VendorRisk FAQ

Answers to commonly asked questions

Hosting Questions

Is VendorRisk only available as a hosted service?

Yes, VendorRisk is only available as a web-based hosted application developed, maintained and hosted by us. It cannot be installed within your company's internal network.

Who hosts the data?

Hosting is provided by Rails Machine. The Rails Machine infrastructure is hosted at Zayo's datacenter in Atlanta, Georgia. Uploaded documents are first uploaded to Rails Machine and then transferred to Amazon Web Services.

Do you have more info on the data center?

You can view more detailed technical information on the data center via the link at the bottom of this page under "Links of Interest".

Are Zayo and Amazon SOC/SSAE certified?

Yes. We can send you the latest SOC report for Zayo. For Amazon's report, you need to contact Amazon directly, but we can provide you with the appropriate contact.

Who has physical access to the servers?

Only Rails Machine employees and their authorized agents have physical access to the servers. The person must wear a unique security badge to gain entrance to the datacenter and is then verified by an attendant. To access the server room, the agent must scan their hand and input a numeric code of arbitrary length chosen when they are given access. The agent then has to get into the server cage itself, which is secured by a padlock.


Security Questions

We take all reasonable and expected measures to ensure that VendorRisk is safe and secure for our customers.

Do you consult with or utilize third-party security providers?

In 2014, we began annual engagements with the NCC Group, a well-known security research firm, to perform code reviews of the VendorRisk application. We also utilize the Trust Guard daily web site scan to alert us to potential security concerns. The results from the latest scan are available at the bottom-right of the page.

Does the site use SSL encryption?

Yes, all requests to your VendorRisk site require SSL to prevent eavesdropping and tampering. All emails sent through VendorRisk use TLS encryption.

Are user passwords encrypted?

Passwords are encrypted in the database and never sent over email. Neither VendorRisk personnel nor the datacenter's employees can see user passwords.

Can we configure user passwords according to our own requirements?

By default, passwords must be at least 6 characters long. However, your site admin can implement the following:

  • Required number of characters, lower-case letters, upper-case letters, digits & symbols
  • Cannot contain user's first name or last name
  • Cannot use common passwords like "password", "123456", etc.
  • Must be changed every month, 3 months or 6 months
  • Cannot use a password previously used in the past

Do you guard against brute-force login attempts?

Yes, after 10 unsuccessful login attempts, the user is locked out and cannot log in until either your site administrator or VendorRisk personnel unlocks their account.

Are our uploaded documents secure at Amazon Web Services?

Yes, all files moved to Amazon's servers are marked as private and can only be accessed by logging into your VendorRisk site first. Documents are encrypted "at rest" at Amazon. They are only decrypted when transferred to VendorRisk and displayed or downloaded to the user's computer.

How often do you back up our data?

All your uploaded documents are backed up to a separate Amazon S3 region (West Coast US), and the database is backed up several times a day to local and remote locations. In addition, every Sunday we export your information to an Excel spreadsheet, which you can access from your VendorRisk site.

Do you actively monitor the servers?

Rails Machine is alerted within minutes to any issues at the server level. At the application level, we utilize Pingdom, PagerDuty and Airbrake to be alerted to downtime and application errors.


Product Questions

How many users can log in to the system?

We allow unlimited user accounts. There are no per-user or per-seat fees.

Does it support SSO authentication?

VendorRisk does allow for SSO authentication. We have tested with SSO providers such as Ping Identity and OneLogin.

What browsers are supported?

VendorRisk should work on all current versions of the major browsers, such as Internet Explorer (7 and up), Firefox, Safari, Chrome and Opera. Please note that Internet Explorer 6 is not supported. VendorRisk does not use Flash, ActiveX, or any other plugins, but does require that the browser has JavaScript enabled and can accept cookies.

Does VendorRisk work on mobile devices?

Yes, we use responsive design to ensure that you can log in and access your VendorRisk information from smart phones and tablets. The site will automatically detect that you're on a mobile device and adjust the user interface accordingly.

Can VendorRisk integrate with other systems, such as our accounting software?

We provide the ability to export to Excel, and your developers can use our API to programmatically pull data from your VendorRisk site, but there are no plans to support direct data exchange with specific vendors or products.

How many documents can we upload into the system?

We allow unlimited document uploads and storage space. Each document can be up to 80 MB in size. For security purposes, file types are limited to well-known formats such as Word, Excel, PDF and ZIP.

Can we import data from Excel?

We have an "Import from Excel" feature for the following modules: Vendors, Contracts, Incidents, Services & IT Assets and Users. We provide a template that contains all the available fields, then you can populate it with your data, save as CSV and then upload to your site. Up to 1000 records can be imported at a time.

Will emails sent from VendorRisk get caught in our spam filter?

VendorRisk uses the SendGrid service to send emails from the application, and we follow all their best practices and recommendations to ensure that your company's mail server will correctly handle emails sent from VendorRisk. If you do have issues receiving email, we can work with your IT department and SendGrid to help troubleshoot the problem.

Can we create custom fields?

Yes, all modules support at least 5 custom fields. The Vendors & Contracts modules support up to 20 fields. The fields can be: textbox (single-line), textbox (multi-line), date field, yes/no radio buttons, or dropdown items.


Support Questions

How is support provided?

Tech support is provided for free. We are accessible via a toll-free number, email and a web-based support form located inside your VendorRisk site.

Can we make suggestions for new features and changes?

Of course, we love to hear feedback. When a suggestion is made, we determine if we feel it makes sense. If it does, then we'll add it to our development list. If it doesn't, then we'll tell you why we don't feel it's appropriate at this time.

Do you offer training sessions?

We do not offer on-site training sessions. If you have questions about any aspect of the software, you can request a web-based training session. We do not charge for web-based training.


Contract Questions

Do we sign a formal contract?

Yes, unlike many SaaS providers that have a generic Terms of Service, we have a formal contract that is signed by both parties prior to an invoice being sent. This gives your legal team the ability to review the contract and suggest tweaks or changes.

Do you offer a Service Level Agreement (SLA)?

Yes, Skeey Interactive guarantees that the Service will be available at least 99.5% of each month. Uptime status will be based on Pingdom's public report. In the event that the Service fails to meet this expectation in a given month, the customer will be given an additional month of Service usage at no charge, which will be added to their current subscription's expiration date.

Does the contract auto-renew every year?

No. About a month prior to your subscription expiration, we will generate an invoice and send it to your account owner. If you are a satisfied customer and want to continue with your current plan, then you can pay the invoice and your subscription will be extended. If you decide to upgrade/downgrade your plan by adding or removing modules from your subscription, then you can let us know and we'll send a revised contract with the updated pricing.

Can we cancel anytime?

Yes. Because VendorRisk is pre-paid and there are no refunds, you typically wouldn't cancel in the middle of your subscription — rather, you would just let us know you don't plan on renewing when we send the following year's invoice. If you do cancel, then we'll work with you to return all uploaded documents and a Microsoft Excel copy of your data. Cancellations will be processed within a business day.


Billing Questions

How is VendorRisk billed?

VendorRisk is only offered as an annual subscription paid in advance.

Do you offer refunds?

We do not offer refunds once you have pre-paid for the annual subscription.

Can we use the product before deciding to purchase a subscription?

Yes, we offer a 30-day trial after we've had the introductory phone call and at least one web-based demo with your company. During the trial, you have full access to everything VendorRisk offers, so you can decide if the product is for you and what modules your company would likely require.

Will my annual fee go up in the future?

VendorRisk modules are available on an à la carte basis, so your annual fee will only go up (or down) if you change the modules your company wants to use.


Company Questions

Who are you?

VendorRisk is a product created by Skeey Interactive LLC. Skeey is a web design & development company founded in 1999. For the first decade, we specialized in custom websites and applications for a wide variety of businesses. Since 2009, we have focused completely on VendorRisk.

How did VendorRisk come about?

In 2005, we created an internal vendor management application for a Boston bank that was received with high praise from its users. Our long-term goal was always to create a product, so we eventually decided to launch VendorRisk as a SaaS product. VendorRisk was launched to the public in December 2009.

What are the company's long-term goals and plans?

We are not serial entrepreneurs interested in pursuing something else every few years. VendorRisk is our best idea and hopefully our last idea, and we have no plans on selling it or otherwise abandoning it.


Consulting Services

Are you vendor management consultants and do you actually help us with our vendor management program?

VendorRisk is software that will be one part of your overall vendor management program. It's expected that you either have in-house vendor management experience or have brought in a consultant. If you don't, we have partnerships with vendor management consultants. View our service offerings.

Will VendorRisk make me compliant with my industry's rules & regulations?

VendorRisk is software that centralizes your vendor management efforts. Like anything, the value you derive from VendorRisk is proportional to the amount of time you invest into using the software, and we cannot guarantee that subscribing to VendorRisk will satisfy auditor requirements. That said, our customers who actively use VendorRisk to populate and manage their vendor information have not had any issues with audits.


Links of Interest
