Vendors & risk tiering

Every vendor you add is automatically risk-tiered from three drivers you set, with a safety floor for any vendor that touches PHI. The tier drives the dashboard heatmap and feeds the composite score.

Adding a vendor

  1. Go to the Vendors tab.
  2. In Add a vendor, fill the fields (only Name is required):

     Field                   What it means
     Name                    The vendor's name. Required.
     Primary domain          e.g. acme.com. Needed to run a live posture scan; also used to dedupe on bulk import.
     Category                Pick from the built-in list: EHR / Clinical, Billing / Revenue Cycle, MSP / IT Services, Communications, Cloud / Hosting, HR / Payroll, Marketing / CRM, Facilities, Legal / Professional, Other.
     Status                  prospect, active, or offboarded.
     Data sensitivity        low / medium / high: how sensitive the data this vendor touches is.
     Access level            low / medium / high: how much access the vendor has to your systems and data.
     Business criticality    low / medium / high: how badly an outage or failure at this vendor hurts you.
     Owner                   Free text: who internally owns this relationship.
     Handles PHI             Tick this if the vendor creates, receives, maintains, or transmits Protected Health Information. This auto-requires a BAA and raises the tier floor to High (see How tiering works).
  3. Click Add vendor. Covenant opens the new vendor's detail page so you can start its questionnaire and BAA.

How tiering works

Covenant maps each of the three drivers to a weight (low = 1, medium = 2, high = 3), multiplies the weights into a product from 1 to 27, and buckets the product. Because each weight is 1, 2 or 3, only ten distinct products are possible (1, 2, 3, 4, 6, 8, 9, 12, 18, 27); the ranges below are simply the bucket boundaries.

  Product (sensitivity × access × criticality)    Tier
  18 – 27                                          Critical
  9 – 17                                           High
  4 – 8                                            Medium
  1 – 3                                            Low
PHI floor. If Handles PHI is ticked and the calculation would land on Low or Medium, Covenant raises the tier to High. A business associate is never under-rated — this is deliberate and matches HIPAA's expectation that any PHI handler is meaningfully risky.

The tier is shown as a colored chip on the vendor card, the vendor detail header, and the ledger heatmap. It also sets the inherent-exposure baseline penalty in the score (see Risk scoring).
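The tiering rule above, written out as a small pure function so the bucket boundaries and the PHI floor can be checked rather than taken on trust. This is an added example, not Covenant's own code: the driver weights, buckets and floor come from the text on this page, while the function and property names (computeTier, tierHistogram and so on) are this example's own.

```javascript
// Added example (not Covenant's own code): the tiering rule from this page as a
// pure function, so the bucket boundaries and the PHI floor can be checked.
// Driver mapping, buckets and floor are taken from the help text; the function
// and property names are this example's own.

const LEVEL = { low: 1, medium: 2, high: 3 };
const TIER_RANK = { Low: 0, Medium: 1, High: 2, Critical: 3 };

// Bucket the driver product (1..27) into a tier using the table above.
function bucketTier(product) {
  if (product >= 18) return 'Critical';
  if (product >= 9) return 'High';
  if (product >= 4) return 'Medium';
  return 'Low';
}

// Compute a vendor's tier from its three drivers and the Handles PHI flag.
// Unlike CSV import, which defaults an unknown level to low, this throws on an
// unknown level so that a bad value cannot quietly lower a tier.
function computeTier({ dataSensitivity, accessLevel, businessCriticality, handlesPhi = false }) {
  const weights = [dataSensitivity, accessLevel, businessCriticality].map((l) => {
    const w = LEVEL[String(l).trim().toLowerCase()];
    if (w === undefined) throw new Error(`unrecognized level: ${l}`);
    return w;
  });
  const product = weights.reduce((a, b) => a * b, 1);
  const computed = bucketTier(product);
  // PHI floor: a business associate is never rated below High. The floor only
  // ever raises a tier, so a Critical vendor stays Critical.
  const tier = handlesPhi && TIER_RANK[computed] < TIER_RANK.High ? 'High' : computed;
  return { product, computed, tier, floored: tier !== computed };
}

// Enumerate all 27 driver combinations, useful for eyeballing the boundaries
// or for asserting that no PHI handler ever lands below High.
function tierTable(handlesPhi = false) {
  const rows = [];
  for (const s of Object.keys(LEVEL)) {
    for (const a of Object.keys(LEVEL)) {
      for (const c of Object.keys(LEVEL)) {
        rows.push({ s, a, c, ...computeTier({ dataSensitivity: s, accessLevel: a, businessCriticality: c, handlesPhi }) });
      }
    }
  }
  return rows;
}

// Count how many of the 27 combinations land in each tier.
function tierHistogram(handlesPhi = false) {
  const hist = { Low: 0, Medium: 0, High: 0, Critical: 0 };
  for (const r of tierTable(handlesPhi)) hist[r.tier]++;
  return hist;
}

// Constructed sample vendors (not real data).
const sampleVendors = [
  { name: 'Acme Billing', dataSensitivity: 'high', accessLevel: 'high', businessCriticality: 'high', handlesPhi: true },
  { name: 'Lawn Care Co', dataSensitivity: 'low', accessLevel: 'low', businessCriticality: 'medium' },
  { name: 'Transcription LLC', dataSensitivity: 'medium', accessLevel: 'low', businessCriticality: 'low', handlesPhi: true },
];
for (const v of sampleVendors) console.log(v.name, computeTier(v));
console.log('no PHI:', tierHistogram(false), 'PHI:', tierHistogram(true));
```

Without the PHI flag the 27 combinations split 7 Low, 10 Medium, 6 High and 4 Critical; with it, the 17 Low and Medium combinations all become High and the 4 Critical stay Critical, which is exactly the "never under-rated" guarantee the page describes.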

Editing a vendor

The add form only creates vendors. To change the tiering drivers later, edit them on the vendor detail page, where they surface, or delete the vendor and re-add it. The score and tier recompute live whenever any driver, questionnaire answer, BAA flag, or finding changes; there is no save button, and every change is written immediately to the browser's localStorage. Note that localStorage is stored unencrypted in the browser profile and is readable by any script running on the same origin, so anyone with access to that profile can read the register.

Bulk import & export (CSV / JSON)

On the Vendors tab, the Bulk import / export card lets you load or back up many vendors at once.

Importing from CSV

  1. Prepare a CSV with a header row. Column order is flexible; only name is required. Recognized columns: name, primary_domain, category, data_sensitivity, access_level, business_criticality, handles_phi, owner, status. Extra columns are ignored.
  2. Paste the CSV into the text box. Example first two lines:
    name,primary_domain,category,data_sensitivity,access_level,business_criticality,handles_phi,owner,status
    Acme Billing,acme.com,Billing / Revenue Cycle,high,high,high,true,Office Manager,active
  3. Click Import CSV.
  Detail           Behavior
  Dedupe           Rows are deduped by primary_domain, both against your existing portfolio and within the file. Duplicates are skipped and counted in the status line.
  handles_phi      true, yes, 1, or y (any case) mean yes; anything else means no.
  Level values     Only low / medium / high are honored; anything else defaults to low.
  Defaults         Missing category → Other; missing status → prospect.
  Quoted fields    Standard CSV quoting is supported (commas and quotes inside "…" fields).

Because an unrecognized level value silently becomes low, a typo in a sensitivity, access, or criticality column can pull a vendor down a tier without any error. Check the status line and the tier chips after a large import.

If you see "Import error: missing required 'name' column", your header row is missing or misspells name. The header row is mandatory.
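The import rules above as a standalone importer you can run over a file before pasting it into the app. This is an added example and not Covenant's own code: the recognized column names, the handles_phi values, the level and default rules, and the dedupe-by-domain behaviour are taken from the text above, while the following points are this example's own assumptions rather than documented behaviour: domains are compared case-insensitively, a row with an empty primary_domain is never treated as a duplicate (there is nothing to match on), a row with an empty name is skipped and counted, and an unrecognized category or status falls back to the same default as a missing one. The sample CSV and the existing portfolio are constructed data.

```javascript
// Added example (not Covenant's own code): the CSV import rules from the table
// above, as a standalone importer. Column names are the page's recognized
// columns. Assumptions that are this example's own, not documented behaviour:
// case-insensitive domain matching, no dedupe for rows without a domain, rows
// without a name are skipped and counted, and an unrecognized category or
// status takes the same default as a missing one.

const CATEGORIES = new Set([
  'EHR / Clinical', 'Billing / Revenue Cycle', 'MSP / IT Services', 'Communications',
  'Cloud / Hosting', 'HR / Payroll', 'Marketing / CRM', 'Facilities', 'Legal / Professional', 'Other',
]);
const STATUSES = new Set(['prospect', 'active', 'offboarded']);
const LEVELS = new Set(['low', 'medium', 'high']);
const PHI_YES = new Set(['true', 'yes', '1', 'y']);

// Minimal RFC 4180 parser: quoted fields may contain commas, doubled quotes ("")
// and line breaks; both \n and \r\n line endings are accepted.
function parseCsv(text) {
  const rows = [];
  let row = [], field = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inQuotes) {
      if (ch !== '"') field += ch;
      else if (text[i + 1] === '"') { field += '"'; i++; }
      else inQuotes = false;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      row.push(field); field = '';
    } else if (ch === '\n' || ch === '\r') {
      if (ch === '\r' && text[i + 1] === '\n') i++;
      row.push(field); rows.push(row); row = []; field = '';
    } else {
      field += ch;
    }
  }
  if (field.length || row.length) { row.push(field); rows.push(row); }
  return rows;
}

// Level values: only low/medium/high are honored, anything else becomes low.
// This is a silent downgrade: a typo such as "hgh" lowers the vendor's tier.
const normLevel = (v) => {
  const l = (v || '').trim().toLowerCase();
  return LEVELS.has(l) ? l : 'low';
};

// Turn one header-keyed row into a vendor record, applying the page's defaults.
function normalizeRow(rec) {
  const name = (rec.name || '').trim();
  if (!name) return null; // assumption: nameless rows are skipped, not imported
  const category = (rec.category || '').trim();
  const status = (rec.status || '').trim().toLowerCase();
  return {
    name,
    primary_domain: (rec.primary_domain || '').trim().toLowerCase(), // assumption: case-insensitive
    category: CATEGORIES.has(category) ? category : 'Other',
    data_sensitivity: normLevel(rec.data_sensitivity),
    access_level: normLevel(rec.access_level),
    business_criticality: normLevel(rec.business_criticality),
    handles_phi: PHI_YES.has((rec.handles_phi || '').trim().toLowerCase()),
    owner: (rec.owner || '').trim(),
    status: STATUSES.has(status) ? status : 'prospect',
  };
}

// Import CSV text against an existing portfolio. Column order is free and
// unknown columns are ignored; the header row is mandatory and must contain name.
function importCsv(text, existing = []) {
  const rows = parseCsv(text).filter((r) => r.some((f) => f.trim() !== ''));
  const header = rows.length ? rows[0].map((h) => h.trim().toLowerCase()) : [];
  if (!header.includes('name')) throw new Error("Import error: missing required 'name' column");
  // Dedupe key: primary_domain, seeded from the portfolio and extended by the file.
  const seen = new Set(existing.map((v) => (v.primary_domain || '').toLowerCase()).filter(Boolean));
  const added = [];
  let skippedDuplicate = 0, skippedNoName = 0;
  for (const r of rows.slice(1)) {
    const rec = Object.fromEntries(header.map((h, i) => [h, r[i] ?? '']));
    const vendor = normalizeRow(rec);
    if (!vendor) { skippedNoName++; continue; }
    if (vendor.primary_domain) { // assumption: an empty domain is never a duplicate
      if (seen.has(vendor.primary_domain)) { skippedDuplicate++; continue; }
      seen.add(vendor.primary_domain);
    }
    added.push(vendor);
  }
  return { added, skippedDuplicate, skippedNoName };
}

// Constructed sample input: a quoted name containing a comma, an embedded quote
// in owner, a case-variant duplicate domain, and a row with bad level values.
const SAMPLE_CSV = [
  'name,primary_domain,category,data_sensitivity,access_level,business_criticality,handles_phi,owner,status',
  'Acme Billing,acme.com,Billing / Revenue Cycle,high,high,high,true,Office Manager,active',
  '"Smith, Jones & Co",smithjones.example,Legal / Professional,medium,low,MEDIUM,No,"Counsel, ""outside""",',
  'Acme Billing (duplicate),ACME.COM,Billing / Revenue Cycle,high,high,high,yes,,active',
  'Shadow IT Tool,,Unknown Category,hgh,,,Y,,retired',
].join('\n');
const EXISTING = [{ name: 'Cloud Host', primary_domain: 'hosting.example' }];

console.log(JSON.stringify(importCsv(SAMPLE_CSV, EXISTING), null, 2));
```

Running it on the sample shows the behaviour worth knowing before a real import: the quoted name and owner survive intact, the second Acme row is dropped as a duplicate of acme.com, and the Shadow IT Tool row comes through with every driver at low and status prospect, so it would tier as Low despite the "Y" in handles_phi being honored. The PHI floor described under How tiering works is what keeps such a row from being rated Low in the app itself.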

Exporting

All data lives in your browser, so take a JSON export before clearing browser data, switching machines, or experimenting; the file is a portable record of everything in the register. To restore, the cleanest path is the cloud-tier sync. The export is the same data in plaintext JSON, so store it with the same care as the register itself.

Deleting a vendor

  1. Open the vendor.
  2. Click Delete in the header (or on the score card).
  3. Confirm. This removes the vendor and its assessment, BAA, and findings. There is no undo, so export first if unsure.

The vendor register

Below the forms, every vendor appears as a card showing its tier chip, letter-grade chip, and a PHI tag if applicable. Click a card (or any ledger row) to open the detail page.