts and MSAs?
It depends on where the contracts live. If they're in Google Drive, Starch can access the files through its integration catalog and the agent can read and summarize document content when you ask it to. Starch isn't a dedicated contract-intelligence tool like Evisort — it won't auto-extract every clause from 200 historical contracts on day one. But for new vendor reviews, it can read the document you point it to, summarize key terms, and flag deviations from your standard language when you tell it what to look for.
We use DocuSign for e-signatures. Can Starch see which contracts are waiting on signatures?
DocuSign is reachable from Starch's integration catalog, so the agent can query it live when your app or dashboard runs. You can build a view that shows outstanding envelopes by vendor, signer, and days-waiting. Starch won't replace DocuSign as your signing tool, but it can surface the status so you're not logging into DocuSign just to check who's sitting on a signature.
Can Starch send vendor security questionnaires automatically, or does someone still have to press send?
Starch can draft and send emails via Gmail automatically on a schedule or trigger — so yes, you can build a workflow where questionnaires go out without you touching them. You can also set it up to draft and queue the email for your review before sending, which many legal teams prefer for anything going to a vendor. Either way, the drafting and follow-up logic runs without manual effort.
What if a vendor's portal or questionnaire system doesn't have an API?
Starch automates those through your browser, so no API is needed. If a vendor requires you to log into their supplier portal and fill out a risk form, Starch's browser automation can navigate the site, complete fields, and submit the form just like a person would. This is useful for vendor portals, government procurement systems, or any web-based form that doesn't offer an integration. Because the agent is signing in and submitting on your behalf, give it a dedicated portal login with only the access the form needs, and use the review-before-send option for anything it submits in your name.
Is Starch SOC 2 certified? That matters because we're sharing vendor security data with it.
Starch is not currently SOC 2 Type II certified — that's an honest limit worth knowing before you decide what data flows through it. If your vendor review process involves sharing sensitive security questionnaire responses or contract terms, factor that into your evaluation. SOC 2 certification is on the roadmap.
We're looking at Contract Lifecycle Management in the App Store. Is that available now?
Not yet. Contract Lifecycle Management — with clause library, e-signature routing, and the searchable repository — is currently in development. You can request beta access to get notified when it launches. In the meantime, the Project Management app handles your vendor intake queue and task tracking, and you can build a custom contract renewal dashboard on top of Notion and Google Drive today.
Our Notion vendor tracker is a mess. Do I need to clean it up before Starch can use it?
You don't need it to be perfect, but the agent works best when the database has consistent field names and types. If your tracker has vendor name, contract type, and expiration date as recognizable fields, Starch can query it and build on top of it immediately. If it's genuinely disorganized, you can tell Starch: 'Here's our existing Notion database — help me restructure it with these fields and migrate the existing rows.' It'll do the restructuring work, not you.

Ready to vet and onboard vendors on Starch?

Request closed-beta access. Everything is free during beta.
