A production-grade application for tracking vendor risk scores, due diligence, review cycles, and compliance documents. Built to run on your own infrastructure, with your own data.
No audit trail. When a vendor's risk status changes, there is no record of who changed it, when, or why.
Documents go missing. Certificates, contracts, and assessments scattered across drives and inboxes with no expiry tracking.
Reviews slip through. Without a structured review schedule, overdue assessments go unnoticed until an incident forces the question.
No consistent scoring. Different people assess the same vendor differently, making portfolio-level comparisons meaningless.
"Most organizations know their vendor risk posture is a problem. The harder question is why they are still managing it in a spreadsheet two audits later."
Vendor Risk Assessment was built to answer that question with a practical, deployable solution.
Six core modules covering the full vendor risk lifecycle, from onboarding to ongoing oversight.
Centralised catalog of all vendors with auto-assigned IDs, category classification, contract dates, contact records, and status tracking.
Composite scoring across five configurable domains with adjustable weights. Every scoring event is preserved, giving you a full history and trend line for each vendor.
19 structured questions across 5 domains, fully configurable by admins. Per-vendor response tracking with completion progress shown at a glance.
Schedule vendor reviews with due dates and status management. Overdue reviews surface automatically on the dashboard so nothing falls through the gaps.
Drag-and-drop document upload per vendor with expiry date tracking. Documents expiring within 30 days are flagged on the dashboard before they become a compliance gap.
Every write operation is recorded with user, timestamp, entity reference, and IP address. An immutable trail for auditors and internal governance reviews.
Composite scores are calculated from weighted domain scores and mapped to one of four tiers. Thresholds are configurable by administrators to match your organization's risk appetite.
Immediate attention required. Remediation plan and escalation path expected.
Elevated risk. Active monitoring and documented mitigation controls required.
Moderate risk. Annual review cycle and standard due diligence expected.
Minimal risk exposure. Lightweight monitoring on a standard review cadence.
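The scoring rule described above (weighted domain scores, composite mapped to one of four tiers by admin-set thresholds) as an added worked example, not code from the product. The five domain names, the weights, the 0..100 scale, the threshold values and the tier labels (which paraphrase the four tier descriptions) are all assumptions; the page does not state any of them.

```javascript
// Added example (not the product's code): composite score = weighted sum of domain
// scores, then mapped to one of four tiers by configurable thresholds.
// Domain names, weights, the 0..100 scale and the cut-offs below are assumptions.
const DEFAULT_CONFIG = Object.freeze({
  // Five domains with adjustable weights that must sum to 1 (placeholder names).
  weights: { domain1: 0.3, domain2: 0.25, domain3: 0.2, domain4: 0.15, domain5: 0.1 },
  // Highest tier first; a score at or above `min` lands in that tier.
  // Labels paraphrase the page's four tier descriptions; the cut-offs are made up.
  tiers: [
    { label: "immediate", min: 75 },
    { label: "elevated", min: 50 },
    { label: "moderate", min: 25 },
    { label: "minimal", min: 0 },
  ],
});

// Reject a configuration an admin could mis-enter: weights that do not sum to 1,
// thresholds that do not strictly decrease, or a lowest tier that leaves a gap.
function validateConfig(config) {
  const weights = Object.values(config.weights);
  if (weights.length === 0 || weights.some((w) => typeof w !== "number" || !(w >= 0))) {
    throw new RangeError("domain weights must be non-negative numbers");
  }
  const sum = weights.reduce((a, b) => a + b, 0);
  if (Math.abs(sum - 1) > 1e-9) {
    throw new RangeError(`domain weights must sum to 1, got ${sum}`);
  }
  const mins = config.tiers.map((t) => t.min);
  for (let i = 1; i < mins.length; i++) {
    if (!(mins[i] < mins[i - 1])) throw new RangeError("tier thresholds must strictly decrease");
  }
  if (mins[mins.length - 1] !== 0) throw new RangeError("lowest tier must start at 0");
  return true;
}

// Weighted composite, rounded to two decimals. Every configured domain must be
// present and in range; a missing or out-of-range domain is an error, not a zero.
function compositeScore(domainScores, config = DEFAULT_CONFIG) {
  validateConfig(config);
  let total = 0;
  for (const [domain, weight] of Object.entries(config.weights)) {
    const s = domainScores[domain];
    if (!Number.isFinite(s) || s < 0 || s > 100) {
      throw new RangeError(`domain ${domain} needs a score in 0..100`);
    }
    total += s * weight;
  }
  return Math.round(total * 100) / 100;
}

function tierFor(score, config = DEFAULT_CONFIG) {
  const tier = config.tiers.find((t) => score >= t.min);
  if (!tier) throw new RangeError(`no tier covers score ${score}`);
  return tier.label;
}

// One scoring event. Keeping the inputs alongside the result is what lets a
// history be replayed later if weights or thresholds change.
function scoreVendor(vendorId, domainScores, config = DEFAULT_CONFIG, now = new Date()) {
  const score = compositeScore(domainScores, config);
  return Object.freeze({
    vendorId,
    scoredAt: now.toISOString(),
    domainScores: { ...domainScores },
    score,
    tier: tierFor(score, config),
  });
}

// Usage with constructed inputs (vendor id and domain scores are made up).
const sample = { domain1: 80, domain2: 60, domain3: 40, domain4: 20, domain5: 100 };
console.log(scoreVendor("VND-0001", sample)); // score 60, tier "elevated" under DEFAULT_CONFIG

module.exports = { DEFAULT_CONFIG, validateConfig, compositeScore, tierFor, scoreVendor };
```

Two design choices worth noting: thresholds are inclusive at the lower bound, so a score exactly on a cut-off lands in the more severe tier, and a vendor with a missing domain score is rejected rather than silently scored as if that domain were zero risk.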
A single installer script handles everything on Ubuntu. No containers required, no cloud account needed.
Run the installer on any Ubuntu server. Node.js, PostgreSQL, and all dependencies are handled automatically.
Set your domain weights, tier thresholds, and due diligence questions from the admin panel. Defaults are production-ready out of the box.
Bulk import your existing vendor list from an XLSX or CSV file. Each row is validated before anything is committed.
Score vendors, complete due diligence, schedule reviews, and track documents. The dashboard surfaces what needs attention.
No proprietary runtimes. No vendor lock-in. Standard technologies that any capable engineer can maintain and extend.
Granular access control without the complexity. Assign roles manually or promote SSO users from the admin panel.
Can browse the full vendor register, review scores, due diligence responses, and documents. No authentication required for this level — the application is read-accessible by default.
Can create and update vendors, submit risk scores, complete due diligence responses, schedule reviews, upload documents, and import vendor lists. The day-to-day working role.
Everything an Editor can do, plus user management, identity provider configuration, scoring weight and tier threshold configuration, and access to the immutable audit log.
The live demo is seeded with sample vendors across all four risk tiers. Book a call if you want to talk through deployment, customization, or what it would take to make this work for your organization.