Built for startups, not enterprises
Vendor risk management, handled end to end
Build your vendor inventory, send assessments, and monitor for breaches with ComplyJet's vendor risk management platform — especially if you're running compliance for the first time.
Full vendor inventory
You can't do vendor risk management for vendors you don't know you have
Most startups don't have a clear list of every vendor that touches their production environment or customer data. ComplyJet builds your vendor inventory automatically from your connected integrations and lets you categorise each one by data access, criticality, and compliance requirements.
- Vendor inventory built from your connected tools
- Categorise by data access: customer data, personal data, infrastructure
- Risk tier each vendor automatically based on what they can access
Automated assessments
Vendor risk management starts with automated vendor questionnaires — no manual back-and-forth
Sending a security questionnaire to a vendor, chasing responses, and reviewing the answers is a slow, repetitive process. ComplyJet automates the sending, reminds vendors who haven't responded, and tracks the review — so you can assess your entire vendor list without it becoming a multi-week project.
- Pre-built vendor questionnaire templates based on your frameworks
- Automated follow-up reminders for non-responding vendors
- Review and approve responses directly in the platform
Continuous monitoring
Get notified when a vendor has a breach — before your customers do
Your vendors' security posture changes over time. A breach at a key vendor can expose your customer data and create a compliance incident. ComplyJet monitors your critical vendors continuously and alerts you the moment something changes — so you're never the last to know.
- Breach and security incident alerts for monitored vendors
- Annual re-assessment reminders for high-risk vendors
- Sub-processor tracking for GDPR and data processing requirements
Key capabilities
Everything you need to manage vendor risk
Built for startups going through compliance for the first time — not for enterprise security teams with dedicated analysts.
Vendor inventory
A complete, categorised list of every vendor with access to your systems or data — built from your integrations and manual entries.
Risk tiering
Automatically tier vendors by data access, criticality, and compliance requirements — focus your reviews on the ones that matter most.
Security questionnaire sending
Send pre-built or custom questionnaires to vendors directly from the platform, with automated reminders for non-responses.
Response review and approval
Review vendor responses, flag gaps, request clarification, and approve or reject assessments — all in one workflow.
Breach and incident monitoring
Real-time alerts when a vendor you track is involved in a security breach or significant incident.
Annual review reminders
Automated reminders to re-assess high-risk vendors on the schedule your framework requires.
Sub-processor tracking
Maintain your GDPR sub-processor list automatically — required by law and frequently requested by enterprise prospects.
Audit-ready vendor report
Export your full vendor risk register and assessment history in the format your auditor expects.
Framework requirements
Why your auditor requires it
Control requirements that make vendor risk management non-negotiable.
SOC 2 (Trust Services Criteria)
- CC9.2: Assesses and manages risks associated with vendors and business partners.
ISO 27001 (Information Security Management)
- A.5.19: Processes and procedures shall be implemented for information security in supplier relationships.
- A.5.21: Requirements for managing information security in the ICT supply chain shall be addressed.
- A.5.22: Performance of suppliers shall be regularly monitored, reviewed, and audited.
HIPAA (Security Rule)
- §164.308(b)(1): Obtain satisfactory assurances from business associates that ePHI will be appropriately protected.
- §164.308(b)(4): Document satisfactory assurances through a written contract or other arrangement (Business Associate Agreement).
Priced for startups, not enterprises
Included in your plan — not a bolt-on
Flat price per company. No per-seat fees.
Single framework
$5,000/year
SOC 2, ISO 27001, HIPAA, or any single framework. Flat price, no per-seat charges.
Two frameworks
$8,000/year
Run SOC 2 + ISO 27001 or any two frameworks simultaneously. Same flat price as you grow from 5 to 50 employees.
Price stays the same as you grow from 5 to 50 employees.
See your vendor inventory in minutes
Connect your tools, and ComplyJet builds your vendor list automatically. Most customers have their first risk assessments sent within a day — no security background required.
Full platform
Vendor risk management is one part of a complete compliance program.
Every feature below is included in your ComplyJet plan — no bolt-ons, no extra modules to configure.
Compliance Automation
Connect your stack, automate evidence, and monitor controls 24/7 — your entire compliance program on autopilot.
Risk Management
Track threats, map them to controls, and keep your risk register audit-ready at all times.
Questionnaire Automation
Answer security questionnaires in minutes using AI trained on your certifications and controls.
Audit Management
Give auditors a pre-populated workspace. Fewer requests, faster close, no last-minute scramble.
Access Reviews
Schedule, run, and document access reviews across your identity systems — automatically.
Policy Management
AI-drafted policies distributed and acknowledged by your team, all tied to active controls.
Customer stories
Startups that went from zero to compliant with ComplyJet
Vendors vetted. Auditor satisfied. Team not overwhelmed.
FAQ
Common questions
What counts as a vendor in my vendor risk management program?
Any third party with access to your systems, infrastructure, or customer data. That includes cloud providers, SaaS tools, contractors, and data processors. For SOC 2 and ISO 27001, your auditor will expect a documented vendor inventory with risk assessments for critical vendors. Most startups going through their first audit are surprised by how many vendors qualify — ComplyJet surfaces them automatically from your connected integrations.
Do my vendors need to be on ComplyJet?
No. ComplyJet sends questionnaires directly to your vendors by email. They respond through a simple web form — no account or login required on their end.
How often do I need to reassess vendors?
Most frameworks require annual reviews for high-risk vendors, with more frequent checks for critical suppliers. ComplyJet tracks your last assessment date and sends reminders when reviews are due. For a first-time compliance run, the initial round of assessments is usually the hardest — after that, the annual cadence is easy to maintain.
What is a sub-processor list and do I need one?
A sub-processor is any vendor you use to process personal data on behalf of your customers. GDPR requires you to maintain and publish this list. ComplyJet builds and maintains it automatically from your vendor inventory.
What happens if I get a breach alert for a vendor?
ComplyJet notifies you immediately with details of the incident. You can document your response, assess the impact on your data, and update your risk register — creating an audit trail of how you handled the event.
How is ComplyJet different from Vanta or Drata?
Vanta and Drata let you log vendors and send questionnaires, but the outreach and review process is mostly manual on both. ComplyJet automates the outreach, follows up on unresponsive vendors, and surfaces high-risk findings in your compliance dashboard. For a startup managing 10 to 30 vendors with a small team, that automation difference is significant. It's included in the same flat-fee plan — not an add-on module with separate pricing.