VendorRisk FAQ

Answers to commonly asked questions

Software Questions

How many users can login to the system?

We allow unlimited user accounts. There are no per-user or per-seat fees.

Does it support Single Sign-On (SSO)?

Yes, VendorRisk does allow for SSO authentication. We have tested with SSO providers such as ADFS, Azure, Okta, Ping One and OneLogin.

Does it support Multi-Factor Authentication (MFA)?

Yes, you can enable MFA for your site. If enabled, each user can utilize Google Authenticator as an additional security measure.

What browsers are supported?

VendorRisk should work on all current versions of the major browsers, such as Internet Explorer, Firefox, Safari and Chrome. The only other requirements are that the browser has JavaScript enabled and can accept cookies.

Does VendorRisk work on mobile devices?

Yes, we use responsive design to ensure that you can login and access your VendorRisk information from smart phones and tablets. The site will automatically detect that you're on a mobile device and adjust the user interface accordingly.

Can VendorRisk integrate with other systems, such as our accounting software?

We provide the ability to export to Excel, and your developers can use our API to programmatically pull data from your VendorRisk site, but there are no plans to support direct data exchange with specific vendors or products.

How many documents can we upload into the system?

We allow unlimited document uploads and storage space. Each document can be up to 80 MB in size. For security purposes, file types are limited to the well-known formats such as: Word, Excel, PDF, ZIP, etc.

Will emails sent from VendorRisk get caught in our spam filter?

VendorRisk uses the SendGrid service to send emails from the application, and we follow all their best practices and recommendations to ensure that your company's mail server will correctly handle emails sent from VendorRisk. If you do have issues receiving email, we can work with your IT department and SendGrid to help troubleshoot the problem.

Can we create custom fields?

Yes, all modules support at least 5 custom fields. The Vendors & Contracts modules support up to 50 fields. The fields can be: textbox (single-line), textbox (multi-line), date field, yes/no radio buttons, or dropdown items.

Hosting Questions

Is VendorRisk only available as a hosted service?

Yes, VendorRisk is only available as a web-based hosted application developed, maintained and hosted by us. It cannot be installed within your company's internal network.

Who hosts the data?

Hosting is provided by Rails Machine. The Rails Machine infrastructure is hosted at Zayo's datacenter in Atlanta, Georgia. Uploaded documents are first uploaded to Rails Machine and then transferred to Amazon Web Services.

Are Zayo and Amazon SOC/SSAE certified?

Yes. We can send you the latest SOC report for Zayo. For Amazon's report, you need to contact Amazon directly, but we can provide you with the appropriate contact.

Who has physical access to the servers?

Only Rails Machine employees and their authorized agents have physical access to the servers. The person must wear a unique security badge to gain entrance to the datacenter and is then verified by an attendant. To access the server room, the agent must scan their hand and input a numeric code of arbitrary length chosen when they are given access. The agent then has to get into the server cage itself, which is secured by a pad lock.

Security Questions

Do you conduct penetration tests?

We conduct annual penetration tests. We also utilize the Trust Guard daily web site scan to alert us to potential security concerns. The results from the latest scan are available at the bottom-right of the page.

Does the site use SSL encryption?

Yes, all requests to your VendorRisk site require SSL to prevent eavesdropping and tampering. All emails sent through VendorRisk use TLS encryption.

Are user passwords encrypted?

Passwords are encrypted in the database and never sent over email. Neither VendorRisk personnel nor the datacenter's employees can see user passwords.

Can we configure user passwords according to our own requirements?

By default, passwords must be at least 6 characters long. However, your site admin can implement the following:

  • Required # of characters, lower-case letters, upper-case letters, digits & symbols
  • Cannot contain user's first name or last name
  • Cannot use common passwords like "password", "123456", etc.
  • Must be changed every month, 3 months or 6 months
  • Cannot use a password previously used in the past
Do you guard against brute-force login attempts?

Yes, after 10 unsuccessful login attempts, the user is locked out and cannot login until either your site administrator or VendorRisk personnel un-locks their account.

Are our uploaded documents secure at Amazon Web Services?

Yes, all files moved to Amazon's servers are marked as private and can only be accessed by logging into your VendorRisk site first. Documents are encrypted "at rest" at Amazon. They are only decrypted when transferred to VendorRisk and displayed or downloaded to the user's computer.

How often do you backup our data?

All your uploaded documents are backed up to a separate Amazon S3 region (West Coast US), and the database is backed up several times a day to local and remote locations. And every Sunday we export your information to an Excel spreadsheet, which you can access from your VendorRisk site.

Support Questions

How is support provided?

Tech support is provided for free. We are accessible via a toll-free number, email and a web-based support form located inside your VendorRisk site.

Can we make suggestions for new features and changes?

Of course, we love to hear feedback. When a suggestion is made, we determine if we feel it makes sense. If it does, then we'll add it to our development list. If it doesn't, then we'll tell you why we don't feel it's appropriate at this time.

Do you offer training sessions?

We do not offer on-site training sessions. If you have questions about any aspect of the software, you can request a web-based training session. We do not charge for web-based training.

Contract & Billing Questions

Do we sign a formal contract?

Yes, unlike many SaaS providers that have a generic Terms of Service, we have a formal contract that is signed by both parties prior to an invoice being sent. This gives your legal team the ability to review the contract and suggest tweaks or changes.

Do you offer a Service Level Agreement (SLA)?

Yes, Skeey Interactive guarantees that the Service will be available at least 99.5% each month. Uptime status will be based on Pingdom's public report. In the event that the Service fails to meet this expectation in a given month, the customer will be given an additional month of Service usage at no charge, which will be added to their current subscription's expiration date.

Does the contract auto-renew every year?

No. About a month prior to your subscription expiration, we will generate an invoice and send to your account owner. If you are a satisfied customer and want to continue with your current plan, then you can pay the invoice and your subscription will be extended. If you decide to upgrade/downgrade your plan by adding or removing modules from your subscription, then you can let us know and we'll send a revised contract with the updated pricing.

Can we cancel anytime?

Yes. Because VendorRisk is pre-paid and there are no refunds, you typically wouldn't cancel in the middle of your subscription — rather, you would just let us know you don't plan on renewing when we send the following year's invoice. If you do cancel, then we'll work with you to return all uploaded documents and a Microsoft Excel copy of your data. Cancellations will be processed within a business day.

How is VendorRisk billed?

VendorRisk is only offered as an annual subscription paid in advance.

Do you offer refunds?

We do not offer refunds once you have pre-paid for the annual subscription.

Can we use the product before deciding to purchase a subscription?

Yes, we offer a 30-day trial after we've had the introductory phone call and at least one web-based demo with your company. During the trial, you have full access to everything VendorRisk offers, so you can decide if the product is for you and what modules your company would likely require.

Will my annual fee go up in the future?

VendorRisk modules are available on an à la carte basis, so your annual fee will only go up (or down) if you change the modules your company wants to use.

Ready to talk? Get in touch.

Contact Us