You don't have a GRC analyst, a $16,000 budget, or a quarter to roll out an enterprise platform. You do have an auditor, an enterprise customer, or a regulator asking how you manage vendor risk. Covenant is third-party risk management built for exactly that gap.
A single register of every vendor with owner, category, data sensitivity, and access. Bulk-import from CSV and dedupe by domain.
Auto-tier Critical → Low from sensitivity × access × criticality, with a PHI floor so a business associate is never under-rated.
Send SIG Lite, CAIQ Lite, a HIPAA attestation, or an SMB Lite questionnaire over a signed, no-account portal link. Risky answers fold into the score with conditional follow-ups.
External-posture checks, each finding tied to its evidence: email authentication (SPF/DMARC) is checked live via DNS-over-HTTPS today, while TLS, security headers, open ports, and breach signals run from the hosted runner on a weekly or daily cadence.
Attach SOC 2, ISO, and pen-test reports, track findings to closure, accept risk with an expiry, and export an auditor-ready inventory.
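To make the auto-tiering rule concrete, here is an added illustration (not Covenant's code) of the "sensitivity × access × criticality, with a PHI floor" logic described above. The 1-3 scales, the score cut-points, and the floor at High are assumptions for the example; the page names the factors and the floor, not their values.

```python
from dataclasses import dataclass
from enum import IntEnum
class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

# Assumed 1-3 scales for the three factors; the page names the factors, not the scales.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3}
ACCESS = {"none": 1, "read": 2, "write": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
# Assumed cut-points over the 1..27 product range (highest first).
TIER_CUTS = ((18, Tier.CRITICAL), (9, Tier.HIGH), (4, Tier.MEDIUM))
# Assumed floor: a vendor handling PHI (a HIPAA business associate) is never rated below High.
PHI_FLOOR = Tier.HIGH

@dataclass(frozen=True)
class Vendor:
    name: str
    sensitivity: str
    access: str
    criticality: str
    handles_phi: bool = False

def raw_score(v: Vendor) -> int:
    # sensitivity x access x criticality on the assumed scales, range 1..27
    return SENSITIVITY[v.sensitivity] * ACCESS[v.access] * CRITICALITY[v.criticality]

def tier_from_score(score: int) -> Tier:
    for cut, tier in TIER_CUTS:
        if score >= cut:
            return tier
    return Tier.LOW

def tier_vendor(v: Vendor) -> tuple[Tier, bool]:
    """Return (tier, floor_applied). The PHI floor only ever raises a tier."""
    tier = tier_from_score(raw_score(v))
    if v.handles_phi and tier < PHI_FLOOR:
        return PHI_FLOOR, True
    return tier, False

if __name__ == "__main__":
    register = [  # constructed sample rows, not real vendors
        Vendor("payroll-saas", "confidential", "write", "high"),
        Vendor("claims-clearinghouse", "internal", "read", "low", handles_phi=True),
    ]
    for v in register:
        tier, floored = tier_vendor(v)
        print(f"{v.name:22} score={raw_score(v):2} {tier.name}{' (PHI floor)' if floored else ''}")
```

The second sample row scores only 4 (Medium) on the multiplicative rule, which is exactly the under-rating the PHI floor exists to prevent.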
If you handle PHI, the §164.504(e) BAA lifecycle is built in and free — see the BAA tracking page.
This market is famously opaque, so here are real numbers. Enterprise platforms start in the five figures and bill per vendor; Covenant publishes a flat price and never charges per vendor.
| Option | Entry price | Per-vendor fee | HIPAA BAA |
|---|---|---|---|
| Covenant Free | $0 | none | Yes |
| Covenant Pro | $8149.80/yr | none | Yes |
| UpGuard | ~$19,200/yr | ~$79/mo each | No |
| SecurityScorecard | ~$16,500/yr | ~$1,500+/vendor | No |
| OneTrust TPRM | $10,000/yr floor | — | Add-on |
Figures from public pricing and third-party quotes, 2025–2026. Compare in detail: vs UpGuard · vs SecurityScorecard · vs Vanta VRM.
Free for 10 vendors with full BAA tracking. No card, no sales call.