Covenant is flat-priced vendor risk management and HIPAA BAA tracking built for the clinic, the billing company, and the MSP — everyone with third-party risk obligations but no GRC analyst and no five-figure budget.
If you handle PHI, you are legally obligated to execute and track a Business Associate Agreement with every vendor that touches it (45 CFR §164.308(b)). Most small practices run that in a spreadsheet. Covenant ships a BAA library, a §164.504(e) required-clause gap-check, renewal reminders, a subcontractor flow-down chain, and executed-BAA document tracking with term-end expiry flags — free for up to 10 vendors, with no card.
How BAA tracking works →
Catalog every vendor with data-sensitivity, access, and criticality. Covenant auto-tiers each one Critical → Low; PHI vendors are flagged and auto-require a BAA.
Send a signed, expiring magic-link with a built-in +3/+7/+12-day reminder cadence. The vendor answers with no account; you import the response and it scores by the same engine.
Every score change is itemized with evidence and a delta — no unexplained letter-grade swings. Dispute, accept, or remediate any finding.
Signed / expiring / overdue / missing flags, 90-60-30-day review reminders, §164.504(e) clause gap-check, and subcontractor flow-down tracking.
Attach a vendor's SOC 2, ISO 27001, or pen-test report and the executed BAA. Term-end dates drive a current / expiring / expired flag on the document itself.
Vendor evidence maps to NIST SR, HIPAA §164.308(b)/314, SOC 2 CC9.2, and ISO A.5.19–23 — and feeds the shared DosanjhLabs evidence graph.
Covenant looks at each vendor's public posture and turns what it observes into explainable findings — and a finding exists only because an observation justifies it. Email authentication (SPF / DMARC) is probed live from your browser via DNS-over-HTTPS today; TLS & certificates, security headers, exposed services, and breach/leak signals come from the hosted scan runner. Each finding carries the exact evidence that fired it and a fix, so you can dispute, accept, or remediate it and hand the delta to an auditor — the answer to a ratings platform's "unexplained score."
Inherent exposure, questionnaire results, scan findings, and BAA gaps — each weighted, each shown. No unexplained letter-grade swings.
Live today: email-auth (SPF/DMARC) via DNS-over-HTTPS, with an SSRF guard on every domain. TLS, headers, ports, and breach/leak run on the hosted scan runner; the same explainable evaluator scores them. How the scan works →
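The email-auth scan described above, as an added illustration that is not Covenant's code: a hostname guard that refuses to resolve anything but a public DNS name, an SPF/DMARC evaluator that attaches the record text that fired each finding together with a fix and a weight, and an itemized delta between two evaluations. The DoH endpoint (dns.google), the finding ids, the weights, the grade thresholds, the reserved-suffix list and the sample records are all assumptions made for this example; the network probe is included for completeness but the sample run uses constructed records only.

```javascript
// Added example, not Covenant's code. Assumed: Google's JSON DNS-over-HTTPS
// endpoint, the weights/ids/thresholds below, and constructed sample records.
const DOH_ENDPOINT = 'https://dns.google/resolve';

// SSRF-style guard: accept only a syntactically valid public DNS name.
// IP literals, single-label names and reserved/internal suffixes are refused,
// so a vendor-supplied "domain" can never point the prober at internal hosts.
function guardDomain(input) {
  const d = String(input).trim().toLowerCase().replace(/\.$/, '');
  if (d.length === 0 || d.length > 253) return { ok: false, reason: 'length' };
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(d) || d.includes(':')) return { ok: false, reason: 'ip-literal' };
  const labels = d.split('.');
  if (labels.length < 2) return { ok: false, reason: 'single-label' };
  if (!labels.every(l => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(l))) return { ok: false, reason: 'syntax' };
  const reserved = new Set(['localhost', 'local', 'internal', 'corp', 'home', 'lan', 'arpa', 'test', 'invalid']); // assumed list
  if (reserved.has(labels[labels.length - 1])) return { ok: false, reason: 'reserved-suffix' };
  return { ok: true, domain: d };
}

// Turn TXT observations into findings. Every finding carries the evidence that
// fired it, a fix, and a weight; no finding is emitted without an observation.
function evaluateEmailAuth(domain, spfTxt, dmarcTxt) {
  const findings = [];
  const add = (id, severity, weight, evidence, fix) => findings.push({ id, severity, weight, evidence, fix });

  const spf = spfTxt.filter(r => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) {
    add('SPF_MISSING', 'high', 15, `no v=spf1 TXT record at ${domain}`, 'Publish a v=spf1 record listing authorized senders, ending in -all.');
  } else if (spf.length > 1) {
    add('SPF_MULTIPLE', 'high', 10, spf.join(' | '), 'Merge into a single v=spf1 record; multiple records cause a permerror.');
  } else {
    const rec = spf[0];
    const tail = rec.trim().split(/\s+/).pop().toLowerCase(); // simplification: redirect= modifiers are not followed
    if (tail === 'all' || tail === '+all') add('SPF_PERMISSIVE_ALL', 'high', 15, rec, 'Replace +all with -all.');
    else if (tail === '?all') add('SPF_NEUTRAL_ALL', 'medium', 8, rec, 'Replace ?all with -all.');
    else if (tail === '~all') add('SPF_SOFTFAIL_ALL', 'low', 3, rec, 'Move from ~all to -all once DMARC reports show no legitimate failures.');
    else if (tail !== '-all') add('SPF_NO_ALL', 'medium', 6, rec, 'Terminate the record with -all.');
  }

  const dmarc = dmarcTxt.filter(r => /^v=DMARC1(;|\s|$)/.test(r)); // "DMARC1" is compared exactly
  if (dmarc.length === 0) {
    add('DMARC_MISSING', 'high', 15, `no v=DMARC1 TXT record at _dmarc.${domain}`, 'Publish v=DMARC1; p=quarantine or p=reject with a rua= address.');
  } else {
    const rec = dmarc[0];
    const tags = Object.fromEntries(rec.split(';').map(s => s.trim()).filter(Boolean).map(s => {
      const i = s.indexOf('=');
      return [s.slice(0, i).trim().toLowerCase(), s.slice(i + 1).trim()];
    }));
    const p = (tags.p || '').toLowerCase();
    if (!p) add('DMARC_NO_POLICY', 'high', 12, rec, 'Add a p= tag; the record is invalid without one.');
    else if (p === 'none') add('DMARC_MONITOR_ONLY', 'medium', 8, rec, 'Move from p=none to p=quarantine, then p=reject.');
    else if (p === 'quarantine') add('DMARC_QUARANTINE', 'low', 2, rec, 'Move to p=reject once reports are clean.');
    if (!tags.rua) add('DMARC_NO_REPORTING', 'low', 2, rec, 'Add rua=mailto:... so aggregate reports are received.');
  }

  const score = Math.max(0, 100 - findings.reduce((s, f) => s + f.weight, 0));
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
  return { domain, score, grade, findings };
}

// Itemized delta between two evaluations: which findings were resolved or
// introduced, so a score change is never an unexplained letter-grade swing.
function scoreDelta(before, after) {
  const ids = e => new Set(e.findings.map(f => f.id));
  const b = ids(before), a = ids(after);
  return {
    scoreChange: after.score - before.score,
    resolved: before.findings.filter(f => !a.has(f.id)),
    introduced: after.findings.filter(f => !b.has(f.id)),
  };
}

// Live probe (needs network; not used by the sample run): guard first, then
// fetch TXT at <domain> and _dmarc.<domain> over DNS-over-HTTPS (RR type 16).
async function probeEmailAuth(input, fetchImpl = globalThis.fetch) {
  const g = guardDomain(input);
  if (!g.ok) throw new Error(`refused lookup: ${g.reason}`);
  const txt = async name => {
    const res = await fetchImpl(`${DOH_ENDPOINT}?name=${encodeURIComponent(name)}&type=TXT`, { headers: { accept: 'application/dns-json' } });
    const json = await res.json();
    // Google's JSON form quotes TXT data ("a" "b"); join the chunks and strip the quotes.
    return (json.Answer || []).filter(a => a.type === 16).map(a => a.data.replace(/"\s*"/g, '').replace(/^"|"$/g, ''));
  };
  return evaluateEmailAuth(g.domain, await txt(g.domain), await txt(`_dmarc.${g.domain}`));
}

// Constructed sample: one vendor before and after remediation (not real observations).
const SAMPLE_BEFORE = evaluateEmailAuth('vendor.example.com',
  ['v=spf1 include:_spf.mail.example.net ~all'], ['v=DMARC1; p=none']);
const SAMPLE_AFTER = evaluateEmailAuth('vendor.example.com',
  ['v=spf1 include:_spf.mail.example.net -all'], ['v=DMARC1; p=reject; rua=mailto:dmarc@vendor.example.com']);
const SAMPLE_DELTA = scoreDelta(SAMPLE_BEFORE, SAMPLE_AFTER);
console.log(SAMPLE_BEFORE.grade, '->', SAMPLE_AFTER.grade, SAMPLE_DELTA);
```

Running the file prints the before/after grades (B to A in the constructed sample) and the three resolved findings that account for the +13; `probeEmailAuth` is the only function that touches the network, and it refuses to run before `guardDomain` has accepted the target.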
"We had eighteen BAAs living in a shared drive and no idea which had lapsed. Covenant flagged three overdue ones in the first hour."
"My auditor asked how a vendor scored a B. I exported the itemized factors and the timestamped change log. Done. That used to be a week of email."
"The quotes we got from the ratings vendors started at five figures. Covenant covers what we needed — BAAs and external scans — for a flat fee we could actually approve."
Representative scenarios from target-customer interviews; identifying details withheld. Covenant is in early access.
Incumbents punish you for growing: UpGuard adds $79/mo per vendor, SecurityScorecard $1,500+/vendor/yr, OneTrust enforces a $10,000/yr floor. Covenant is one flat fee for unlimited vendors at the top tier.
See full pricing →