
Vendor Security Review Cabinet
v0.1.0Assesses vendor risk through SOC2 reports, DPA status, sub-processor lists, and security questionnaires — producing a structured approval packet for every new and renewing vendor. Keep Vanta and Drata as your GRC system of record — replace the security review spreadsheets, ad-hoc Slack requests, and manual approval emails around them.
Vendor Security Review Cabinet
agents
Compliance Lead
.agents/compliance-agent/
Annual Reassessment Check
0 9 1 * *
Weekly Review Queue Status
0 8 * * 1
Vendor Security Review
QA Reviewer
.agents/qa-reviewer/
2
Agents
3
Jobs
1
Depts
3
Pages
Orchestrates every vendor security assessment — assigning risk tiers, evaluating SOC2/ISO reports and DPA status, sequencing the QA Reviewer, and issuing the formal approval decision in the vendor review packet.
Cross-checks every vendor review packet for completeness and accuracy — validating that all required documents are present and current, verifying claims against source documents, and flagging findings that require escalation before approval.
Vendor Security Review Cabinet
Two agents — a Compliance Lead and a QA Reviewer — assess vendor risk for every new and renewing vendor: SOC2 / ISO 27001 report status, DPA status, data classification, sub-processors, and open findings — producing a structured approval packet and maintaining a live review queue.
Keep Vanta and Drata as your GRC systems of record. Replace the vendor security review spreadsheets, ad-hoc Slack security requests, and manual approval email chains around them.
Why this cabinet
Every SaaS vendor touching company or customer data is a risk — and most teams have no consistent process for reviewing them. Security reviews pile up in Slack, get done inconsistently, and leave no audit trail. This cabinet makes vendor security review a structured, repeatable operation: every vendor gets the same rigorous assessment, every decision is documented, and every annual re-assessment fires automatically.
Every artifact is a file: the vendor review packet, the approval decision, findings, and the review queue are all written to disk so you can open, share with legal, and audit them.
The team
- [[.agents/compliance-agent]] — Compliance Lead. Orchestrates vendor assessments, assigns risk tiers, evaluates SOC2/ISO reports and DPA status, produces the review packet, and issues the approval decision.
- [[.agents/qa-reviewer]] — QA Reviewer. Cross-checks the review packet for completeness, validates that all required docs are present and current, and flags findings that require escalation before approval.
Recurring rhythm
| Cadence | Job | Owner | Output |
|---|---|---|---|
| On-demand | [[.jobs/vendor-review]] | Compliance Lead | Full vendor review packet in /vendors/<vendor-name>/review-packet.md |
| Weekly (Mon 08:00) | [[.jobs/review-queue]] | Compliance Lead | Review queue status refreshed in /queue/status.md, blockers surfaced in the workspace |
| Monthly (1st 09:00) | [[.jobs/annual-reassessment-check]] | Compliance Lead | Vendors due for annual re-assessment flagged in /queue/reassessment-due.md |
How to run the demo
- Open the [[review-workspace]] — the vendor review queue (pending, in-review, approved, escalated) plus a full worked review packet for Atlas Logistics.
- Browse
vendors/atlas-logistics/— a complete vendor review folder with the review packet, SOC2 summary, DPA status, and findings. - Check
queue/status.md— the current review queue with due dates and owners.
Connectors
Required: Vanta or Drata (vendor risk module, compliance controls), procurement system or contract vault (vendor list, contract dates), Google Drive (vendor SOC2 reports, DPAs, security questionnaire responses).
Recommended: Legal vault (DPA / MSA tracking), Okta or Entra (vendor SSO / SCIM integrations), Slack (#vendor-security channel), email (vendor outreach).
Vanta and Drata remain your official GRC and vendor risk systems of record. This cabinet coordinates the review process, structures the evidence, and produces the approval packet — it does not replace Vanta/Drata as the authoritative vendor risk store.
$ git clone --filter=blob:none --sparse https://github.com/hilash/cabinets.git && cd cabinets && git sparse-checkout set vendor-security-review