Getting started

Covenant helps a small business, clinic, billing company, or MSP answer three questions about every vendor it trusts: who are they, can they prove they are safe, and are they staying that way? This page gets you from a blank screen to a live vendor ledger in a few minutes.

What Covenant is

Covenant is vendor / third-party risk management (TPRM) with HIPAA Business Associate Agreement (BAA) tracking built in. It is designed for the 99% of organizations that have third-party risk obligations but no dedicated GRC analyst and no five-figure budget.

Opening the app

If you are using the hosted version, just go to the app URL your provider gave you (typically /covenant/app/). If you are running the files yourself:

  1. Open a terminal in the Covenant folder.
  2. Start a simple static server, for example: python3 -m http.server 8000
  3. Open http://localhost:8000/app/ in your browser. (The marketing site is at http://localhost:8000/.)

Why a server and not a double-click? The app fetches its question/clause/control data packs over HTTP, and the vendor portal loads the same data. Opening files directly with file:// can block those fetches in some browsers. Any static server works.

Your first run

On first open you will see the Ledger tab with an empty state and two buttons:

  1. Click Load sample data. This seeds a six-vendor clinic portfolio (described below) so you can explore every feature with realistic data. If you already have vendors, it asks before adding to them.
  2. The ledger fills with a heatmap row per vendor, plus stat cards across the top.
  3. Click any row to open that vendor's detail page, where the real work happens.

Prefer to start clean? Click Add a vendor instead and enter your own. See Vendors & risk tiering.

What the sample data contains

The sample is a small clinic's vendor list, seeded with BAAs and a couple of findings so the dashboard is alive immediately:

| Vendor                | Category                | Handles PHI? |
|-----------------------|-------------------------|--------------|
| Athena Billing Co.    | Billing / Revenue Cycle | Yes          |
| CloudCharts EHR       | EHR / Clinical          | Yes          |
| SecurePost Mail       | Communications          | Yes          |
| BrightDesk IT Support | MSP / IT Services       | Yes          |
| Sparkle Cleaning      | Facilities              | No           |
| PayrollPro            | HR / Payroll            | No           |

PHI vendors are auto-seeded with a BAA record (one is left pending on purpose so you can see that flag). All sample domains use the reserved .example suffix, so a live scan will correctly refuse them — that is expected, see External posture scan.

The five tabs

| Tab           | What it is for |
|---------------|----------------|
| Ledger        | The dashboard. Stat cards (vendors, average score, missing BAAs, BAAs to review, open findings) plus the vendor-ledger heatmap — one row per vendor colored by tier, questionnaire %, BAA flag, findings, and monitoring. |
| Vendors       | Add a vendor, bulk import/export by CSV, and browse the vendor register as cards. |
| Vendor detail | (Opened by clicking a vendor.) The score breakdown, questionnaire, BAA, attachments, findings, and coverage for one vendor. |
| BAAs          | The BAA renewal calendar + reminders, and the full BAA inventory sorted by urgency, with a CSV export. |
| Coverage      | Portfolio-wide framework coverage rollup across NIST SR, CMMC, HIPAA, SOC 2 and ISO 27001. |

Two more buttons sit at the right of the tab bar: ✦ AI (only if the AI module is present — opens bring-your-own-key settings, see Settings & AI) and Cloud (opens the opt-in sign-in panel, see Cloud sign-in & Pro).

The core flow, end to end

This is the job Covenant is built to complete. You can do all of it today, offline:

  1. Add a vendor (or load the sample). Set its data sensitivity, access level, business criticality, and whether it handles PHI. → Vendors
  2. Covenant tiers the vendor Critical/High/Medium/Low automatically. PHI vendors get a tier floor of High. → Tiering
  3. Open the vendor and send a security questionnaire. A signed, expiring portal link is generated; the vendor answers with no account; you import their response. → Questionnaires, Vendor portal
  4. Track the BAA — status, dates, breach-notification SLA, the §164.504(e) clause gap-check, and subcontractor flow-down. → BAA tracking
  5. Run a posture scan (live email-auth probe now; TLS/headers/ports/breach deferred) or log findings manually. → Posture scan
  6. Watch the explainable composite score recompute — every factor itemized with its delta. → Risk scoring
  7. Attach evidence (SOC 2 / ISO / pen-test PDFs and the executed BAA) and see framework coverage light up. → Attachments, Coverage
  8. (Optional) Sign in to Cloud to sync and publish evidence. → Cloud

Where is my data? In your browser only, under the key covenant.v1 in localStorage — unless you sign in to the cloud tier. Clearing your browser data or using a different browser/device starts fresh. Use the JSON/CSV exports (on the Vendors tab) to back up. See Security & privacy.